Don’t Get In the Cookie Jar: Cookie Management and Why You Should Review Your Policies

Updated: Jan 12th 2021
Cookie Policy Management

As a website owner, cookies serve as one of your most powerful tools for creating a smooth user experience. But while cookies remain a fundamental piece of internet browsing, mismanaging their use can lead to privacy, and potentially legal, issues down the line. Implementing a clear Cookie Policy helps establish trust with your users by helping them understand why you use cookies and how it benefits them.

What Are Cookies?

HTTP cookies are small bundles of data stored in a user’s browser when they visit your site. This enables the site to remember settings, such as login information, when  users return to the site. Site owners use cookies to track how users interact with the site in order to increase performance and make changes to improve the user experience, among other functions.

In many cases, cookies are necessary for a website to function as expected. One example includes ecommerce, which relies on cookies to store items in a shopping cart if users leave the page. Anyone who browses the internet takes advantage of cookies every day, even if they don’t realize it.

While cookies are used as a catch-all term, there exist different types of cookies that perform distinct tasks and pose varying levels of security risks. A few of the most common types of cookies include:

Session Cookies: are used to save short-term bits of information used during a single browsing session, as in the ecommerce example above. Session cookies are explicitly deleted whenever the browser is closed, making them perfect to maintain the user’s login identity.  Session cookies are also often used for website navigation tracking.

Persistent Cookies: are longer-term values that the browser remembers whenever the user visits the site, even after the browser is closed.  Persistent cookies have a defined duration that can be as short as seconds or minutes, and as long as years.  Persistent cookies are often used to save settings and preferences to maintain a convenient and consistent experience for the user.  Persistent cookies can also be used to identify and track long-term user behavior on the site across multiple browsing sessions.  

Third-Party Cookies: Session and Persistent cookies described above are only visible to the specific website who set them.  Third-party cookies, however, are capable of storing values that apply to multiple websites.  Third-party cookies can be used to identify individuals as they navigate across multiple websites… but only if those websites use the same third-party tools. Third-party cookies are typically set by widgets and other tools that website owners place on their sites.  These third-party cookies have the capability to identify and track users on any website that uses that particular widget.

Despite their importance, cookies can present trust, privacy, and security risks, particularly when it comes to third-party cookies. It’s your responsibility as a website owner to know what cookies your site is setting and to ensure the cookies are used ethically and responsibly so your user’s information stays safe. 

What is Cookie Management?

As issues over digital privacy rights become more forefront, users are increasingly demanding to know how websites use their private information. A recent Cisco survey found that over 84% of global consumers wanted more control over how their data is used. 

Fortunately, most browsers allow users to configure their cookie settings to control which types of information is tracked by the websites they visit. Browsers such as Chrome, Edge, Safari, Firefox, and Internet Explorer provide detailed, step-by-step instructions on how to configure cookie use. When you set about creating a Cookie Policy, you’ll want to include these instructions so users can apply them as they see fit.

According to a Pew Research survey, nearly 60% of the American public doesn’t understand why websites collect their personal data. To build trust with your users, site owners need to help them understand how cookies work, what they are, and how you use them. Despite the public’s reticence to hand over their personal information, users tend to be forgiving if you explain why you need their data. The best way to accomplish is through creating a Cookie Policy.

Creating a Cookie Policy

A clear Cookie Policy ensures that your visitors understand why and how you use cookies, while mitigating legal risk against laws addressing cookie use. 

Site owners can start by performing a cookie audit. Most sites run more tracking cookies than you realize, so you’ll need to know exactly which user data is being collected and for what purpose. Remove cookies that collect data you don’t need, or that violate privacy rules. Finally, create a list of cookies being used on your site and classify them by the categories listed above. You can perform a cookie audit using tools such as Osano’s free Website Privacy Report

With your cookies collected and categorized, you can now start building your Cookie Policy. Provide a brief explanation describing what cookies are and why you use them. Next, you’ll want to list the specific cookies used on your site and the purpose behind their use. Make sure to post your policy in a conspicuous, unchanging spot on your site, such as the header or footer. 

Your final step involves requiring user consent over your cookie use. Pop-up banners are typically the most effective way to gain user consent, as they are difficult, if not impossible, to ignore. This banner will pop up the first time a user visits your site and should accomplish the following three goals:

  • User is aware and consents to cookie use
  • User has the option to set their cookie preferences
  • User can revoke consent at any time

Do I Really Need a Cookie Policy?

The short answer: Yes. Besides using a Cookie Policy to gain user trust, it’s also legally required in many cases.

In recent years, the US, and especially Europe, created laws to protect consumer data and combat unethical cookie practices. The most comprehensive of these laws is the General Data Protection Regulation (GDPR), which was adapted from the EU ePrivacy Directive and applies to any site that operates in the EU or is used by EU citizens. Considering most websites attract visitors across the globe, the GDPR applies to virtually every site. 

To stay in compliance with GDPR, you must meet the following requirements:

  • Consent must be freely given, specific, informed, and unambiguous
  • Consent must be a clear affirmative action, such as an opt-in box or an accept button
  • User must be able opt out
  • User needs to have the option to accept or decline particular cookies 
  • User who reject cookies must still receive full access to the website

While there is no similarly comprehensive cookie law in the US, the California Consumer Privacy Act (CCPA) covers users in California, the most populous state in the US, making good odds that the law will apply to your site. But if you complete all the GDPR requirements, you’ll likely also be covered under CCPA, though there are additional requirements under CCPA related to the selling of data. Visit the provided links to become familiar with both laws. It’s also worth noting that GDPR and CCPA do not apply to essential cookies meant to improve the site’s functional use.

Time For a Cookie Break

Cookies are one of most complex, yet important tools in your toolbox as a site owner. They help your site function and give the kind of user experience your visitors expect, delivering a website experience that’s memorable and convenient. Your task is now to explain to your users why they’re so important. They’ll thank you for your service with increased trust.

It might sound like a lot to deal with all these cookies, but the main thing to remember is that your goal is to be as transparent as possible. Trust is the most valuable currency when it comes to offering services online, and this should always be your end goal. If you’re straight with your users, they are more likely to trust you and use your services.