Cookie Notice Guidelines
Getting Started with Cookie Notices
Greetings enterprise community. The following five steps provide guidance to properly implement a cookie notice for your website.
An Introduction to Cookie Notice: Learn the basics about cookies by reading this overview, including what they do, how they're regulated, how to get started, and how to get help.
Understanding the Regulatory Landscape of Cookie Laws: Understand the geographic and sectoral regulations affecting you. For instance, if your website is marketing to EU individuals, be certain to comply with the ePrivacy Directive and the GDPR.
Conducting a Website Cookie Audit: Perform a cookie audit of your website, which will produce an inventory of cookies found on your site.
Write a cookie banner: Inform visitors to your site about the cookies used. Record consent securely, repeating the process every 12 months and permitting users to withdraw consent at any time.
Writing the Cookie Notice: Write the cookie notice, including the cookie inventory within a table by first-party or third-party, and listing cookie attributes.
Please be advised that this “Cookie Notice Advisory Site” is provided as guidance and does not constitute legal advice. Please use it as a helpful reference. You may contact us for assistance by calling or emailing our service desk; contact information can be found at the bottom of this page.
If you have general questions that may benefit the Enterprise community, please post your question in forum found here. If you want to receive email updates on a post you are interested in, select "Follow Post" in the upper right hand corner within the post of interest.
Step 1: An Introduction to Cookie Notices
The world is abuzz with cookie banners and cookie notices, prompting users for consent to plant technical cookies on devices. But what is a website cookie, and why all the recent attention?
In this section, we will examine website cookies from the perspective of how these tiny but powerful technologies relates to everyday businesses, including:
understanding the idea of website cookies, how they work, and their various forms;
realizing the power of cookies, their benefit to website operators, and the concern of privacy advocates regarding unchecked cookie power;
auditing websites to create an inventory of cookies employed throughout one’s website;
writing a cookie banner and cookie notice, and creating an online cookie inventory with attributes within a cookie table;
employing automated cookie tools such as OneTrust to manage cookie consent; and
getting help from Allendevaux privacy professionals with your site’s cookie notice, from a cursory review (with recommendations) to a full implementation.
Many people ask, “Why are website cookies called cookies at all?” Some say the term cookie was coined after the story of Hansel and Gretel, who were able to mark their trail through a dark forest by dropping cookie crumbs behind them as markers of where they had been. In computation, the concept was first used on UNIX operating systems, and to differentiate, they were originally called magic cookies.
While we no longer call them magic cookies, they are commonly called technical cookies, website cookies, or simply cookies. But what are cookies, and how are they used?
Cookies are small text files that are placed by a cloud service (such as amazon.com) onto your device such as your phone, laptop, tablet, etc. when you view websites online. Like the analogy of Hansel and Gretel, a cookie enables website operators to track that you’ve visited their site before, helping to store data about you and your preferences so that you’re not prompted to repeat yourself in that regard. An example of information stored on a cookie is your personal registration data like your name, email address, contents of a shopping cart, the preferred layout of a webpage, preferences of what you like and so on. Without cookies, websites wouldn’t be able to personalize many things.
Step 2: Understanding the Regulatory Landscape of Cookie Laws
Most online users do not understand the power of cookies, and regulators are working to ensure the power of cookies do not go unchecked. While governments around the world are drafting new cookie laws as of the writing of this text, such as Brazil’s LGPD or California’s CaCPA, the European Union’s ePrivacy Directive provides an excellent baseline to examine, soon to be upgraded to the ePrivacy Regulation (ePR).
The ePR covers more than just cookies, including unsolicited email, spam text messages, automated calling and other annoyances that marketing companies are using. Regarding cookies, the ePR will be upgrading requirements for cookie compliance. Even though the forthcoming regulation is a European text, it applies to other countries as long as those companies send direct marketing communications to EU individuals, collecting information and using cookies. The penalties for violating the ePR can be massive, expected to range from 10 to 40 million euros, or 2% to 4% of global revenue, whichever is greater, depending on the violation. But why are high fines being implemented?
Fines and compliance penalties (such as mandatory biannual audit by a third party) are intended to ensure compliance with cookie laws, designed to respect the privacy and security of individuals unless consent has been provided to collect, track and profile a user’s online activity. But not all cookies are the same, and cookies collect differing types of information depending on their type.
The Most Common
Types of Cookies
In most cases, there are four types of cookies you will encounter:
Strictly Necessary Cookies
Strictly necessary cookies enable you to move around the website and use its features. Without these cookies, we will not be able to provide certain features, such as automatic forwarding to the least busy server, or remembering your wish lists.
Permitting website operators to measure and improve the site’s operation to count visitors, track sources, determine how visitors move around the site.
Permit enhanced functionality of the website and personalization such as live chats.
Also called advertising cookies, these are there to build profiles of your interests and show you relevant ads on other sites.
Your cookie notice should list these cookie classifications, and inventory the cookies used under each heading. In order to do this, it’s best to start by conducting a cookie audit, and this topic is covered next.
Step 3: Conducting the Website Cookie Audit
In order to comply with regulations, and in order to write a proper cookie notice, start by auditing your existing website. To view an example website audit performed by certified IBITGQ auditors at Allendevaux & Company, use the contact page and let us know. We'd be happy to send over an example.
The audit produces an inventory of cookies used throughout the site, and determines the types and attributes of cookies used to track a user’s online activity.
Often times, the audit results surprise website operators, not realizing the types and extent of cookies being employed including third-party tools. In nearly all cases, the website audit reveals a labyrinth of linked pages violating existing laws, but the audit also produces a list of actions to take to bring a site into compliance. The audit also produces a comprehensive list of cookies that can be listed in the cookie notice, ensuring the practice of due care and due diligence have been performed responsibly.
Once you have the results of your website audit, you can construct two essential elements:
the website cookie banner, which is displayed when a user first visits the website, and collects consent from users to employ cookies; and
the website cookie notice, which provides detail about which cookies are employed, whether or not it is a first-party or third-party cookie, the names of the cookie, and attributes such as its lifespan.
Step 4: Writing a Cookie Banner
Your website’s cookie banner should appear when visitors first arrive to your site. Sometimes called a “consent banner”, these short notices inform users about cookies the website wants to use, and gives users a choice (called consent) before setting a cookie on the user’s device.
Within the European Union, the ePrivacy Directive in association with the GDPR requires prior, informed consent to be displayed to users before setting cookies; further, you must document each instance for every unique visitor. As a general rule, follow these guidelines:
Give visitors an opportunity to opt-in and opt-out of any type of cookie, providing specific and accurate information on all cookies and other tracking technology in use on the website.
Record consent before collecting any data from the user, keeping the record securely stored.
Allow visitors to withdraw their consent at any time.
Delete visitor’s data upon request.
Renew consent requests every 12 months.
Some of you may choose to use an automated tool to do this, and there are many you can use.
If you need help with any of this, including which tool to use, contact Allendevaux & Company
Website Cookie Banner Examples
Cookie Banner Example One
This website employs cookies to remember users and understand ways to enhance each user’s experience. While some cookies are essential, others help us improve your experience by providing insights into how the site is used. For more information, visit our Cookie Notice.
Cookie Banner Example Two
To make this website work properly, and to provide the most relevant services to our visitors and platform users, we place small data files called cookies on your device when we have your consent to do so. Our Cookie Notice provides you with information about these cookies, what they do, your choice related to these cookies, and how to control them for this website.
Providing Choice and Receiving Consent
Regardless of the notice you write, you must place a tick box or button that permits the users to accept the cookie such as <Accept Cookies>. If you have the capability, it is also helpful to provide individual specificity on the types of cookies used by your system. You’re probably familiar with seeing something similar to the following:
Cookie Type and Description
Strictly Necessary Cookies: These cookies allow the provision of enhance functionality and personalization, such as videos and live chats. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these functionalities may not function properly.
Performance Cookies: These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site.
Functional Cookies: These cookies allow the provision of enhanced functionality and personalization, such as videos and live chats. They may be set up by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these functionalities may not function properly.
Targeting Cookies: These cookies are set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant ads on other sites. They work by uniquely identifying your browser and device. If you do not allow these cookies, you will not experience our targeted advertising across different websites.
It is important in some geographies to ensure the preferences are not set to “On” by default in accordance with an explicit consent requirement. This requires an individual to consciously switch a preference from “Off” to “On” before saving the overall preference settings.
As mentioned earlier, the consent selection must be recorded securely, and renewed every 12 months.
Getting Professional Help
Do not be discouraged if you need help from certified professionals; small and large entities alike often outsource these legal and technical complexities to privacy professionals like Allendevaux.com. If you are unsure, seek the advise of a professional entity with experience in privacy laws and regulations and technical implementation.
Step 5: Writing the Cookie Notice
With that background, it’s time to write your cookie notice. The following is an example website cookie notice. You may copy and modify this notice for use on your own website, changing the contents to fit your unique environment.
We recommend your cookie notice to be a dedicated page, with a link to this page made available from the footer of every webpage.
Example Cookie Notice
That You Can Use
Last modified: Date
To facilitate this website’s functionality, and to deliver pertinent services to cloud users and website visitors, this site installs tiny data files called cookies onto your device when you provide us with consent to do so. Accordingly, this message relays information about these cookies, detailing their functionality, your ability to permit or deny their installation, and how to control them.
What Is A Cookie?
A cookie is a small text file that a cloud service or website saves on your computer, phone, tablet or other mobile device when you visit the website. Once these files are installed on your system, the cookies are transmitted back to the originating cloud service or website on each subsequent visit, enabling the service to recognize returning users with their saved preferences and user selections. In some cases, other affiliated websites may recognize the same cookie, enabling cookies to be shared across related services.
Cookies on this site may be delivered in a first-party representation (set by Acme Services) or third-party representation (set by another website), and may also be set in association with emails you receive from us. Please be aware that third-party cookies are cookies are set by an entity other than the website owner for purposes such as collecting information on user behavior, demographics, or personalized marketing. An example of a third-party cookie could be youtube.com or doubleclick.net and others, where these third-party tools could be used within the Acme Services website; in those cases, the cookie is controlled by the third-party. These cookies enable embedded content to function properly, such as YouTube videos, Facebook advertising, Instagram feeds, PayPal payment processing forms, application forms or other tools. Again, if used, these associated services use their own cookies. We do not have control over the placement of cookies by other websites or the lifespan of these cookies, even if you are directed to them from our website.
Cookies help us enhance your experience when using the website. They also help us understand how people use our site, such as which pages are most popular, so that we can better serve our site users.
Cookies Used On This Site
You may encounter various types of cookies on this website, such as:
strictly necessary cookies, required for the website to function and cannot be switched off without impacting its functionality;
performance/analytical cookies, permitting website operators to measure and improve the site’s operation to count visitors, track sources, determine how visitors move around the site;
functional cookies, permitting enhanced functionality and personalization such as live chats;
targeting cookies, to build profiles of your interests.
Each of these cookies may be represented by Acme Services in the form of a first-party cookie, or one of our partners in the form of a third-party cookie. Because it is important for us to maintain transparency and foster choice, each of these are explained below.
Strictly Necessary Cookies
Strictly necessary cookies are necessary for the website to function and cannot be switched off. They are usually only set in response to actions made by the user which amount to a request for services, such as setting privacy preferences, logging in or filling in forms. Users can set their browsers to block or alert them about these cookies, but some parts of the site may not function properly.
Performance And Functional/Analytical Cookies
Performance and functional/analytical cookies are similar with slight differences; they both provide information to the server or cloud service to track that’s useful to the operator. Performance cookies provide reliability metrics, which can include but are not limited to network latency, packet loss, jitter, server-side delay and other helpful metrics. Functional/analytical cookies provide information such as the number of unique web users, demographics, browser types encountered, length of stay on a webpage, length of stay on a website, and other analytics useful to a website operator.
We use Google Analytics cookies to collect information about how visitors use our website. Google Analytics employs both performance and analytical cookies. These cookies collect information in the aggregate to give us insight into how our website is being used and how it’s performing. We anonymize IP addresses in Google Analytics, and the anonymized data is transmitted to and stored by Google on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. The following table has more information about these cookies.
To view an overview of the privacy of your Google Analytics cookies please go here: https://support.google.com/analytics/answer/6004245.
You may install a Google Analytics Opt-out Browser Add-on by going here: https://tools.google.com/dlpage/gaoptout.
Targeting cookies are set through a site by advertising partners. They may be used by those companies to build a profile of users’ interests and show relevant ads on other sites. They work by uniquely identifying a user’s browser and device. If a user does not allow these cookies, he/she will not experience targeted advertising across different websites.
How To Control And Delete Cookies
You have the capability to control and delete cookies with most browsers. This section provides guidance regarding how to do that.
Using Your Browser
Many of the cookies used on our website and through emails can be disabled through your browser. To disable cookies through your browser, follow the instructions usually located within the “Help” or “Tools” or “Edit” menus, depending on your browser. Please note that disabling a cookie or category of cookies does not delete the cookie from your browser unless manually completed through your browser function.
Cookies That Have Been Set In The Past
Collection of your data from our analytics cookies can be deleted. If cookies are deleted, the information collected prior to the preference change may still be used, however, we will stop using the disabled cookie to collect any further information from your user experience. For our marketing cookie, when a user opts out of tracking, a new cookie is placed to prevent users from being tracked.
For more information, feel free to contact our Data Privacy Manager at email@example.com.
Getting Further Help
If you need guidance understanding the information above, contact the Allendevaux & Company Service Desk. You will be assigned to a certified privacy professional accredited by ISO, IBITGQ or the IAPP with experience in privacy law and compliance. You’ll also find contact information at the bottom of this page for telephone and email.
We need your consent to receive your information and contact you. By pressing the 'Send' button below, you are providing that consent. You have the right to withdraw your consent at any time. To withdraw your consent, please email us here. For more information about what we do with your personal data and how we protect it, see our privacy notice.