Cookies, Privacy, and What You Need To Know About Website Tracking
Tom Armitage
Introduction
Most of us associate digital marketing with the obvious examples we see day in and day out. Things like YouTube videos, email campaigns, and digital payment apps. There’s a hidden side to digital marketing though. One associated with tracking, data, and privacy. And it stands behind the cleverest (and maybe even one of the happiest) of words.
🍪 Cookies. 🍪
What Are Cookies?
I wish I was talking about baked goods. This would be a much more enjoyable read. Instead, we’re talking about small text scripts that are installed on the backend of a website. And they are far more important to a digital marketer than an afternoon snack.
Cookies are a general term for any piece of code that helps track user data. This can be either anonymous data (track activity) or specific data (stores personal information). They identify web browsers as unique internet users rather than treating millions of people as the same. Cookies allow marketers to better serve their audience by providing them with ads, emails and experiences specifically meant for them.
It’s important to know too that cookies aren’t necessarily just tracking the user in real-time, or on that specific site. Cookies can “stick” with the user even after they leave the website where tracking first began, and continue identifying and tracking their behaviors thereafter.
Functional vs Tracking Cookies
Many web users have gone from having no knowledge about cookies to having misconceptions about cookies. With major news stories in recent years surrounding Facebook and other big tech companies, consumers are starting to understand a bit more about tracking, but it’s not always accurate.
Let’s begin here.
There are two forms of cookies: first-party and third-party.
First-party cookies are ones used to track, capture and store data by the business itself (who is managing the website). It’s important to note that a large number of first-party cookies are what’s called “functional cookies.”
This means that they aren’t used for analytical or marketing purposes, but rather, they help provide a better user experience for the web user. In fact, some websites or web features can’t even function without using these cookies.
Consider:
- Sites that remember your username and password,
- Credit card information being stored to make repeat purchasing easier, or
- Amazon providing you with an “If you bought this, you might be interested in this” recommendation.
Third-party cookies, on the other hand, are largely used for analytics, marketing, and research purposes. They are called third-party because the data is captured and stored by third-party software providers; the business is simply using its website as the platform for tracking, while having access to the data, too, of course.
Some examples of this might be:
- Local stories running on a website – using your location or IP to provide you with more relevant news.
- A heat mapping software that lets you track user behavior and improve navigation and user experience of the website, or
- Facebook remarketing ads being used that are based on what products you previously expressed interest in.
Almost every website you visit uses some form of cookies. Many use a combination of both first-party and third-party. Consider popular tools like Google Analytics, Hubspot, Marketo, Salesforce, MailChimp, SalesLoft, WooCommerce, and Shopify. Powerful stuff!
Without cookies, there’d be a lot of guesswork in marketing, and we’d see a lot of irrelevant ads all over the place, too.
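As an added example (not from the original article), the sketch below classifies cookies for an audit: it parses `Set-Cookie` headers, marks each cookie first-party or third-party by comparing its domain with the site being audited, and reports whether it persists after the browser closes. The hosts, cookie names and header values are constructed, and `SITE` is assumed to be the audited site's registrable domain.

```javascript
// Added example: classify observed cookies for a cookie audit.
// All hosts, cookie names and header values below are constructed sample data.
const SITE = "shop.example"; // assumption: registrable domain of the audited site

// Each record: the host whose response carried the header, plus the raw Set-Cookie value.
const observed = [
  { host: "www.shop.example", header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.shop.example", header: "cart=42; Max-Age=2592000; Path=/; Secure" },
  { host: "ads.tracker.example", header: "uid=9f8e7d; Max-Age=31536000; Domain=tracker.example; Secure; SameSite=None" },
];

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Exact match or true subdomain; "evilshop.example" must not match "shop.example".
function isSameSite(host, site) {
  return host === site || host.endsWith("." + site);
}

function classify(record, site, now = Date.now()) {
  const c = parseSetCookie(record.header);
  const d = c.attrs.domain;
  // A Domain attribute widens the cookie's scope; a leading dot is ignored.
  const scope = (typeof d === "string" && d ? d : record.host).replace(/^\./, "").toLowerCase();
  let lifetimeDays = 0; // 0 means a session cookie (gone when the browser closes)
  if (c.attrs["max-age"] !== undefined) lifetimeDays = Number(c.attrs["max-age"]) / 86400;
  else if (typeof c.attrs.expires === "string") lifetimeDays = (Date.parse(c.attrs.expires) - now) / 86400000;
  return {
    name: c.name,
    scope,
    party: isSameSite(scope, site) ? "first-party" : "third-party",
    persistent: lifetimeDays > 0,
    lifetimeDays: Math.round(lifetimeDays),
    crossSite: String(c.attrs.samesite || "").toLowerCase() === "none", // sent on cross-site requests
  };
}

const report = observed.map((r) => classify(r, SITE));
console.table(report);
```

Long-lived third-party cookies with `SameSite=None` are the ones that follow a visitor across sites, so they are the first rows to check against the consent tool and Privacy Policy.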
Summary of Important Laws
Currently, there aren’t any direct laws in the United States that prevent businesses from using cookies to track web users. That includes both first-party and third-party cookies.
However, the European Union did crack down on tracking a few years ago, and it’s possible that similar laws could be passed in the U.S. in the coming years.
Therefore, it’s important businesses understand what they are up against.
COPPA
The Children’s Online Privacy Protection Act, or COPPA, helps protect children under 13 from having their information tracked. Companies must take active steps to avoid collecting personal information from children.
CCPA
The California Consumer Privacy Act, or CCPA, was implemented in 2020. It applies to businesses that gross more than $25 million annually; that buy, receive, or sell the personal information of 50,000 or more California residents; or that derive 50% or more of their revenue from selling California residents’ data. If any of these criteria are met, the business must have a CCPA-compliant Privacy Policy and must reveal, on the website, the specific information being collected about California residents, as well as the purpose of that data collection. The business must also provide an opt-out option to stop the cookies from tracking if the user so chooses.
GDPR
The current General Data Protection Regulation, or GDPR, was implemented in 2018. This regulates citizens’ control over personal information across the European Union (EU). It affects any business that sells to those in Europe or holds the personal information of European citizens. To comply with this law, businesses must affirm that users are aware of and consent to cookies on a website, give users the option to set their cookie preferences, and provide the ability for users to revoke consent at any time.
Consent Pop-Ups: Browsewraps vs Clickwraps
If you meet the criteria for GDPR, or if you simply want to give your users the option to opt-in or opt-out of cookie tracking – you’ll likely want to use a pop-up tool that can easily be integrated into your site, in order to gain cookie consent from users.
These pop-ups typically appear when users visit the site for the first time and provide information about privacy and the type of cookies that are used on the site. They also give users the ability to opt-in for cookies, opt-out of cookies, or customize which cookies they’d like to opt-in or opt-out of.
The pop-up must be noticeable – therefore, most companies use clickwraps or browsewraps.
A clickwrap is more direct. These pop-ups use “express consent” by forcing the user to either opt-in or opt-out before moving on to the site.
A browsewrap is more indirect. It suggests “implied consent” since users are given information about privacy and tracking – but can simply bypass it and continue on with their web browsing.
Many privacy experts believe that, as the tech world gets more strict with privacy, tracking, and security, it’s possible that browsewraps will fall by the wayside to make way for clickwraps only.
Are Privacy Policies Needed?
Privacy Policies exist outside of cookie consent pop-ups. And they are just as important.
Many marketers often ask: “Do I need a Privacy Policy?” The answer is yes. Here’s why.
If you must adhere to GDPR or CCPA, then you absolutely must have a Privacy Policy. But even if you don’t meet the requirements for those two laws, most software companies require you to include information about their software in your Privacy Policy.
Many people copy and paste Privacy Policies they find on others’ websites. This is bad practice for two reasons.
First, you’re stealing material/content that’s copyrighted by the original creator – which is illegal.
Second, your Privacy Policy should be specific to your particular website and the cookies that you are using. If you copy/paste another website’s policy, yours will be inaccurate.
Remember that Privacy Policies are important legally-binding documents that ensure your users are aware of how you are tracking them and using their data. You should always consult with your legal team when writing your Privacy Policy or making updates.
Are Terms & Conditions Needed?
A Privacy Policy explains how you are collecting, using, and sharing the personal information of users. It protects the user.
Terms & Conditions (also called “Terms of Service”), on the other hand, protect you – the business.
They outline the rules and guidelines for your website. They form a contract between you and the user, and they safeguard you legally if there’s a disagreement over how users are using your website, its features, or its content.
Depending on your business, what you sell, and where you operate, it’s possible that you’re required by law to have Terms & Conditions on your site. Even if it’s not required, it’s still a good practice for all businesses, even if, at minimum, it establishes copyright for the content on your site.
Terms & Conditions are also legally-binding documents. Consult with your legal team when producing your Terms & Conditions and before publishing or updating them on your website.
Recommended Actions
If you’ve read this far and are still confused, here are the steps we recommend you take:
Step 1
Understand more about the laws that you’re required to follow based on how and where you do business. If you conduct business in California or Europe, pay extra close attention.
Step 2
Audit your tech stack and the current cookies on your website – and the cookies that you plan to use on your website in the future. This includes both first-party and third-party, and both functional and tracking ones.
Step 3
If you choose to (or are required to), install a cookie consent pop-up tool that gains consent from users regarding your cookie policies, directs them to your Privacy Policy, and asks them to opt-in or opt-out. Make sure it takes all your cookies into consideration. Have your legal team review this tool, its functionality, and the way it’s seeking consent.
Step 4
Prepare a page that contains your Privacy Policy, which informs users what cookies are being used, where you are storing that data, and how you are using that data. Make sure to have your legal team review that before publishing.
Step 5
Prepare a page that consists of your Terms & Conditions, specific to the content and features of your website. Be sure to have your legal team review before publishing.
Step 6
Ensure your Privacy Policy page is readily available and easy to find. Some marketing tools or advertising platforms will require you to submit your Privacy Policy URL before use.
Disclaimer
This information is for educational purposes only and is not meant to provide legal advice. Before implementing any policies regarding cookie consent, Privacy Policies, or Terms & Conditions, it is recommended you work directly with your lawyer. Site-Seeker is not liable for any actions taken against a business related to the above information or policies.