
Dec 02 2011

Best Practices for Using Cookies

Joanne Furtsch, CIPP, CIPP/C
Director of Product Policy 
@privacygeek

Websites today are rarely a single-party affair. On any given website consumers typically interact with a number of third parties who collect data about them, whether they realize it or not. When third parties collect consumer data through technologies that are not readily apparent to consumers, like cookies, this creates privacy risks resulting from consumers’ inability to make informed decisions about their data. This type of data collection has caught the attention of government regulators on both sides of the Atlantic, and now more than ever companies need to understand how they use cookies and which third parties collect data on their site (and how those third parties collect and use this data).

Follow these best practices when using cookies:

  1. Use a unique domain name per technology (e.g. HTTP cookies, Web beacons, JavaScript, and Flash LSOs) to separate any online behavioral advertising practices from those that are not online behavioral advertising.
  2. Use the same cookie name per opt-out mechanism. For example, the opt-out cookie set for the DAA opt-out mechanism has the same name as the cookie set for the NAI opt-out mechanism.
  3. Retain data only as long as needed to carry out its business purpose, or as long as legally required.
  4. Where possible, use session cookies instead of persistent cookies. Give users a choice, where appropriate, to accept a persistent cookie (like a log-in cookie).
  5. When using persistent cookies, set an expiration date consistent with the shelf life or usefulness of the data you collect.
  6. Cookies used to manage opt-out preferences need to have a minimum expiration date of five years to adequately honor users’ preferences.
  7. Your opt-out mechanisms need to be tested regularly to verify that they function properly.
  8. Audit the use of cookies on your site and how you use cookies on third party sites.
  9. Verify that the use of cookies is consistent with your privacy policy or the privacy policy of the third party site where your cookies are placed.
  10. Verify that third parties setting cookies on your site are authorized to do so.
  11. Understand what types of third parties set cookies on your site and the purpose of those cookies.
  12. Verify that third parties aren’t collecting data in a manner inconsistent with your privacy policy.
  13. Understand what data is being stored in the cookie. Cookies shouldn’t store sensitive information such as credit card numbers.
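Several of the practices above (session versus persistent cookies, an expiry that matches your retention period, a five-year minimum for opt-out cookies, authorized third parties only, and no sensitive data in cookie values) can be checked mechanically against the Set-Cookie headers your own site and its third parties emit. The script below is an added example, not code from TRUSTe or from this post; it builds Set-Cookie headers the way items 4 to 6 describe and then audits a small, constructed set of captured (response host, Set-Cookie) pairs. The opt-out cookie name `OPTOUT`, the authorized-partner allowlist, the 90-day retention period and the host names are all assumptions made for the example.

```python
"""Audit captured Set-Cookie headers against the cookie practices listed above.

Added example; the cookie names, hosts, allowlist and retention period below are
constructed assumptions, not values from the post or from any real deployment.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

FIVE_YEARS_SECONDS = 5 * 365 * 24 * 3600          # practice 6: opt-out cookies live >= 5 years
OPT_OUT_COOKIE_NAME = "OPTOUT"                      # assumed name shared by every opt-out mechanism (practice 2)
AUTHORIZED_THIRD_PARTIES = {                        # assumed allowlist of vendors permitted to set cookies (practice 10)
    "ads.example-partner.net",
    "metrics.example-analytics.com",
}


def build_set_cookie(name: str, value: str, *, max_age: Optional[int] = None,
                     path: str = "/", secure: bool = True, http_only: bool = True) -> str:
    """Build a Set-Cookie header. Omitting max_age yields a session cookie (practice 4)."""
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")          # lifetime chosen to match the data's shelf life (practice 5)
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime_seconds(cookie: dict, now: datetime) -> Optional[int]:
    """Seconds until the cookie expires; None means a session cookie. Max-Age takes precedence over Expires."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card_number(value: str) -> bool:
    """Flag values that are 13-19 digits (spaces/dashes ignored) and pass Luhn (practice 13)."""
    cleaned = value.replace(" ", "").replace("-", "")
    return cleaned.isdigit() and 13 <= len(cleaned) <= 19 and luhn_valid(cleaned)


def audit_cookie(response_host: str, header: str, *, site_domain: str,
                 retention_days: int, now: datetime) -> list:
    """Return a list of findings for one captured Set-Cookie header (empty list = no issue)."""
    cookie = parse_set_cookie(header)
    name = cookie["name"]
    findings = []
    # The cookie's domain is the Domain attribute if present, else the host that sent the response.
    domain = cookie["attrs"].get("domain", response_host).lstrip(".")
    first_party = domain == site_domain or domain.endswith("." + site_domain)
    if not first_party and domain not in AUTHORIZED_THIRD_PARTIES:
        findings.append(f"{name}: set for unauthorized third-party domain {domain}")
    if looks_like_card_number(cookie["value"]):
        findings.append(f"{name}: value looks like a payment card number")
    life = lifetime_seconds(cookie, now)
    if name == OPT_OUT_COOKIE_NAME:
        if life is None or life < FIVE_YEARS_SECONDS:
            findings.append(f"{name}: opt-out cookie must persist at least five years")
    elif life is not None and life > retention_days * 86400:
        findings.append(f"{name}: lifetime exceeds the {retention_days}-day retention period")
    return findings


def audit_captures(captures: list, *, site_domain: str, retention_days: int, now: datetime) -> dict:
    """Audit a list of (response_host, Set-Cookie header) pairs; returns cookie name -> findings."""
    return {parse_set_cookie(h)["name"]: audit_cookie(host, h, site_domain=site_domain,
                                                       retention_days=retention_days, now=now)
            for host, h in captures}


# Constructed sample capture, as a crawler or proxy might record from your own site.
NOW = datetime(2011, 12, 2, tzinfo=timezone.utc)
CAPTURED = [
    ("www.example-site.com", build_set_cookie("sid", "a1b2c3")),                            # session cookie
    ("www.example-site.com", build_set_cookie("login", "tok-9f8e", max_age=30 * 86400)),     # 30-day log-in cookie
    ("www.example-site.com", build_set_cookie("cart", "4111111111111111", max_age=86400)),   # card number in value
    ("ads.example-partner.net", build_set_cookie(OPT_OUT_COOKIE_NAME, "1", max_age=365 * 86400)),  # only 1 year
    ("tracker.unknown-vendor.example", "uid=77; Expires=Thu, 01 Jan 2015 00:00:00 GMT; Path=/"),   # not on allowlist
]

if __name__ == "__main__":
    for cookie_name, issues in audit_captures(CAPTURED, site_domain="example-site.com",
                                              retention_days=90, now=NOW).items():
        print(cookie_name, issues or "ok")
```

Run it as-is to see the two clean cookies pass and the other three flagged. In a real audit the `CAPTURED` list would come from your own crawl of the site with cookies recorded per response host, and the allowlist and retention period would come from your vendor contracts and privacy policy rather than from constants in the script.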

Notice

  1. Disclose in your privacy policy what information cookies and other technologies collect, and how that information is used.
  2. Disclose how users can exercise choice over your company’s use of cookies (e.g. opt-out of tracking) and clearly explain what opt-out choices are available.
  3. Multi-site trackers should require their publishers and sites within their network to disclose in their privacy policies that a third party will be tracking a user’s activity on that and other websites, as well as provide a link to an opt-out mechanism.
  4. Where possible, provide notice outside of the privacy policy using tools such as the Ad Choice Icon.

TRUSTe is looking for feedback on these best practices. Please contact me at jfurtsch@truste.com with comments or questions.
