Online cookies: Becoming compliant to protect a business

15^th November 2021

The editorial unit

The editorial unit

15 November 2021

Cookies are essential for obtaining a seamless browsing experience, and almost every website on the Internet is running on them. Some cookies are mandatory because a website cannot function properly without, while others exist to contribute to a pleasant user experience e.g. remembering personal details for autofilling purposes or saving items in the shopping cart.

With the advent of data privacy laws such as the GDPR and the CCPA, website owners are now required to actively take responsibility for their data handling procedures. This includes providing transparency of active cookies on their domain in addition to giving end-users control over their data.

Furthermore, the GDPR requires businesses to obtain user consent before placing cookies on the end-user’s device. A cookie consent popup is thus a requirement in the GDPR, but it is, however, only a requirement under certain circumstances in the CCPA.

What are cookies?

Cookies are small text files that collect information about website users. The type of information can range from technical specifications of the device used to the user’s political convictions. The term “cookie” comes from “fortune cookie” as both types of cookies are structures that carry a message. Cookies were invented sometime in the early 90s and can now be found on nearly every website in existence.

These little files fall under four categories: necessary cookies, preference cookies, statistics cookies and marketing cookies. The latter two make up the majority of cookies on the Internet. Statistics and marketing cookies are essential to running an online business, as they can collect useful and important information about website visitors’ online behaviour and preferences. By collecting this type of data, business can create more efficient marketing strategies to increase profit.

Though many have vilified cookies because of the nature of the data that they can collect, the technology is, in itself, neither bad nor evil. Rather, it is the potential harm that can be done should the data fall into the wrong hands that is concerning.

What are the GDPR and the CCPA?

For too long end-users had no control over their data and, in an increasingly digital world, it was only a matter of time before authorities issued regulations to protect end-users’ rights.

The GDPR (General Data Protection Regulation) is an EU data privacy law that controls how businesses and organisations handle personal information about their users. It was enforced on 25^th May 2018. The CCPA (California Consumer Privacy Act) is similar to the GDPR: it’s a data privacy law too, although it is only a state-wide regulation in the US. The CCPA was enforced on 1^st January 2020.

The purpose of both the GDPR and the CCPA is to give individuals control of how their data is handled, stored, and shared. However, where the GDPR applies to for-profit and non-profit organisations that handle personal information of users located in the EU, the CCPA only applies to for-profit organisations handling personal information of Californian residents.

Non-compliance with the GDPR and/or CCPA can result in heavy fines in addition to bad publicity about one’s company.

The editorial unit