
Tracking cookies: what you need to know to stay compliant

We explore internet tracking cookies, explaining their types, functionality, and implications for privacy law compliance, especially under the GDPR and CCPA.
Published by Usercentrics
May 30, 2024

Internet or browser tracking cookies are a type of technology that everyone should understand, especially when it comes to data privacy.

Primarily, cookies collect information about your interests and actions online, like helping websites track your browser activity. While this may sound problematic, it usually makes your life easier.

For example, many online retailers use cookies to keep track of the items in a user’s shopping cart as they explore the site. If websites didn’t set cookies, your shopping cart would reset to zero every time you clicked on a new product. They also help maintain convenient settings like your language preference or account login.

But not all cookies are created equal, and they collect different kinds of information. Session cookies, for example, are temporary and only in use for a single session, such as while you browse a website or until you check out with your shopping cart.

There are also first-party and third-party persistent cookies, also known as tracking cookies. Data privacy regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) affect how they can be used.

In this article, we’ll examine tracking cookies, how they work, and what’s required to ensure compliance with relevant data privacy regulations while getting the data you need for marketing operations.

What are tracking cookies and what are they used for?

Tracking cookies are small files that are stored on a user’s device when they visit websites. There are two main kinds: first-party tracking cookies and third-party tracking cookies.

These cookies collect data about the user’s online activities, enabling websites to “remember” their interactions and preferences so they can serve them more relevant content, ensure a better user experience, and numerous other use cases. Collected data includes search history, geographic location, purchasing trends, and other behavioral information.

Cookies are used practically everywhere online — Google, Facebook, Amazon, and almost all business or commercial websites — making it difficult to browse the web without some kind of tracking.

What’s the difference between regular session cookies and tracking cookies? Session cookies are temporary files that are only active during individual browser interactions and are usually needed to retain information the site needs, like the contents of the online shopping cart we mentioned above.

Tracking cookies are set up by websites and will “follow” you as you browse. They conduct cross-site tracking and build up information on a user. Think of this as an information string that’s being pulled along to each new website a user visits, accumulating data until the end of the browsing session.

The data is then used by the organization that owns the site where the cookies were set, or used by or sold to third parties. This is usually other companies or websites that focus on creating personalized campaigns and serving you product ads that match your browsing history and presumed interests.


What are third-party tracking cookies?

Third-party tracking cookies are set by a vendor other than the website owner. These cookies are used by third-party organizations to collect user data across multiple sites. Most often, this kind of cookie is used for targeted advertising and analytics, enabling these entities to build detailed profiles of a user’s browsing habits and then market products to them.

What are first-party tracking cookies?

A first-party tracking cookie, on the other hand, is set by the website owner. This kind of tracking cookie typically collects data on that one site, which is used to improve the site experience for visitors, like the aforementioned language preferences or user authentication. If a site makes use of a chatbot, it may need first-party tracking cookies to function.

How do tracking cookies work?

Tracking cookies work by monitoring a user’s actions and preferences as they navigate different websites. When the user returns to a website or visits others within the same advertising network, the cookies send information back to the host. This helps build a detailed profile of individual users, which is valuable for analytics and marketing.

This tracking makes it possible for websites and advertisers to remember that visit, tailor content, and display targeted ads based on the user’s browsing history.
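As an added example (not code from the article or from Usercentrics), the following script classifies the cookies a page load sets, applying the distinctions above: session versus persistent, and first- versus third-party by comparing the cookie’s domain with the page’s site. The Set-Cookie headers are constructed, and the two-label site comparison is a simplification of the Public Suffix List that real browsers use.

```javascript
// Added example, not from the original article: audit the cookies set during one
// page load and flag the third-party persistent ones, i.e. cross-site trackers.

// Simplified "site" = last two DNS labels. Real browsers consult the Public Suffix
// List (so co.uk etc. are handled correctly); this shortcut is an assumption for the demo.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into name, value and attributes (attribute keys lower-cased).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify a cookie relative to the page the user is visiting.
function classifyCookie(pageHost, setByHost, header) {
  const c = parseSetCookie(header);
  // A cookie with Expires or Max-Age outlives the browsing session.
  const persistent = 'expires' in c.attrs || 'max-age' in c.attrs;
  // Effective domain: the Domain attribute if present, otherwise the responding host.
  const domain = (typeof c.attrs.domain === 'string' ? c.attrs.domain : setByHost).replace(/^\./, '');
  const party = siteOf(domain) === siteOf(pageHost) ? 'first-party' : 'third-party';
  return { name: c.name, party, lifetime: persistent ? 'persistent' : 'session' };
}

// Constructed sample: a shop page whose HTML also embeds an ad network's pixel.
const SAMPLE = [
  ['shop.example.com', 'cart=abc123; Path=/; Secure; HttpOnly'],
  ['shop.example.com', 'lang=en; Max-Age=31536000; Path=/'],
  ['pixel.adnetwork.example', 'uid=7f3e; Domain=.adnetwork.example; Expires=Fri, 01 Jan 2027 00:00:00 GMT; SameSite=None; Secure'],
];

function auditPage(pageHost, observed) {
  return observed.map(([host, header]) => classifyCookie(pageHost, host, header));
}

// Third-party and persistent is the combination the article calls a tracking cookie.
function trackingCookies(pageHost, observed) {
  return auditPage(pageHost, observed)
    .filter(c => c.party === 'third-party' && c.lifetime === 'persistent')
    .map(c => c.name);
}
```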

What data do tracking cookies collect?

Tracking cookies collect a range of data to improve website functionality and personalize ads. Here is what they typically track:

  • URLs and pages visited
  • time spent on pages
  • clicks on links and advertisements
  • login data (by first-party cookies) and user preferences
  • device type, operating system, and browser type and version
  • search history and input data in forms

Are tracking cookies illegal or dangerous?

Tracking cookies are not illegal, but depending on the type of cookie and the information being collected, their use is governed by regulations like the GDPR and the ePrivacy Directive (to be replaced by the ePrivacy Regulation (ePR)). So using tracking cookies without a valid legal basis, such as consent, can violate data privacy regulations.

Tracking cookies collect a wealth of information about individuals that could be used to identify them. Some personal data, like names and unique ID numbers, are obviously identifying. But other types, like purchase history or IP address, could also be identifying if combined with other data points. Recital 30 of the GDPR states that, in these circumstances, this data may be considered personal data, and be subject to the GDPR.

While tracking cookies are not inherently dangerous, there are some concerns about privacy and compliance with global regulations. This is because they can track extensive information about a user’s internet behavior, which could be misused, used for decision-making purposes with significant effects on the individual, or handled in ways that are not secure.

Privacy laws and tracking cookies

Many privacy laws around the world regulate the use of tracking cookies. These laws are primarily designed to protect user data and online privacy, and ensure transparency between businesses and consumers. Let’s take a closer look at cookie tracking compliance with respect to two such laws: the European Union’s GDPR and California’s CCPA.

GDPR tracking cookies

Using tracking cookies and being fully compliant with the GDPR can be tricky. Regulations require that website providers let their visitors know when websites are using cookies, especially third-party tracking cookies.

They also require upfront information about which cookies (or at least which categories) are in use, their purposes, how the data collected may be used, and who may have access to it.

Once visitors know that tracking cookies are being set, such as via the website’s privacy policy and/or a consent banner, they must be able to provide prior consent for each data processing service that collects information.

Without consent, according to a ruling by the European Court of Justice, the collected data cannot be processed, passed on, or sold to third parties; otherwise, the company risks large fines.

This means that no cookies can be set and no data can be tracked without the user first explicitly acknowledging and accepting data collection and use.

While collecting information such as search history, purchase information, and location might not seem too bad, the amount and types of information collected rarely stops there.

“Device information, the time and date when a user clicked on something, the ads a user focuses on, as well as TV shows that are watched are just a small part of the information that is collected,” says Justin Brookman, privacy expert at Consumer Reports. “Consent for this must be requested.”


Tracking cookies and CCPA

The CCPA is a data privacy law in California that affects how businesses use and protect the personal data and rights of individuals (data subjects), part of which relates to how they handle tracking cookies.

Under the law, businesses that collect the personal information of California residents through tracking cookies must inform them about the types of data being collected and the reason for its collection.

The law also requires businesses to provide a clear “Do Not Sell My Personal Information” link on their websites, enabling users to opt out of the sale of their personal data at any time. (Note: since the CPRA has also come into force in California, the statement must now read “Do Not Share Or Sell My Personal Information”.)

While the CCPA uses an opt-out consent model, unlike the opt-in model outlined by the GDPR, for data subjects between the ages of 13 and 16, organizations must obtain consent before they can collect or sell their personal information.

For children under 13, businesses need to obtain prior consent from a parent or guardian. Prior consent is also required if the data to be processed is categorized as “sensitive.”

This regulation highlights the need for transparency and user control in the deployment of tracking cookies. To learn more about the regulation, read our guide to the CCPA here.

Data-driven marketing today requires valid user consent. However, not all consent is created equal. In fact, “The way in which you collect consent is just as relevant,” says Hans Skilrud, CEO of privacy policy generator Termageddon.

Art. 7 GDPR explicitly outlines the conditions for valid consent, a definition adopted by most data privacy laws around the world.

With this in mind, here are guidelines for obtaining valid consent for tracking cookies:

Consent must be freely given

Consent should be voluntary, i.e. given without any pressure or manipulation. Offer clear, unbiased choices without any pre-selections. Tools like the Usercentrics Consent Management Platform (CMP), for instance, make it easy to offer users clear consent options via customizable cookie banners.

Consent must be informed

Users should know exactly what they are agreeing to — with the option of reviewing cookies in use at a granular level — when giving consent for tracking cookies.

This includes details about the data collector, the data being collected, its purpose, third parties with access to it, and the retention period. Include all relevant information in a detailed privacy policy; it can also be made accessible from the consent banner.

Consent must be explicit

Consent should be an active, deliberate choice. This means that users should not be coerced or influenced into giving consent, such as with only a single button option, pre-checked boxes, or vague and confusing language.

Make sure your language is clear and accessible and that consent options, like buttons, are equally visible and accessible.

Consent must be granular

Consent should be obtained for each data processing activity. As such, clearly differentiate between different tracking cookies and give users the option to consent to their chosen selection.

Consent must be received in advance

No user data can be collected prior to opt-in, so tracking cookies should only take effect after consent is obtained. This means your first action with every new user should be asking for their consent via a clear, comprehensive, and intuitive cookie banner.

Google Consent Mode can be used (and in many cases is required in the EU) to pass this consent state from the CMP to Google services, which then control data collection based on it.

Consent must be well documented

Website operators are subject to the burden of proof in the event of an audit, so it’s crucial that all user consent is documented and easily accessible. A CMP, like Usercentrics, helps keep all relevant consent data in a centralized, secure location.

Data privacy laws also usually give individuals the right to access data collected about them, so consent data may also be a part of a data subject access request.

Consent must be easy to withdraw

Users have the right to change prior consent or withdraw it at any time, and doing so should be as easy as giving it. This means the option to change or withdraw consent should be easy to find on your website, without unnecessary steps or complexity.
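The seven guidelines above, implemented as an added example (not Usercentrics’ code and not the Google tag library): a small consent gate that keeps every tracking script denied by default, loads it only once its own category has been opted in, signals the state through Google Consent Mode, logs each decision with a timestamp, and treats withdrawal as the same call as consent. The gtag function and the loadScript callback are assumed to be supplied by the page (a stub works offline), and the category-to-Consent-Mode mapping is this example’s own choice.

```javascript
// Added example (not Usercentrics' or Google's code): a consent gate for tracking scripts.
const CATEGORIES = ['analytics', 'marketing'];
// Our categories mapped onto Google Consent Mode storage types (parameter names as documented by Google).
const CONSENT_MODE_KEYS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

class ConsentGate {
  // gtag: the function defined by the Google tag snippet (assumed); loadScript: injects a vendor script.
  constructor({ gtag, loadScript, now = () => new Date().toISOString() }) {
    this.gtag = gtag;
    this.loadScript = loadScript;
    this.now = now;
    this.state = Object.fromEntries(CATEGORIES.map(c => [c, false]));   // nothing pre-selected
    this.pending = Object.fromEntries(CATEGORIES.map(c => [c, []]));
    this.log = []; // timestamped audit trail: the operator carries the burden of proof
    // Consent in advance: everything is denied before any tag can fire.
    this.gtag('consent', 'default', this.toConsentMode());
    this.log.push({ at: this.now(), event: 'default', state: { ...this.state } });
  }

  // Granular booleans -> the granted/denied map Consent Mode expects.
  toConsentMode() {
    const out = {};
    for (const [cat, keys] of Object.entries(CONSENT_MODE_KEYS)) {
      for (const k of keys) out[k] = this.state[cat] ? 'granted' : 'denied';
    }
    return out;
  }

  // Queue a tracking script behind its category; nothing loads on registration alone.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category ' + category);
    if (this.state[category]) this.loadScript(src);
    else this.pending[category].push(src);
  }

  // Apply a banner decision such as { analytics: true, marketing: false }; withdrawal is
  // the same call with false values, so it is exactly as easy as giving consent.
  update(decision) {
    for (const cat of CATEGORIES) {
      if (cat in decision) this.state[cat] = Boolean(decision[cat]);
    }
    this.gtag('consent', 'update', this.toConsentMode());
    this.log.push({ at: this.now(), event: 'update', decision: { ...decision }, state: { ...this.state } });
    for (const cat of CATEGORIES.filter(c => this.state[c])) {
      this.pending[cat].splice(0).forEach(src => this.loadScript(src));
    }
    return { ...this.state };
  }
}
```

Withdrawal stops further loading and signals denied to Google, but a vendor script that has already run must also be told to stop; that part is vendor-specific and not covered here.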


How users stay in control of their data

When using cookies, it is important that users remain in control of their data and are aware of why it is being collected and for whom.

In a study conducted by the Ponemon Institute, which involved surveying 652 U.S. consumers, as many as 86% of respondents said they are “very concerned when using Facebook and Google,” while 66% of respondents said they are “very concerned when shopping online or using online services.”

This mirrors increasing consumer mistrust. In the same study, two-thirds of consumers (68%) indicated that they are more concerned about the privacy and security of their personal information than they were only a few years ago.

“This lack of empowerment can have devastating effects on consumers’ privacy if it goes unchecked,” Ponemon researchers noted.

This is why it’s important for users to know why website providers set cookies, and to have a clear overview of which cookies are set. Being in control of data also means that users can revoke their consent at any time and be able to give consent only for specific data processing services. Website providers must offer consumers a choice: to opt in granularly and to revoke consent at any time.

Recent data privacy laws also increasingly provide consumers with the right to data portability, enabling them to minimize the inconvenience of taking their data with them to a company’s competitor.

Confused with all of the regulatory changes? You don’t have to be

According to a study conducted by Pew Research, the lack of understanding about data privacy laws among the general public is significant: 63% of U.S. residents say they understand little to nothing about the laws and regulations that are currently in place to protect their data privacy. Don’t contribute to that statistic.

Usercentrics offers plenty of webinars and articles to help you stay informed and up to date on the latest policy changes for your company, so you can keep your users informed and obtain the necessary consent for cookie use, as privacy regulations require.

You can also listen to our podcast, Consented, where experts from around the world discuss the critical role of data privacy in consent marketing.

With Usercentrics, your journey to full compliance doesn’t stop at the CMP. You gain access to legal experts, dedicated support and guidance every step of the way so you can be confident about your company’s use of tracking cookies and privacy compliance.

Learn more about how easy it is to implement a CMP on your website and be one step closer to securing your company’s ad revenue with a strong privacy strategy.