For digital-first entrepreneurs, the internet’s promise and power is nowhere more concentrated than in the majestic cookie.
That’s right. The cookie. A small text file placed in your computer that enables logins and customization, affiliate links, product optimization, and elegantly targeted advertising campaigns. And abusive advertising campaigns. And intrusive monitoring. Which is why governments around the world have begun to reign in the mighty cookie.
Cookie regulation, like privacy law more broadly, is evolving quickly. And governments everywhere are starting to extract real fines for noncompliance. If you’re a digital-first entrepreneur—particularly if your app, products, or content has global reach—you need to keep up.
Unfortunately, cookie regulations are not consistent from one jurisdiction to the next.
In the European Union, the GDPR and ePrivacy Directive allow sites to install cookies for essential functions. But they require informed user consent before installing cookies for non-essential purposes like analytics or targeted advertising.
In carrying out these regulations, EU member nations require cookie banners so that EU users are given notice and an opportunity to give informed consent or reject the use of non-essential cookies entirely. Each EU member has regulations defining its version of “informed consent.” Each requires an opt-in style cookie banner. Most require that the banner describe the types of cookies being collected, what they’re used for, and if any are from a third party. The GDPR also requires mechanism for a user to withdraw its consent.
With a hodgepodge of state laws and federal regulations, the United States is just as convoluted, if not quite as far along.
The California Consumer Privacy Act (CCPA) is widely considered to be the most restrictive of U.S. privacy laws. But unlike the GDPR, it doesn’t explicitly require cookie banners. Instead, the CCPA merely requires that a “business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” The CCPA includes cookies under the definition of “personal information.” The site can disclose the collection of personal information in a popup or banner or it can link to the exact sections of its cookie policy or privacy policy where that disclosure can be found.
It turns out the best way to give notice that complies with the CCPA is through a cookie banner.
And when third-party cookies are involved, this all gets even more complicated.
So what’s a busy, heads down entrepreneur like you supposed to do?
This is a case of high-water-mark regulation. You could have your site serve a minimally compliant experience based on each user’s location. But the easier option is to comply with the most-strict jurisdiction where you operate. For most of you that will be the EU. Which means cookie banners, disclosure, and opt ins for all non-essential cookies.
If you limit your activities to the United States or can easily bifurcate your experience between US and non-US users, you may be able to continue pushing non-essential cookies without explicit consent to US users so long as you disclose it and offer a way to opt out. But we don’t expect that to remain the law in the US forever. And it only takes one jurisdiction to raise the high-water mark on everyone.
