Date: The 22nd of October
Time: 10:00 - 11:00 AM
Cookies can help with core functionality on your website, remember your visitor's preferences, improve their experience, and be used for marketing purposes.
In this webinar you can learn more about the core requirements that apply to you and your website when using cookies.
Register to watch webinar replay with Stine Tornmark, Legal Monster's CEO and Co-Founder.
CEO, Legal Monster
Lawyer specialised in privacy and marketing law, with six years' experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.
Good morning, everybody. We're just waiting for two people who just wrote to me about them joining, so we'll go live in a few minutes. But thank you so much everybody for coming online, so early in the morning. Today, we're going to talk a bit about cookies and trying to demystify them. Given the fact that a lot of you guys that are joining us today aren't lawyers and have worked with cookies in the past, the idea is to give you something concrete that you can actually work with and use. So it's a lot about examples and it's a lot about taking questions from you guys so that we cover as much of the things that you would like to know about cookies as possible.
One of you guys has already asked whether or not we're going to be recording it and we will. And I will be happy to share it. So if anybody needs the recording afterwards, I will be happy to send you an email and also cover other questions that you might have if you have specific questions coming along. Just send them through and we'll be happy to hopefully get as much covered as possible. I'm not expecting this to take an hour in any way. Of course, it depends on the amount of questions that you have, but the idea is in general, to make sure that we cover the needed questions and then go from there.
Fantastic. So if we start, I'm going to share my screen because what I've done is a little presentation for you guys, where I've actually found some examples that we can start off with.
I hope that you are all now able to see my screen. And the first thing is a picture of me. More maybe just giving you a sense of my background and why I'm the one talking to you today. I am an attorney. I have worked with ePrivacy and cookies for a lot of years. I worked for a Plesner law firm here in Denmark for six and a half years, having big clients like Google and Netflix and HBO. After that, I spent some time at Trustpilot for six years where I actually did internal compliance, which includes cookies. And I actually implemented the rules in a company that is similar to many of you using cookies for a lot of different purposes.
A lot of you guys know that and the piece of legislation already. The reason why that is also part of the cookie legislation landscape is because people need to give consent to the processing of their data. Many see IP addresses as being personal information, and that is regulated by the GDPR. GDPR also gives rules and requirements related to how a consent needs to be obtained. So when we're talking about giving cookie consent, we're looking to the GDPR rules about how to actually give that. And then you have a lot of local rules and guidelines and rulings. In the UK, you have the ICO. In Denmark you have the Danish data protection authorities and the Danish business authorities, and all these guys actually have different types of guidelines that outline when you need to give consent, what cookies are, et cetera. In France, they're called CNIL.
You also have it in Austria. You have it in the Netherlands. You have it in Ireland as well. I won't dive into the details of what the rules are, but I would rather give you some concrete examples, so you know what you need to do and how to actually work with cookies. So you already know that cookies are used for many different things, and many different companies are offering cookies. It could be Google Analytics, it can be Mixpanel. It could be LinkedIn, Cloudflare, and Legal Monster. The type of cookies we're helping companies with are the ones related to giving consent. So technically of course, they're very different, but they're also very different from a legal perspective. And we treat them differently. When we're talking a bit about cookies, we need to start off with the first and actually most important piece. And that is necessary versus non-necessary cookies.
Necessary cookies are the cookies that you need to have on your website in order for the website to actually work. It can be your shopping basket. It can be something like security. And it is also for example, cookies coming from your cookie provider, because you need to have that banner on your website. You need to tell people how to give consent to your cookies. Those types of cookies don't need consent, but I'll come back to that. The non-necessary cookies are different. Here you need to get consent from your users. The types of consents, the types of non-necessary cookies are marketing cookies. It is cookies used for preferences. It's functional cookies. It's advertising, targeted ads, et cetera. There is also another thing that is very important that you guys think about when you're talking about cookies and that is first party cookies versus third party cookies.
There are also much stricter requirements when we're talking about the third party cookies, because here you're sharing responsibility with the guys who are delivering the third party cookies, and you're implementing on your website. For example, Facebook has had a lot of issues with that, and there has been a lot of requirements, legislative requirements that you guys, as a company, or as companies need to comply with when we're talking about third-party cookies, but I'll be happy to come back to that in a second. Then you have session cookies and permanent cookies. Legally they're somewhat the same, but also again, different. The reason for it is that when we're talking about the more permanent cookies that have longer expiration dates, you guys need to think a bit about what is the expiration of each cookie. And it can be two years or 14 months.
Let's take it more in giving some concrete example as to when do you actually get to... When do you need consent from your users? You don't need consent from your users when we're talking about the necessary cookies. You still need to explain to them when you use necessary cookies and the type of necessary cookies you use, but you actually don't need consent. It also means that you can place the necessary cookies on your website as soon as the user... You can place it on the user's browser settings for example, as soon as the user lands on your website. You don't need to block them. They can just work from the get-go. But that's not the case for the other types. So for marketing cookies, LinkedIn being the perfect example, there you need to actually get the consent from the user to that specific type of cookies, before you can actually start using them.
The same goes for preference cookies and functional cookies. A good example can be YouTube. So YouTube, you would say, "Well, it's important that the videos on my website actually work." And that would for me mean that that's a necessary cookie, but it actually isn't. It's a functional cookie. When I'm talking about YouTube cookies and when I'm talking to them being functional, it is that actually, if you stop the video that it's possible for the user to start at the same place where they actually stopped the video. But that's still a functional cookie. And that means on some websites, when you land on that website, you can see that if you haven't accepted functional cookies, there will just be a blank box where the video was supposed to be. And it will say, "Well, we can't show the video unless you accept functional cookies."
That's okay. But what isn't okay is to say that we won't run our website if you don't accept functional cookies, because we believe that the video is so crucial. So it's just to say, to think a bit about consent, you need it from the user, unless we're talking about the necessary cookies. Then there are other situations where you need to get consent from your users when we're talking about cookies. It is, for example, if you have cookies already on your website and you start using the cookies for different types of purposes. LinkedIn is for example, a tricky one. Because LinkedIn can both be analytical cookies and it can be marketing cookies. And let's say that you've only been using specific LinkedIn cookies for analytical purposes. And now all of a sudden, you also want to use the different types of LinkedIn cookies for marketing purposes. Well, that would actually mean that you would need to get consent from your users again, even though they've actually given you consent for LinkedIn's use or for LinkedIn regarding analytical cookies. But because now you're also using marketing cookies from LinkedIn, you need to get consent from your users.
You also need to ask for consent again, if you're starting to use new cookies. So let's say that for up until now you've only been using Google Analytics, but now you want to start using Mixpanel and Segment as well. That means that you would actually need that cookie banner to pop up again and ask your users to accept those types of new cookies. It's also okay that they give consent to all the remaining ones you have. You don't need to just do it very specifically for only the new ones, but you need to actually ask the users again, because they only said yes to you using Google Analytics when they signed up.
So, I have used the word consent many times now during the last 15 minutes and that's because it is so important for everything related to cookie compliance. But if you can't prove it, legally it is regarded as you not even having the consent, even though you've done everything right, and you have the best cookie banner in the world. If you can't prove that you've got the consent, you don't have it. That is actually what is stated in GDPR and it's also arising from the different types of guidelines coming from the authorities. So that means you need to be able to prove it. So how can you do that? And what data points do you need to be able to show? So what do you need to be able to do and show if the authorities were to come knocking on your door, or if a user actually makes a dispute?
So if it requires one link or one click to give consent, there should also only be one click to withdraw the consent. This is written in the different types of legislation and guidelines coming from the authorities. So it's actually not debatable. It's not a gray area. It needs to be super easy. It can be done for example, through different types of logo also shields that you implement on your website, but it could also be links. But remember, it's not okay if you don't give your users the ability to withdraw their consent or make changes. It might be that they started off by giving consent to everything, but now they only want to give consent to analytical cookies. Well, then that should be an option.
They should never be able to withdraw or make changes regarding consent to necessary cookies because they're necessary. It's a requirement for you to be able to run your website.
But there's also an easy access to say, "No." However, having said that, this isn't actually clear cut and totally fine, because can you see, it's clearly way easier to say "Yes" than it is to say "No." Because if you want to say no, you would click on "No, take me to my setting page." And then here you would actually have to make specific choices. So you can say yes for everything in one go, but you can't actually say no to everything in one go. And that is why this one isn't actually compliant here.
Here it is easier. It's in Danish. So sorry guys, for those of you who aren't Danish, but what it says is that you can reject all or you can accept all, or you can make a more specific selection. This is okay because here you could actually say that I am giving the same easy option to say no, as it is for me to say yes. Ideally you would be able to, without a click on the settings, to be able to actually make more specific selections in one go, but this is I think a good example of a more compliant solution.
Here, same thing. It is way more difficult to say no than it is to say yes. And therefore it isn't as easy for the user to know what is actually the ups and downs of this one. I think another thing that you need to make sure when you're looking at this one is that it is not easy to understand what is actually described here. It is fairly complicated. It is very long, and it is impossible unless you have a law degree to actually decipher what is listed in this cookie wall. That's not okay, and I'll come back to that later. But remember when we're talking about the language, it needs to be simple. That's a legal requirement as well because your users need to be able to understand what they're saying yes to and know the consequences of it.
It is as simple as that. This is an absolute no-go. So to sum up, what do you need to do? Well, you need to make sure that you have a cookie banner on your website that actually shows the different types of categories of cookies. Here it is marketing cookies, it's preferences, and it's analytical and it's necessary. And you need to explain what you're using these types of different categories for, and the specific cookies that are tied to each category. And it needs to be in a way where the user is actually able to say yes or no, or make changes to their settings. And by the way, they need to be able to withdraw their consent.
Blocking of cookies is therefore essential. It means that necessary cookies can be placed from the get-go. You can just do it. There doesn't need to be any type of blocking, but everything else needs to be blocked up until the time where the user gives consent. Easy, right? Maybe not ideal. I totally get it. But right now we're talking about what is the legally right thing to do and what the authorities are right now starting to impose. By the way, the French authorities, a few months ago, made it very clear that they're going to be enforcing non-compliant cookie solutions and non-compliant cookie banners. It means that if you guys have a web shop that is targeted to the French market, make sure that you get it updated. The same goes for the Belgian authorities. They have also made it super clear.
The Irish authorities just came out with new guidelines. It's taking effect in October, and they're going to be enforcing it as well. And here in Denmark, we've seen both the Danish data protection authorities starting to impose or starting to go after companies with non-compliant cookie solutions and banners. And so have the Danish business authorities. And Germany, well, you guys, if you're in the German market, know that they are very strict as well. So if you have an uncompliant solution, I would recommend that you start getting compliant in this area because things are changing compared to how things have been the last few years.
So just to sum up in regards to your cookie banners, it needs to be in a way that people actually understand and worded in a way that people actually understand what you're talking about. It means that the text needs to be easy to understand, and they need to know what they're saying yes to. What is also important to remember is that the language in the cookie banner should be in the same language as your website.
It doesn't necessarily mean that if you are a German company and you are a Danish company and your website is in English, that you need to have a Danish banner. No, you need to have it in English, if that's the language that you are actually writing your website in. And it needs to be catered to your target audience. There are big differences in the way you should be wording it, if you are for example, targeting the legal industry. Then it's okay maybe that it's a bit more overcomplicated and not necessarily very user friendly. But if you are targeting the average audience, make it nice and understandable.
So that actually brings me to the end of the slides. And I will now start taking questions and I've already gotten a few. One of them is that, "Where do we see the biggest fines coming from?" Well right now where we're seeing fines being issued by the authorities is in Belgium. We've seen fines from France. In Denmark we've seen different types of press releases coming out from the Danish authorities. And so have a lot of different authorities around Europe. And I think a lot of companies are more afraid of the bad press than they are of fines.
What we'll do after this session is reach out to you guys and give you access to the recording if you would like it. And if you otherwise have any questions or things that you would like us to maybe expand on or elaborate, well, you can always just contact us. The easiest way is actually just to either send us an email through [email protected] or reach out to me. Feel free to do so. My email is [email protected]
So another question that just, actually three came in, I'll answer those. One of them is, "How important is the categorization of cookies?" Well, it is a super good question. It is actually really critical. It is one of the things you really need to think about when we're talking about being compliant. So think a bit about, if you're using Google Analytics, it's for analytical purposes. And get that categorized as analytical cookies.
The same goes for the other types of categories. So yes, that is super critical. Another question is, "Is it necessary to delete cookies when a user is changing their minds?" Ideally, yes. It can be tricky to do technically, but you should be, if the user makes a decision that says, "I have previously said yes, now I'm saying no." That cookie needs to be blocked and ideally deleted. But there is a difference between deleting a cookie and blocking a cookie and the user isn't asking for the cookie to be deleted, but they're asking for the cookie to be blocked. But I do recommend if it's possible technically with the solution that you guys have, that you also would be deleting it.
A question that is also coming is more related to languages. "So if your main website is in English, but you also have available sites in German and French, et cetera, well, should the cookie banner be in those languages as well?" The question for that is actually, yes. The reason is you need to have the cookie banner available in the languages that you are offering on your website, because that means you're catering to an audience. And people in France aren't expected necessarily to be able to understand what is written in the English version. So it should be available in French as well.
So I hope this actually answers your questions and if there's anything else we can help with, well just reach out. It was an absolute pleasure. We're going to be doing more of these types of sessions, so if you guys have any type of feedback, we would love to hear it. If you have ideas for areas that you would like us to cover, feel free to let us know.