If you've worked in digital marketing at all in recent years, you know that the instructions for effective cookie use on company websites have been tweaked and tested more often than the secret recipe for Levain Bakery's award-winning chocolate chip cookie (my personal favorite type of cookie, I might note!).
Ever since the European Union passed the General Data Protection Regulation (GDPR) in 2016, governments worldwide have been regulating how businesses collect personal information about their users via cookies.
Those privacy laws are nuanced; therefore, although cookie compliance isn't necessarily hard, it can be complex. That is especially true in the US, where sectoral and state laws bear the responsibility for privacy legislation in lieu of federal laws.
But here's the scoop: Cookie compliance helps you build a strong privacy program that benefits your company and your customers.
Here's our secret recipe for achieving and maintaining cookie banner compliance.
6 Steps to Achieving and Maintaining Cookie Banner Compliance
Step 1: Determine applicable laws
Building a cookie consent management program that is agile and compliant with multiple regulations is much easier if you know all the rules before starting.
But here's the thing: Companies are often subject to more than one regulation, depending on...
- The size of their organization
- The number of data records they collect
- Where their offices are located
- Where their customers or employees live
The cookie banner requirements for GDPR are different from the obligations listed in other laws such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act, the Colorado Privacy Act, or the Virginia Consumer Data Privacy Act (VCDPA).
Here's where working with privacy experts can be helpful: They'll be well-versed in who each regulation applies to—and how.
Step 2: Create a data inventory
A data inventory, sometimes called a data map, is a record of the totality of a company's data assets.
Data inventories reveal...
- What types of data are collected and why
- How the data is used
- Whom the data is shared with
- Where and how long the data is stored
A data inventory is a multitasking wonder. Here are a few examples of what it does for privacy programs:
- Creates a comprehensive overview of your company's data practices
- Evaluates and improves protocol for third-party vendor management
- Assesses individual rights management practices
- Creates a record of processing activity (ROPA), which is required per GDPR Article 30
- Ensures that an organization's privacy policy and cookie notifications match daily data operations
Step 3: Set a notification launch sequence
Most data privacy laws and all data privacy best practices require notifying website visitors—before the cookie does its job—what information the cookie is collecting and how that information will be used.
Depending on where you're located, cookies should:
- Be blocked until notifications have launched and consent has been received (GDPR), or
- Fire at notice or before time of collection (US)
Banner notifications should include detailed information about what data is being collected by the cookies, how it will be used, and whom it will be shared with—in jargon-free language so users can make an informed decision. Using cookie software—and working with a privacy professional to implement it—can help simplify implementation of that requirement.
Step 4: Establish opt-in or opt-out processes
The type of cookie consent you need to obtain varies by law.
Under most US consumer privacy laws, cookies can be set without direct consent from users. Although an assumption of consent is the baseline under the opt-out principle, laws still mandate that customers be given the ability to easily deny cookies as well as refuse the sale of their data to third parties.
GDPR is an opt-in system, in which consent must be "freely given, specific, informed, and unambiguous" through a "clear affirmative action." Since preselected boxes and continued site use do not constitute "clear affirmative action," users must actually click a button agreeing to the deployment of cookies.
Opt-in systems are not required by all laws, but they exceed the standards in opt-out laws and, as a result, they are considered the gold standard in data privacy management. Companies that implement opt-in consent from the start will likely be able to respond quickly and with more agility to the dramatic and rapid changes to consumer privacy laws and best practices that are common in the current landscape.
Step 5: Link to privacy and cookie policies
It's no secret that cookie banners aren't a particularly popular part of any browsing experience, necessary as they may be. Putting entire privacy and cookie policies into a pop-up banner will turn a banner into a page, making people more likely to ignore it.
Instead, consider including a "Learn More" or "Privacy Policy" button on the cookie banner.
That button should link to not only the company's privacy policy but also a list of all cookies, as well as a more detailed description of the site's cookie settings.
Step 6: Ensure secure storage of consent records
Most experts recommend that companies maintain a record of consent for five years. Those records should be securely stored, but they also need to be easily accessible if a customer files a data subject access request (DSAR) or an individual rights request. They will also be critical to proving compliance in the event of an audit.
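The two launch sequences from Step 3, the opt-in versus opt-out consent rules from Step 4, and the consent record from Step 6 can be pulled together in one small consent gate. The following is an added example written for this article, not code from the original post or from any consent-management vendor; the class, category names, policy version and the five-year retention figure used for the record's expiry are this example's own assumptions, and the "tags" are plain callbacks standing in for the scripts that would set cookies on a real site.

```javascript
// Added example (not part of the original article): a consent gate that models
// the two regimes the article describes. Under "opt-in" (GDPR) every
// non-essential category is blocked until the visitor takes a clear affirmative
// action. Under "opt-out" (US state laws) non-essential cookies may fire at
// notice, but the visitor can refuse and later loads are then blocked.
// Names, categories and the record shape are assumptions for illustration.

const CATEGORIES = ["analytics", "marketing"]; // non-essential; "essential" always runs
const RETENTION_DAYS = 5 * 365; // the article's "five years" recommendation
const DAY_MS = 86400000;

// Baseline choices before the visitor has acted, which is the only point where
// the two regimes differ: opt-in denies, opt-out allows pending a refusal.
function defaultChoices(regime) {
  const allowed = regime === "opt-out";
  const choices = { essential: true };
  for (const c of CATEGORIES) choices[c] = allowed;
  return choices;
}

class ConsentManager {
  constructor({ regime, policyVersion, now = () => Date.now() }) {
    if (regime !== "opt-in" && regime !== "opt-out") throw new Error("unknown regime");
    this.regime = regime;
    this.policyVersion = policyVersion; // ties a record to the policy text shown
    this.now = now; // injectable clock so the example is testable offline
    this.record = null; // becomes the consent record once the visitor decides
    this.queue = []; // tag loaders deferred until their category is allowed
  }

  choices() {
    return this.record ? this.record.choices : defaultChoices(this.regime);
  }

  // Register a cookie-setting function under a category. It runs now only if the
  // category is currently allowed; otherwise it waits for a consent decision.
  registerTag(category, loader) {
    if (this.choices()[category]) loader();
    else this.queue.push({ category, loader });
  }

  // Record the visitor's decision. Only an explicit button click counts; scrolling
  // or continued browsing is rejected because it is not a "clear affirmative action".
  decide(action, choices) {
    if (action !== "click") throw new Error("implicit consent is not accepted");
    const ts = this.now();
    this.record = {
      choices: { essential: true, ...choices },
      policyVersion: this.policyVersion,
      regime: this.regime,
      timestamp: ts,
      expires: ts + RETENTION_DAYS * DAY_MS, // when the stored record may be purged
    };
    this.flush();
    return this.record;
  }

  // Run any deferred loaders whose category the visitor has now allowed.
  flush() {
    const remaining = [];
    for (const item of this.queue) {
      if (this.choices()[item.category]) item.loader();
      else remaining.push(item);
    }
    this.queue = remaining;
  }
}

// Retention check for stored records (Step 6): true once the record is past its
// five-year window and can be removed from the consent log.
function isExpired(record, nowMs) {
  return nowMs >= record.expires;
}

// Walk one visitor through a page load under a given regime and return which
// non-essential tags fired at notice and which fired after the decision.
function runScenario(regime, visitorChoices) {
  const fired = [];
  const cm = new ConsentManager({ regime, policyVersion: "example-v1", now: () => 1700000000000 });
  cm.registerTag("analytics", () => fired.push("analytics"));
  cm.registerTag("marketing", () => fired.push("marketing"));
  const firedAtNotice = [...fired];
  const record = cm.decide("click", visitorChoices);
  return { firedAtNotice, firedAfterDecision: [...fired], record };
}

// Usage: the same visitor choice (analytics yes, marketing no) under both regimes.
console.log(runScenario("opt-in", { analytics: true, marketing: false }));
console.log(runScenario("opt-out", { analytics: true, marketing: false }));
```

The only code path that differs between regimes is the default returned before a decision exists; everything else (requiring a click, storing a versioned record, running deferred loaders) is shared, which is why the article can describe opt-in as the stricter superset and a sensible starting point.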
Building Your Privacy Cookbook
Dessert is not a meal, and a privacy program needs more than compliant cookie banners to be successful. But learning to bake cookies builds fundamental skills that can transfer to other dishes, and establishing cookie management policies in line with data privacy best practices will make building out a fully functional privacy program a (ginger)snap.