Data Mapping: Frequently Asked Questions
Most people find data privacy compliance to be complicated enough....Read Now
December 27, 2023
Understanding cookies and consent management is an important step to becoming compliant with modern data privacy regulations, but there’s another piece of the puzzle: Cookie governance.
Good cookie governance is what differentiates the inefficient from the efficient when it comes to cookie consent management. Once you master the cookie governance lifecycle, many downstream compliance activities become much, much easier. In this article, we’ll walk you through the steps to robust cookie governance.
How do you ensure that the data tracking technology you add to your website is above board? Do you know where those trackers are sending your users’ data? Have your vendors’ changed their data collection processes recently? Do your users know what trackers are active on their website, and have they given informed consent?
In essence, cookie governance is your approach to answering questions like these. Cookie governance is the set of processes that enable you to ensure your cookie lifecycle is healthy, adheres to data minimization and purpose limitation, and complies with data privacy regulations.
Rather than let anybody and everybody add cookies to your website, you should engage in a defined process that helps you keep track of cookies on your site and watch out for any egregious or unexpected data processing associated with a cookie. If you follow these seven steps, you’ll be well on your way to a proactive cookie governance process.
In organizations with poor cookie governance, this step is usually skipped. Nobody “requests” to add new cookies to the site; they just go ahead and do it. That can cause a whole lot of problems down the line with consent management, privacy notices, subject rights requests, and more. Ideally, you should have a standardized procedure for receiving new cookie requests.
New cookie requests will typically come from internal stakeholders, such as members of the marketing or development teams. Sometimes, such a request might come from third-party service providers and vendors, as well. Cookie requests should include information on the purpose of the cookie, the types of data it will collect, the intended duration of storage, and other criteria as needed. If the cookie is associated with a new vendor, you’ll also want to conduct a thorough risk assessment.
If the cookie request is associated with a new vendor or if substantially changes how your organization collects and processes personal data, you’ll want to conduct a privacy impact assessment (PIA).
PIAs help you determine the impact that a data processing activity will have on consumer privacy and data protection rights. A PIA in this circumstance should take into account the type of data collected, the purpose of collection, and the risks associated. Not only does this exercise help you identify when a vendor and/or cookie presents unacceptable compliance risk, but it also provides documentation proving that you were accountable for your data privacy compliance obligations.
The biggest challenge associated with this step is often a lack of resources. Make sure you familiarize yourself with the privacy assessment process before you need to conduct an assessment, so you’re not scrambling to meet deadlines when the time comes. Often, data privacy platforms will include automated and streamlined assessment workflows to help you speed up and scale the assessment process, too.
Next, you’ll want to add the cookie to your website staging environment—this allows you to verify its functionality without affecting the live site.
Depending on the nature of the cookie, you might test to see if it’s collecting the appropriate information, if it fires or is blocked based on user consent preferences, or if it interferes with the functionality of any other scripts or cookies when it fires or is blocked.
At this stage, you’ll also want to make sure it’s accurately classified in your consent management solution, whether that’s a homegrown approach, an integration with your tag manager, or a consent management platform (CMP). Since certain jurisdictions require businesses to provide consumers with granular control over which categories of data trackers they consent to, you’ll need to define whether the cookie is essential or for marketing, analytics, or advertising purposes.
Once any issues have been identified and resolved, you can move your cookie to the production site. It’s always a good idea to monitor your site for problems following any changes you make.
If you’re subject to the GDPR, then you’re required to maintain a Record of Processing Activities (RoPA). However, even if you aren’t subject to the GDPR, then creating a RoPA or an equivalent data inventory will make it many times easier to demonstrate and maintain compliance.
RoPAs and data inventories document details about processing activities, such as what information your new cookie collects, how long that data is retained, and where it transfers that data. Much of this information should have been included in the initial cookie request, but you may need to do some work to identify relevant cookie details.
Creating a RoPA and/or data inventory from scratch can be tricky if done manually. Automated tools for data mapping and inventory can significantly accelerate this process.
Since website users are now being actively tracked by the new cookie, you need to make sure your public-facing documents reflect this tracking behavior. It could be that the specific data privacy law you’re subject to and the category of cookie you’ve used don’t require any updates; in that case, great! However, it’s still a best practice to check your privacy and cookie policies for accuracy.
Cookies and other data trackers can’t be something you set and forget. Conduct regular reviews of your vendor relationships on at least an annual basis to ensure their cookies still function as initially intended. This step in the cookie governance lifecycle also includes real-time monitoring for any security concerns, like data breaches; have there been any affected systems that store or process user data collected by one of your cookies?
Your organization might become subject to new laws with new requirements as well. If you’ve produced the documentation that the previous steps required, then you’ll be well on your way to confirming that you are compliant or making the necessary adjustments to get there.
While this process is achievable with a manual solution, it can easily become an untenable amount of work. Since cookie governance isn’t explicitly required by data privacy regulations, then it becomes tempting to let this whole process slip. Ultimately, that will result in the proliferation of cookies on your website whose functions you don’t understand or that you don’t even need in the first place. That leads to a slower website, less transparency for your consumers, and noncompliance.
Data privacy platforms can help automate many aspects of the cookie governance process. With Osano, you can:
Schedule a demo today to find out how Osano can support your privacy program and cookie governance process.
Are you seeking to take your privacy program to the next level or establish your first program? This model provides you with all of the essential elements, and gives you a score-based means of assessing your own privacy program maturity.Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.