As ubiquitous as so-called “cookies” are in the operation of the Internet, their use and the rules that govern their use are generally poorly understood. What even *is* a cookie? What are they used for? Can you really get in trouble with legal authorities for using them on your website? What’s allowed and what’s not?
But no one wants to break the law and incur costly penalties, both fines and the loss of reputation in the marketplace.
This guide will help you understand how cookies are used, which cookie laws are important to follow, and how organizations like yours are managing cookie compliance.
What are cookies, anyway?
We’ll keep this quick because you probably have a general idea at this point, but essentially cookies are small data files that a website has the browser store on the device that accesses the site. That way, while the device is on the site, and often the next time that device visits, the site can recognize the device and gather information about what it is doing or did in the meantime.
There are many different ways of categorizing cookies, but there are three primary distinctions that matter the most:
- Session vs. Persistent: Does the cookie automatically delete when the device stops accessing the website or does it stick around until the next visit and beyond?
- Necessary vs. Elective: Does the site need the cookie in order to operate correctly (such as allowing you to put items in an online shopping cart to save for later) or is the cookie performing some other task like allowing users to shape their experience or marketers to track their activity?
- First-party vs. Third-Party: Is your organization dropping the cookie or is the cookie being dropped on behalf of a marketing partner or other outside organization? FYI: You are the “first party,” the user of your site is the “second party,” and any other organization is the “third party” — in case you wondered how that term worked.
As we discuss how to legally deploy cookies, you’ll find these distinctions come up over and over again. Whether a cookie is a first-party, necessary session cookie, or a third-party, elective persistent cookie makes a big difference!
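To make the three distinctions concrete, here is an added example (not code from the original article) that classifies Set-Cookie headers by lifetime, party and purpose and marks which ones should wait for consent; the sample headers, hosts and the list of necessary cookie names are constructed assumptions.

```javascript
// Added example, not from the original article: classify Set-Cookie headers. Sample data is constructed.
// Approximate a host's "site" by its last two labels. Assumption: a real implementation
// should consult the Public Suffix List (e.g. for co.uk domains).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Split "name=value; Attr=val; Flag" into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// siteHost: the page the visitor is on; responseHost: the host whose response carried this
// Set-Cookie; necessaryNames: names the operator classified as strictly necessary (a policy input).
function classifyCookie(header, siteHost, responseHost, necessaryNames) {
  const { name, attributes } = parseSetCookie(header);
  // RFC 6265: Max-Age or Expires makes a cookie persistent; otherwise it ends with the session.
  const persistent = "max-age" in attributes || "expires" in attributes;
  // Third-party if it was set by a different site than the one being visited.
  const thirdParty = registrableDomain(responseHost) !== registrableDomain(siteHost);
  const necessary = necessaryNames.has(name);
  return {
    name,
    lifetime: persistent ? "persistent" : "session",
    party: thirdParty ? "third-party" : "first-party",
    purpose: necessary ? "necessary" : "elective",
    // Policy assumption: everything except strictly necessary cookies waits for consent.
    requiresConsent: !necessary,
  };
}

// Constructed sample: two first-party cookies and one set by an ad partner's response.
function classifySample() {
  const site = "shop.example.com";
  const necessary = new Set(["sessionid", "cart"]);
  return [
    ["sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax", site],
    ["cart=7,42; Max-Age=2592000; Path=/; Secure", site],
    ["_tracker=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; SameSite=None; Secure", "ads.example.net"],
  ].map(([header, from]) => classifyCookie(header, site, from, necessary));
}
```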
What are cookie laws, and who has passed them?
The first data protection law was enacted in Germany in 1970. Since then, the European Union has led the rest of the world in data protection and online privacy legislation. The first comprehensive data protection regulation, the EU Directive on Data Protection, was passed in the European Union in 1995 and covered the collection, use, transfer, and security of personal information of residents of any European Union country.
Then, in 2011, the EU passed the E-Privacy Directive — often called the Cookie Directive — which regulated the placement of digital files on digital devices.
Most recently, in 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect, establishing core principles to govern the collection of personal information, along with strict penalties for violations of those principles. In combination with the E-Privacy Directive, the GDPR classifies any data created by an identifiable person as personal data and requires consent before collection of that data, along with granting people a number of rights to access, delete, correct, and object to the collection of their personal data.
This ushered in a wave of privacy legislation around the globe, as other countries sought to continue doing business with the European Union and as digital privacy moved to the front of mainstream conversation: with fully digital lives, personal data has become extremely valuable and can be extremely sensitive.
Other important laws that affect cookie use include:
The California Privacy Rights Act (CPRA)
An update to the California Consumer Privacy Act (CCPA) that comes fully into effect on January 1, 2023, the CPRA classifies online activity data as personal data and tightly regulates its use, allowing California residents to opt out of the collection, sale, and sharing of their data and to request access to their personal data, among other rights. If your cookies are being used to track activity, they are covered under the CPRA.
The Virginia Consumer Data Protection Act (VCDPA)
Also coming into effect on January 1, 2023, the VCDPA allows consumers to opt out of targeted advertising, profiling, and the sale of personal data. If your cookies are being used to collect information that allows ads to be targeted, to build a profile of a customer, or to enable the sale of their data down the road, they are covered by the VCDPA.
The Connecticut Data Privacy Act (CTDPA)
Coming into effect on July 1, 2023, the CTDPA similarly allows consumers to opt out of targeted advertising, the sale of personal data, and profiling that leads to “significant effects,” such as a different price on a product or different services being offered.
The U.K. Data Protection Act
Once the United Kingdom left the European Union, it needed a law to mimic the GDPR in order to continue sharing data with the EU. The UKDPA is virtually the same as the GDPR.
Brazil’s LGPD
Short for Lei Geral de Proteção de Dados Pessoais, the LGPD is often referred to as the Brazilian GDPR. It conveys largely the same rights regarding personal data and similarly penalizes organizations that don’t allow people to access their data. For all intents and purposes, the EU’s cookie rules are the same as Brazil’s cookie rules.
South Korea’s PIPA
One of the world’s oldest and strictest privacy laws, South Korea’s Personal Information Protection Act (PIPA) was among the first, in 2011, to impose significant penalties for the mishandling of personal data. While cookies aren’t expressly mentioned in the act, it is similar to the GDPR in that cookies that collect personal information require consent.
China’s PIPL
The Personal Information Protection Law (PIPL), passed by China in 2020 and now in force, is among the most stringent privacy laws in the world. In particular, it requires consent for the collection of personal data, and there are very specific conditions under which you are allowed to move personal data outside the country’s borders. If your cookies collect personal data and transmit it back to a server in another country, that could be a considerable problem. Major violations of the law can mean a fine of up to 5% of your annual revenue or roughly $7.5 million, whichever is higher. There can also be fines of up to about $150k for individual members of your executive team or employee base. You may even have to directly compensate affected parties.
Japan’s APPI
While Japan doesn’t address cookies specifically, and the Act on the Protection of Personal Information (APPI) has only rarely been enforced against non-Japanese organizations, it’s generally believed that data collected by cookies falls under personally referable information and that you need consent to transfer that data out of the country.
If you market to the European Union and the broader European Economic Area, the GDPR applies. Similarly, if you market to Brazilians or South Koreans, the LGPD and PIPA apply. In China and Japan, the enforcement of the law is still developing, but there is some possibility that you don’t even need to explicitly market to people living in those countries for the laws to apply. If you collect the data of people living there, you need to care for it according to their laws.
The U.S. state laws generally apply only to for-profit businesses and have thresholds, such as the number of residents whose information you collect, your annual revenue, or other benchmarks, that determine whether they apply. If you are unsure whether these laws apply to you or will apply to you, you should consult a data-privacy-focused lawyer.
Further, everyone who pays attention to privacy laws generally agrees: We will have more states and countries with cookie laws in the future and they will mostly be in agreement with each other.
As the United Nations notes, there are currently 137 countries with at least some data privacy legislation on the books. Not all of them regulate privacy in the same way, or regulate cookies in the same way, but most are coming around to the basic idea that you should ask for consent before collecting data about someone and that you should get some kind of consent (even if it’s opt-out) before you place persistent cookies on a device.
Most organizations of any size are deciding to build a cookie compliance program that assumes all of the privacy laws apply to them wherever they do business at all, because it can be very difficult to know exactly where customers are when they engage with your website.
How do I comply with cookie laws?
Websites that are operated solely in the United States or other countries not covered by the GDPR, and don’t do business in the states that have passed privacy laws, may include a statement warning users that the site is intended only for residents of certain countries. Even if a company is willing to ignore millions of potential customers, however, there is no guarantee that such a warning would be sufficient to avoid possible penalties if the company knowingly collects information about users in EU countries or in states like California, Virginia, and Connecticut.
Cookie compliance is largely handled via so-called “cookie banners” or “cookie notices,” which alert visitors to the fact that cookies will be placed as soon as they land on the site, and allow visitors either to agree to those cookies being placed (by clicking a button to make the banner go away) or to customize their experience by clicking through to a dashboard and selecting those cookies (if any) they are comfortable with.
Some organizations may choose to develop this cookie management system on their own, especially if they are a tech-focused company with coding and IT skills in-house. However, crafting a cookie notice that complies with not only the GDPR, the LGPD, and other international laws, but also respects user privacy choices in the United States, is not only difficult but also a moving target.
Fortunately, ready-made cookie disclosures and management systems are available. Osano Consent Manager, for example, is designed to comply with the GDPR, LGPD, and aspects of current U.S. state laws, updated as new privacy laws are passed and come into force.
What are the penalties for not complying with cookie laws?
The GDPR authorizes supervisory authorities to impose various penalties, including:
- Ordering a temporary or permanent ban on collecting data of EU residents.
- Ordering the processor to erase data processed in violation of the law.
- Banning the transfer of data to certain countries.
- Imposing significant fines — as much as 2% or 4% of a company’s annual revenues.
The CPRA creates a new privacy enforcement agency and empowers the attorney general’s office and municipal attorneys to:
- Impose fines of up to $2,500 per infraction.
- Impose fines of up to $7,500 for what are deemed intentional infractions.
Other international and state laws impose, or will impose when they come into force, similarly large fines and penalties.
With implementation of cookie policies now a relatively straightforward task, and the consequences for non-compliance so large, most organizations are rightly making the decision to implement cookie banners and notices that allow them to comply with a broad set of privacy laws.
Given the global nature of business today, websites are available to just about everyone across the world, and you never know where your next customer will come from. It’s best to make them feel comfortable that you care about their privacy and are doing your best to make sure they have an experience that is legal and that they can trust.