Does My Website Need a Cookie Policy?

If your website doesn't have a cookie policy yet, here's why you may need one.

Cookies, those little snippets of data that can reveal so much about an individual, are both a hindrance and helpful. Cookies make the web go around, but they can also be annoying, and sometimes privacy-invasive. Some jurisdictions, such as the European Union (EU) have specific legislation on the use of cookies and the display of cookie policies.

In the EU, the law that handles the use of Cookies is known as the EU Cookie Law or ePrivacy Directive (ePD, soon to be ePrivacy Regulation, ePR).

The United States, however, has a more complex and mosaic approach to privacy. This means that there is no definitive federal basis for how cookie policies are displayed or used on a website used by U.S. citizens. So, what do website owners need to know about displaying cookie policies to visitors?

If you are a business with a web presence in the United States, do you really need a cookie policy? Keep reading to find out.

What is a cookie policy?

Cookie policies are often mandated by legislation; however, they are also a way to ensure that your company is transparent with your customer base. A cookie policy typically details what type of data is collected, why, and who it is shared with. There are several types of cookies, some are necessary for the smooth operation of a website, whilst others are used for behavioral targeting and often shared with third parties.

Cookie policies can be incorporated into a wider privacy policy on a website or as a standalone section. Cookie popups, of the type we are all too familiar with, should incorporate a link to a more comprehensive cookie policy. Typical sections in a cookie policy include:

    What are cookies?
    What types of cookies are used on the site?
    How are these cookies used?
    How can the customer disable or manage the cookies?

However, cookies are an evolving species, and as such, maintaining a cookie policy that reflects the cookies used on a given website can be an ongoing task.

Cookie policies are mandated in several countries, including the EU (under GDPR) and Brazil (LGPD). They are also increasingly entering the U.S. state privacy lexicon, including the states of California (California Consumer Privacy Act, CCPA/CPRA) and Virginia (Consumer Data Protection Act, CDPA). Both states require companies to obtain opt-in consent before processing personal data. Both states require website owners to provide users with a privacy policy that allows visitors to opt-out of targeted advertising.

It's a "World Wide Web" for cookie policies

The USA has no specific federal cookie law. However, because other jurisdictions, such as the EU, Brazil, and the state of California do specify strict cookie handling requirements, this may mean that even USA-based websites require a cookie policy. If your U.S. website is likely to have visitors from California, Virginia, the EU, the UK, or other U.S. states and geographies that have privacy laws, then you will need to provide a cookie policy for those visitors.

How cookie policies impact the end-user and the website owner

The end-user: Cookie policies begin with cookie consent. The ubiquitous cookie popup notice is almost iconic in its presence on websites across the world. The user is taken through a process to capture consent and make them aware that a site offers more information on cookie handling in a privacy policy or a dedicated cookie policy.

Typical interactions with cookie consent involve clicking to agree to consent to some or all the cookies used by a website. A 2019 study of website visitors' view of cookie consent showed that 40% of users agreed to "only consent to mandatory cookies". Only 12% of visitors agreed to allow the use of all types of cookies (this would include behavior cookies).

The website owner: A cookie policy must reflect the types of cookies collected and their use. The policy must also capture the specific requirements of each jurisdiction of your website visitors. The best way to ensure that cookie policy requirements are met is to use the most stringent legislation as a common denominator.

The GDPR/ePR is currently the gold standard for cookie regulations. The hard part of complying with cookie regulations is in the maintenance of the cookie policy as cookie functionality and regulations change.

Cookie policies and the privacy debate

Cookies are used to provide a smooth user experience on a given website. For example, cookies ensure that shopping carts are updated and make logging into a website easier. But cookies are also contentious. Cookies have the power to track a user across the web. They can also store personal data, including behavioral information. It is for this reason that the EU's GDPR and the CCPA have defined cookies as being unique identifiers.

Currently, the USA has no federal privacy law. However, individual states, California being at the vanguard, are legislating for privacy. Website owners should keep a watchful eye on the changing landscape of privacy legislation across the USA.

Keep up with changes in privacy laws in the USA using the International Association of Privacy Professionals (IAPP) U.S. Privacy legislation Tracker, which keeps up-to-date details on a state-by-state basis.

Further complications in privacy that may impact cookie policies

Visitors from non-US countries: If your website expects to have visitors from the EU, recent changes to privacy law may affect your cookie policy. Until July 16, 2020, the EU and U.S. were able to manage data transfers between the two under a mutual agreement known as the "Privacy Shield". From July 2020, the Court of Justice of the European Union ("CJEU") invalidated the Privacy Shield in the "Schrems II" ruling.

On June 4, 2021, the European Commission determined that standard contractual clauses (SCCs), specifically designed to provide adequate safeguards for the transfer of personal data, would replace the Privacy Shield. Companies that transfer data from the U.S. to the EU via cookies should look at the impact of the new ruling.

Federal Trade Commission (FTC) enforcement: The FTC's remit to prevent "unfair and deceptive acts and practices" means that whilst it does not create privacy policy legislation, it can enforce privacy through other means. The types of enforcement actions taken by the FTC may impact your cookie and privacy policies, and include:

    Failure to abide by the details in a published privacy policy
    Make personal data transfers that are not disclosed in the privacy policy
    Make inaccurate privacy and security in a privacy policy
    Violate data privacy rights by collecting, processing, or sharing personal data

Do I need to offer a cookie policy for my U.S. website?

The short answer is "it is better to be safe than sorry, so put a cookie policy in place". If not, you will have to restrict access to your website to an increasingly limited demographic of visitors from geographies that do not have privacy legislation.