FAQs About Cookie Consent
Cookies can be confusing. What are they anyway, and when do you need someone's consent to collect personal data using cookies?
We provide the answers to these commonly asked questions and more below.
- 1. What are Cookies?
- 2. Why Do You Need Consent to Use Cookies?
- 3. Where in the World Do You Need Cookie Consent?
- 3.1. The European General Data Protection Regulation (GDPR)
- 3.2. Children's Online Privacy Protection Act (COPPA)
- 3.3. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 3.4. Brazilian General Data Protection Law (LGPD)
- 4. Where Don't I Need Cookie Consent?
- 4.1. 1. Australia
- 4.2. 2. New Zealand
- 4.3. 3. USA
- 5. What Happens if Businesses Don't Get the Consent They're Required to Get?
- 6. Can Businesses Make it Mandatory that Users Give Consent for Cookies?
- 7. When are Some Cookies Necessary?
- 8. How Can Businesses Get Consent for Placing Cookies?
- 8.1. Clickwrap Consent
- 8.2. Browsewrap Consent
- 9. How Do Third Parties Get Cookie Consent?
- 10. How Do Business Store Cookie Consent?
- 11. When Do Cookies Expire?
- 11.1. Session Cookies
- 11.2. Persistent Cookies
- 12. When Do I Need to Obtain Consent Again?
- 13. Conclusion
What are Cookies?
"Cookies" are simply small packets of data. They're sent to a device when someone visits a website, and they're stored in the user's browser.
Essentially, cookies store data that allows websites to "remember" users. For example, they might contain someone's username. They can also be used to track someone as they move around a website, which enables businesses to:
- Send people personalized ads
- Remember someone's shopping cart
- Check website performance
- Monitor browsing behavior
So, cookies can help businesses improve the overall user experience on their websites.
Why Do You Need Consent to Use Cookies?
Cookies are capable of processing what's known as personal data, or personally identifiable information. To protect users' privacy rights, it's important that people have the option to refuse cookies if they don't want to share personal information with businesses.
To be clear though, you don't always need consent to use cookies, which we'll cover below.
Where in the World Do You Need Cookie Consent?
Cookie consent is required in many (but not all) jurisdictions around the world. Let's break down the main laws and where they apply.
The European General Data Protection Regulation (GDPR)
Under the GDPR, you can't collect personal data without someone's express, informed, and obvious consent. So, you can't use cookies to collect anything which may be deemed personal data unless you have express consent. "Personal data" is essentially anything you can use to identify a specific person.
If you're in any doubt, always get consent. We'll cover how to do this below.
If you must comply with the GDPR, you should also comply with the ePrivacy Directive. Again, the idea is that you can't add a cookie to someone's browser without their prior consent unless the cookie is for basic purposes only i.e. site functionality.
Contrary to popular belief, the GDPR didn't repeal the ePrivacy Directive, so make sure you comply with both if you're targeting EU-based individuals.
Children's Online Privacy Protection Act (COPPA)
If your website is aimed at under-13s, or you know that under-13s are likely to use your website, you can't use "persistent" cookies to collect personal data from minors without verifiable parental or guardian consent, according to COPPA requirements.
Persistent cookies stay on someone's browser at the end of their session, which allows your system to remember the user. We'll cover them a little more below.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA works on an opt-out basis. This means you should give someone the option to refuse cookies, but there's no need to obtain their express consent unless you're collecting sensitive personal data e.g. health information, religious beliefs, political leanings.
An example of how this might work is a pre-checked checkbox assuming consent to cookies, which the user is then free to "uncheck" if they don't want a business using cookies. If you're collecting sensitive data, the checkbox should be unchecked.
Brazilian General Data Protection Law (LGPD)
Under the LGPD, you need a user's consent before you can collect personal data from them.
Because cookies can collect personal data, you must obtain consent from the "data subject" or user before you can use marketing, tracking, or analytics cookies.
There's one final crucial point you must bear in mind here: The above laws apply no matter where in the world your business is based. For example, if you're targeting users in the EU, you must comply with the GDPR even if you're based in China, and so on.
Where Don't I Need Cookie Consent?
There are some places around the world where there's no need to obtain consent before you place cookies on a user's device. Here's a summary of the major three:
1. Australia
In Australia, the applicable privacy laws are the Privacy Act 1988 and the Spam Act 2003. Neither Act makes it a requirement for businesses aimed exclusively at Australian visitors to get consent before using cookies. However, you should still have a cookie disclosure notice or banner on your website.
If your website draws traffic from elsewhere around the world, such as the EU, then you must comply with the applicable privacy laws which means you may need a cookie consent process.
2. New Zealand
Again, there's no requirement in New Zealand privacy law to obtain cookie consent. So, if you're a local business targeting New Zealanders only, then you may not need a cookie consent banner (although you should still tell people you use cookies).
If you're targeting users outside New Zealand, then you must comply with privacy rules for that jurisdiction e.g. the GDPR.
3. USA
There's no single rule mandating the use of cookie notices in the United States. However, you must check local and federal laws before assuming that it's safe to forego cookie banners.
It's still good practice to inform people that you use cookies, even if you don't need user consent. And, again, you must comply with global privacy laws if you're targeting non-U.S. users.
If your country of choice is not listed here, then it's important you check the privacy laws applicable to your region before you try to use cookies without formal user consent.
What Happens if Businesses Don't Get the Consent They're Required to Get?
Failing to obtain the necessary consent is a breach of privacy law.
The penalties depend on which specific privacy law you breached by not obtaining consent, but they include financial penalties and fines. You may also suffer reputation damage or lose customers in the event there's a data breach or privacy violation involving your business.
If you're at all unsure how to comply with the applicable privacy laws, you must seek professional, tailored legal advice to avoid incurring these penalties.
Can Businesses Make it Mandatory that Users Give Consent for Cookies?
The short answer is no. Under the GDPR, individuals must be free to choose whether to accept cookies and provide access to their personal data. Mandating cookies takes this free choice away from users, which means you're not obtaining valid consent.
Moreover, it's a condition of various privacy laws that users should not be discriminated against if they choose not to accept cookies or provide personal information for marketing purposes. Prohibiting users from your website on the grounds that they won't accept certain cookies may be deemed discriminatory.
Whether you need to comply with the GDPR or not, you shouldn't make cookies consent mandatory.
When are Some Cookies Necessary?
If your website won't work without using a certain cookie, then it's what's called a "necessary" cookie. In other words, it's essential for the website's functionality. These cookies normally expire at the end of the session (in other words, they're "session" cookies, which we'll cover below).
Necessary cookies matter if you're obliged to comply with the ePrivacy Directive. Under Article 5(3), you can install cookies which are necessary to provide essential services to someone:
For example, say someone's shopping at your ecommerce store. They want to add something to their cart and continue browsing. To keep the item in the cart, it's essential for your website to add a certain cookie to the user's browser. This is then a strictly necessary cookie and you don't need permission to use it.
You should always check applicable privacy laws if you're in any doubt as to whether you need consent to use a certain type of cookie.
How Can Businesses Get Consent for Placing Cookies?
There are two ways to obtain consent: clickwrap or browsewrap.
Clickwrap Consent
With clickwrap, the user generally can't access your website until they engage with your cookie notice. The cookie notice appears when the user first lands on the page and it won't disappear until they at least confirm they're happy to proceed.
This is the best type of cookie notice to use, because it ensures the person gives free, informed, and express consent which is essential for the GDPR.
Here's an example of clickwrap from DocuSign. It shows up when you begin scrolling, and you can't continue without acknowledging the notice:
Even if you're not targeting EU customers, consider using clickwrap. It's more transparent and conclusive than browsewrap, and it covers you if an EU-based person happens to visit your website.
Browsewrap Consent
With Browsewrap, you're just telling people that you use cookies and the only real choice you give them is to not use your site or service, or agree by default to the use of cookies. This type of banner might work best in regions like Australia and NZ where formal consent isn't required.
Here's an example from Cash App that clearly gives users no choice here except to agree to cookies, or go use a different app:
You don't normally need consent for "strictly necessary" cookies. Here's an example of what this section of your cookie banner might look like, from T Nation:
How Do Third Parties Get Cookie Consent?
If the cookie comes from a website other than the site which the user is currently accessing, then it's a third-party cookie. These cookies may come from third-party vendors such as analytics companies, advertisers, or social media sites.
Third parties must also obtain a user's consent before they can install cookies. However, it's generally up to the business owner to use a cookie consent banner which is sufficient to obtain consent for all parties.
Here's an example of what a banner might look like, from TechTarget. In the "Site Vendors" column, people can give consent to third-party cookies from external partners, such as Salesforce:
The issue with third-party cookie banners like this is that from the third party vendor's perspective, it's risky because they're relying on the site owner obtaining the appropriate consent. Third parties usually ask website owners for a legally binding contract ensuring they comply with cookie consent requirements.
How Do Business Store Cookie Consent?
There's no right answer, but you must have a safe and secure storage process for holding all cookie data, including where consent is refused.
- Consult an IT specialist if you're unsure how to proceed with safe cookie storage
- Check the applicable privacy law to see how long you must hold onto this information for
When Do Cookies Expire?
How long it takes for cookies to expire depends on whether they're a "session" cookie or "persistent" cookie.
Session Cookies
Session cookies disappear, or expire, once the user closes the website and ends the session. Because they're only temporary, and they're essential for website functionality, there's usually no need to obtain user consent before using them.
Examples of session cookies might include cookies designed to:
- Keep users logged in for the duration of their visit
- Track their shopping cart
- Monitor the length of a user visit/session (for purely anonymous, analytical purposes)
Persistent Cookies
Persistent cookies "persist" as long as they're reasonably necessary.
While there's no clear guidance for how long these cookies may last, try to consider what's fair on the user. For example, if they haven't visited your website for six months, it's probably worth getting their consent again.
When Do I Need to Obtain Consent Again?
There's no hard rule on when cookie consent expires. However, you shouldn't assume that consent lasts indefinitely, so it's good practice to refresh your cookie consent every 12 months or so.
When it's time to renew consent, you can just use the same process you used to obtain consent in the first place.
Conclusion
We've covered a lot of ground here, so let's be clear on the key takeaways you should remember.
- You don't need someone's consent to strictly necessary cookies. These are cookies which are required for the website to work properly.
- In the EU, you can't collect personal information through cookies without obtaining someone's free, informed, and obvious consent.
- Elsewhere, you must at least tell people that you use cookies so users can opt out if they wish.
- You can't make giving consent mandatory, because this means you're not getting free consent.
- Clickwrap is the better standard for obtaining consent because people must expressly indicate their cookie preferences before they can use your website.
- Session cookies don't normally need consent, but persistent cookies might.
- You should aim to renew cookie consents at least once every 12 months.