Most of the internet runs on cookies. While some cookies are necessary for a website to function properly, others exist to make the browsing experience smoother. The majority of active cookies, however, are third-party cookies used to collect user data for marketing and business development purposes.
With the recent advent of data privacy laws such as the GDPR and the CCPA, companies and organizations are now forced to follow strict regulations for how to handle personal data collected through cookies.
For example, one of the requirements of both the GDPR and the CCPA is for website owners to provide an elaborate and up-to-date cookie policy with details about which cookies their website installs, how long the cookies will remain installed, what kind of data they collect, etc.
Keep reading for a short introduction to cookies and the data laws GDPR and CCPA.
What are cookies?
Cookies are a type of tracking technology that was invented sometime in the early 1990s. The term “cookie” derives from “fortune cookie” because both types of cookie are structures containing a message.
There are four types of cookies: necessary cookies, preference cookies, statistics cookies, and marketing cookies. The latter two make up the majority of cookies on the internet. The reason for this is that businesses can use the collected data to create targeted advertising with the intent of acquiring more customers and sales.
Cookies can collect information such as IP address, technical specifications of a device, browsing activity and even sensitive information such as sexual orientation and political and religious beliefs.
Cookies are not a bad technology in themselves, though, as all they do is collect data. It is what one can do with the collected data that is concerning.
What is the GDPR?
The GDPR (General Data Protection Regulation) is an EU-wide data privacy law that regulates how companies and organizations manage the data of users within the EU. As such, a company or organization does not need to be physically located in the EU to fall under the GDPR. Simply catering to or having users from the EU is enough.
The gist of the GDPR is to hold companies and organizations accountable for how they handle data. As a result, they must provide transparency and documentation of active cookies and their purposes in addition to handing over control to their end-users, giving individuals complete control of how their data is used.
Furthermore, the GDPR demands that website owners get consent from their users before setting any cookies.
The GDPR took effect on May 25th, 2018, and non-compliance can result in heavy fines of up to €20 million or 4% of the organization’s global yearly turnover, whichever is higher.
What is the CCPA?
Similar to the GDPR, the CCPA (California Consumer Privacy Act) is a data privacy law that regulates how businesses handle personal information from California residents, with transparency and user control being the key concepts.
However, unlike the GDPR, only for-profit businesses fall under the regulations of the CCPA. Moreover, there are three thresholds to take into consideration. The CCPA applies to for-profit businesses that meet at least one of the following:
- Sell the personal information of 50,000+ California residents on an annual basis
- Have an annual gross revenue exceeding $25 million
- Derive more than 50% of their annual revenue from selling the personal information of California residents
Also unlike the GDPR, websites that fall under the CCPA are not required to obtain consent from their users before placing cookies. Here, it is sufficient to inform users about what data is collected and why, at or before the point of data collection. The only exception concerns California residents below the age of 16.
Non-compliance with the CCPA can result in fines of $7,500 per violation and $750 per affected user in civil damages. The CCPA took effect on January 1st, 2020.