What are Cookies?
Cookies are an important tool for any business that operates a website. They can give you a great deal of insight into your users’ online activity and help you create targeted marketing and advertising strategies. And digital advertising is big business, with global spending targeted to hit US$680 billion in 2023.
Cookies can store a wealth of data – enough to potentially identify your users without their consent. Over the last decade, a number of laws and regulations have come into play to ensure this doesn’t happen.
What are the Different Types of Cookies?
In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their source or provenance.
Duration
- Session cookies – temporary cookies that expire once a user closes their browser
- Persistent cookies – cookies that remain on a user’s hard drive until the user or their browser erases them.
Provenance
- First-party cookies – cookies your website puts directly onto a user’s device
- Third-party cookies – cookies that a third party, like an advertiser or an analytics system, puts onto a user’s device while they are browsing your website.
Purpose
- Necessary cookies – essential for users to browse your website and use its features, such as accessing secure areas of the site
- Preferences cookies – allow your website to remember choices users have made in the past, like what language they prefer or their username and password, so they can automatically log in
- Statistics cookies – collect information about how users browse your website, like which pages they visited and which links they clicked on. Their sole purpose is to improve website functions
- Marketing cookies – track users’ online activity to help advertisers deliver more relevant advertising or to limit how many times a user sees an ad.
What is Cookie Consent?
In the EU, the regulations governing cookies are split between the General Data Protection Regulation (GDPR) and the ePrivacy Directive (or EU Cookie Law). While they are different in scope, both require advertisers, publishers, and brands to consider their digital data privacy practices and how they communicate these to their users.
How Does Cookie Consent Work Under the ePrivacy Directive?
The ePrivacy Directive is a law that requires sites to obtain consent from users before retrieving or storing their personal information. Essentially, it gives users the right to say no to the collection, storage, and use of their information.
To be cookie compliant under the ePrivacy Directive, a business must:
- Receive users’ consent before using any cookies, except strictly necessary cookies
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received
- Document and store consent received from users
- Allow users to access your service even if they refuse to allow the use of certain cookies
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place
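The three classifications above and the consent rule in the first requirement can be checked mechanically against the Set-Cookie headers a site emits. The following is an added example, not code from the original page: the site host, cookie names, purpose registry and sample headers are constructed assumptions, and the first-party test is a simplified host comparison.

```javascript
// Constructed sample: the site host, cookie names and purpose registry are assumptions.
const SITE_HOST = "shop.example";

// Purpose cannot be read from the cookie itself; the site has to declare it.
const PURPOSES = new Map([
  ["sid", "necessary"], ["lang", "preferences"],
  ["_stats", "statistics"], ["ad_id", "marketing"],
]);

// Each entry: [Set-Cookie header value, host that sent the response].
const SAMPLE = [
  ["sid=abc123; Path=/; Secure; HttpOnly", "shop.example"],
  ["lang=en; Max-Age=31536000; Path=/", "shop.example"],
  ["_stats=u42; Max-Age=63072000", "cdn.shop.example"],
  ["ad_id=x9; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure", "ads.example.net"],
];

// Split one Set-Cookie value into the cookie name and its lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = new Map();
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs.set((i < 0 ? a : a.slice(0, i)).toLowerCase(), i < 0 ? true : a.slice(i + 1));
  }
  return { name: pair.slice(0, pair.indexOf("=")), attrs };
}

// Classify by duration, provenance and purpose, then apply the consent rule.
function classify(header, responseHost, consent) {
  const { name, attrs } = parseSetCookie(header);
  // Without Expires or Max-Age the browser discards the cookie when the session ends.
  const duration = attrs.has("max-age") || attrs.has("expires") ? "persistent" : "session";
  // Simplified host comparison; browsers compare registrable domains instead.
  const sameSite = responseHost === SITE_HOST || responseHost.endsWith("." + SITE_HOST);
  const provenance = sameSite ? "first-party" : "third-party";
  // Undeclared cookies fail closed: treated as marketing, so they need consent.
  const purpose = PURPOSES.get(name) ?? "marketing";
  const allowed = purpose === "necessary" || consent.has(purpose);
  return { name, duration, provenance, purpose, allowed };
}

// Audit every sample cookie against the purposes the user has accepted.
function audit(consent) {
  return SAMPLE.map(([header, host]) => classify(header, host, consent));
}

console.table(audit(new Set(["preferences"])));
```

Any row with allowed set to false is a cookie that should not be written until the user accepts that purpose.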
Do Cookie Consent Laws Impact My Business?
If your business processes personal data in the EU and provides services over electronic communication, the ePrivacy Directive applies to you. If a US-based company does not conduct any business with EU residents, it is not required to comply with the ePrivacy Directive.
The GDPR is much broader, applying to all companies and organizations, independently of their place of origin, that offer goods and services to consumers in the EU or collect and process personal data of website users located in the EU.
Outside the EU, there are a number of laws like the GDPR that protect data privacy. These include the Personal Information Protection Law (PIPL) in China, the California Consumer Privacy Act (CCPA) in California, and the Consumer Data Protection Act (CDPA) in Virginia, among others.
What are the Penalties for Non-compliance with Cookie Consent Laws?
Penalties under the EU cookie law are decided and enforced by local governments. If you don’t comply, you could face criminal charges and fines. For example, in 2022 France fined Google US$169 million and Facebook US$67 million for requiring too many clicks for users to opt out of cookies.
The Future of Cookies
Laws like the ePrivacy Directive and GDPR mean that there is more awareness of cookie consent and user privacy. Millions of internet users around the world have taken additional steps to protect their data, such as enabling ad blockers, which block cookies and other tracking technologies.
In compliance with regulations and recognizing ongoing user concerns around privacy, browsers are phasing out support for third-party cookies. Apple, Google, and Mozilla have all announced plans to do this in the coming years.
What is Zero-party Data?
The phasing out of third-party cookies will have a profound impact on the digital advertising world and will require businesses to rethink how they collect user data.
There is an alternative to cookies called zero-party data – data that users voluntarily share with your business. This data can include things like preferences, interests, and contact information. It’s typically collected through methods such as surveys, polls, and quizzes.
While it takes more effort to collect, zero-party data has the potential to be more valuable to businesses than cookies because it is more accurate, specific, and reliable. In addition, zero-party data is collected with the user’s consent, so there are no privacy concerns.