If you own or operate a website, chances are you’ve heard of Cookie Laws and the importance of compliance. What you might not be aware of is that things are changing. Google has announced that it will officially begin phasing out third-party cookies on its Chrome browser in the second half of 2024. This is a result of consumers becoming more aware of the amount of data that companies are collecting on them. Google and other tech giants are now having to adapt to this change in consumer awareness.
The law and the upcoming changes may seem like a complex, ingredient-heavy world to navigate at first, but don’t worry: we are here to guide you through the process.
What are cookies?
At this point we’re confident you know we’re not referring to the sweet treat enjoyed by myself and many in the Eyekiller office. Rather, “cookies”, HTTP cookies, web cookies, browser cookies, or whatever you want to call them, are small data files placed on your device to collect information about your browsing session and activity.
Types of cookies
Cookies can be grouped in many ways, but in today’s privacy-focused environment they are most often described in terms of the “party” that uses them. First- and third-party cookies are both used to track behaviour, but they differ in how they are collected and in their intended use.
First-party cookies are generally considered to be the good guys. They are created by the host domain (the site the user is visiting) and they exist to provide a better user experience and keep the session open. This means the browser is able to remember key pieces of information, such as what items you add to shopping carts, your username and password, and language preferences.
Third-party cookies are like the villain of the cookie world. Created by domains other than the one the user is visiting, third-party cookies are mainly used for online-advertising purposes. They also allow website owners to provide certain additional functionality, like live chats.
Are There No Second-Party Cookies?
These are more accurately referred to as second-party data. This is when one website collects first-party data (using first-party cookies) and then shares it with another company via some sort of partnership. For example, a car manufacturer could share its first-party data with a trusted insurance company to use for targeted marketing campaigns, which would mean the cookies become classed as second-party.
When third-party cookies disappear, we may find data sharing becomes more and more popular as companies seek new methods to target relevant audiences.
How Does a 'Cookieless' World Impact Me?
Ad platforms took advantage of the vast amount of data that third-party cookies collected and used it to allow businesses to launch and measure hyper-targeted advertising campaigns.
However, many browsers, like Safari, have already started blocking third-party cookies by default, and Google Chrome's deadline for phasing them out is rapidly approaching. As a result, brands may find their ad data disrupted and advertisers may find it more difficult to measure the effectiveness of campaigns. Optimisation and targeting will also experience significant disruption.
One solution is the use of zero-party data, which is voluntarily provided by consumers through methods such as polls, quizzes, or conversational pop-ups. This data is typically stored on a CRM system, which can then be exported for use in digital marketing and other communications. Zero-party data is generally considered to be of higher quality and more reliable than third-party cookies.
To prepare for the end of third-party cookies, domain owners should first conduct a thorough audit of all cookies added to their website and implement a consent mechanism platform that ensures compliance with cookie laws.
What is the Cookie Law?
The ePrivacy Directive, most commonly known as the “Cookie Law”, is an EU regulation that serves as a crucial safeguard for online privacy, ensuring electronic communications remain confidential. The law dictates that explicit consent must be obtained before any personal data is collected or stored. In short, it’s an important measure that allows users to take control of their online data and protect their privacy.
Under the current ePrivacy Directive websites must:
- Provide transparent and accurate information about the cookies used.
- Obtain consent before placing cookies on a user's device.
- Allow users to decline cookies.
- Make their cookie information pages and consent mechanisms as user-friendly as possible.
What About GDPR?
Cookie Law In The UK
After Brexit, the UK is no longer obligated to follow the EU Cookie Law or the GDPR unless any business based in the United Kingdom processes EU individuals’ personal data or monitors their behaviour.
Organisations that handle the personal data of UK individuals must comply with the UK-made version of the GDPR. This is essentially the same as the European GDPR so the requirements for cookie usage are still the same.
The UK also adopted the Privacy and Electronic Communications Regulations (PECR) which is based on the EU ePrivacy Directive, in addition to the Data Protection Act, to create a comprehensive data privacy and protection framework for the UK.
Who Is Responsible?
Do All Cookies Require Consent?
Strictly necessary cookies are exempt from Cookie Laws as they are 100% necessary for a website's operation.
Examples of cookies this may apply to:
- Session cookies that are necessary for security purposes, e.g. online banking.
- Load-balancing cookies that ensure web pages load quickly and effectively.
- Cookies used to remember what items are added to a shopping basket on an e-commerce website.
Cookie Consent Management Tools
CookiePro and other cookie consent management platforms make navigating the complex world of compliance effortless by centralising all your needs in one place.
In addition to deeply scanning your website to identify and categorise the first and third-party cookies, these platforms allow you to create and deploy geotargeted banners, build preference centres and record compliance details with ease.
Furthermore, CookiePro’s A/B testing feature for cookie banners enables you to experiment with different designs, allowing you to determine which one generates the highest number of conversions, ultimately improving your digital marketing measurement.
Cookie Compliance Checklist
It’s important not to get bogged down in the nitty-gritty details of the individual laws. Do the following to ensure you’re complying with the Cookie Laws:
You need to understand which cookies require explicit consent before moving forward. You can perform a free scan of your website using tools like CookiePro or CookieYes.
2. Update policy pages
5. Allow users to withdraw consent
Users may change their minds and want to alter their cookie preferences. Websites must allow users to do this any time they wish. Once consent is withdrawn the website must immediately cease collecting or tracking any personal data using those cookies.
6. Record proof of consent
You must document and be able to demonstrate that users have given consent, in case of scrutiny by data protection authorities. Proof should include how and when the consent was obtained, and the information provided to the user at the time of collecting consent.
7. Obtain fresh consent when you add new cookies
8. Ask for consent at regular intervals
In addition to asking for consent when new cookies are added, users should be asked to refresh their consent choices at regular intervals.
The exact duration is not clear: the ePrivacy Directive states that websites should do this at least once a year, while other nation-specific laws favour every 6 months.
Cookie consent mechanisms like CookiePro often default to a certain expiration period, such as 90 days. This may be the simplest option, but it’s important to determine whether this interval is appropriate for your business - you don’t want to inconvenience or disrupt the experience of your users.
9. Stay Up To Date
The Cookie Law is constantly evolving. Do your bit by researching the latest regulations and updating your website accordingly.
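The checklist above in working form, as an added example that is not Eyekiller's or CookiePro's code: a minimal JavaScript consent gate that sets strictly necessary cookies unconditionally, sets any other cookie only when a valid consent record covers its category, stores proof of consent (categories, timestamp, policy version), treats consent as expired after the re-consent interval or after the policy version is bumped for new cookies, and purges non-essential cookies when consent is withdrawn. The category names, the 90-day interval, the policy version number and the in-memory cookie jar standing in for document.cookie are assumptions.

```javascript
// Added example (not Eyekiller's or CookiePro's code). Category names, the
// 90-day interval, policy version and in-memory jar are assumptions.
const ESSENTIAL = 'necessary';   // strictly necessary: exempt from consent
const CONSENT_TTL_DAYS = 90;     // step 8: ask again after this interval
const POLICY_VERSION = 2;        // step 7: bump when new cookies are added
const CONSENT_COOKIE = 'cookie_consent';

// Stand-in for document.cookie so the logic runs outside a browser.
function makeJar() { return new Map(); }

// Step 6: proof of consent - what was granted, when, and which policy version
// (i.e. which cookie information page) the user saw at the time.
function recordConsent(jar, granted, now = Date.now()) {
  const rec = {
    granted: [...new Set([ESSENTIAL, ...granted])],
    at: new Date(now).toISOString(),
    version: POLICY_VERSION,
  };
  jar.set(CONSENT_COOKIE, JSON.stringify(rec));
  return rec;
}

// Valid only if parseable, current policy version and within the interval.
function currentConsent(jar, now = Date.now()) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (rec.version !== POLICY_VERSION || !Array.isArray(rec.granted)) return null;
  const ageDays = (now - Date.parse(rec.at)) / 864e5;   // ms per day
  return ageDays <= CONSENT_TTL_DAYS ? rec : null;       // NaN age -> null
}

// Gate: essential cookies always set; others need a valid record that includes
// the cookie's category (from the audit). Returns whether the cookie was set.
function setCookie(jar, name, value, category, now = Date.now()) {
  if (category !== ESSENTIAL) {
    const rec = currentConsent(jar, now);
    if (!rec || !rec.granted.includes(category)) return false;
  }
  jar.set(name, value);
  return true;
}

// Step 5: withdrawal drops the record and purges every non-essential cookie
// in the registry produced by the cookie audit (name -> category).
function withdrawConsent(jar, registry) {
  jar.delete(CONSENT_COOKIE);
  for (const [name, category] of Object.entries(registry)) {
    if (category !== ESSENTIAL) jar.delete(name);
  }
}
```

In a real site the jar would be replaced by document.cookie (or a server-side store for the consent log), and the registry is the output of the cookie audit in step 1.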
The Importance Of Compliance
In the United Kingdom, organisations that have violated the Data Protection Act 1998 or the Privacy and Electronic Communications Regulations (PECR) can be subject to substantial monetary penalties, with the maximum fine reaching up to £500,000, as issued by the Information Commissioner's Office (ICO).
The consequences can be even greater for organisations that must adhere to EU GDPR. For example, in 2021 Amazon got hit with a whopping €746 million fine following an investigation by the Luxembourg data protection authority, CNPD. The investigation concluded that Amazon failed to get “freely given” consent to store advertising cookies.
The Last Bite
We hope you’ve learned a thing or two about cookie compliance and how important it is in today’s privacy-focused world. Remember, always inform and obtain explicit consent before storing cookies, and don’t forget that consent management platforms like CookiePro can make the process a whole lot simpler.
Still craving more information about cookie compliance? Don’t hesitate to reach out to our team. We’ll be more than happy to help to make sure your website stays compliant and recommend ways to prepare for the end of third-party cookies.