Cookie Compliance Considerations

Compliance Considerations When Using Cookies and Other Online Tracking Technologies

Cookies, pixels, session replay tools, and other online tracking technologies (collectively, “Cookies”) can help maximize advertising spend and provide valuable insights, but also create litigation, enforcement, and reputational risks under privacy, wiretapping, “unfair and deceptive acts or practices” (“UDAP”), and other laws. This white paper describes common considerations that can help mitigate these risks, but is provided only for general and informational purposes, is not intended to be comprehensive or to recommend any specific action, and does not constitute legal advice. All companies should consult their own legal counsel.

  1. Inventory: Identify what Cookies you use and why you use them. Consider creating an inventory and a process to track and approve changes to your Cookie practices.

  2. Notice: Consider whether externally facing privacy policies meet legal requirements to describe practices accurately and completely, including the use of Cookies.

  3. Banner: Consider whether to deploy a pop-up “banner” disclosing Cookie practices and/or offering consumers choice.

  4. Choice: Consider what choices to offer consumers, including “opt-in” (meaning Cookies do not fire until a user agrees), “opt-out” (meaning Cookies can fire unless a user declines), or no choice.  If you offer consumers choices about the use of Cookies (such as the right to “opt out” of “selling,” “sharing,” or “targeted advertising” under state privacy laws), think about how you will document and ensure you honor those choices.

  5. Transparency: Review any banner or preference center to ensure it is not confusing, unfair, deceptive, or imbalanced in a way that constitutes a “dark pattern.”

  6. Third Party Vendor: Consider engaging a vendor to assist with these compliance and risk mitigation steps.  Most reputable vendors support customizable functionality, such as “geofencing” options to provide different banners or choices in different states to address varying legal requirements and practical risks.  If you use a vendor, ensure you have proper contracts in place to meet legal requirements.  

  7. Monitor: Evaluate whether evolving legal requirements require changes to your strategy.

  8. Audit: Consider periodic audits to test controls to make sure they are functioning properly. 

Complying with the rules for using Cookies is legally and technologically complex. Our customers should be aware of the risks associated with these Cookies and consult with their legal counsel to put in place appropriate measures to avoid liability.