Cookies compliance: a guide for global businesses

This article is intended for marketing-focused professionals, and will focus on Google Analytics (GA) and its current status in the European and American spheres of data protection laws. It will also include a quick method of checking what cookies are placed by your website and a short introduction of the “universal opt-out signals” that have gained regulatory traction in the US.

Cookies have been around since the dawn of the Internet. They are small text files that are dropped on your device when you visit a website, and can be used for a multitude of purposes such as remembering the products in your cart as you shop around, or your language or currency preferences. Although these uses sound rather harmless, cookies can also be used to “remember” each website visit and the products you view.

If you sell online, you likely use analytics cookies to track your website’s performance, understand user behaviour, and improve the online experience for your customers. From your customers’ perspective, knowing that their entire browsing experience is being monitored and possibly shared with third parties can feel intrusive, which is why people have started demanding more control over when and how such cookies are placed on their devices.

From a data protection perspective, analytics cookies inevitably lead to the collection, processing and sharing of personal data. It might not be obvious at first glance, but IP addresses are personal data and can be used to uniquely identify an individual. IP addresses can be linked to other personal data with the help of data brokers’ identity graphs. Besides IP addresses, analytics cookies and tracking pixels can even collect sensitive information, as was recently the case with a HIPAA-bound telehealth startup.

Quick overview of Google Analytics (GA) in Europe and the US

[Map figure] Created with Mapchart.net, as at March 2023

GA cookies don’t fare well in the European Economic Area (EEA) - the data supervisory authorities from France, Italy, Finland, Norway, Austria and Denmark have ruled that GA usage is unlawful. The Austrian authority was the first (January 2022), while the Norwegian one is the most recent (March 2023). This means that websites operating in these countries should not use GA unless they route the data through a proxy server that pseudonymizes it before it is sent to Google, which is a rather costly and complex solution. All of this is happening because these data supervisory authorities have ruled that no safeguards are sufficient to uphold the privacy of EU visitors with regard to GA data transfers.

The good news is that the upcoming Trans-Atlantic Data Privacy Framework, expected to be finalised within the next 6 months, should again legitimise data transfers from the EU to the US and allow websites to use GA in all EEA countries. Until then, organisations should be cautious and at least make sure they only place GA cookies after informed consent is received from European (EU) visitors. As for the UK, GA can be used without any hindrances as long as you receive informed consent.

In the United States, specifically in California, Virginia, Connecticut, Colorado, and Utah, GA cookies can be placed without consent, but users have to be presented with the option to opt-out. This opt-out can be exercised through various platforms, technologies, or mechanisms such as cookie banners, “Do Not Sell/Share My Personal Information” links, or through universal opt-out signals.

GA aside, a global organisation needs to have a dynamic approach to cookie compliance, where depending on a user’s geolocation, a certain cookie banner is shown that presents certain options based on the applicable legal requirements. For example, a Californian user will be shown a CCPA-specific banner that allows them to opt-out of targeting and analytics cookies, while a French user will be shown an EU-specific banner that asks for consent before dropping said cookies. Of course, you may go even lower at the national level as each EU Member State has implemented the ePrivacy Directive in a slightly different manner. Either way, this level of compliance granularity can be achieved by using a Consent Management Platform (CMP). Before you get to that, you might first want to know what cookies are placed by your website and whether they are correlated to the statements made in your Cookie Notice. Let’s look at a practical solution.

Checking cookie placement

Although there is a plethora of tools you can use to check cookie placement, such as CookiePro or Cookiebot, you might prefer a quicker, manual method before making use of such tools.

Step 1: Open a new private / incognito window in your browser and access the website you want to check. Do NOT press any buttons from the consent banner. Note: Use a browser that doesn’t automatically block third-party cookies.

Step 2: Press F12 to open the developer tools, go to the Console, paste the following line, and then press Enter:

sessionStorage.setItem("cookiesBefore", document.cookie);

This makes a snapshot of all the cookies placed before any consent actions.


Step 3: Consent to all (or some) cookies. You may repeat these steps to check the placement of each category of cookies.

Step 4: In the Console, paste the following code, and then press Enter:

// Snapshot taken in Step 2, split into "name=value" entries
var cookieArrBefore = sessionStorage.getItem("cookiesBefore").split("; ");
// Cookies present now, after consenting
var cookieArrNow = document.cookie.split("; ");
// Print every entry that was not present before consent
for (var k = 0; k < cookieArrNow.length; k++) {
  if (cookieArrBefore.indexOf(cookieArrNow[k]) < 0) {
    console.log(cookieArrNow[k]);
  }
}

The Console will now display all the cookies that were added after you consented. In this image, we can see that one cookie has been placed after consenting to all cookies (ignore the ƒ function entries the Console echoes back when you paste the code): ss_cookieAllowed.

Step 5: Compare the cookies displayed in the Console with the cookies mentioned in your Cookie Notice. If you spot any discrepancies, you might want to proceed with a comprehensive cookie audit. We at Trace conduct such cookie audits and can even help you implement a CMP, such as the one from our partner BigID.
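The five steps above can be carried out with a slightly more careful comparison than the one-liner: parsing each snapshot into name/value pairs separates cookies that are genuinely new from cookies whose value merely changed, and the observed names can be checked against the list declared in your Cookie Notice. The code below is an added example, not code from the article or from Trace; the cookie values and the declared list are constructed for illustration (ss_cookieAllowed is the name from the article’s screenshot, _ga is GA’s well-known cookie name with a made-up value).

```javascript
// Added example: compare two document.cookie snapshots (before and after
// consent) and check the newly placed cookies against a Cookie Notice.

// Parse a document.cookie string ("a=1; b=2") into a Map of name -> value.
// A cookie value may itself contain "=", so split only on the first one.
function parseCookieString(cookieString) {
  const cookies = new Map();
  if (!cookieString) return cookies;
  for (const part of cookieString.split(";")) {
    const entry = part.trim();
    if (!entry) continue;
    const eq = entry.indexOf("=");
    const name = eq < 0 ? entry : entry.slice(0, eq);
    const value = eq < 0 ? "" : entry.slice(eq + 1);
    cookies.set(name, value);
  }
  return cookies;
}

// Compare the "before consent" snapshot with the "after consent" snapshot.
// Returns names that are new, and names whose value changed. (Comparing
// whole "name=value" strings would report a changed value as a new cookie.)
function diffCookies(beforeString, afterString) {
  const before = parseCookieString(beforeString);
  const after = parseCookieString(afterString);
  const added = [];
  const changed = [];
  for (const [name, value] of after) {
    if (!before.has(name)) added.push(name);
    else if (before.get(name) !== value) changed.push(name);
  }
  return { added: added.sort(), changed: changed.sort() };
}

// Step 5: which observed cookies are not declared in the Cookie Notice?
// declaredNames is the list you maintain by hand from your own notice.
function undeclaredCookies(observedNames, declaredNames) {
  const declared = new Set(declaredNames);
  return observedNames.filter((name) => !declared.has(name)).sort();
}

// Constructed sample snapshots, in the format document.cookie returns.
const BEFORE = "ss_cvr=abc; lang=en";
const AFTER = "ss_cvr=abc; lang=fr; ss_cookieAllowed=true; _ga=GA1.2.1; _ga_X=GS1.1.x=y";
// Constructed "Cookie Notice" list: the GA cookies are deliberately missing.
const DECLARED = ["ss_cvr", "lang", "ss_cookieAllowed"];

function runExample() {
  const diff = diffCookies(BEFORE, AFTER);
  const undeclared = undeclaredCookies(diff.added, DECLARED);
  console.log("added after consent:", diff.added);
  console.log("changed after consent:", diff.changed);
  console.log("not in Cookie Notice:", undeclared);
  return { diff, undeclared };
}

runExample();
```

In the browser, paste the three functions into the Console and run diffCookies(sessionStorage.getItem("cookiesBefore"), document.cookie) in Step 4; only cookies readable by JavaScript appear in document.cookie, so HttpOnly cookies must be checked in the developer tools’ Application/Storage tab instead.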

Global Privacy Control (GPC) as a Universal Opt-Out Signal

GPC is an open-source, browser-level signal through which users express their preference not to be tracked. In simple terms, when activated, the browser waves a flag that informs websites that they should not share or sell personal information associated with that interaction. The CCPA now requires businesses to honour such signals as if they were valid consumer requests to stop the sale or sharing of personal information; the first enforcement action under the CCPA specifically requires Sephora to implement GPC. The Colorado Privacy Act and the Connecticut Data Privacy Act have a similar requirement effective on July 1, 2024 and January 1, 2025, respectively.

GPC and similar tools are gaining traction in the eyes of legislators. You can very easily check whether a website has implemented GPC by visiting its /.well-known/gpc.json page: yourwebsite.com/.well-known/gpc.json. A website that hasn’t yet implemented it will return a 404 “Not Found” error. Implementing GPC is surprisingly easy, and no personal information has to be collected or disclosed.
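The geolocation-dependent banner logic described earlier (consent before dropping cookies in the EU, opt-out in the named US states) and the GPC signal just described come together on the server. The example below is added here and is not code from the article, from Trace or from any CMP vendor: it decides which non-essential cookie categories a request may set, treats an incoming GPC signal as an opt-out in the jurisdictions the article names, and produces the /.well-known/gpc.json document. The browser sends GPC as the request header Sec-GPC: 1, and the well-known file’s gpc and lastUpdate fields are the ones the GPC specification defines; the region codes, the two cookie categories and the policy table are assumptions for illustration, not legal advice.

```javascript
// Added example: jurisdiction-aware cookie decision honouring Global Privacy Control.

// Consent model per region, following the article (region codes are assumed).
const CONSENT_MODEL = {
  "EU": "opt-in",
  "UK": "opt-in",
  "US-CA": "opt-out",
  "US-VA": "opt-out",
  "US-CT": "opt-out",
  "US-CO": "opt-out",
  "US-UT": "opt-out",
};

// Regions where the article says GPC must be honoured as a valid opt-out
// request (Colorado and Connecticut from the effective dates it gives;
// treating them as in force already is the conservative choice).
const GPC_HONOURED = new Set(["US-CA", "US-CO", "US-CT"]);

// Non-essential categories a banner would offer (assumed names).
const NON_ESSENTIAL = ["analytics", "targeting"];

// GPC arrives as the request header "Sec-GPC: 1". Header objects from
// most frameworks lower-case names; accept either spelling.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(value ?? "").trim() === "1";
}

// Decide which non-essential categories may be set for this request.
// state = { region, consented: Set of categories the user opted into,
//           optedOut: true if a "Do Not Sell/Share" link or banner was used }
function allowedCategories(state, headers) {
  const model = CONSENT_MODEL[state.region];
  if (model === "opt-out") {
    const gpcOptOut = GPC_HONOURED.has(state.region) && hasGpcSignal(headers);
    return state.optedOut || gpcOptOut ? [] : [...NON_ESSENTIAL];
  }
  // Opt-in regions, and unknown regions as the safe default: nothing
  // non-essential until the user has actively consented to it.
  return NON_ESSENTIAL.filter((c) => state.consented.has(c));
}

// Body of /.well-known/gpc.json. "gpc" and "lastUpdate" are the spec's
// field names; the date you pass is when your GPC handling last changed.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed requests showing the three outcomes.
function demo() {
  const noConsent = { region: "US-CA", consented: new Set(), optedOut: false };
  return {
    californiaPlain: allowedCategories(noConsent, {}),
    californiaGpc: allowedCategories(noConsent, { "sec-gpc": "1" }),
    euAnalyticsOnly: allowedCategories(
      { region: "EU", consented: new Set(["analytics"]), optedOut: false },
      { "sec-gpc": "1" }
    ),
    wellKnown: gpcWellKnown("2023-03-01"), // constructed placeholder date
  };
}

console.log(demo());
```

The simplest way to stay on the right side of every jurisdiction in the table is to honour GPC everywhere rather than only where GPC_HONOURED requires it; the set is kept here to mirror the article’s description. On the client, the same signal is readable as navigator.globalPrivacyControl, which a CMP can use to pre-select the opt-out in its banner.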

Conclusion

We are bound to see significant developments in the near future - the approval of the Trans-Atlantic Data Privacy Framework will likely make GA usage lawful again, while the ePrivacy Regulation might be finalised and bring amendments to the lawful overall usage of cookies. Short term, the regulations implementing the CCPA and the Colorado Privacy Act will offer us a better understanding of how universal opt-out signals are to be implemented.

Trace keeps up with all the latest privacy news and developments and can help you navigate and implement practical solutions that strike the right balance between data-driven marketing efforts and compliance with global data protection laws. Reach out to us for an informal discussion about your needs and we’ll be glad to give you some insights.

This article was authored by Trace privacy consultant Bogdan Barburas, CIPP/E, CIPT, CIPM, CIPP/US.
