Cookie Consent and Authorized Data Collection_Mar23.pdf
0 likes34 views
The document is a comprehensive guide on cookie consent and data collection practices, focusing on privacy management for businesses dealing with EU and US customers. It outlines the types of cookies, the laws governing cookie usage, compliance requirements for companies, and best practices for ensuring data privacy. The guide emphasizes the importance of user consent management and provides insights into tools like Adzapier for effective compliance with privacy regulations.
Cookie Consent and Authorized Data Collection_Mar23.pdf
- 1. E - B O O K COOKIE CONSENT & AUTHORIZED DATA COLLECTION: THE WAY TO ASSURE PRIVACY
- 2. 1 Customer data needs safe handling, and unbridled use of various data tracking technologies can hinder data security. Therefore, business owners and marketers should emphasize identifying the potential harm of using data collection technologies. Cookies have long been known to bring setbacks to global corporations. However, other technologies can also set a business on fire if not used responsibly. This handbook will focus on the cookie consent requirements for businesses that deal with the European Union and U.S. customers.
- 3. Part 1: Understanding Data trackers, Consumer Data Privacy Rights, and the need for prioritizing privacy management processes within an organization. 2 An Overview of Web Cookies Cookies are small pieces of text that websites place on user devices (smartphones, tablets, PCs.) Websites use cookies for a variety of reasons. While some cookies are ‘essential’ for a site’s functioning, others are placed on user devices for fulfilling specific purposes. The essential cookies allow the proper functioning of a website’s features (such as identifying a registered user or locking users’ language preferences.) These cookies also let playing embedded videos without affecting website speeds. On the other hand, a website can work fine without the ‘non-essential’ cookies. Websites use these cookies to gather specific information about visitors. The data collected by these cookies contain, but is not limited to: • Use activity on various pages • Individual’s web browsing history • Users IP address • Social Security Number • Payment Details
- 4. 3 Based on lifespan There are two types of cookies based on their active duration on a user device (smartphone, PC, tablet.): Session Cookies: These cookies remain active on a browser until the user exits a website. The expiry time of session cookies varies for the ‘session duration’, the amount of time a user spends on a website. Persistent Cookies: These are cookies used to perform deliberate data collection even after visitors exit a website. Also known as ‘tracking’ or ‘stored’ cookies, these do not get deleted when visitors leave a website. Instead, persistent cookies can stay active on user devices for up to 2 years. There’s another type of persistent cookie called a Super Cookie. The website visitor cannot detect it as it does not land in the location where other browser cookies are stored on user devices. This type of web cookie is also notoriously hard to remove as it rebuilds upon deletion. Based on the source of origin Web cookies can originate from two kinds of sources: First-party Cookies: The cookies employed by websites for carrying out specific functions, such as remembering users upon revisits, are known as first-party. These cookies may or may not be essential for the proper functioning of a website. However, site owners can use them to deliver tailored user experiences. Third-party Cookies: These cookies are deployed by third parties on user devices. Organizations other than the site being visited by an internet user are known as third-party, including ad services, google integrations, and other website data collection technologies. These cookies are placed for capturing data needed to facilitate the services incorporated in websites through third-party integrations. An example of a third-party cookie is an analytics cookie stored by Google for recording customer journeys on behalf of a website. Cookies generated by video streaming services such as YouTube and Vimeo also come under this category. Types of Cookies Internet cookies are classified into two categories:
- 5. 4 The Laws that Govern Cookie Use The ePrivacy directive and the General Data Protection Regulation (GDPR) in 27 European Union (EU) countries govern the use of cookies and similar technologies. The GDPR is applicable in the United Kingdom, which is no longer a part of the EU. While the GDPR lays down explicit instructions on how companies can safeguard an individual’s data privacy rights, the ePrivacy directive takes precedence in cases where cookies violate data privacy laws. In the U.S., no federal law governs cookies and similar technologies. However, California is the first state to establish and enforce a data protection law. The California Consumer Protection Act, or CCPA, monitors companies' data processing and protects California residents' privacy rights. The California Privacy Rights Act, or CPRA, is an amendment to the CCPA and will come into full effect in 2023. It aims to expand the capacity of the existing law by redefining the definitions of ‘personal data’ and placing new obligations on businesses. Other Data Tracking Technologies that concern individual data Privacy Although this guide focuses on the use of cookies, there are similar data collection technologies that businesses need to keep in mind while implementing privacy management practices. Websites can use the following types of data trackers to collect user information with or without providing clear information to visitors: • Embedded Scripts • Pixel Tags • Fingerprinting • Mobile Ad identifiers A website or mobile app may not use all the technologies mentioned on user devices. However, third-party vendors hired by websites use vivid tracking technology to provide a requested service. For example, if a website uses Google Analytics (GA) to evaluate the performance of webpages and customer response, GA places trackers on user devices. The trackers (scripts, tags, etc.) used by GA are loaded on user devices on behalf of the business or website using its services.
- 6. 5 Virginia is the second state to implement a full-fledged data privacy law in the form of the Virginia Consumer Data Protection Act or VCDPA. Also, Utah, Connecticut, and Colorado will soon have their privacy laws in place. Compliance is complicated, yet crucial! Whether a website uses first-party or third-party cookies on user devices does not matter. A company’s need for collecting personal information is also irrelevant in terms of customer data privacy. The only thing that should matter to businesses is taking responsibility for the safety and anonymity of consumer data. The laws around data privacy and confidentiality are getting stricter by the day, and businesses need to keep up with the evolving regulations. Maintaining a trusting relationship with website visitors is essential for the growth of online companies. Therefore, respecting and complying with data privacy laws is the best way forward! Severe Penalties for Data Violations The penalty for trespassing the privacy rights of EU citizens can go as high as €20 million (roughly $20,372,000), or 4% of a company’s global annual turnover. Laws in the U.S. can penalize businesses with up to $7500 for each intentional violation of the privacy rights of California residents. The Virginia law places a similar fine on companies that violate the data protection law. The fines for Children’s data privacy rights violations are steeper and are formidable! The Need for Effective Privacy Management Big companies, including Facebook, Instagram, TikTok, Amazon, Sephora, and H&M, have recently been in the limelight for trespassing privacy rights of consumers. Hefty financial and reputational damages can be a factor that propels these companies towards handling customer data with tremendous respect and keeping them from committing heinous violations in the future. User consent management can help avoid severe reputational and financial damages. Small and medium-scale companies must learn from the mistakes made by giant firms. Privacy regulations impact a business regardless of its market size. Moving forward, companies must commit to adopting and implementing responsible data collection and processing practices.
- 7. Part 2: Identification and Implementation of Compliance Practices. 6 Compliance Requirements Complying with the EU and US data privacy regulations can be complicated, but it isn’t impossible! The GDPR is an elaborate law, and its key requirements are as follows: • Informing individuals about the data policy and data sharing or selling policies • Allowing for easy ‘opt-out’ of various data collection and processing methods • Seeking user content before placing cookies and other trackers on user devices • Respecting user consent • Not Discriminating against individuals based on consent choices While the U.S. laws have much familiar with the GDPR, they have some fundamental requirements: • Informing customers about their privacy rights and how to access them • Collecting explicit user consent before placing non-essential cookies and other trackers on user devices • Allowing for easy opt-out of the sharing and selling of personal data • Limiting the data collection to the information needed for providing services asked by an individual
- 8. 7 Best Practices for Compliance Small and medium-sized businesses can implement the following practices for compliance with the privacy regulations: Appoint a Dedicated Data Protection Officer(DPO): It is feasible for many companies to have a single DPO who can cater to their data protection requirements. Use a reliable consent management solution: While having a common DPO is an exemption given to small and medium-sized businesses, it is beneficial to use comprehensive software to assure customer data privacy and compliance. Keep a check on Cookies: Businesses must keep track of how many and what kinds of cookies and similar technologies they intend to place on user devices. Proactive Privacy Management: Companies must focus on proactively informing their customers about their data and cookie use policies. Simple and accessible policy banners explaining data collection and processing terms and conditions are helpful. Businesses also need cookie banners that allow collecting valid user consent for data processing while making privacy a promise to the customers. Plan and Proceed: While getting compliant with the existing and emerging privacy regulations can be daunting, it is easier with the help of experts. Thus, small and medium-scale businesses can use privacy compliance service providers for hassle-free compliance. However, it is also crucial not to fall prey to dubious cookie consent tools. Many tools that seem ‘free’ can accumulate visitor data without informing the customer or the website owners.
- 9. 8 Adzapier Consent Manager: Effective Privacy Management on the go! Adzapier provides a comprehensive and accessible Consent Management Platform for small and medium-scale businesses. The following are some of the key features of the CMP: Cookie Auto-blocking: Adzapier CMP ensures all unnecessary cookies stay inactive on the web browser until users approve them. Auto-cookie blocking allows website owners to comply with the laws of different countries by keeping non-essential (persistent or third-party) cookies inactive before getting user consent for their placement. Cookie Search tool: This tool identifies and categorizes a website's cookies. It provides an accurate list of active and inactive cookies on a website. It allows for scheduling monthly, or weekly website scans that help stay updated on the cookie use status. Google Consent Mode: with Google Consent Mode, websites can ensure that cookies and similar tracking technologies from Google services do not load on user websites without prior consent. This mode ensures that third-party cookies from integrated services such as Google Analytics stay inactive unless approved by website visitors. Customizable Cookie Banners: Adzapier CMP allows customizing cookie banners to fit a website’s style and design. The banners can be created in different fonts and take custom text inputs so that websites can set the tone of the written information. On-screen recording: Collecting user consent is one-half of the compliance strategy, and maintaining proof of consent is another. Adzapier CMP enables on-screen recording on websites that allow keeping detailed records of when and to what data collection practices and methods visitors consent.
- 10. 9 Adzapier CMP also provides the following: Data Security: With Adzapier, website owners and marketers can be sure about the safety of customer data. The platform serves as a consent management system and does not compromise the privacy of website visitors. It collects user consent without interfering with the data collection practices of a website upon receiving and transferring valid user consent. Assured Compliance: Adzapier CMP assures full compliance with the GDPR, CCPA, CPRA, and VCDPA. Seamless Integration: The platform is easy to integrate with websites hosted on various platforms such as WordPress, Squarespace, bigCommerce, and Shopify. It does not affect the functionality of a website or slow its loading speeds. Easy Access: Adzapier Consent Management solution provides an easy-to-access dashboard with the tools and features businesses need to comply with the EU and US data protection regulations. The dashboard allows managing user consent without the need for multiple software integrations. Dedicated Support: The CMP offers small and medium-sized businesses end-to-end privacy support and counseling. From realistic product demos to on-call support, Adzapier offers the best-in-class customer service that ensures privacy compliance!
- 11. www.adzapier.com sales@adzapier.com (855) 212-9063 2021 Adzapier. All Rights Reserved Any information obtained from the Adzapier website, services, platform, tools, or comments, whether oral or written, does not constitute legal or regulatory advice. If legal assistance is required, users should seek legal advice from an attorney, a lawyer, or a law firm. Get a Free Consultation Keep Reading 10 FAQs Is Cookie Consent Mandatory? Yes. Any business that collects, shares, processes, sells or buys customer data should disclose the practices on its website. The company must also collect explicit user consent before deploying cookies on user devices. Is a cookie banner a legal requirement? Of Course! A cookie banner allows companies to inform website visitors about its cookie use while enabling the collection of user consent. It is not only a legal requirement but a vital incorporation of websites. Can cookies be installed without permission? No, never! Companies may think they can stay unnoticed, slyly placing cookies on user devices, but that’s unsafe. People are becoming more aware of their privacy rights, and data laws are evolving. It is time companies favoring deceptive cookie use practices get their act together. Can I write my own cookie policy? Yes. However, it is not one of the best practices to write cookie policies without expert legal advice. The GDPR provides cookie policy templates that website owners can customize. Website owners can employ dedicated policy generators to create tailor-made privacy policies that do not risk privacy rights violations.