Does My Website App Need A Separate Cookie Policy, Too?

[Image: Perfect Chocolate Chip Cookies by Kimberly Vardeman, Creative Commons Attribution 2.0 Generic (image cropped)]

I’m often asked by potential (and even existing) clients whether their company’s website or app needs an actual, separate Cookie Policy, or whether it’s sufficient to address Cookies in their privacy policy or statement alone. In this post, we explore what a Cookie Policy is, the main laws that currently apply, and the legal and practical considerations of separating your Cookie Policy from your Privacy Policy (which you, of course, already have, right?).

What are Cookies anyway?

[Experienced website owners and developers may want to skip ahead] To step back a bit, “cookies” are small text files that store data on your device (your computer, smartphone, or other device) and are sent to a specific server (normally belonging to the website the user is accessing). Cookies allow the site or app to remember things like your login, prior searches, or items you left in an online shopping cart, and thereby improve the user’s experience and future interactions. At the same time, for consumer and privacy advocates, some Cookies make it far too easy for websites and apps to track a user’s every online move and use their browsing histories for the site or app owner’s own gain.

What is a Cookie Policy?

A Cookie Policy is a statement that ideally lets users of your site or app know what Cookies are active, what data is being collected and tracked, for what purpose, and where such data is going.

In the past, this information was included (if it was ever given at all) within fairly vague and oftentimes unreadable privacy policies, or even the Terms of Use or Terms of Service, for the website or app.

As a result, users would end up accepting almost any terms of service or Privacy Policy without actually reading them (shocking, I know!) or affirmatively consenting to have their data and history tracked.

Is a separate Cookie Policy really required by law?

Good question. One to which I will respond with a very attorney-like “Yes and No.”

Whether a Cookie Policy is in fact mandated will depend on which law you’re referring to and, if no law actually applies to your site or app, on which users your site or app is directed towards and actually has (or might likely have). Confused yet?

Let’s put it another way. As of the time of this post (and I can comfortably say for the foreseeable future), there is no Federal law mandating that a business have a “cookie policy” per se (although there might be Federal Trade Commission Act concerns if your business, say, says it has or adheres to a Cookie Policy when it, in fact, doesn’t).

However, a specific, separate Cookie Policy may be required to comply with the EU’s “Cookie Law”, General Data Protection Regulation (“GDPR”), as well as California’s recently enacted California Consumer Protection Act (“CCPA”) and possibly the consumer or privacy laws of your own state.

EU Cookie Law

By now you have no doubt visited your favorite website or app and had a little (oftentimes annoying) pop-up that asks your permission to use Cookies. If you’re like most people over the past few years (although maybe not so much any more), you probably wondered why the heck all these apps and websites are doing this.

Back in 2011, the European Union adopted Directive 2009/136/EC (a/k/a the “Cookie Law”) as part of the EU’s effort to expand online privacy for its citizens. The Cookie Law affects all websites based in the EU or targeting users in the EU and requires website operators to promptly alert users of the presence of Cookies, as well as to explain the specific types of Cookies being employed.

More importantly, users must be able to refuse or accept the placement of Cookies on their devices. Therefore, when you run across those banner or pop-up notifications in your browsing, it is basically that site or app complying with the Cookie Law.

Does my U.S. website or app have to comply with the Cookie Law?

As with so many things in the law, there is not an entirely black and white answer.

First, the low-hanging fruit: if you’re based in the EU or obviously directing your activities towards citizens of the EU (whether or not they’re actually within the EU), then the Cookie Law almost certainly applies to your website or app.

On the other hand, if you’re a mom and pop business located here in Arizona with a web storefront offering or selling your goods or services locally to strictly local, non-EU citizens, then you probably don’t need to hire an Internet and e-commerce attorney like myself to prepare or audit your Cookie Policy to comply with the Cookie Law.

The grey area comes in for sites and apps that don’t necessarily fit this description and are wittingly (or unwittingly) directing their goods or services over the Internet and likely beyond the territorial borders and citizens of the United States and to the EU.

The other consideration is that, even if your business might be able to skirt complying with the EU Cookie Law and GDPR on cookies, it probably won’t be able to avoid directing itself to, or having users from, one of the other largest economies in the world: California.

The California Consumer Protection Act

Having gone into effect in 2020, California’s CCPA introduces stricter provisions for companies collecting, using, or processing the “personal information” of individuals.

Under the definitions section of CCPA, a “Unique identifier” or “Unique personal identifier” includes “a device identifier; an IP address; cookies, beacons, pixel tags, mobile ad Identifiers, or similar technology” which can be used to recognize a (California) consumer, a family, or a device that is linked to a consumer or family, over time and across different services.

In plain English, it means that Cookies count as “personal information” and thus fall under CCPA requirements and that companies using Cookies must have policies which disclose information about their use of Cookies and data collection practices.

What information should a separate Cookie Policy have?

While the text of the CCPA, like that of the EU’s Cookie Law and GDPR, is not that specific, there are definitely themes in the key provisions that offer a practical roadmap for what a compliant Cookie Policy should look like.

These themes include, among other things, transparency, data subjects’ rights to information and access, opt-in/opt-out rights, as well as data minimisation or outright deletion.

If they are not already, all of these things should be reflected in your website or app’s Cookie Policy. Namely, your Cookie Policy (or the Privacy Policy section dealing with Cookies) should:

  1. Explain that you use Cookies on your website and explain briefly what Cookies are
  2. Disclose what types of Cookies you (or any third parties) are using on your site or app
  3. Disclose to users why it is that you use these Cookies, and
  4. Notify your users of their right to opt-out of having Cookies placed on their devices.

Can BHANDLAW help with our website or app’s Cookie Policy?

To summarize, your website or app might need a separate Cookie Policy depending on your intended audience and the privacy laws affecting your business.

Our Phoenix, Arizona based Internet and e-commerce law firm regularly assists website and app owners in combining or integrating their Cookie Policy with their Privacy Policy where the circumstances permit. We can also help guide and craft separate Cookie Policies in situations where your website or app is directed towards or attracts residents of the EU or California consumers, or might in the future.

If you have questions or concerns about your existing Privacy or Cookie Policy, or need guidance or assistance in crafting or revising them, please feel free to let us know more about your needs by using the form on the right.

Ben Bhandhusavee is the Managing Attorney for BHANDLAW, PLLC, a startup, technology, and e-commerce law practice advising founders and management teams on company startup, corporate and technology transactions, e-commerce, as well as Internet privacy concerns. The firm serves corporate and individual clients throughout Arizona, the United States, and internationally. Our offices are conveniently located along the Camelback corridor in Phoenix’s financial district. For more information about our Internet Data/Consumer Privacy practice, feel free to reach out using the contact form on the right or call us at (602) 222-5542 to schedule a meeting. Connect with Ben on LinkedIn or Avvo.