Three Tips For Organizing Your Company's Cookie Strategy

Jodi Daniels is a privacy consultant and Founder/CEO of Red Clover Advisors, one of the few Women’s Business Enterprises focused on privacy.

Whether your favorite is chocolate chip (my personal favorite), snickerdoodle or (gasp!) oatmeal raisin, nothing beats a warm cookie. You can spend up to $1,000 on a single cookie, but some cookies are classics because they don’t require fancy ingredients or complicated steps. Just stick with your basic ingredients, mix them together and give them 10 minutes in your oven. 

The digital cookies on your website are like a great chocolate chip cookie: simple, easy and basic. But if you aren’t careful, you can end up with a site chock-full of artificially flavored cookies that are risky to your business.

Cookies: A History

Invented by a Netscape engineer, cookies are small, randomly encoded text files that store data about a user's website visit on their own computer, rather than on a company's servers. Cookies can help improve the user's experience, as they keep shopping carts full across visits and remember your login preferences.

Stored locally and too small to hold malware, cookies themselves are typically more helpful than dangerous. But when combined with bad actors or pervasive tracking protocols from advertisers, cookies can create a privacy risk for consumers and a liability risk for you.

The Cookie Matrix

New legislation has changed some of the terminology around cookie “flavors,” so let’s go through a quick refresher.

Cookies can be first-party cookies (which are cookies you put there yourself, such as Google Analytics) or third-party cookies (which are set by a third-party server, like that social media share button you add to your blog posts). They generally fall into three categories:

• Session cookies, which are used to track movement within a website and are only active during a user’s site visit. If they leave the site or close their browser, the cookie is deleted.

• Persistent cookies, which are used to remember language preferences, login credentials, payment information, permanent shopping carts, targeted ads, etc.

• Flash cookies, appropriately called zombie cookies, are very hard to kill. Even if you delete all cookies in your browser, this browser-independent undead cookie will live to track another day.

Some cookies are generated by the ever-present website banners. These include:

• Strictly necessary: Cookies needed for a website to function properly. 

• Advertising: Cookies designed to collect information from you that directs advertisements to you based on presumed interest. 

• Analytic: Cookies that track how users navigate and interact with a website.

• Functional: Similar to strictly necessary cookies, functionality cookies help the website remember your preferences and provide requested services.   

Cookies In Privacy Law

Thanks to a continually growing body of privacy regulations, as a site owner, you’re responsible for the cookies that set up shop on your users’ browser (whether you put them there or they came embedded with tools). Additionally, regulations like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) require businesses to both notify consumers of what cookies their site has and give consumers a right to opt out of cookies collecting their information. 

The GDPR and CCPA don’t apply to each and every business, but that kind of thinking can lead you down a risky compliance path. Not only do these regulations reflect the fact that privacy is top-of-mind for consumers, but they’re also influencing the larger regulatory environment. Many of the standards set in these two regulations are influencing other proposed legislation fueled by an increasingly effective privacy rights movement.

That means you'd better know what your cookies are doing so you don’t get caught with your hand in the cookie jar.

How To Organize Your Cookie Strategy

Don’t be scared, though. There are some practical steps you can take so your cookies work for, not against, you.

1. Conduct cookie audits.

Before you do anything else, you need to know what cookies are on your site and what they are doing. Whether you do it yourself or hire someone, you need to be able to answer the following questions: 

• Do I know where all my cookies came from?

• What type of data does each cookie collect and why? 

• Does any collected data contain personally identifiable information?

• Is the collected information going to a third-party vendor?  

Cookies that don’t have an expiration date, track users through sensitive areas or are installed without consent are all compliance and security red flags.

2. Establish your consent policy.

Quality cookie consent and notice banner management systems can be found for as little as $10 per month, but the banner alone isn’t enough. You also need to decide how your users get to interact with your cookie policy. You have two options:

Informed consent: Informed consent means your site automatically activates necessary cookies and then asks users to learn more about the policy. If they move on and browse, even without reading your policy, consent is implied.  

Opt-in consent: The consumer-first cookie management approach is opt-in consent. Explicitly required by the GDPR for everyone and by CCPA for children under 16, opt-in consent fires only strictly necessary cookies and then requires users to select which of your other cookies they are OK with.

3. Inform users about any third-party data sharing.

Ad retargeting services, social media share buttons and live chat pop-ups can differentiate your website, but they also leave a lot of third-party cookie crumbs behind. That doesn’t mean you can’t use them, but make sure you know exactly what they are doing, and pass that information, clearly and explicitly, to your users.
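
The three steps above, sketched as an added example (not part of the original article): a Python audit that takes Set-Cookie headers captured on a first page load, before the visitor has touched the banner, and labels each cookie with the article's own terms. The site name, cookie inventory and captured headers are constructed sample data, and "third-party" is simplified to "sent by a host outside the site's domain"; under opt-in consent, anything other than a strictly necessary cookie at this point is flagged.

```python
# Added example: constructed site, inventory and capture (not real data).
SITE = "shop.example"

# Step 1 output: cookie name -> banner category used in the article.
INVENTORY = {
    "session_id": "strictly necessary",
    "_ga": "analytic",
    "ad_uid": "advertising",
}

# (host that sent the header, Set-Cookie value), recorded before any consent.
CAPTURED = [
    ("shop.example", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "_ga=GA1.2.111; Max-Age=63072000; Path=/"),
    ("ads.tracker.example", "ad_uid=u-789; Max-Age=31536000; Path=/"),
    ("chat.widget.example", "chat_vis=1; Path=/"),
]

def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit(site, inventory, captured):
    """Label each pre-consent cookie and list what needs follow-up."""
    rows = []
    for host, header in captured:
        name, attrs = parse_set_cookie(header)
        first = host == site or host.endswith("." + site)
        persistent = "max-age" in attrs or "expires" in attrs
        category = inventory.get(name, "unknown")
        flags = []
        if category == "unknown":
            flags.append("not in inventory")            # step 1 gap
        elif category != "strictly necessary":
            flags.append("set before consent")          # step 2 violation
        if not first:
            flags.append("disclose third-party sharing")  # step 3
        rows.append({"name": name, "category": category, "flags": flags,
                     "party": "first-party" if first else "third-party",
                     "lifetime": "persistent" if persistent else "session"})
    return rows

if __name__ == "__main__":
    for row in audit(SITE, INVENTORY, CAPTURED):
        print(row)
```
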

Baking With All The Ingredients

Even if you don’t have to clean up your cookie notice policy for compliance reasons, it could save you time, money and stress to review it to make sure it’s consumer-friendly and aligned with industry best practices. 

