Understanding Cookies Compliance in Digital Marketing

About our expert

JODI DANIELS

Jodi is the Founder and CEO of Red Clover Advisors, a privacy consultancy that helps companies create privacy programs, build customer trust and achieve GDPR, CCPA, and US privacy law compliance. Jodi helps companies with the daily operations such as data mapping, individual rights, training, policies, etc. and also serves as a fractional chief privacy officer. She is cohost of the podcast She Said Privacy/He Said Security. 

We all know that message about cookie tracking when you visit a new website. What do you do in that situation? If you’re like the rest of us, it will be a case of sometimes ‘yes’, sometimes ‘no’. 

https://youtu.be/_SgbRJtXkpU

A history of data privacy laws

Modern data privacy laws began with the EU’s GDPR (General Data Protection Regulation) guidelines in 2018. By the end of 2023, this will have extended to the US, with a total of 5 state privacy laws (California and Virginia are already effective, with Colorado, Connecticut, and Utah joining them by the end of the year). Worldwide there are over 150 privacy laws, and more are being introduced every year. The aim of most of these laws is to legislate around what personal data is collected and how it is used by advertisers. 

Evidently, this has huge implications for digital advertisers, and they need to be aware of it just as much as their legal departments do. Not only does a failure to comply risk calling customers’ faith in you into question, there are now bad-faith actors specifically targeting compliance failures for hefty payouts. Sephora were caught selling sensitive customer information and were served a $1.2 million fine by CCPA in August 2022. Home Improvement, FTC, Meta and Chick-fil-A are some other big companies who have fallen foul of regulations. Their transgressions include embedding Facebook pixels that collect customer data without their consent, sharing customer health data to advertisers, and sharing personal information with Meta.

But what do consumers actually think about their data and how it is used? According to a 2022 report by Ad Science; 

  • 68% of consumers are uncomfortable with their data being used for advertising purposes
  • 99% of consumers agree that privacy is important when browsing online
  • 34% of consumers are willing to share their data with shopping sites for a more personalized experience

What we can glean from this is that people do care about privacy and what happens to their data. 

But what constitutes personal data? You might think this is limited to banking or medical data. However, something as simple as a name, IP address or browsing history can constitute personal information. So when customers opt out of sharing personal data, all of this information is off limits to advertisers.

Something else that can often be misunderstood is the difference between ‘selling’ and ‘sharing’ of data. According to CCPA, the selling of data means there must be some element of monetary or value exchange in return for the data, whereas with data sharing there is not. This is important to recognise, as the CCPA classifies AdTech as data selling rather than sharing. This is a specificity which is not covered by GDPR. As such, an additional disclosure must be made in the privacy terms and an additional opt-out must be given to users around the sale of data.

What are the different uses of cookies?

There are four main categories of cookies:

  • Strictly necessary cookies: These are essential to the working of the site e.g. remembering cart items or login details.
  • Preference cookies: These are sometimes called functionality cookies and they allow a site to remember things like language preferences, regional setting, etc.
  • Statistics cookies: These are sometimes called performance cookies and they anonymously collect how users interact with a site e.g. Google Analytics.
  • Marketing cookies: These collect identifiable data about an individual’s online activity in order to deliver relevant advertising.

Users also have the ability to set their cookie preferences in the browser, which means the options they are presented with should be limited to strictly necessary and sale of data. Using a cookie tool lets you handle this as well as changing or differing regulations. For example, cookie notices in the EU should ask users to opt in to cookies (except strictly necessary cookies), whereas in the US, users are asked to opt out. 

What should be included in a cookie banner?

So how can you make sure your cookie banner does its job whilst also not negatively impacting on your users? Here are some Do’s and Don’ts to help you crafting your cookie banner:

  • DO have a clear explanation of the types of cookies being used
  • DON’T use dark patterns to trick users e.g. ‘Accept’ and ‘Reject’ buttons should have equal prominence
  • DO list all the cookies being used
  • DON’T force users to accept
  • DO consider the mobile experience
  • DON’T block the homepage or other website content with your banner

Rather than seeing the cookie banner only as a legal necessity, you can actually include it in your site's user experience by integrating your brand voice. There are innumerable examples of terrible cookie banners, but Starbucks and Coca Cola stand out as great examples of how cookie banners can be fun.

When writing your cookie banner, it’s not enough simply to say that you are using cookies. Here are some things you should consider including in your message:

  • The types of cookies you use (as listed above)
  • Why you are using them e.g. Analytics, to create a personalized experience, etc.
  • A place for them to change or customize the cookie settings
  • A link to your privacy policy (which should include all parts of your cookie policy)
  • Options to accept or reject specific cookies and – depending on the jurisdiction – a ‘Do not sell my data’ option 

Here’s an example of a standard cookie banner text:

“We use cookies to provide social media features and to analyze our traffic. We also share information about your interactions with our site with our social media, advertising, and analytics partners. To learn more about our cookies and how to manage your privacy preferences, please see our Privacy Notice.

Global Privacy Control

Companies are also required to honor the Global Privacy Control signal that users set at a browser level. Cookie software tools are usually able to deal with this.

‘Do not sell my information’ and financial incentives 

Where required, you should include a link to your ‘Do not sell my information’ and financial incentives policy. Pottery Barn’s website includes these in the footer links.

Google Analytics and data privacy

Google Analytics is a tool used by digital marketers to track all sorts of useful information about their users. However, if you are relying on GA, you should know that this tool is illegal in Austria, France, Denmark, and Italy. There are alternative tools like Matamo, PostHog, Plausible, and Fathom that you can use in these territories. If you’re using GA, make sure you disclose this in your privacy notice. You should also make sure that, in GDPR territories, users have the option to opt in.

Privacy, data, and de-identification

The idea of de-identified data is that it is data that is not linked to a specific user and can therefore be used for advertising purposes. It's not always clear what data is de-identified but if it can be reunited with personal information in some way, it’s not de-identified.

In addition, when certain types of sensitive data is collected for a specific purpose (that the user agrees to), you can’t always use it for other purposes. For example, with health related data, you may collect it initially to deliver your service but then want to use it to create a research paper. Even when specific data is not disclosed, you would need to seek additional consent for that. Besides health data, sensitive data also includes banking details, biometric data, religious or sexual orientation, etc.

With each new software tool, vendor, or data use case, privacy should always be considered. Ultimately, you have final responsibility for ensuring compliance.

Data privacy ops

In every organization, it’s important to consider all the elements involved in your data privacy policy:

  • Governance – Do you have someone in your team who is responsible for data privacy?
  • Policies and standards – Do you have internal and external documentation that describes your data privacy policy?
  • Data inventory – Do you have a list of all the means and purposes you use customer data for e.g. Custom marketing emails, etc.
  • Privacy impact assessments – Do you know the privacy risks you have in your organization? (this is required in some territories).
  • Individual rights – Do users have the option to opt in or out of data collection?
  • Vendor management – Who are your vendors and are they complying with your data privacy policies?
  • Marketing consent and preferences – Are you using opt-in or opt-in? Can users opt out of specific uses and into others?
  • Security – Is the data you collect on users secure?
  • Training – All team members should be aware of your privacy policy and new hires should be trained up on it too? 
  • Sustainable compliance – Compliance requirements change as new technologies come into the market. It’s important to stay on top of these and update your policy as needed.
Scroll to Top