Best Practices for Using Cookies and Cookie Consent | TrustArc
This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.
Source URL: https://trustarc.com/resource/best-practices-cookie-consent/
Content Type: resource
Websites today are rarely a single-party affair. On any given website, consumers typically interact with many third parties that collect private data about them, whether web visitors realize it or not.
What are internet cookies?
Internet cookies – little data files – store information in consumers’ web browsers. There are benefits for consumers who accept cookies. For example, cookies let websites remember past interactions, website logins, shopping carts, pages visited, and more, offering more personalized and convenient website visits. Not all cookies are the same, and there are privacy issues that businesses collecting data need to be aware of.
What are the different types of cookies?
First-party and third-party cookies
First-party cookies are stored by the website domain consumers visit.
They only work on that domain. First-party cookies make the consumer experience smoother by remembering information such as login details, cart information, and site preferences. Third-party cookies come via external domains that aren’t the website users have visited. They can follow consumers from site to site, with each site using the information stored in the cookies to retarget users.
Permanent cookies and session cookies
Permanent or persistent cookies stay in your browser for an extended period of time, over multiple browser sessions. Session cookies, in contrast, expire as soon as the browsing session is over.
When third parties collect consumer data through technologies not readily apparent to consumers, like cookies, it creates privacy risks because consumers are unable to make informed
decisions about their data. Government regulators around the world have established regulations and laws governing this type of data collection. It’s important for companies to fully understand how they use cookies, what third parties collect data on their site, and how they and these third parties collect and use this data.
What are the laws and regulations around cookies?
A number of laws regulate how third parties collect data online. In the EU, the Cookie Law (aka ePrivacy Directive) and General Data Protection Regulation (GDPR) protect consumers’ privacy rights by allowing them to choose whether to allow companies to collect, store, and use their personal information. Together, these two laws form the world’s strictest data privacy regime. While there is
no equivalent overarching law in the U.S., a number of states have implemented laws regulating cookie usage as it relates to their residents. These include the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).
What should I know when using internet cookies?
Cookies can be an effective way to target consumers. However, it could be detrimental to your business if you don’t and private data correctly. There are a number of best-practice steps you should be aware of when choosing how to employ cookie technology on your website:
Classify your cookies, and use a unique domain name per technology, such as HTTP cookies, web beacons, JavaScripts, and Flash LSOs. This is to separate any online
behavioral advertising practices from those that are not online behavioral advertising.
Have a clear and simple opt-out policy: Use the same cookie name per opt-out mechanism. For example, the opt-out cookie set for the DAA opt-out mechanism has the same name as the cookie set for the NAI opt-out mechanism. Cookies used to manage opt-out preferences need to have a minimum expiration date of five years to adequately honor user preferences. Your opt-out mechanisms need to be tested regularly to verify that they function properly.
Establish strict policies around data retention: Retain data only as long as needed to carry out its business purpose, or as long as legally required. Where possible, use session cookies instead of persistent cookies. Give
users a choice, where appropriate, to accept a persistent cookie (such as a login cookie). When using persistent cookies, set an expiration date consistent with the shelf life or usefulness of the data you collect.
Audit, understand and review cookie use: Audit the use of cookies on your site and how you use cookies on third-party sites. Verify that the use of cookies is consistent with your privacy policy or the privacy policy of the third-party site where your cookies are placed. Verify that third parties setting cookies on your site are authorized to do so. Understand what types of third parties set cookies on your site and the purpose of those cookies. Verify that third parties aren’t collecting data
in a manner inconsistent with your own privacy policy. Understand what data is being captured on the cookie. Cookies shouldn’t store sensitive information such as credit card numbers.
What do I need to let consumers know about cookies?
When you’re using cookies on your site, it’s important to:
Disclose in your privacy policy what information cookies and other technologies collect, and how that information is used.
Disclose the types of cookies being used on your site. Organize them by their purpose.
Explain what options users have when it comes to your company’s use of cookies, such as opting out of tracking. You should also state what opt-out choices are available.
Multi-site trackers should require publishers and sites within their network
to disclose via their privacy policies that a third party will be tracking a user’s activity on this and other websites. They should also provide a link to an opt-out mechanism.
Where possible, provide notice outside of the privacy policy, using tools such as the
How do I let web visitors know about cookie use?
Make sure you inform users of all the types of cookies you’ve employed previously, too.
Will internet cookies be a thing in the future?
Google has flip-flopped on its announcement to phase out the use of third-party cookies in 2024. In a significant shift from previously communicated plans and strategy, on July 22nd, 2024, Google announced it would no longer be phasing out support for third-party cookies in
its Chrome browser. Find out what that means for your business.
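The audit, retention and opt-out checks listed under the best-practice steps can be automated over `Set-Cookie` headers captured while crawling a site. The following is an added example, not part of the original page: the host names, cookie names, inventory format and the `audit` helper are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

FIVE_YEARS = 5 * 365 * 24 * 3600  # minimum opt-out cookie lifetime, in seconds

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """Lifetime in seconds, or None for a session cookie. Max-Age overrides Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit(observations, site, authorized, opt_out_names, retention, now):
    """Return sorted (cookie, issue) pairs for cookies that break the policy."""
    findings = set()
    for host, header in observations:
        name, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        first_party = host == site or host.endswith("." + site)
        if not first_party and host not in authorized:
            findings.add((name, "set by unauthorized third party " + host))
        if name in opt_out_names:
            if life is None or life < FIVE_YEARS:
                findings.add((name, "opt-out cookie expires in under five years"))
        elif name not in retention:
            findings.add((name, "not in cookie inventory"))
        elif life is not None and (retention[name] is None or life > retention[name]):
            findings.add((name, "outlives documented retention period"))
    return sorted(findings)

# Constructed sample data: hosts, cookie names and limits are hypothetical.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("shop.example", "session_id=abc; Path=/; HttpOnly; Secure"),
    ("shop.example", "cart=xyz; Max-Age=31536000; Path=/"),
    ("ads.adnetwork.example", "optout=1; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/"),
    ("cdn.tracker.example", "uid=42; Max-Age=63072000; Path=/"),
]
RETENTION = {"session_id": None, "cart": 30 * 24 * 3600}  # None = session only
RESULT = audit(OBSERVED, "shop.example", {"ads.adnetwork.example"}, {"optout"}, RETENTION, NOW)
```

Here `RETENTION` stands in for the cookie inventory that the disclosure steps require, mapping each documented cookie to its longest permitted lifetime.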