Jodi Daniels is a privacy consultant and Founder/CEO of Red Clover Advisors, one of the few Women’s Business Enterprises focused on privacy.
Every year, more data privacy laws are enacted that impact how businesses obtain and use consumer information. Already, 12 states have passed legislation designed to protect consumer data, and I believe more will be coming down the pike in the coming years. To protect your business and maintain a cookie approach suited to your business’s unique needs, here are five tips to help you get a jump on cookie compliance and maintenance.
1. Track which jurisdictions apply to your business.
Many states and countries have different thresholds that determine what types of businesses must comply with their data privacy laws (I’ve found that most data privacy laws have exceptions for small businesses). And while many state and country data privacy laws have similar and overlapping policies, there are important differences that businesses need to track. For example, California, Colorado and Connecticut require universal opt-out for cookies, most commonly known as global privacy control, so businesses subject to those state regulations will need to add universal opt-out to their cookie policy.
California and many other states take an opt-out approach to placing cookies: they require notice at the time of collection and they require an opt-out mechanism. In the European Union, however, placing cookies requires an opt-in, which means implementing a cookie banner as well as providing an opt-out.
2. Evaluate the types of cookies you use and why you have them.
It’s important to ensure that you categorize your cookies correctly in your cookie policy. There are four common types of cookies.
• Necessary cookies that are essential to site functionality, such as keeping items in a shopping cart or remembering a user’s login credentials
• Preference or functionality cookies that enable a site to remember things like language preferences
• Statistics or performance cookies, such as those used for Google Analytics, that anonymously collect information about how users interact with a site
• Marketing cookies that collect identifiable data about an individual user’s online activity to deliver relevant advertising
Marketing cookies, especially third-party marketing cookies, have the most restrictions. Make sure that your cookies are correctly categorized, you have a reason behind each cookie you use and you’ve taken steps to ensure compliance based on your cookie types.
Note that cookie consent tools can scan cookies, but they aren’t a 100%, never-fail solution. Some can take a first pass at which category a cookie falls into—and some won’t. In those cases, someone has to manually categorize them. As a result, all tools you use need to be monitored.
You also have to consider your cookie types from a compliance angle. Under the California Consumer Privacy Act, for example, advertising and analytics cookies are often deemed a sale or sharing of data, resulting in a plethora of requirements, including placing a link on the home page to allow the user to opt out of the sale and sharing of personal information and a disclosure in a privacy notice about the sale and sharing of personal information.
3. Determine whether a regional or universal approach is right for your business.
The jurisdictions you fall under may influence your cookie consent program. In the U.S., opt-out consent is the norm, while in the EU, opt-in is the standard. Depending on your business model, opt-in cookies may not be the best option. For example, businesses that rely heavily on ads may not want opt-in cookies because they could hamper business.
Cookie banners are another facet of your cookie policy that will vary based on your business. In some jurisdictions, it may be more common for companies to use cookie banners, even if they’re not required, so you may want to add banners depending on your location, market and goals.
4. If you have cookie banners, make sure they’re implemented correctly.
Many companies use cookie banners because they create a sense of transparency between businesses and consumers. But if you have cookie banners, you have to use them the right way. There are a few guidelines I recommend businesses follow.
• Make sure your cookie banner provides symmetry in choice. This means that businesses can’t make it more difficult to select a privacy-protective option than a less privacy-protective option.
• Your cookie banner can’t just say, “We have cookies.” A cookie banner has to describe the kinds of cookies that you have and the reason that you have them. It also needs to be easy for a person to opt out of those cookies.
• Make sure to test how the cookie banner operates. Does it function correctly? For example, if a user hits “reject cookies,” does it actually work? Or does your website still place the cookie?
• Make sure you have the banner on all pages where there are pixels that are dropping cookies. Many times, companies will create a new landing page or update the site and forget to include the cookie scripts, too!
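Two of the checks above (does "reject" actually stop non-essential cookies, and is the global privacy control signal from tip 1 being honored) can be scripted. The following is an added example, not code from the article or from Red Clover Advisors; the allowlist of necessary cookie names, the category name patterns and the sample cookie string are constructed assumptions for a hypothetical site.

```javascript
// Added example: audit the cookies present after a visitor clicks "reject",
// and detect the Global Privacy Control (GPC) opt-out signal.
// Written as pure functions so the same code runs in a browser console
// (pass document.cookie) or in a test harness (pass a sample string).

// Assumed allowlist of cookies this hypothetical site classifies as necessary.
const NECESSARY = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Name patterns for a first-pass categorization (assumed, not a complete list).
const CATEGORY_PATTERNS = [
  ["statistics", [/^_ga/, /^_gid$/, /^_gat/]], // typical analytics cookie names
  ["marketing", [/^_fbp$/, /^_gcl/]],          // typical ad-pixel cookie names
];

// Parse a document.cookie style string ("a=1; b=2") into a name -> value map.
function parseCookieHeader(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    cookies[eq === -1 ? trimmed : trimmed.slice(0, eq)] = eq === -1 ? "" : trimmed.slice(eq + 1);
  }
  return cookies;
}

// Category guess; "uncategorized" means a human still has to classify it.
function categorize(name) {
  if (NECESSARY.has(name)) return "necessary";
  for (const [category, patterns] of CATEGORY_PATTERNS) {
    if (patterns.some((re) => re.test(name))) return category;
  }
  return "uncategorized";
}

// After "reject", every cookie outside the necessary allowlist is a finding:
// the banner said no but the site set the cookie anyway.
function auditAfterReject(cookieString, allowlist = NECESSARY) {
  return Object.keys(parseCookieHeader(cookieString))
    .filter((name) => !allowlist.has(name))
    .sort()
    .map((name) => ({ name, category: categorize(name) }));
}

// GPC: browsers expose navigator.globalPrivacyControl === true when the user
// enabled the signal; servers see the same signal as the "Sec-GPC: 1" header.
function shouldTreatAsOptOut(navigatorLike, headers = {}) {
  const gpcHeader = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  return navigatorLike.globalPrivacyControl === true || Boolean(gpcHeader && gpcHeader[1] === "1");
}

// Constructed sample of what document.cookie might read after "reject" was clicked.
const SAMPLE_AFTER_REJECT = "session_id=abc123; cookie_consent=rejected; _ga=GA1.2.111; _fbp=fb.1.222";
const findings = auditAfterReject(SAMPLE_AFTER_REJECT);
console.log(findings.length ? "Set despite reject:" : "Reject honoured", findings);
```

In a browser, run `auditAfterReject(document.cookie)` on each page after clicking "reject"; a non-empty result is a page whose scripts are not wired to the consent state.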
Finally, keep in mind that cookie banners aren’t a one-time setup. If your business adds a new cookie to your system, you have to make sure the new cookies are appropriately categorized, updated in your system and folded into ongoing monitoring processes.
5. Review your privacy policy and privacy notice annually.
Your cookie policy and privacy policy should be an accurate reflection of your business’s actions, and you should maintain up-to-date records on your practices to ensure cookie compliance.
Marketing teams and agencies often add pixels for session recording, targeted advertising and new analytics pixels. These need to be reviewed prior to placement on the site and need to be reflected in the cookie consent software and privacy notice. Also, the cookie banner and privacy notice are a place to build trust with consumers and convey the tone of your brand. Some companies opt for a playful approach, while others focus on really clear language.
Like so much in the privacy world, cookie maintenance isn’t a one-and-done activity. It requires ongoing evaluation and strategic adjustment to ensure you’re meeting compliance requirements as well as consumer expectations. But while the need is ongoing, it doesn’t need to be overwhelming when you have a plan in place.