Important Steps to Take When Considering a Cookie Manager
Investis Digital provides the important steps to take when considering a cookie manager.

Privacy regulations, data processing agreements and cookie rules are a positive sign of the internet becoming a better, safer and more respectful place for everyone. However, for companies that are required to implement these regulations and follow the prescribed rules, there is a lot of confusion about how to adhere to them in practice.

As any Data Protection Officer will tell you, the privacy regulation landscape has become a lot more complex over the past two years. While eventually there is likely to be more standardization in how privacy regulations are applied across the globe, this is a distant ideal that unfortunately won’t be realized for many years to come.

Until then, companies should be vigilant and keep a close eye on how the globe is being fractured into policy zones, each with its own flavor of privacy regulation and its own nuances in cookie management expectations. This can be especially problematic when addressing data protection measures. What counts as an appropriate way to protect data in one country can be very different from how data must be protected in another. In fact, the very definition of which data needs protecting can differ between policy zones. Confused already? It’s about to get worse.

Companies are stuck in the mire of the evolving regulations…and evolving they are! PECR (EU), CCPA (California), LGPD (Brazil), PDPB (India), GDPR (EU), CPLT (Chile), FDPA (Switzerland), Privacy Act (New Zealand), etc. In most of these regulations, there have been major and minor amendments over the past 12 months alone.

The problem would be easier to solve if the policy zone regulations applied strictly to those interacting with your content from within the same policy zone as your company, but they don’t. This problem is well illustrated by the humble company website. Unless your company blocks access to the website for any visitor outside a named policy zone, you need to consider the policy zone that the site visitor is browsing from. You cannot assume the site visitor is from a policy zone you prefer to work with. In other words, an EU-based company site doesn’t only need to consider the EU policy zone (where GDPR and PECR apply), but also the other policy zones its visitors could be browsing from. In the U.S., the same applies. Just because you think you’re serving mainly a U.S. audience doesn’t mean you can ignore the regulations of the other policy zones.

Then we add browser cookies into the mix and the problem gets even more complex. With cookies, getting consent from the site visitor before loading the cookie (depending on the policy zone of the site visitor) is just part of the challenge. Schrems II (a ruling by the Court of Justice of the EU in July 2020) showed that, irrespective of whether consent was provided for loading cookies, if those cookies were being used to transmit data to the U.S., they probably shouldn’t be loaded at all. What the industry previously took for granted about compliance in data transfers between countries (including data transferred through cookies) was clearly not as robust as we thought. The use of Google Analytics, the favored and cost-effective way to understand the traffic on a website, has now been put into question for EU-based companies simply because the site visitor’s data is sent outside the EU and into the U.S. for processing. Real fines, not just the threat of fines, are being applied to companies that do not toe the line, and companies are often not aware of where the line is that they need to toe! A few years ago, who would have thought that EU-based companies could be fined for loading Google Analytics cookies? The very foundations of how website performance is analyzed have been shaken. In the coming months and years, further surprises will await.

So, now you expect this blog to reveal the answers to the problems and challenges I’ve mentioned. Well, I can certainly answer the predominant question I hear from companies every day: what does a compliant cookie manager look like, given that a non-compliant one could result in your company being fined by the regulators? But for the wider concerns of companies faced with evolving privacy standards, there is no easy answer. Your choices are either to partner with a company that has its finger on the pulse of privacy regulations, or to put time into researching the latest amendments across the increasing number of policy zones that appear each year.

As for the important aspects to consider when choosing a cookie manager, it’s quite simple.

  • Step 1: First you need to consider the policy zones which impact you. Looking at where your website visitors are coming from is the first step in this process. Once you have identified which policy zones to solve for, your cookie manager needs to be able to alter its behavior depending on where a site visitor is browsing from. In some policy zones you need to prevent non-essential cookies from loading until the site visitor consents; in other policy zones you can load all cookies before consent is provided.
  • Step 2: You need to consider whether your website processes / stores personal data in the cookies it uses. If you’re not sure, then it’s safer to err on the side of caution and assume there’s at least some level of personal data processed (this can include IP addresses or anything which could be used to identify an individual). If personal data is processed, then the consent to load cookies needs to be recorded. In addition, the wording within the cookie policy at the time consent was provided needs to be recorded too.
  • Step 3: Your cookie manager must not steer a site visitor towards consenting to cookies. Both the “accept cookies” and “decline cookies” selections must have equal weight; you can no longer make it more difficult for a site visitor to decline cookies than to accept them.
  • Step 4: A site visitor must be able to withdraw the previous consent they provided in a way that is as easy as when they first provided consent.
  • Step 5: The site visitor needs to be able to consent to non-essential cookies loading at a granular level. For example, they may decide to load performance-related cookies but not targeting-related cookies.
  • Step 6: Make sure your cookie policy accurately reflects the full set of cookies loaded on your site and is worded in a way which explains why these cookies are being used.
  • Step 7: Lastly, and very importantly, consider the use of third-party cookies. Cookie managers can manage first-party cookies with ease. But when it comes to third-party cookies loaded after the site visitor expresses a consent preference, the situation is more challenging, as these cookies are not loaded immediately but could be loaded later. A good example is an embedded third-party video player, which may load cookies only when the site visitor clicks “play”. In this case it is not always possible to block these cookies from loading. We recommend a full site audit to identify where third-party cookies are used, so that decisions can be made on how to deal with each case.
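The seven steps above describe behaviour, not code, so the following is an added example (not code from Investis Digital or from any cookie manager product) that models them in plain JavaScript. The policy-zone table, the cookie manifest and the in-memory cookie store are constructed stand-ins: a real deployment would derive the visitor's zone from a server-side geo-IP lookup and read and write `document.cookie`, and the per-zone rules here are illustrative values, not legal advice. It covers all seven steps in one model: zone-dependent gating (Step 1), an append-only consent log that snapshots the policy wording in force (Step 2), accept-all, decline-all, granular choice and withdrawal as single calls of equal weight (Steps 3 to 5), a manifest the policy and the purge list are both driven from (Step 6), and a deferred loader for third-party embeds such as a video player (Step 7).

```javascript
// Added example: a framework-free consent model for the seven steps.
// Zone detection, the manifest and the cookie store are constructed stand-ins.

// Step 1: per-zone rules (assumed, illustrative values only).
const POLICY_ZONES = {
  EU: { priorConsentRequired: true },   // block non-essential cookies until consent
  US: { priorConsentRequired: false },  // may load before consent, must honour a decline
};

// Step 6: every cookie the site can set, with its category and who sets it.
// The cookie policy text and the purge logic are both generated from this list.
const COOKIE_MANIFEST = [
  { name: 'session_id', category: 'essential',   party: 'first' },
  { name: '_perf',      category: 'performance', party: 'first' },
  { name: 'vid_track',  category: 'targeting',   party: 'third' }, // set by an embedded player
];
const NON_ESSENTIAL = ['performance', 'targeting'];

// Stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentManager {
  constructor({ zone, policyVersion, policyText, store, now = () => Date.now() }) {
    if (!POLICY_ZONES[zone]) throw new Error(`unknown policy zone: ${zone}`);
    Object.assign(this, { zone, policyVersion, policyText, store, now });
    this.records = [];   // append-only consent log (Step 2)
    this.deferred = [];  // third-party loaders waiting for consent (Step 7)
  }

  latest() { return this.records.length ? this.records[this.records.length - 1] : null; }

  // Step 2: each decision is stored with the zone and the policy wording in force.
  record(choices) {
    const rec = { at: this.now(), zone: this.zone, policyVersion: this.policyVersion,
                  policyText: this.policyText, choices: { ...choices } };
    this.records.push(rec);
    this.applyChoices(rec.choices);
    return rec;
  }

  // Steps 3 and 5: accept-all, decline-all and a granular choice are each one call.
  acceptAll()  { return this.record(Object.fromEntries(NON_ESSENTIAL.map(c => [c, true]))); }
  declineAll() { return this.record(Object.fromEntries(NON_ESSENTIAL.map(c => [c, false]))); }
  choose(partial) {
    const choices = {};
    for (const c of NON_ESSENTIAL) choices[c] = Boolean(partial[c]); // unspecified = declined
    return this.record(choices);
  }
  // Step 4: withdrawing is the same single call as consenting.
  withdraw() { return this.declineAll(); }

  // Step 1: whether a category may load depends on the zone and the recorded choice.
  mayLoad(category) {
    if (category === 'essential') return true;
    const rec = this.latest();
    if (rec) return rec.choices[category] === true;
    return !POLICY_ZONES[this.zone].priorConsentRequired;
  }

  // Step 7: a third-party embed registers a loader instead of loading at once;
  // the loader runs only once its category is permitted (e.g. on a later "play").
  registerDeferred(category, loader) {
    const entry = { category, loader, loaded: false };
    this.deferred.push(entry);
    this.flushDeferred();
    return entry;
  }
  flushDeferred() {
    for (const e of this.deferred) {
      if (!e.loaded && this.mayLoad(e.category)) { e.loader(); e.loaded = true; }
    }
  }

  // After every decision: run newly permitted loaders, then purge cookies whose
  // category is now declined. A third-party script already on the page cannot be
  // unloaded (the article's Step 7 caveat), but its cookies are removed.
  applyChoices(choices) {
    this.flushDeferred();
    for (const c of COOKIE_MANIFEST) {
      if (c.category !== 'essential' && !choices[c.category]) this.store.remove(c.name);
    }
  }
}

// Usage: an EU visitor, a deferred video embed, granular consent, then withdrawal.
const demoStore = new MemoryCookieStore();
const demo = new ConsentManager({ zone: 'EU', policyVersion: 'v3',
  policyText: 'Cookie policy text as shown to the visitor (constructed)', store: demoStore });
demo.registerDeferred('targeting', () => demoStore.set('vid_track', 'constructed'));
demo.choose({ performance: true });                 // targeting stays blocked
console.log('targeting may load:', demo.mayLoad('targeting'), 'records:', demo.records.length);
```

The design point is that the manifest is the single source of truth: the policy page, the consent categories and the purge-on-withdrawal list are all derived from it, so an audit that adds a newly discovered third-party cookie to the manifest fixes all three at once.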

Whether you are a customer of Investis Digital or not, please get in touch at [email protected] if you have questions. The privacy regulation and cookie management landscape can be frightening to face alone.