Joanne Furtsch, CIPP, CIPP/C
Director of Product Policy
Follow these best practices when using cookies:
- Use one consistent cookie name across your opt-out mechanisms. For example, the opt-out cookie set through the DAA opt-out mechanism has the same name as the cookie set through the NAI opt-out mechanism.
- Retain data only as long as needed to carry out its business purpose, or as long as legally required.
- Where possible, use session cookies instead of persistent cookies. Give users a choice, where appropriate, to accept a persistent cookie (like a log-in cookie).
- When using persistent cookies, set an expiration date consistent with the shelf life or usefulness of the data you collect.
- Cookies used to manage opt-out preferences need to have a minimum expiration date of five years to adequately honor users’ preferences.
- Test your opt-out mechanisms regularly to verify that they function properly.
- Verify that third parties setting cookies on your site are authorized to do so.
- Understand what types of third parties set cookies on your site and the purpose of those cookies.
- Understand what data is being captured on the cookie. Cookies shouldn’t store sensitive information such as credit card numbers.
- Multi-site trackers should require their publishers and sites within their network to disclose in their privacy policies that a third party will be tracking a user’s activity on that and other websites, as well as provide a link to an opt-out mechanism.
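As an added example (not TRUSTe's code), the following Python script turns several of the practices above into an audit over captured Set-Cookie headers: it builds an opt-out cookie with the five-year minimum lifetime and a session cookie with no expiry, then flags opt-out cookies that expire too soon, cookie values that pass a Luhn check (card-number-like data a cookie should never hold), and cookies set by hosts outside an allowlist of authorized third parties. The site host, partner domain, cookie names and sample headers are all constructed for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

FIVE_YEARS = timedelta(days=5 * 365)
SITE_HOST = "www.example-site.com"                      # constructed first-party host
AUTHORIZED_THIRD_PARTIES = {"ads.example-partner.com"}  # constructed allowlist
OPT_OUT_COOKIE_NAME = "optout"                          # one name for every opt-out mechanism


def build_opt_out_cookie(now: datetime) -> str:
    """Set-Cookie header for the opt-out preference: five-year lifetime, same name everywhere."""
    expires = now + FIVE_YEARS
    return (f"{OPT_OUT_COOKIE_NAME}=1; Max-Age={int(FIVE_YEARS.total_seconds())}; "
            f"Expires={format_datetime(expires, usegmt=True)}; Path=/; Secure; SameSite=Lax")


def build_session_cookie(name: str, value: str) -> str:
    """Session cookie: no Max-Age/Expires, so the browser drops it when the session ends."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_lifetime(cookie: dict, now: datetime):
    """Remaining lifetime as a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires, which is how browsers apply them."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def looks_like_card_number(value: str) -> bool:
    """Luhn check over the digits in a value: flags card-number-like data stored in a cookie."""
    digits = re.sub(r"\D", "", value)
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_cookies(observed, now: datetime) -> list:
    """Check (setting host, Set-Cookie header) pairs against the practices above.
    Returns a list of finding strings; an empty list means every check passed."""
    findings = []
    for host, header in observed:
        cookie = parse_set_cookie(header)
        name = cookie["name"]
        if host != SITE_HOST and host not in AUTHORIZED_THIRD_PARTIES:
            findings.append(f"{name}: set by unauthorized third party {host}")
        lifetime = cookie_lifetime(cookie, now)
        if name == OPT_OUT_COOKIE_NAME and (lifetime is None or lifetime < FIVE_YEARS):
            findings.append(f"{name}: opt-out cookie must persist at least five years")
        if looks_like_card_number(cookie["value"]):
            findings.append(f"{name}: value looks like a card number; cookies must not hold sensitive data")
    return findings


# Constructed sample of what a crawl of the site might capture.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    (SITE_HOST, build_opt_out_cookie(NOW)),
    (SITE_HOST, build_session_cookie("sid", "a1b2c3d4")),
    (SITE_HOST, "optout=1; Max-Age=86400; Path=/"),                  # opt-out expiring in a day
    (SITE_HOST, "checkout=4111111111111111; Max-Age=3600; Path=/"),  # card number in a cookie
    ("tracker.unknown-example.net", "uid=xyz; Max-Age=31536000"),    # host not on the allowlist
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE, NOW):
        print(finding)
```

Run against the constructed sample, the audit reports three findings (the short-lived opt-out cookie, the card-number value, and the unlisted tracker host) and passes the compliant opt-out and session cookies; feeding it headers captured from a real crawl is the regular opt-out test the list calls for.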
TRUSTe is looking for feedback on these best practices. Please contact me at firstname.lastname@example.org with comments or questions.