By Anas Baig.
Data regulations such as the CCPA and GDPR are encouraging organizations to be responsible custodians of consumer data. In order to do so, organizations need to keep track of all avenues through which a consumer’s data can be collected and store it in compliance with the CCPA and GDPR. One of these avenues that is easily overlooked is the dropped cookies on an organization’s website.
When a user visits a website for the first time, the server assigns them a distinctive, user-specific identifier. This identifier is stored by the browser on the phone or computer it is running on. When the user returns to the website, the browser sends the cookie back to the server, allowing the website to recognize the user. In other words, cookies give the otherwise stateless HTTP exchange a kind of memory.
These cookies can be used to track a consumer’s behavior and therefore process their data and surfing habits. Privacy regulations require organizations to have a consent form set up on their websites that clearly states what cookies are being collected and how they will be used. Then the consumer decides if they want to give consent for these cookies or not.
Contrary to what some users may think, cookies are not inherently malicious. If an antivirus scan reports a tracking cookie, that cookie is not malware in the sense of viruses, worms, Trojans, spyware, adware, or ransomware; it is a small piece of data that a website uses to recognize the browser. Among the cookie regulations in force around the world, the CCPA and GDPR are the most extensive data privacy regulations, and each sets its own cookie consent requirements that organizations must comply with.
GDPR Cookie Consent Requirements
The GDPR requires organizations to obtain freely given consent from their consumers before they store or process any of their personal data, including data collected through cookies dropped on their website. Websites and apps used by visitors from the EU must implement a consent banner that complies with the GDPR, and that banner must satisfy several distinct requirements.
Under the GDPR, consumers must be fully informed about the types of cookies being stored and why they are being stored before they can give consent. Specifically, consent needs to be:
- Freely given: The consent must be given on a voluntary basis.
- Specific: The consent must relate to a particular purpose or item.
- Informed: The consumer must be fully aware of what they are consenting to.
- Unambiguous: The consumer must give either a statement or a clear affirmative act.
To meet the "informed" requirement, the cookie or privacy notice must also explain:
- What information is collected
- What you do with consumer information
- How you protect consumer information
- Whether you disclose any information to third parties
- How you store consumer information
- How users may access, port, or request rectification, restriction or deletion of their information
CCPA Cookie Consent Requirements
A CCPA-compliant cookie notice must tell visitors:
- What types of cookies are set in place
- How long these cookies persist on the user's browser
- What data and categories are tracked and collected
- For what purpose the data is collected
- Where the data is sent and with whom it is shared
- How to reject cookies, and how to subsequently change the status regarding the cookies
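The mechanism described above (the server hands the browser an identifier in a Set-Cookie header and the browser returns it on later visits) and the disclosure lists for both regulations come together in a cookie inventory. The following is an added example, not code from the article or from any particular consent-management product: it parses Set-Cookie headers following the RFC 6265 attribute grammar, derives the lifetime (session versus persistent) and third-party status that a notice has to disclose, and keeps non-essential cookies from being set until the matching consent category has been recorded. The cookie names, the category mapping, the sample headers, and the site host `www.example.com` are all constructed for illustration.

```javascript
// Added example (not from the article): build a cookie inventory from a site's
// Set-Cookie headers and gate non-essential cookies behind recorded consent.
// Cookie names, categories and the sample headers are constructed for
// illustration; attribute handling follows RFC 6265.

// Constructed mapping of cookie name -> consent category. A real site would
// maintain this from its own cookie audit.
const COOKIE_CATEGORIES = {
  sid: 'strictly-necessary',           // login session; exempt from consent
  consent_prefs: 'strictly-necessary', // stores the user's own cookie choices
  _an_visitor: 'analytics',
  _ad_uid: 'advertising',
};

// Parse one Set-Cookie header value. `now` is the reference time used to turn
// an absolute Expires attribute into a remaining lifetime in seconds.
function parseSetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    persistent: false,     // false => session cookie, discarded when the browser closes
    lifetimeSeconds: null, // remaining lifetime for persistent cookies
    domain: null,          // null => host-only cookie
    path: '/',
    secure: false,
    httpOnly: false,
    sameSite: null,        // null => attribute absent; the browser default applies
  };
  let expires = null;
  let maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    else if (key === 'expires') expires = new Date(val);
    else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  if (maxAge !== null) {
    cookie.persistent = true;
    cookie.lifetimeSeconds = Math.max(0, maxAge);
  } else if (expires && !Number.isNaN(expires.getTime())) {
    cookie.persistent = true;
    cookie.lifetimeSeconds = Math.max(0, Math.floor((expires - now) / 1000));
  }
  return cookie;
}

// Produce the rows a cookie notice needs: type, how long the cookie persists,
// and whether it is scoped to a domain other than the site's own.
function buildDisclosure(headers, siteHost, now = new Date()) {
  return headers.map((h) => {
    const c = parseSetCookie(h, now);
    const thirdParty =
      c.domain !== null && c.domain !== siteHost && !siteHost.endsWith('.' + c.domain);
    return {
      name: c.name,
      category: COOKIE_CATEGORIES[c.name] || 'uncategorised',
      lifetime: c.persistent ? `${Math.round(c.lifetimeSeconds / 86400)} days` : 'session',
      thirdParty,
      secure: c.secure,
    };
  });
}

// Keep only the Set-Cookie headers the user has consented to. Strictly
// necessary cookies are always allowed; every other category needs an explicit
// `true` in the recorded consent. Cookies missing from the inventory are
// dropped, which forces the inventory to be kept complete.
function filterByConsent(headers, consent) {
  return headers.filter((h) => {
    const category = COOKIE_CATEGORIES[parseSetCookie(h).name] || 'uncategorised';
    return category === 'strictly-necessary' || consent[category] === true;
  });
}

// Constructed sample of what a server might emit on a first visit.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'consent_prefs=v1; Max-Age=15552000; Path=/; Secure; SameSite=Lax',
  '_an_visitor=9f3a; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.example.com; Secure',
  '_ad_uid=77; Max-Age=31536000; Domain=ads.tracker.test; Secure; SameSite=None',
];
const SAMPLE_NOW = new Date('2024-01-01T00:00:00Z');

console.log(buildDisclosure(SAMPLE_HEADERS, 'www.example.com', SAMPLE_NOW));
console.log(filterByConsent(SAMPLE_HEADERS, { analytics: true }));
```

Run with Node; the first line printed is the disclosure table (the login cookie shows as `session`, the analytics cookie as `366 days` because the reference date falls in a leap year, and the advertising cookie as third-party), and the second is the subset of headers a server may emit for a visitor who consented to analytics only. The design choice worth noting is that an unlisted cookie is refused rather than passed through, so the inventory behind the notice cannot silently drift away from what the site actually sets.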