Demystifying cookies

Legal Monster webinar

Date: The 22nd of October

Time: 10:00 - 11:00 AM

Cookies can help with core functionality on your website, remember your visitor's preferences, improve their experience, and be used for marketing purposes.

Making sure you use cookies on your website correctly is essential for compliance. But the cookie rules can be complex and confusing, and depend on many factors.

In this webinar you can learn more about the core requirements that apply to you and your website when using cookies.

Register to watch webinar replay with Stine Tornmark, Legal Monster's CEO and Co-Founder.

Webinar speakers

Stine Mangor Tornmark

CEO, Legal Monster

Lawyer specialised in privacy and marketing law, with six years' experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.

Transcript

Stine:
Good morning, everybody. We're just waiting for two people who just wrote to me about them joining, so we'll go live in a few minutes. But thank you so much everybody for coming online, so early in the morning. Today, we're going to talk a bit about cookies and trying to demystify them. Given the fact that a lot of you guys that are joining us today, aren't lawyers and have worked with cookies in the past, the idea is to give you something concrete that you can actually work with and use. So it's a lot about examples and it's a lot about taking questions from you guys so that we cover as much of the things that you would like to know about cookies as possible.

One of you guys have already asked whether or not we're going to be recording it and we will. And I will be happy to share it. So if anybody needs the recording afterwards, I will be happy to send you an email and also cover other questions that you might have if you have specific questions coming along. Just send them through and we'll be happy to hopefully get as much covered as possible. I'm not expecting this to take an hour in any way. Of course, it depends on the amount of questions that you have, but the idea is in general, to make sure that we cover the needed questions and then go from there.

Fantastic. So if we start, I'm going to share my screen because what I've done is a little presentation for you guys, where I've actually found some examples that we can start off with.

I hope that you are all now able to see my screen. And the first thing is a picture of me. More maybe just giving you a sense of my background and why I'm the one talking to you today. I am an attorney. I have worked with ePrivacy and cookies for a lot of years. I worked for a Plesner law firm here in Denmark for six and a half years, having big clients like Google and Netflix and HBO. After that, I spent some time at Trustpilot for six years where I actually did internal compliance, which includes cookies. And I actually implemented the rules in a company that is similar to many of you using cookies for a lot of different purposes.

If we go to the next one, I'm going to talk a little bit today about, very briefly, what are the rules that cover cookies? What are the types of cookies that we're talking about? For example, necessary cookies versus non-necessary cookies. We're going to be talking a little bit about cookie policies, when you need to get consent from your users, when they need to be able to withdraw their consent. And what type of languages your widget and cookie policy should be in.

If we take the first one for many of you, maybe also the most boring piece, it's about the legislation that regulates cookies. So in general, here in Europe, the ePrivacy directive is the main piece of legislation that is regulating how you should be using cookies and what you would also call as similar legislation. The ePrivacy directive is the directive that is defining when you need the cookie consent, what you can use cookies for, and other types of legislation. Side-by-side for that piece of directives are the GDPR.

A lot of you guys know that and the piece of legislation already. The reason why that is also part of the cookie legislation landscape is because people need to give consent to the processing of their data. Many see IP addresses as being personal information, and that is regulated by the GDPR. GDPR also gives rules and requirements related to how a consent needs to be obtained. So when we're talking about giving cookie consent, we're looking to the GDPR rules about how to actually give that. And then you have a lot of local rules and guidelines and rulings. In the UK, you have the ICO. In Denmark you have the Danish data protection authorities and the Danish business authorities, and all these guys actually have different types of guidelines that outline when you need to give consent, what cookies are, et cetera. In France, they're called CNIL.

You also have it in Austria. You have it in the Netherlands. You have it in Ireland as well. I won't dive into the details of what the rules are, but I would rather give you some concrete examples, so you know what you need to do and how to actually work with cookies. So you already know that cookies are used for many different things, and many different companies are offering cookies. It could be Google Analytics, it can be Mixpanel. It could be LinkedIn, Cloudflare, and Legal Monster. The type of cookies we're helping companies with are the ones related to giving consent. So technically of course, they're very different, but they're also very different from a legal perspective. And we treat them differently. When we're talking a bit about cookies, we need to start off with the first and actually most important piece. And that is necessary versus non-necessary cookies.

Necessary cookies are the cookies that you need to have on your website in order for the website to actually work. It can be your shopping basket. It can be something like security. And it is also for example, cookies coming from your cookie provider, because you need to have that banner on your website. You need to tell people how to give consent to your cookies. Those types of cookies don't need consent, but I'll come back to that. The non-necessary cookies are different. Here you need to get consent from your users. The types of consents, the types of non-necessary cookies are marketing cookies. It is cookies used for preferences. It's functional cookies. It's advertising, targeted ads, et cetera. There is also another thing that is very important that you guys think about when you're talking about cookies and that is first party cookies versus third party cookies.

Third party cookies are slowly dying. And when you've maybe read some news on LinkedIn or in the newspapers, and people are saying that cookies are dying, they're actually talking about third party cookies. And what is also really important to remember is that cookies aren't dying. And the rules related to cookies aren't dying, regardless of changes coming from Apple and Google. And the reason for it is that the cookie legal landscape says that it is the use of cookies and similar technologies. So even though you are seeing changes coming from Apple, and you're seeing changes being made by Google, that means that third party cookies are going to be very difficult to use going forward. But first party cookies will still live on.

There are also much stricter requirements when we're talking about the third party cookies, because here you're sharing responsibility with the guys who are delivering the third party cookies, and you're implementing on your website. For example, Facebook has had a lot of issues with that, and there has been a lot of requirements, legislative requirements that you guys, as a company, or as companies need to comply with when we're talking about third-party cookies, but I'll be happy to come back to that in a second. Then you have session cookies and permanent cookies. Legally they're somewhat the same, but also again, different. The reason for it is that when we're talking about the more permanent cookies that have longer expiration dates, you guys need to think a bit about what is the expiration of each cookie. And it can be two years or 14 months.

You need to think about for how long do I actually need it, not for how long I would like to have it. And there is a big difference in that regard. Session cookies are easier because you only have the data for that session, but it's also of course not as interesting because it means that you don't have the data for as long as you would for the permanent cookies. So there are differences. And the reason why I'm going through this more in detail is because when we later talk a little bit about the cookie policy, you need to actually explain to your users what the cookies that you're using are from first party or first party cookies and what are third party cookies. And the same goes for the necessary, non-necessary types. And of course also session cookies and permanent cookies.

Let's take it more in giving some concrete example as to when do you actually get to... When do you need consent from your users? You don't need consent from your users when we're talking about the necessary cookies. You still need to explain to them when you use necessary cookies and the type of necessary cookies you use, but you actually don't need consent. It also means that you can place the necessary cookies on your website as soon as the user... You can place it on the user's browser settings for example, as soon as the user lands on your website. You don't need to block them. They can just work from the get-go. But that's not the case for the other types. So for marketing cookies, LinkedIn being the perfect example, there you need to actually get the consent from the user to that specific type of cookies, before you can actually start using them.

The same goes for preference cookies and functional cookies. A good example can be YouTube. So YouTube, you would say, "Well, it's important that the videos on my website actually work." And that would for me mean that that's a necessary cookie, but it actually isn't. It's a functional cookie. When I'm talking about YouTube cookies and when I'm talking to them being functional, it is that actually, if you stop the video that it's possible for the user to start at the same place where they actually stopped the video. But that's still a functional cookie. And that means on some websites, when you land on that website, you can see that if you haven't accepted functional cookies, there will just be a blank box where the video was supposed to be. And it will say, "Well, we can't show the video unless you accept functional cookies."

That's okay. But what isn't okay is to say that we won't run our website if you don't accept functional cookies, because we believe that the video is so crucial. So it's just to say, to think a bit about consent, you need it from the user, unless we're talking about the necessary cookies. Then there are other situations where you need to get consent from your users when we're talking about cookies. It is, for example, if you have cookies already on your website and you start using the cookies for different types of purposes. LinkedIn is for example, a tricky one. Because LinkedIn can both be analytical cookies and it can be marketing cookies. And let's say that you've only been using specific LinkedIn cookies for analytical purposes. And now all of a sudden, you also want to use the different types of LinkedIn cookies for marketing purposes. Well, that would actually mean that you would need to get consent from your users again, even though they've actually given you consent for LinkedIn's use or for LinkedIn regarding analytical cookies. But because now you're also using marketing cookies from LinkedIn, you need to get consent from your users.

You also need to ask for consent again, if you're starting to use new cookies. So let's say that for up until now you've only been using Google Analytics, but now you want to start using Mixpanel and Segment as well. That means that you would actually need that cookie banner to pop up again and ask your users to accept those types of new cookies. It's also okay that they give consent to all the remaining ones you have. You don't need to just do it very specifically for only the new ones, but you need to actually ask the users again, because they only said yes to you using Google Analytics when they signed up.

The final piece is also to remember, if you make changes to your cookie policy and the way you're processing information and data based on your cookie policy, you actually also need to inform your users about it. And many of the cookie providers out there, they have that ingrained in their cookie banners. So the easiest way of solving that would actually be to have the cookie banner pop up again. Others might send out an email to your users and saying, "Hey, we've updated our cookie policy and it is effective as of a certain date. Here is a link." That's also fine, but you need to inform your users about the changes.

So, I have used the word consent many times now during the last 15 minutes and that's because it is so important for everything related to cookie compliance. But if you can't prove it, legally it is regarded as you not even having the consent, even though you've done everything right, and you have the best cookie banner in the world. If you can't prove that you've got the consent, you don't have it. That is actually what is stated in GDPR and it's also arising from the different types of guidelines coming from the authorities. So that means you need to be able to prove it. So how can you do that? And what data points do you need to be able to show? So what do you need to be able to do and show if the authorities were to come knocking on your door, or if a user actually makes a dispute?

Well what you need to be able to prove is at what point did your user give consent, so the date stamp. You also need to prove what the user gave consent to. So not only what was the wording in that cookie banner that the user was shown, but what did the user actually give consent to? Here I'm thinking about your cookie policy. I'm also thinking about the types of cookies and the purposes that you were describing to your users. When we're talking about cookies and you were talking about visitors on your website, you don't necessarily know the name of those people. What you need to be able to show is then what IP address actually gave the consent? And you also need to be able to prove, of course, what language was actually shown to the user. So there is a requirement that there is data available that shows that you've got the consent from the users.

Important, and this is where I think a lot of people are right now non-compliant and I'll give you a few examples, but it is super critical that users can actually withdraw their consent. It's not enough that you just simply in the browser, or in your cookie policy, make a description that you can go into your browser and then you can go and you can de-select for example, the tracking and the use of cookies and clear your settings. That isn't sufficient. Why is that? Because it needs to be as easy for the user to give consent and as easy to withdraw that consent.

So if it requires one link or one click to give consent, there should only also be one click to withdraw the consent. This is written in the different types of legislation and guidelines coming from the authorities. So it's actually not debatable. It's not a gray area. It needs to be super easy. It can be done for example, through different types of logo also shields that you implement on your website, but it could also be links. But remember, it's not okay if you don't give your users the ability to withdraw their consent or make changes. It might be that they started off by giving consent to everything, but now they only want to give consent to analytical cookies. Well, then that should be an option.

They should never be able to withdraw or make changes regarding consent to necessary cookies because they're necessary. It's a requirement for you to be able to run your website.

Another thing that you need to have when we're talking about cookies, it is a cookie policy. Why? Well, the reason is you need to give your users information about how you use cookies, why you use them, and more specifically the type of cookies you use. The cookie policy needs to include information about what a cookie is and the reason for it is that you need to be able to prove, and also explain to your users, what a cookie is. Not everybody knows that. Then you need to have a description of the type of cookies that you are using on your website. Here I'm thinking about marketing and analytical, all that type of main categories related to cookies. And also how you're using them. So there needs to be information about... So let's say you're using necessary cookies. Explain what you see as necessary cookies and explain why you're using it. Well you're using it because you need to have your web shop up and running, and you need to be able to remember what people put in their basket, just as an example.

Then you need to explain specifically what third party cookies are available on your website. And more critically, there also needs to be a link to that third party provider. So let's say that you're using Facebook. There needs to be a link to Facebook's privacy policy. The reason is Facebook is seen as a joint, what we call data controller, meaning you are sharing responsibility with Facebook, for their use of third-party cookies on your website.

It also means that you need to also explain to your users that you've actually looked at Facebook's data processing activities, and that you hopefully found that they're fine and okay. Then you also need to explain how users can control their cookie settings and how they can opt out. And again, remember it needs to be as easy for the user to find a way to change their settings as it was to give the consent. Ideally also make sure that the cookie policy is available through a one link click when the user is landing on your website. So in your cookie banner have a link to your cookie policy. And at the bottom of your website have a link to the cookie policy as well. So once they've given consent, they will be able to find the policy at the bottom of your page, alongside of course your terms and conditions, your new privacy policy and all the other legally required documents that you need to have when you're running a webshop.

So here are some concrete examples of different types of cookie banners and cookie walls. When we're talking about cookie walls, it is super important that you guys know what I'm talking about. A cookie wall is like a cookie banner that pops up that users can't reject. They're forced to accept the use of cookies before they're actually able to use your website. These are 100% illegal. We had a ruling last year coming out of the EU courts and they made it very explicit that that was illegal. It also means that a lot of people have been changing their cookie banners and trying to find alternate ways to get consent. But remember, don't use cookie walls where users don't have an option to actually say yes or no. In this regard, you can see it's a cookie wall, but here there's an easy access to giving consent.

But there's also an easy access to say, "No." However, having said that this isn't actually clear cut and totally fine, because can you see, it's clearly way easier to say, "Yes." Than it is to say, "No." Because if you want to say no, you would click on "No, take me to my setting page." And then here you would actually have to make specific choices. So you can say yes for everything in one go, but you can't actually say no to everything in one go. And that is why this one isn't actually compliant here.

Here it is easier. It's in Danish. So sorry guys, for those of you who aren't Danish, but what it says is that you can reject all or you can accept all, or you can make a more specific selection. This is okay because here you could actually say that I am giving the same easy option to say no, as it is for me to say yes. Ideally you would be able to, without a click on the settings, to be able to actually make more specific selections in one go, but this is I think a good example of a more compliant solution.

Here, same thing. It is way more difficult to say no than it is to say yes. And therefore it isn't as easy for the user to know what is actually the ups and downs of this one. I think another thing that you need to make sure when you're looking at this one is that it is not easy to understand what is actually described here. It is fairly complicated. It is very long, and it is impossible unless you have a law degree to actually decipher what is listed in this cookie wall. That's not okay, and I'll come back to that later. But remember when we're talking about the language, it needs to be simple. That's a legal requirement as well because your users need to be able to understand what they're saying yes to and know the consequences of it.

This is again in Danish and sorry guys, for those of you who don't speak Danish or are able to read Danish. But this is non permissible. Because again, you only have one choice and that is say yes to all. You can't say no, or you can't make a more selective decision. And finally, the most noncompliant cookie banner of them all. We use cookies. Accept, and that's it. This is non permissible. You don't have other alternatives than to say no. So this one is just FYI, a no-go. So please don't use this example. It was just to tell you what you shouldn't be doing.

So hopefully you now know that there are many ways of doing it, but this isn't one of them. And by the way, this isn't either. This is the old school, "I've made a little banner myself, and now I think I'm home safe." Well, you are anything but home safe. You might not even be able to see what I'm talking about. But can you see at the bottom of this page? It says, "By using this website, you agree to our privacy policy and terms of service." Okay, there isn't even anything about cookies. But even if there were information about cookies in this little nice sentence, it is not a consent that is lawful.

It is as simple as that. This is an absolute no-go. So to sum up, what do you need to do? Well, you need to make sure that you have a cookie banner on your website that actually shows the different types of categories of cookies. Here it is marketing cookies, it's preferences, and it's analytical and it's necessary. And you need to explain what you're using these types of different categories for, and the specific cookies that are tied to each category. And it needs to be in a way where the user is actually able to say yes or no, or make changes to their settings. And by the way, they need to be able to withdraw their consent.

Blocking of cookies is therefore essential. It means that necessary cookies can be placed from the get go. You can just do it. There doesn't need to be any type of blocking, but everything else needs to be blocked up until the time where the user gives consent. Easy, right? Maybe not ideal. I totally get it. But right now we're talking about what is the legally right thing to do and what the authorities are right now starting to impose. By the way, the French authorities, a few months ago, made it very clear that they're going to be enforcing noncompliant cookie solutions and non-compliant cookie banners. It means that if you guys have a web shop that is targeted to the French market, make sure that you get it updated. The same goes for the Belgian authorities. They have also made it super clear.

The Irish authorities just came out with new guidelines. It's taking effect in October, and they're going to be enforcing it as well. And here in Denmark, we've seen both the Danish data protection authorities starting to impose or starting to go after companies with non-compliant cookie solutions and banners. And so have the Danish business authorities. And Germany, well, you guys, if you're in the German market, know that they are very strict as well. So if you have an uncompliant solution, I would recommend that you start getting compliant in this area because things are changing compared to how things have been the last few years.

So just to sum up in regards to your cookie banners, it needs to be in a way that people actually understand and worded in a way that people actually understand what you're talking about. It means that the text needs to be easy to understand, and they need to know what they're saying yes to. What is also important to remember is that the language in the cookie banner should be in the same language as your website.

It doesn't necessarily mean that if you are a German company and you are a Danish company and your website is in English, that you need to have a Danish banner. No, you need to have it in English, if that's the language that you are actually writing your website in. And it needs to be catered to your target audience. There are big differences in the way you should be wording it, if you are for example, targeting the legal industry. Then it's okay maybe that it's a bit more overcomplicated and not necessarily very user friendly. But if you are targeting the average audience, make it nice and understandable.

So that actually brings me to the end of the slides. And I will now start taking questions and I've already gotten a few. One of them is that, "Where do we see the biggest fines coming from?" Well right now where we're seeing fines being issued by the authorities is in Belgium. We've seen fines from France. In Denmark we've seen different types of press releases coming out from the Danish authorities. And so have a lot of different authorities around Europe. And I think a lot of companies are more afraid of the bad press than they are of fines.

What we'll do after this session is reach out to you guys and give you access to the recording if you would like it. And if you otherwise have any questions or things that you would like us to maybe expand on or elaborate, well, you can always just contact us. The easiest way is actually just to either send us an email through [email protected] or reach out to me. Feel free to do so. My email is [email protected]

So another question that just, actually three came in, I'll answer those. One of them is, "How important is the categorization of cookies?" Well, it is a super good question. It is actually really critical. It is one of the things you really need to think about when we're talking about being compliant. So think a bit about, if you're using Google Analytics, it's for analytical purposes. And get that categorized as analytical cookies.

The same goes for the other types of categories. So yes, that is super critical. Another question is, "Is it necessary to delete cookies when a user is changing their minds?" Ideally, yes. It can be tricky to do technically, but you should be, if the user makes a decision that says, "I have previously said yes, now I'm saying no." That cookie needs to be blocked and ideally deleted. But there is a difference between deleting a cookie and blocking a cookie and the user isn't asking for the cookie to be deleted, but they're asking for the cookie to be blocked. But I do recommend if it's possible technically with the solution that you guys have, that you also would be deleting it.

A question that is also coming is more related to languages. "So if your main website is in English, but you also have available sites in German and French, et cetera, well, should the cookie banner be in those languages as well?" The question for that is actually, yes. The reason is you need to have the cookie banner available in the languages that you are offering on your website, because that means you're catering to an audience. And people in France aren't expected necessarily to be able to understand what is written in the English version. So it should be available in French as well.

So I hope this actually answers your questions and if there's anything else we can help with, well just reach out. It was an absolute pleasure. We're going to be doing more of these types of sessions, so if you guys have any type of feedback, we would love to hear it. If you have ideas for areas that you would like us to cover, feel free to let us know.

We are a legal tech company and we're therefore not only focusing on cookies. We also help customers with getting consent for terms and conditions and email marketing and privacy policies. And I will be more than happy to take you through what are the legal requirements when we're talking about having a privacy policy on your website as well. Just as an example, and you basically need to give consent. Just a little teaser, you don't need consent, you just need to show that you actually process their information and you do it in accordance with your privacy policy and just have it when you are actually getting information from your users. So take care and have a fantastic Thursday. Bye.