You may have heard you need a cookie policy on your website, but don’t know why or where to start. In this POV (Point of View) article, we’ll outline the reasons for having a cookie policy and discuss how to prepare to be compliant. Before you make any cookie policy decisions, make sure you are required to do so. Based on the requirements, many start-up and scale-up companies don’t meet the regulatory thresholds to even qualify. However, if you meet the requirements, it’s important to prioritize compliance with the Cookie section of the Consumer Privacy Act. The purpose of these regulations is to protect consumers from companies collecting, sharing, selling, and profiting from their personal data without their knowledge or consent.
Do you qualify?
To determine whether your business qualifies, check it against the regulatory thresholds in Virginia, California, Colorado, and the EU:
- Does your company collect personal data on 100,000 or more California, Virginia, or Colorado residents in a calendar year?
- Does your company buy, sell, or share the personal information of 100,000 or more California, Virginia, or Colorado residents in a calendar year?
- Does your company earn at least 50% of its annual revenue from selling or sharing California, Virginia, or Colorado consumer information in a calendar year?
- Does your company exceed an annual revenue of $25 million (applies to CA and VA)?
- Does your company control or process the personal data of more than 100,000 Colorado or Virginia residents in a calendar year?
- Does your company control or process the personal data of at least 25,000 Colorado or Virginia residents and derive more than 50% of gross revenue from the sale of Colorado or Virginia residents’ personal data?
- Does your company operate inside or outside of the EU and offer goods or services to residents or businesses inside the EU?
Not all entities are required to follow these guidelines. If you do not do business in California, Colorado, or Virginia and do not control the data of their residents, you do not need to comply with the CPA, CDPA, or CPRA, as noted above. Also, if you are a non-profit, you are exempt in VA and CA (but not in Colorado).
The types of organizations listed below are exempt:
- Airlines
- Public Utilities
- Financial institutions
- Governmental entities
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Entities collecting or processing data for health insurance law purposes
- Entities collecting or processing data for employment records purposes
- Entities processing de-identified personal data
- Consumer reporting agencies
- Higher education institutions
Even if you are exempt, we recommend publishing the details of a compliant cookie policy on your website, typically linked from the footer.
If you are not exempt and answer yes to any of the questions above, then you are regulated by the GDPR, CPRA, CDPA, or CPA and must comply with their privacy, cookie, and data collection requirements.
What is a Cookie?
Now that you know whether or not you need to comply with the privacy, cookie, and data collection policies, what is a cookie? A cookie is a small text record (set by the page itself or by a tracking pixel) that the server of a website you visit stores on your computer through your browser. The cookie is placed there so the site can recognize your browser, or remember information specific to your browser, when you return to the same site. Please note that all cookies have expiration dates. If you are regulated by the GDPR, CPA, CPRA, or CDPA, the cookie categories and their expiration dates must be outlined in your cookie policy.
Here are the categories of cookies that could exist on a website:
- Necessary cookies are those the site needs in order to work, for example to let two sites connect or integrate with each other.
- Functional cookies allow a website to function better, improving the usability of the site.
- Analytic cookies are placed on the site to track and monitor the usability and performance of the site.
- Performance cookies support the performance of the site.
- Advertisement cookies are placed to help track users for paid advertising campaigns.
- Other cookies typically include sales-related cookies that capture data for managing communications with users who have consented.
Cookie Consent Options
All the cookie consent models we investigated offer varying levels of consent. Many site owners give users a choice about the types of cookies they serve, and from a practical and user experience perspective, site owners can decide how granular that control over which cookies are served should be.
Several jurisdictions have passed consumer privacy acts and started enforcing them: California (CPRA/CCPA), Virginia (CDPA), Colorado (CCA), and the European Union (GDPR). Please note that the CCPA has now evolved into the CPRA, which came into effect on January 1, 2023. Under the CPRA, CDPA, and CCA, businesses are not required to obtain consent to use cookies. These laws follow an opt-out consent framework, which means that the use of cookies is allowed provided website users are given the right to opt out, with opt-out instructions stated in the cookie policy on the website.
The types of consent are as follows:
- Notice Only
- Implied Consent (opt-out option is available in cookie policy)
- Soft Opt-in
- Explicit Consent
A cookie consent banner is necessary for those companies that must be compliant with the CPA, CDPA, CPRA, or GDPR. These rules were put in place for large companies that are collecting, storing, sharing, selling, and making money on consumers’ personal information without their consent.
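To make the difference between the opt-in (explicit consent) and opt-out (implied consent) frameworks concrete, here is an added example that is not part of the original article: a small consent gate that only emits a Set-Cookie header for a category the current consent state allows, and that derives the policy's category/expiry table from the same registry. The category names follow the article's list; the regime names, the plain-object consent state, and the sample cookie names are assumptions made for illustration.

```javascript
// Added example, not from the original article: a consent gate deciding which cookie
// categories a site may set under the opt-in (GDPR) and opt-out (CPRA/CDPA/CCA) frameworks.
const CATEGORIES = ["necessary", "functional", "analytics", "performance", "advertisement", "other"];

// Explicit consent: only necessary cookies until the user opts in.
// Implied consent: non-necessary cookies allowed until the user opts out.
const REGIMES = {
  "explicit-consent": { defaultAllowed: false },
  "implied-consent": { defaultAllowed: true },
};

function createConsentState(regime) {
  if (!REGIMES[regime]) throw new Error(`unknown regime: ${regime}`);
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === "necessary" || REGIMES[regime].defaultAllowed;
  return { regime, decided: false, choices };
}

// Record the user's banner choice; necessary cookies cannot be refused under either regime.
function recordChoice(state, category, allowed) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category !== "necessary") {
    state.choices[category] = Boolean(allowed);
    state.decided = true;
  }
  return state;
}

function isAllowed(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return state.choices[category];
}

// Build a Set-Cookie header value only if the category is currently allowed (null otherwise).
// Every cookie carries an explicit Max-Age so its expiry can be disclosed in the policy.
function buildSetCookie(state, { name, value, category, maxAgeSeconds }) {
  if (!isAllowed(state, category)) return null;
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error("every cookie needs a positive Max-Age");
  }
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Derive the policy's category/expiry table from the same registry the site sets cookies from,
// so the published cookie policy cannot drift from what the site actually does.
function policyTable(registry) {
  return registry.map((c) => ({ name: c.name, category: c.category, expiresInDays: Math.ceil(c.maxAgeSeconds / 86400) }));
}
```

Under the explicit-consent regime an analytics cookie is withheld until the user opts in; under the implied-consent regime it is set immediately and withheld only after the user opts out.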
What’s the Risk?
Cookies have proven effective in driving conversions, and likely your revenue as well. Companies need to be prepared for how a cookie consent banner will affect their online marketing efforts.
It is important to consider the function of the privacy policies being implemented. Data that consumers provide, explicitly or implicitly, is classified as First-Party or Third-Party data. The difference between the two, and how that data is used, may directly affect a paid media campaign.
First-party cookies often improve the user experience by remembering user preferences and settings. This also includes data such as email addresses, purchase history, or preferences that provide businesses with data that can be used for marketing collateral because users have given explicit consent.
Third-party cookies track site performance and consumer behavior and are directly affected by customer opt-outs because third-party data is collected from external sources and often used to track user activities across multiple websites. According to recent Adobe research, about 75% of marketing and customer experience leaders globally rely heavily on tactics that utilize third-party cookies.
Therefore, the company must consider how to address the possibility of 40% of website users opting out of all cookies when the option is presented to them clearly.
Need help navigating the ins and outs of cookie policies? Bright can help you with preparing your cookie policy and consent banner for your site, website and data management, and aid in finding new strategies for digital marketing efforts.
Contact us today for a free consultation!