By Jodi Daniels

When you think of your favorite cookie, you might picture a recipe that you’ve had since childhood. It’s tasty, nostalgic and part of its charm is that it hasn’t changed in 20+ years.

But while an unchanging tradition is ideal for your beloved baked goods, it’s a recipe for trouble when it comes to website cookies.

Website cookies aren't static things that you can set and forget. With changing regulations, consumer sentiment and technological advancements, businesses need to mitigate risk with a regular cookie audit.

While audits are usually no one’s idea of fun, a cookie audit for your business doesn’t have to be complicated.

Here are five steps you can take to execute an effective cookie audit for your business.

1. Identify and categorize the cookies you already have.

First and foremost, know what you're working with. Catalogue every cookie your website sets (all of them, first-party and third-party alike) and sort them by type; consent tools commonly use the categories strictly necessary, functional, performance/analytics and targeting/advertising.

As you catalogue, check that each cookie is labelled correctly. Lumping them all together as "strictly necessary" won't give insight into your cookie practices, and it can put you on the wrong side of compliance requirements (just because you think a cookie is necessary for your business doesn't mean privacy laws agree).

Cookie consent software is helpful here. It can automate cookie discovery and categorization, making the process faster and easier. (It's not entirely hands-off, though: you still need to review the results regularly and confirm that each cookie has been categorized correctly.)

2. Review what data privacy jurisdictions apply to your business.

Once you have an accurate cookie inventory, review which jurisdictions apply to your organization. Remember, ignorance is not absolution from the law.

Different countries and states have wide-ranging consumer privacy requirements for businesses, and these laws have different thresholds and policies for website cookies. Broadly speaking, though:

• Under the GDPR (together with the ePrivacy Directive), users must opt in before non-essential cookies are set

• Under the many state-level privacy laws in the United States, users must be able to opt out of cookies used for selling or sharing personal data and for targeted advertising

But, as we said, this is broadly speaking.

For businesses that operate out of or serve clients or customers in Colorado, California, Connecticut and a growing list of other states, regulations require you to honor universal opt-out preference signals, the best known of which is Global Privacy Control (GPC), a browser setting that tells every site the user visits to treat them as opted out.

California's cookie policies are particularly involved. Under California law, businesses must post a "Do Not Sell or Share My Personal Information" link on the home page (usually in the footer), or alternatively a "Your Privacy Choices" link accompanied by the opt-out icon (the icon goes with the words, not in place of them).

3. Reexamine the purpose and efficacy of your cookies.

You’ve categorized your cookies (thanks to Step 1). But have you looked at what information your cookies are collecting?

This evaluation extends beyond noting business purposes. It bears directly on your jurisdictional privacy obligations. (Refer back to Step 2.) For example, do your cookies collect health data? Are they used to target people based on health data? That could raise regulatory concerns under HIPAA, FTC enforcement and state laws such as Washington's My Health My Data Act.

You should also look at where this data goes. What third parties have access to it?

Just as importantly, have you made your consumers aware of this? If it’s not in your privacy notice, get it in there.

4. Build/test/review your cookie consent banner.

Depending on applicable jurisdictions, you may need a cookie consent banner on your website. Even if it isn’t strictly required, cookie consent banners can increase the trust between you and your consumer by creating transparency surrounding your data collection practices.

If you’re building a cookie banner, it needs to make sense. It should be:

• Visible

• Easy to understand

• Accurate

Your cookie banner should also:

• Include proper language that describes the purpose of cookies

• Include options to exercise rights

• Link to your privacy notice

• Be formatted without “dark patterns,” e.g., font/color/box shape discrepancies that push the consumer to “accept” rather than “reject” cookies. These can show up in numerous forms, but they’re uniformly detrimental to exercising privacy rights.

If you’ve got cookie banners in place, that’s great. However, they should also be part of your cookie audit.

Make sure your established cookie banner and cookie consent settings are up to date. If you add or remove cookies from your website, update accordingly (this includes your cookie consent software and your cookie policy, not just your cookie banner).

Test your banner to make sure the tech works correctly. If it says "reject," does clicking it actually prevent non-essential cookies from being set, and does it clear any that were set before the user made a choice? Walk through each step of the process as if you were the consumer, in a fresh browser session, and check the cookies that are present after each choice. Make sure cookies are getting blocked if the user opts out. If your banner isn't functioning correctly, troubleshoot the issue to prevent any perception of deceptive business practices.
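One way to make the Step 4 test repeatable is to compare the cookies you observe after clicking "Reject" against the inventory from Step 1 and the consent signals from Step 2. The script below is an added example, not code from the article or from any consent vendor: it parses the Set-Cookie response headers you capture after the reject click (for example from the browser's developer tools), treats a cookie being expired as a deletion rather than a violation, and reports any non-essential cookie set without consent as well as any cookie missing from the inventory. The inventory, the category labels and the sample headers are constructed for illustration; the rule that a Global Privacy Control signal (the `Sec-GPC: 1` request header) counts as an opt-out of advertising cookies is an assumption you should align with your own legal analysis.

```javascript
// Added example (not from the article): a consent-enforcement check that compares
// cookies observed after the user clicks "Reject" against the Step 1 inventory.
// Run with: node consent_audit.js
// Cookie names, categories and the sample capture below are all constructed.

// Step 1 inventory: cookie name -> category (hypothetical names).
const INVENTORY = {
  session_id: "strictly_necessary",
  csrf_token: "strictly_necessary",
  consent_state: "strictly_necessary",
  site_lang: "functional",
  _pk_id: "analytics",
  _adclk: "advertising",
};

// Parse one Set-Cookie header value, e.g. "name=value; Path=/; Max-Age=0; Secure",
// into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rawAttrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// A Set-Cookie with Max-Age<=0 or a past Expires date removes the cookie. That is
// exactly what a working "Reject" handler should emit, so it is not a violation.
function isDeletion(cookie) {
  if ("max-age" in cookie.attrs && Number(cookie.attrs["max-age"]) <= 0) return true;
  if ("expires" in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    return !Number.isNaN(t) && t < Date.now();
  }
  return false;
}

// Turn the banner choice and the Global Privacy Control request header (Sec-GPC: 1)
// into a per-category consent map. Assumption: GPC is honored as an opt-out of
// advertising (sale/sharing) cookies even if the banner choice was "accept all".
function consentFromSignals({ bannerChoice, secGpc }) {
  const accepted = bannerChoice === "accept_all";
  return {
    functional: accepted,
    analytics: accepted,
    advertising: accepted && secGpc !== "1",
  };
}

// Report every observed cookie that should not have been set under `consent`,
// plus any cookie missing from the inventory (a Step 1 gap to fix).
function auditConsent(setCookieHeaders, consent, inventory = INVENTORY) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (isDeletion(c)) continue;
    const category = inventory[c.name];
    if (!category) {
      findings.push({ name: c.name, reason: "not in inventory" });
    } else if (category !== "strictly_necessary" && !consent[category]) {
      findings.push({ name: c.name, category, reason: "set without consent" });
    }
  }
  return findings;
}

// Constructed capture: Set-Cookie headers seen after clicking "Reject all" in a
// browser that also sends Sec-GPC: 1.
const SAMPLE_AFTER_REJECT = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "consent_state=rejected; Path=/; Max-Age=31536000; Secure",
  "_pk_id=9f3a.1700000000; Path=/; Max-Age=0",
  "_adclk=xyz; Domain=.example.test; Path=/; Max-Age=7776000",
  "_newtool_uid=42; Path=/",
];

const rejectConsent = consentFromSignals({ bannerChoice: "reject_all", secGpc: "1" });
console.log(auditConsent(SAMPLE_AFTER_REJECT, rejectConsent));
```

On the constructed capture the script reports two findings: `_adclk` (an advertising cookie set although the user rejected) and `_newtool_uid` (a cookie nobody inventoried), while the analytics cookie being expired with `Max-Age=0` is correctly treated as the banner doing its job. Re-run the same check against captures taken after "Accept all" and after a fresh session with no choice yet to cover the other paths.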

5. Document everything and review the results with your team.

Throughout your cookie audit, document your findings, issues, solutions and any changes required.

As you make changes to your privacy practices, make sure they are reflected in your privacy policy; your privacy policy should contain an up-to-date description of your data activities that is accurate to your current practices, not aspirational.

Once your cookie audit is complete, create an internal standard and controls for cookie practices. This can be used for a consistent approach for future cookie audits.

Consumer data privacy isn’t a requirement for a single department or team. It often involves teams like legal and compliance, marketing, HR, IT, web development, and, of course, executive leadership. Ensure that anyone who works with consumer data is kept up to date with any changes in your cookie policy and any new requirements they must follow.

Clear and transparent communication between your departments—and between you and the consumer—will help mitigate risk and build trust. It’s just good business.


Jodi Daniels is a privacy consultant and Founder/CEO of Red Clover Advisors, one of the few Women’s Business Enterprises focused on privacy. Read Jodi Daniels’ full executive profile here.

Sourced from Forbes
