Too many cookies and not enough disclosure
4 August 2021
What are cookies?
Cookies are small text files, which collect information and are placed on the browser of users who visit different websites. They are used on the majority of websites and can provide essential functionality, enabling users to navigate websites conveniently and efficiently. They can also be used to provide useful information to website owners about the use of their websites.
There are two main types of cookies:
- Session Cookies: these act as a bookmark, tracking users' movements on the websites (eg your shopping cart) and expire when the user leaves the web page
- Persistent Cookies: these track users' preferences, including things like language and location, as well as user log-in details. These cookies last beyond the session and can be stored on the user's device for a longer period of time.
Cookies can also be distinguished by their origin. First party cookies are generated by the website the user is currently on and tend to be session or persistent cookies relating to user preferences for that website. Third party cookies are typically associated with ads and are generated by websites other than the website the user is currently on. For example, third party cookies are typically placed on websites by an advertiser or social media site, such as Facebook. Third party cookies often collect users' data across multiple websites.
Cookies can be used in a range of ways – to provide essential features on websites, to remember past choices made by user, and to track information about website use and provide it to the website owner (often in an aggregated form but also to allow for more effective advertising to individual users).
What do website owners need to tell their users?
Fundamentally, cookies collect information about website users. While there is no specific cookies legislation in New Zealand, Privacy Principle 3 of the Privacy Act 2020 imposes obligations on agencies in relation to websites that collect personal information (and will apply if the cookies are collecting users' personal information). Specifically, the Privacy Act requires that the relevant website must take reasonable steps to ensure users are aware of:
- What information is being collected
- The purpose for which it is being collected
- The intended recipient of the information
- The name and address of the entity that is collecting and holding the information
- If the information is required to be collected by law, the law under which it is collected and whether the supply of the information is voluntary or mandatory
- The consequences if the information is not provided
- The rights of access to and correction of, information, provided by the Privacy Principles.
If you would like to know more about the enforceability of EU law in New Zealand, we have previously discussed it in this article, Guidelines on the Long Arms of the GDPR.
Additionally, earlier this year, Apple released its App Tracking Transparency framework, which requires app developers on the Apple store that want to collect users' data and share it with third-parties for the purposes of tracking users, must display a pop-up asking users to consent to the tracking.
So what next?
We recommend that website owners regularly review those sections of their web terms and/or privacy policies which deal with cookies. In our view, to effectively update these sections, lawyers (and communications team members) will need to engage in some detail with the organisation's IT or digital team to ensure that what is communicated is comprehensive and accurate. If you are looking to update your cookies policy, Facebook Business Tools has developed a helpful guide to cookie disclosure statements, which also recommends:
- Disclosing specific information about the use of any third party technologies and their purposes
- Adding granular controls for non-necessary cookies and explaining to users how to reject their use, and
The guide can be found here.
Of course, if you need legal assistance, our market-leading TMT team is also here to help.
Visit our expertise pages