BOISE, Idaho — If you are following the various privacy laws being passed around the world, you have certainly heard a lot of chatter about cookies. You may also be annoyed by website banners that pop up whenever you view a website.

What are cookies and why are they used?

Cookies are small text files that websites store on your device. Cookies were created by Lou Montulli and first used in 1994 by the web browser Netscape.[1] The first cookies were used to identify whether users had previously visited a particular website.

Over the years, cookies have evolved, making users increasingly concerned about cookies tracking their online behavior, particularly without their knowledge or consent. Today, cookies are primarily used to make websites work more efficiently; however, they are also used for marketing and advertising purposes. Cookies help websites remember information about you, such as your login details and what is in your online shopping cart. But cookies are also used to track your online activity for targeted ad campaigns.

Types of cookies

First-party cookies are stored on your device by the website you are browsing.

Third-party cookies are stored on your device by third-party companies, such as an advertiser. Most third-party cookies are used for advertising purposes.

Session cookies are only kept for the length of the browser session. These cookies are temporary and are deleted as soon as you close your web browser or end the browsing session. This type of cookie generally does not have any privacy concerns.

Persistent cookies are those that remain on your device until you erase them or until they expire, which can vary.

Flash cookies are created and stored in the Adobe Flash app. These cookies are not deleted when the browser cookies are cleared—they must be deleted within the Flash player’s settings.

Privacy and Compliance

So, what do cookies have to do with privacy? The information companies obtain about you from using cookies creates concern about how that information should be used and protected.

The laws surrounding cookies can vary and the use of cookies is continuously changing, which makes compliance an ever-evolving task. A few examples of legislation regarding cookie usage are the GDPR in the EU, Brazil’s LGPD, and California’s CCPA and CPRA. Presently, the U.S. does not have any federal laws or regulations that specifically address cookie usage. But this could change.

Cookie compliance is complicated because websites can be viewed by people anywhere in the world. For example, if a website collects information from California residents, the company, even if it is outside of California, can be covered by the CCPA/CPRA, and therefore must comply with these laws. Further, the same website may collect information from citizens in the EU and therefore must also comply with the GDPR.

What can you do to make sure you are in compliance? This is where those pesky website banners come into play (and yes, they have a purpose). First, you should determine what types of cookies your company is currently using. After assessing what types of cookies your website uses, your company should create a cookie policy that is disclosed to your users. Your cookie policy should contain information such as what types of cookies are being used, how they are being used, a description of the personal information being collected, and whether the information is being shared with any third parties. Under the EU’s GDPR, information collected through cookies is considered personal data, so users must consent to the use of cookies. This is a practice that is spreading to jurisdictions where consent is not required. Under California’s CPRA, which will go into effect on January 1, 2023, users have the right to opt-out of the sharing of their personal information for targeted advertising and limit the use of sensitive personal information. These requirements will have a big impact on how cookies and cookie data can be used. Some companies choose to include the cookie notice within their privacy policy while others create a separate policy. Lastly, this cookie policy should notify users who visit your website by providing the disclosure on a website banner or in the form of a pop-up notification.

The use of cookies is complex and so are the laws and regulations surrounding privacy and cookie usage. It is important to stay up-to-date with the various regulations coming into effect. Accordingly, your privacy and cookie policies should be reviewed and updated on a regular basis to stay in compliance and build trust with your consumers.

[1] Kukulka, Magdalena. “What are browser cookies? The history of cookies in digital advertising.” New Programmatic, 23 July 2021