Too many cookies and not enough disclosure

4 August 2021

Cookies of the digital variety are increasingly prevalent, with most websites using some form of cookies to track and process information about website users.  Many website terms and/or privacy policies will include information about the cookies used on the relevant website – particularly if those cookies involve the collection and use of personal information.  In our experience, however, the function and use of particular cookies is often misunderstood and website terms and privacy policies often fail to keep pace with the evolving use of cookies on websites.  As a result, such terms and policies may be out of date and put organisations at risk of not meeting their legal obligations.

What are cookies?

Cookies are small text files, which collect information and are placed on the browser of users who visit different websites.  They are used on the majority of websites and can provide essential functionality, enabling users to navigate websites conveniently and efficiently.  They can also be used to provide useful information to website owners about the use of their websites.

There are two main types of cookies:

  • Session Cookies:  these act as a bookmark, tracking users' movements on the websites (eg your shopping cart) and expire when the user leaves the web page
  • Persistent Cookies:  these track users' preferences, including things like language and location, as well as user log-in details.  These cookies last beyond the session and can be stored on the user's device for a longer period of time.

Cookies can also be distinguished by their origin.  First party cookies are generated by the website the user is currently on and tend to be session or persistent cookies relating to user preferences for that website.  Third party cookies are typically associated with ads and are generated by websites other than the website the user is currently on.  For example, third party cookies are typically placed on websites by an advertiser or social media site, such as Facebook.  Third party cookies often collect users' data across multiple websites. 

Cookies can be used in a range of ways – to provide essential features on websites, to remember past choices made by user, and to track information about website use and provide it to the website owner (often in an aggregated form but also to allow for more effective advertising to individual users).

There are several services (two common examples are Google Analytics and Facebook Business Tools), which use cookies in a combination of ways to provide more sophisticated analytics services that enable websites to develop a comprehensive understanding of users' interactions with the relevant website.  This information can then be used for analytics or marketing purposes.  For example, websites that use Facebook Business Tools can track how many and which people are clicking on their Facebook advertisements and retarget the advertisements accordingly.  These services can also work across multiple devices used by the same user.

What do website owners need to tell their users?

Fundamentally, cookies collect information about website users.  While there is no specific cookies legislation in New Zealand, Privacy Principle 3 of the Privacy Act 2020 imposes obligations on agencies in relation to websites that collect personal information (and will apply if the cookies are collecting users' personal information).  Specifically, the Privacy Act requires that the relevant website must take reasonable steps to ensure users are aware of:

  • What information is being collected
  • The purpose for which it is being collected
  • The intended recipient of the information
  • The name and address of the entity that is collecting and holding the information
  • If the information is required to be collected by law, the law under which it is collected and whether the supply of the information is voluntary or mandatory
  • The consequences if the information is not provided
  • The rights of access to and correction of, information, provided by the Privacy Principles.

For this reason, when a New Zealand website uses cookies that collect personal information, it is legally necessary for the relevant website terms and/or privacy policies to disclose what cookies operate on the site (including third party cookies, which may provide user tracking information to the website owner and any other analytics tools the website uses).  While websites often have these terms/policies in place, in our experience these terms and policies are often out of date and, in some cases, fail to keep pace with what cookies are in place and how they are actually used.

Further, although there is no cookies-specific law in New Zealand, other jurisdictions do have legislation which imposes specific disclosure obligations on websites using cookies.  New Zealand businesses that have a presence in the European Union or United Kingdom, or who target their websites or services to those in the European Union or United Kingdom, should be aware of their obligations under the European Union Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (e-Privacy Directive).  The e-Privacy Directive requires that websites inform users of the use of cookies (including what they are being used for) and that users' consent to the use of those cookies is obtained.  As of early 2021, a new draft e-Privacy Regulation has been proposed and once approved will replace the e-Privacy Directive (for more information see our previous article. 'Privacy: what to watch in 2021'.)

In particular, the e-Privacy Regulation will update the standard of consent required for the use of cookies to the General Data Protection Regulation (GDPR) standard.  This requires that consent be obtained before a website uses any cookies (except 'strictly necessary cookies') and that consent must be 'freely given, specific, informed and unambiguous'.  To meet these obligations, many websites use cookie 'pop-ups' to get explicit consent from users.

If you would like to know more about the enforceability of EU law in New Zealand, we have previously discussed it in this article, Guidelines on the Long Arms of the GDPR.

Furthermore, even where no legislative obligation exists (eg no personal information is being collected and provided to the website), organisations which provide products or services using cookies may by contract impose obligations on websites that use those products or services, to disclose the use of cookies and provide certain information.  For example, Facebook Business Tools and Google Analytics' Terms and Conditions both require that those using the programmes disclose the use of cookies, explain how they work, and get users' consent to the use of cookies. 

Additionally, earlier this year, Apple released its App Tracking Transparency framework, which requires app developers on the Apple store that want to collect users' data and share it with third-parties for the purposes of tracking users, must display a pop-up asking users to consent to the tracking.

So what next?

We recommend that website owners regularly review those sections of their web terms and/or privacy policies which deal with cookies.  In our view, to effectively update these sections, lawyers (and communications team members) will need to engage in some detail with the organisation's IT or digital team to ensure that what is communicated is comprehensive and accurate.  If you are looking to update your cookies policy, Facebook Business Tools has developed a helpful guide to cookie disclosure statements, which also recommends:

  • Disclosing specific information about the use of any third party technologies and their purposes
  • Adding granular controls for non-necessary cookies and explaining to users how to reject their use, and
  • Generally explaining more about the use of cookies.

The guide can be found here.

Of course, if you need legal assistance, our market-leading TMT team is also here to help.

 

Visit our expertise pages

Technology, media and telecommunications   Privacy and data protection