Cookies and Compliance: What You Need to Know

The successful use of online cookies has become increasingly valuable to organizations as they attempt to enhance user experience and deepen their understanding of existing and potential consumer bases. However, both consumers and regulatory bodies continue to raise privacy concerns about cookies, since their purpose is to track and store online consumer behavior. There is a great deal of confusion surrounding what the General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and European Data Protection Board (“EDPB”) have published on the use and disclosure of cookies. To address that confusion, we have answered some of our clients’ most frequently asked questions concerning cookies and regulatory guidance.

Cookies Explained
Q: What is a cookie?
A cookie is a small text file containing a series of letters and numbers (e.g., ID=96352398) that is processed and stored by a web browser on the user’s computer to remember information about the user and customize the user experience.

Q: How do cookies work?
A cookie comes from the web server that hosts the web page a user is visiting. The cookie is delivered to the user’s web browser and written to the device’s hard drive, and the web server keeps a matching record so that it can recognize the user on return. Cookies help websites create a more personalized user experience by storing and remembering information such as login details, language preferences, or online shopping cart items. Depending on whether it is a session cookie or a permanent (persistent) cookie, a cookie may expire when the browser is closed or after a set period of time.

For example, if a user orders a book on Amazon, they will fill out a web form with their name and address details. In that process, Amazon assigns the user a unique ID, the cookie. Amazon stores the user’s information with that ID in the database on its server and sends the ID to the user’s browser as a cookie. The user’s browser stores the ID on the user’s hard drive. The next time the user visits, the ID is communicated back to the server. The server looks up the user by their ID, customizes the web page based on the stored information, and sends those details back to the user. The page might then greet the user by name, retrieve important information, or display relevant ads.
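The mechanism just described, as an added example that is not part of the original article and is not Amazon’s implementation: the server issues an opaque session ID, stores the user’s details under that ID on its own side, and returns the ID to the browser in a Set-Cookie header; on the next visit it reads the ID back out of the Cookie request header and looks the user up. The in-memory SESSION_STORE, the cookie name ID, and the sample user records are assumptions for illustration. The session-versus-persistent distinction is made by the presence of a Max-Age attribute, and the Secure, HttpOnly and SameSite attributes limit how the identifier can be exposed.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side store: opaque session ID -> user record.
# The personal data lives here, on the server; only the ID goes to the browser.
SESSION_STORE = {}


def issue_session_cookie(user_record, persistent=False, max_age=30 * 24 * 3600):
    """Server side of the first visit: create an unguessable ID, store the
    user's details under it, and build the Set-Cookie header value to send."""
    session_id = secrets.token_urlsafe(24)  # random; never derived from user data
    SESSION_STORE[session_id] = user_record

    cookie = SimpleCookie()
    cookie["ID"] = session_id
    cookie["ID"]["path"] = "/"
    cookie["ID"]["secure"] = True      # only sent over HTTPS
    cookie["ID"]["httponly"] = True    # not readable by page scripts
    cookie["ID"]["samesite"] = "Lax"   # not attached to most cross-site requests
    if persistent:
        # Permanent cookie: survives closing the browser until Max-Age elapses.
        cookie["ID"]["max-age"] = max_age
    # Without Max-Age/Expires it is a session cookie, discarded on browser close.
    return session_id, cookie["ID"].OutputString()


def parse_cookie_header(header):
    """Parse a 'Cookie:' request header ('a=1; b=2') into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def lookup_user(cookie_header):
    """Server side of the return visit: read the ID and find the stored record.
    Returns None for a missing, expired or unknown ID."""
    session_id = parse_cookie_header(cookie_header).get("ID")
    if not session_id:
        return None
    return SESSION_STORE.get(session_id)


def personalize(cookie_header):
    """Build the greeting the page would show, based on the stored record."""
    record = lookup_user(cookie_header)
    if record is None:
        return "Welcome, guest"
    return f"Welcome back, {record['name']}"


if __name__ == "__main__":
    # Constructed sample: a first visit issues the cookie, a return visit presents it.
    sid, set_cookie = issue_session_cookie({"name": "Ada", "lang": "en"}, persistent=True)
    print("Set-Cookie:", set_cookie)
    print(personalize(f"ID={sid}; theme=dark"))
    print(personalize("theme=dark"))
```

The browser only ever holds the random ID; the name and address stay in the server-side record, which is why the cookie itself is small and why deleting it on the client simply turns the next visit into an anonymous one.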

Q: Are there different kinds of cookies?
Yes. A cookie generally falls under one of the following four categories:

Strictly Necessary Cookies are a website’s basic form of memory, used to store the preferences of a user on a given site. These cookies are essential for the provision of a site and any requested services, but do not perform any additional or secondary function. These cannot be disabled by users as they are essential to the website’s functionality.

Performance Cookies are used to enhance the performance and functionality of a website but are not essential to its use. These cookies provide statistical information on site usage, i.e., web analytics. These may be used to count visits and traffic sources and to measure and improve site performance.

Functionality Cookies allow websites to remember the user’s site preferences and choices they make on the site including username, region, and language. These cookies can remember user preferences to boost user experience on a website.

Targeted/Ad Cookies are used to customize a user’s ad experience on a website. They can prevent a specific ad from appearing repeatedly, remember user ad preferences, and tailor ads based on user activities. Third parties often set them, and these cookies present the highest privacy risks to visitors.

Cookies and Privacy
Q: Are cookies considered Personal Information (“PI”)? Do they store PI?
Yes, both the GDPR (Recital 30) and the CCPA (Section 1798) explicitly name cookies within the scope of personal information under each respective regulation.

Depending on context, cookies may store certain types of PI as needed to provide functionality; Functionality Cookies, for example, may store PI. There is varying research about the limits (or lack thereof) on the data that cookies can store. It is therefore important to understand the purposes behind the different types of cookies and the mechanisms by which they may interact with PI.

Q: What are the key regulatory requirements as they relate to cookies?
Under the GDPR, consent must be a clear affirmative action, such as ticking an opt-in box, clicking an accept button, or choosing specific settings from a drop-down menu. Pre-ticked boxes are not allowed on consent forms and can result in penalties.

Although the GDPR does not state specific requirements for public privacy or cookie notices, typically, GDPR cookie compliance is achieved on websites through cookie banners that allow users to select and accept certain cookies for activation rather than others when visiting a site.

Under the CCPA, cookie consent is based on an opt-out mechanism: websites can use cookies without prior consent but must provide consumers with a simple way to opt out of the sale of their data via cookies at any time. In addition, the CCPA states specific requirements for written cookie policies. A CCPA-compliant cookie policy must include the categories of personal information collected on the website, information about the third parties with whom this information is shared, the types of cookies and other tracking technology used, and a description of consumer rights and how to exercise them.

Q: Closing a cookie banner or “cookie wall” … what does this mean in terms of the GDPR and the CCPA?
Under the GDPR, consent must be a clear affirmative action. Therefore, simply clicking to close a cookie banner, or a pre-ticked check box, does not appear to meet the EU standard. Moreover, on May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines on GDPR compliance that clarify what constitutes valid consent for personal data processing in the EU and confirm that using “cookie walls” (pop-ups placed on a website to inform users about its cookie use without offering a reject option) as a way of obtaining consent is non-compliant. The EDPB guidelines clarify that only a freely given, specific, informed, and unambiguous indication of the user’s wishes constitutes valid consent. In other words, a website must give users a clear choice about consenting to all cookies (and equivalent tracking mechanisms) before it uses them to process users’ personal data.

Under the CCPA, cookie consent is based on an opt-out mechanism, meaning websites can use cookies without prior consent, and a simple cookie banner or cookie wall is sufficient.
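The two consent models described above, as an added example that is not from the original article and not the behavior of any particular consent-management product: a small gate that decides whether a cookie of a given category may be set, given how the visitor interacted with the banner. Under the GDPR branch, only an affirmative choice enables a non-essential category, so dismissing the banner (or a pre-ticked default) enables nothing; under the CCPA branch, non-essential categories are allowed until the consumer opts out. The category names, the banner actions (dismiss, accept_all, save_choices, opt_out) and the ConsentRecord structure are assumptions for illustration, not regulatory terms.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Cookie categories used on the page; only the first is exempt from consent.
ESSENTIAL = "strictly_necessary"
NON_ESSENTIAL = frozenset({"performance", "functionality", "targeting"})


@dataclass
class ConsentRecord:
    """Hypothetical consent record kept per visitor to evidence the choice made."""
    regime: str                       # "gdpr" (opt-in) or "ccpa" (opt-out)
    action: str                       # what the visitor did on the banner
    opted_in: frozenset = frozenset()   # categories affirmatively enabled (GDPR)
    opted_out: frozenset = frozenset()  # categories declined (CCPA)
    recorded_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def consent_from_banner(regime, action, choices=None):
    """Translate a banner interaction into a ConsentRecord.

    dismiss      - visitor closed the banner without choosing anything
    accept_all   - visitor clicked an explicit 'accept' control
    save_choices - visitor enabled specific categories in a preference center
    opt_out      - visitor used a 'do not sell/share' or reject control
    """
    choices = frozenset(choices or ())
    if regime not in ("gdpr", "ccpa"):
        raise ValueError(f"unknown regime: {regime}")
    if action == "dismiss":
        # Closing the banner is not a choice in either model: nothing changes.
        return ConsentRecord(regime, action)
    if action == "accept_all":
        return ConsentRecord(regime, action, opted_in=NON_ESSENTIAL)
    if action == "save_choices":
        # Only the categories the visitor actually ticked; defaults are never assumed.
        return ConsentRecord(regime, action, opted_in=choices & NON_ESSENTIAL)
    if action == "opt_out":
        # Opt-out with no specific choices means all non-essential categories.
        return ConsentRecord(regime, action,
                             opted_out=(choices & NON_ESSENTIAL) or NON_ESSENTIAL)
    raise ValueError(f"unknown banner action: {action}")


def may_set_cookie(category, consent):
    """Decide whether a cookie of this category may be set for this visitor."""
    if category == ESSENTIAL:
        return True                       # always permitted, cannot be disabled
    if category not in NON_ESSENTIAL:
        raise ValueError(f"unknown cookie category: {category}")
    if consent.regime == "gdpr":
        # Opt-in: silence, dismissal or a pre-ticked box is not consent.
        return category in consent.opted_in
    # CCPA opt-out: permitted unless the consumer has opted out of it.
    return category not in consent.opted_out


def permitted_categories(consent):
    """The full set of categories the site may use for this visitor."""
    return {c for c in (ESSENTIAL, *sorted(NON_ESSENTIAL)) if may_set_cookie(c, consent)}


if __name__ == "__main__":
    # Constructed sample interactions showing how the same click differs by regime.
    for regime in ("gdpr", "ccpa"):
        print(regime, "dismiss  ->", sorted(permitted_categories(consent_from_banner(regime, "dismiss"))))
        print(regime, "opt_out  ->", sorted(permitted_categories(consent_from_banner(regime, "opt_out"))))
```

The record carries the banner action and a timestamp so that the decision for any later cookie can be traced back to what the visitor actually did, which is the evidence a regulator would ask for.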

Q: Is a third-party cookie considered a “sale” under the CCPA?
The CCPA broadly defines “sale” to mean either:

“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for valuable consideration” or “sharing orally, in writing, or by electronic or other means, a consumer’s personal information with a third party, whether for valuable consideration or for no consideration, for the third party’s commercial purposes.”

Therefore, under the CCPA, a “sale” could mean that a business enables a third party to collect personal information in exchange for some consideration. For example, if a business places third-party cookies on its website, and that third party isn’t truly performing a service for the business, that may suggest that there is a sale. If the third party is considered a “service provider” under the CCPA, however, this may not be viewed as a sale. On the other hand, from a technical standpoint, some could argue that there is no sale because third-party cookies collect information for the third party directly which suggests that the business is not selling anything.

The CPRA helps clarify the question on whether placing a cookie could constitute a “sale” by adding “sharing”. The CPRA expands on the right to opt-out to include not only “sales” of PI (as it is now) but also sharing of PI.

Managing Cookie Consent
Q: What should the cookie consent management process look like?
Cookie consent management should be an ongoing, repeatable process. The first step is to determine your organization’s regulatory and business needs with regard to cookie management and consumer consent. Next, perform a cookie scan across all relevant web domains so that every cookie in use is identified. Based on the scan results and your in-scope compliance needs, it may then be necessary to add a cookie section to your privacy notice detailing the types of cookies used and their purposes, as well as a cookie banner and preference center to your website.

Organizations should aim to periodically perform cookie scans and identify changes over time, as cookie banners and privacy and cookie notices should be in line with changes to cookie practices on your website(s) and regulatory guidance. Enhancements to the cookie consent management plan should occur as regulatory guidance changes. In partnership with OneTrust, LevelUP can create customized cookie banners, enable preference centers, schedule recurring cookie scans, and auto-generate consent records to demonstrate compliance over time and provide a path forward for ongoing cookie consent management.
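What a cookie scan produces and why repeating it matters, as an added example that is not from the original article and is not OneTrust’s scanner: given Set-Cookie headers captured while crawling a site, the code below builds an inventory (name, domain, first- or third-party, session or persistent, security attributes) and diffs two inventories to surface cookies that appeared or disappeared between scans. The captured headers, host names and cookie names are constructed sample data, and the first/third-party test uses a simplification (the last two DNS labels) where a production scanner would consult the Public Suffix List.

```python
# Constructed sample capture: (host of the page being scanned, host that sent the
# response, Set-Cookie header value). A crawler would record these per response.
SAMPLE_CAPTURE = [
    ("www.example.com", "www.example.com",
     "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "www.example.com",
     "lang=en; Path=/; Max-Age=31536000"),
    ("www.example.com", "www.example.com",
     "analytics_id=u-4471; Domain=.example.com; Max-Age=63072000"),
    ("www.example.com", "tracker.ads-example.net",
     "adid=xyz; Domain=.ads-example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT; "
     "SameSite=None; Secure"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def registrable_domain(host):
    """Simplification for the example: treat the last two labels as the site.
    A real scanner uses the Public Suffix List (e.g. for co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def inventory(capture):
    """Build one inventory row per captured Set-Cookie header."""
    rows = []
    for site_host, response_host, header in capture:
        name, _value, attrs = parse_set_cookie(header)
        domain = str(attrs.get("domain", response_host)).lstrip(".")
        persistent = "max-age" in attrs or "expires" in attrs
        rows.append({
            "name": name,
            "domain": domain,
            # Third party if the cookie's domain is a different site from the page's.
            "party": "first" if registrable_domain(domain) == registrable_domain(site_host)
                     else "third",
            "lifetime": "persistent" if persistent else "session",
            "secure": attrs.get("secure") is True,
            "httponly": attrs.get("httponly") is True,
            "samesite": attrs.get("samesite", "not set"),
        })
    return rows


def diff_inventories(previous, current):
    """Identify cookies added or removed between two scans, keyed by name and domain."""
    key = lambda row: (row["name"], row["domain"])
    prev_keys = {key(r) for r in previous}
    cur_keys = {key(r) for r in current}
    return {"added": sorted(cur_keys - prev_keys), "removed": sorted(prev_keys - cur_keys)}


if __name__ == "__main__":
    rows = inventory(SAMPLE_CAPTURE)
    for row in rows:
        print(row)
    # Simulate a later scan in which the third-party ad cookie is new.
    print(diff_inventories(rows[:3], rows))
```

Each row of the inventory maps directly onto what the cookie section of a privacy notice has to disclose, and the diff is the signal that the notice and banner need updating: a new third-party persistent cookie appearing between scans is exactly the change a periodic scan is meant to catch.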

Q: How can we identify the cookies present on our domain?
Using the OneTrust Cookie Consent solution, LevelUP can make it easy for companies to scan their website for cookies. Download our list of tips for utilizing OneTrust’s Cookie Consent solution here.

Interested in learning more about our privacy and data protection services? Get in touch with us.
