Lex Indicium

Don’t Crumble Under Cookie Restrictions

February 3, 2021


Nearly half of all websites use cookies – small text files stored on internet users’ computers and mobile devices so web servers can track that user. Cookies come in a variety of flavors in terms of their purpose, the party placing the cookie, and the duration they last on a user’s device. For example, a cookie may have a functional (ex. cookies that remember visitors’ preferred language), analytical (ex. cookies that report site usage statistics), or advertising/marketing purpose (ex. cookies used to retarget advertising to visitors). “First-party cookies” are placed directly by the website being visited while “third-party cookies” are set by another party other than the website’s owner. “Session cookies” are deleted after the user’s session on the website ends while “persistent cookies” can last from days to years after the end of the user’s session.

Proceed with Caution – Cookies May Create Legal Exposure for Site Operators

Cookies can be incredibly useful to website operators as they can enable the operator to gather helpful information about how visitors use its website and thereby target its advertising efforts without disrupting the user experience.  However, as web visitor privacy control continues to be prioritized by applicable law and marketplace demand, the landscape for using cookies has changed dramatically from three years ago and will continue to change.  Here are some key recent developments:

  • Third-party cookies are falling out of favor with Big Tech. Firefox and Safari already block third-party cookies and Google announced that it would stop supporting third-party cookies by 2022. Considering these three browsers account for over 85% of global web browsing activity, organizations that currently rely heavily on third-party cookies should begin pivoting to alternative tracking technologies (e.g. first-party cookies, ETags, universal IDs, local storage, IndexedDB, web SQL, etc.) sooner than later.
  • Europe and California require websites to post a “Cookie Notice.” A Cookie Notice should identify the cookies used, as well as their purpose and duration. The Notice should also state whether third- parties have access to the data collected by the cookie(s). Note that in California, consent to use cookies is not needed. However, a notice about cookies must be provided and California residents can opt-out of the sale of their personal information, including such data collected through cookies. Further, beginning January 1, 2023, California law will allow California residents to opt-out of targeted advertising, targeted ads, and cross-context behavioral advertising.
  • In Europe, express visitor consent is needed in order to use most cookies. Consent in Europe means a visitor has taken an active step to indicate his/her agreement to the use of cookies. When visitors do not expressly agree or disagree to a cookies consent request or simply continue to browse without consenting to the use of cookies,  the website should consider the visitor as having declined to the use of cookies. Some regulators have gone further to require websites to re-request consent from visitors every six months and ban the use of color for indicating consent to a cookies request.
  • Cookie walls are unlawful in Europe. A cookie wall essentially blocks a visitor’s access to a website if they do not “consent” to the use of cookies. The European Data Protection Board has determined that such conditional access cannot constitute “consent” because the visitor has no meaningful choice.

Becoming “Cookie-Compliant”

If your organization uses cookies, and particularly if Europe or California are key markets, you should ensure that a detailed cookie notice is hyperlinked in the footer of your website. The notice should describe the cookie, the purpose, the party placing the cookie, and the duration of the cookie. Ideally, in identifying any third-party placer of the cookie, a hyperlink to that party’s privacy policy should be included. Keep this notice up to date and regularly review your organization’s cookies and evaluate how critical it is for your business versus how problematic that cookie could be in terms of visitor expectations and/or potential regulator review to assess your organization’s appetite for risk for using that particular cookie.

In addition, if your organization is required to get visitor consent before using cookies, be sure that the consent request is clearly communicated to the visitor and that the consent mechanism is easy to understand. Do not rely on colors to indicate consent, and do not use pre-checked “agree” boxes.  If a visitor does not consent to cookies (or makes no choice), you should not block the visitor from using the website, and you should stop using cookies.

receive news & alerts

Yes, I’d like to receive updates with firm news and insights that are relevant to me.