S3 E23: Solving Website Cookie Configuration and Compliance Challenges

Transcript

Jordan Eisner (00:15)

Welcome to another episode of Compliance Pointers. I’m here with Michael Nadeau from our data privacy team here at Compliance Point. Michael, good to have you on.

Michael Nadeau (00:26)

Appreciate it, appreciate it. Yep, we’ll do this, so we’ll see how I do.

Jordan Eisner (00:27)

First time, you’re going to do just fine. And this is an important topic, I think, and one that I know personally you’ve helped a lot of our clients with and are very knowledgeable about. I’ve seen the aha moments with clients, really, when you’ve done work with them. So I think this is going to be good. We’re going to be talking about cookies. And not those type of

Michael Nadeau (00:58)

Yeah, no, chocolate chip. These are the ones that no one really knows what’s happening with.

Jordan Eisner (01:08)

That’s right. So everybody hears about it and they’re probably listening or watching this podcast right now and going, oh great, here’s another one about cookies. But we’re going to get detailed here. We’re going to talk technical. We’re going to talk about the things you can see from a website pretty quickly just by browsing it from where you are in terms of how they’ve configured their cookies, what they’re tracking, who they’re sharing with, so on and so on. There’s a lot really that you can tap into just from browsing their website.

There’s a lot you can tell about the technology they’re leveraging and how they’re leveraging and are they doing it the right way? And that mix with your regulatory background really makes you pretty powerful for organizations that are falling into the common pitfalls of cookies where they buy a solution. I think it’s turnkey. They plug it in and it’s not even doing what they’re paying it to do, not because it can’t do it, but because it’s not configured correctly, right? Would you drink?

Agree with that assessment? So brief background on Michael for our viewers and listeners. He’s an 11-year vet at CompliancePoint. He’s an actual vet who served in the Air Force. Thank you, Michael. And his background is really more information security, cybersecurity-focused. However, if you’re listening or watching and you’re familiar with data privacy laws and regulations and requirements, there’s a security nature to it for sure.

And Michael is very technical too. So while he’s a senior consultant on our privacy team, he really leads and is our go-to for technical implementation for the security components, architecture, if you will, and configurations with organizations using privacy management software or not.

Anything I missed?

Michael Nadeau (03:04)

No, and I think you summed it up.

Jordan Eisner (03:06)

Spent some time in middle Georgia.

Michael Nadeau (03:10)

Yeah, kind of grew up, I don’t know, 15 minutes from each other in the middle of nowhere, which is quite close.

Jordan Eisner (03:17)

Right, 15 minutes from each other, but yeah, it was interesting to learn, later on, how close we did actually go to high school together. So not together apart. Yeah, alright. So like I told you, no script, we’re just winging it.

What’s a cookie?

Michael Nadeau (03:37)

A cookie is on your browser. It stores information about your session. And then based off of that, when you revisit the website, it can say, this is Michael revisiting the website. And it can do certain services like, let’s say you put a password in or a username. It can identify that, well, he’s visited previously. He’s put a username and password. Next time he visits the website, instead of, you know.

Making him enter the username and password, I’ll just prepopulate it because I stored it in a cookie. That’s one instance of it, but it really has been used in various ways, which is where the privacy laws came from, such as retargeting people, doing analytics. So it’s really capturing information about you as a user and then doing something with it as a. Yes, as a website.

Jordan Eisner (04:27)

Website visitor, right? There’s some good reasons, to your point. Password retention is, assuming they practice good security methodology, but password retention, you know, convenience of things you want to look at on a site, like there’s a lot of positives to it too, but you know human nature is human nature. It’s very valuable. Your activity and what you do when you go on sites and how long you’re on and what are the things you go to and how you click through it, and that’s very valuable to partners or others, not necessarily just the organization you’re visiting, but who they’re working with. Right.

Michael Nadeau (05:06)

There are people out there that make money off of data. And what’s a good way to collect data? They’re browsing the web. Let’s see how much information we can collect on them and then sell that data.

Jordan Eisner (05:17)

So how about just a summary? So now we know what cookies are. GDPR, CCPA, other state data privacy law says what about cookies? Generally, maybe not all of them, all the different nuances, but what’s the general understanding that if I want to abide by your average data privacy law, this is what I need to do around cookies?

Michael Nadeau (05:41)

Now, to sum it up, it’s really all about being transparent about what cookies are on your website and making sure you respect users’ privacy choices. Now that can vary from GDPR to state laws. There’s these things called opt-in and opt-out requirements. So for example, when you’re in the EU, if you visit a site, the business is required to make sure that you opt into the use of the cookies before placing those cookies.

In the US it’s a little bit different, but it’s all about being transparent to the users about the use of cookies on that website, as well as giving them a preference on what cookies they want to allow versus not to allow.

Jordan Eisner (06:24)

Right. And I’m sure that everybody that’s listening or watching this has seen a cookie banner, has gone to a website and said, by continuing or by clicking OK, you’re agreeing to our cookies policy. And where you’re talking about opt in versus opt out really depends on the regulation or where you are in Europe.

What you’re saying is you can’t just default start tracking the cookies and doing what you want with your cookies without their consent. You need their consent to do that when they first visit your website. Whereas here in the US, you can start doing all that sort of stuff. You need to make the disclosure. You need to make it known to them that you’re doing it and allow them to opt out of it. But you can do it by default. Do I have that right?

Michael Nadeau (07:16)

That is right. Now there’s something under CIPA. They’re using wiretapping litigation law as a loophole to come after businesses. Right now there is a bill…

Jordan Eisner (07:28)

Okay, so that’s right. So that’s the opt out. Now you’re getting to this next piece and this is where we’re getting into the importance of ensuring you’re configuring it right before we talk about CIPA.

Cause I want to get to that. Just knowing that, with the opt in opt out nature, and using a privacy management software and using their cookie module. And there’s several out there. I’m sure most of our listeners are familiar. OneTrust, Osano, Ketch probably has one. Other organizations. CIPA aside, what mistakes do you see organizations making, and we’re talking mainly opt out here in the U.S., with how they’re implementing their cookie solutions or how they’re maybe doing it themselves?

Michael Nadeau (08:20)

Yeah. So with these cookie solutions, typically you get the cookie solutions and I like to break them into two phases of implementation. You have the cookie banner in the preference center phase where you’re getting the cookie banner up. So when users visit, they can see the cookie banner or they can interact with the preference center. The second phase is the actual blocking piece of it. And the blocking piece is very, very important.

We talked about an opt-in regime. Technically, when someone visits the site, you need to be blocking all the cookies before they opt in. And then for opt-out, if you’re in the US, if someone visits the site, you must honor those preferences by blocking the cookies. A lot of times, organizations are good at that phase one. If they selected. Organizations are very good at that phase one portion of it of actually serving the banner because these tools make it very easy to do the settings on the back end. They give you a script. You place that script on the website. Boom. You have your cookie banner. You have your preference center. And to businesses, they think they’re ready to go.

But these cookie consent solutions, there’s also a second phase where they actually have to go in and configure the blocking. And that’s the big piece that a lot of the organizations miss is that it’s not like they do it on purpose, they’re just unaware that there’s actually two phases here. It’s not just like a plug and play, put this on your website, you have a banner, you have a preference center, you’re good to go. You need to make sure you’re doing the blocking piece as well.

Jordan Eisner (09:56)

And I’m going to put you on the spot here. Why do you think that is? Why do you think that phase one? OK, got it. Whatever. Off the shelf. Put it in. Good. We’re putting the cookie solution to block them if they request it. Why is phase two in the configuration actually do that and execute on it? Why is that a miss for so many organizations?

Michael Nadeau (09:58)

Okay, I think a lot of these cookie consent tools advertise themselves as plug and play. I don’t think they really want to advertise, a lot of times, the amount of work that goes in on the back end to actually do the blocking piece. And then sometimes it’s also just that the organization may not have the resources to do it, and they may get the banner up, the preference center, and then they have to go into phase two and they realize it’s a lot more in depth than that plug and play and they just don’t really have the resources or.

Jordan Eisner (10:49)

Or they give up on it, they’re pulled in different directions, or they don’t have the expertise, or it’s about, I see a lot of ownership within the organization. Well, that’s a privacy issue. No, well, we need development or website or IT or whomever to manage it. Well, we got plenty of other fires we’re putting out. Okay, so that brings us to CIPA though, because you might be asking yourself, OK, so we’re doing part one. Maybe phase two is not happening. Nobody is being, I shouldn’t say nobody. Thus far, there have not been a lot of fines issued out against organizations from states for not honoring an individual’s cookie preferences.

Jordan Eisner (11:45)

Not to say that there can’t be or there won’t be, or that there shouldn’t be, you know, if it’s occurring. But what I’ve really found, and you’re going to correct me or agree with me here, over the last several months or even going back, you know, years, under these wiretapping laws, organizations are claiming damages or whatever they need to be, right, under CIPA or the other sort of things, to use not just privacy regulations as they’re in today, but also older laws to bring lawsuits against organizations saying, you’re not properly honoring my cookies. Am I right? Is that what you were gonna get at earlier when you brought up CIPA? So now detail that, now it’s a good time.

Michael Nadeau (12:31)

Yeah, it’s kind of crazy because yeah, the state privacy laws came along and they literally say that it’s an opt out regime, and then you have professional litigators coming along and using an old wiretapping law to say, you’re collecting cookies on me without notifying me first or allowing me to opt in, and they get put underneath scrutiny from an older law, which.

An opt in versus an opt out environment is completely different. An opt in environment is so much harder to implement than an opt out environment, so it has a lot of implications for the businesses doing it, especially if you’re a business just operating in the US, because under the state privacy laws, it’s easier to do the opt out and has less effect on your cookies. But with the CIPA law being used as a loophole, now your organization is not only getting fined, but you’re also having to change your whole entire consent model. You’re losing the analytics, all the cookie data on top of it. So it’s very interesting. You know, they are using this old law as a loophole. And I think the regulators are seeing this because there is a bill in draft regulations that is trying to get rid, like they’re trying to amend it so that professional litigators can’t use that loophole anymore underneath the CIPA law.

I think regulators are aware of it and they’re trying to fix it, but right now organizations just don’t have, they don’t know how to fight it or this hasn’t actually gone all the way through like a use case to where businesses can rely on that to say, okay, well, no, CIPA don’t apply to us.

Jordan Eisner (14:16)

Okay, that’s helpful. I also have heard of, and I usually get it backwards. It’s either trap and trace. Yeah, it’s trap and trace, right? Yeah. Is that the same thing? CIPA, is that something else? Cause I think there was like.

Michael Nadeau (14:34)

I’m not sure.

Jordan Eisner (14:35)

You’re not sure. Okay. You’ve heard the term trap and trace, right?

Michael Nadeau (14:38)

I have heard the term trap and trace.

Jordan Eisner (14:41)

Maybe, that’s what they’re talking about with the litigation. So, okay, we’ll move on to the next point then. In closing, what do you recommend companies do? Given the wiretapping law, given the phase two failures we’ve seen in so many organizations,

What do you recommend companies do when they’re onboarding these solutions or where they’re building them themselves? You know, where’s the disconnect and how can it be solved before it’s too late or before it’s an issue that’s costing organizations?

Michael Nadeau (15:17)

Yeah, and there’s a lot of recommendations, but I think the first one is definitely making sure you select the right cookie consent solution. Well, you as an organization, you might have a lot of websites that you manage. Those are all managed under different website platforms, and sometimes these cookie solutions aren’t compatible with all those website platforms. So make sure you pick the right solution there. Make sure you come to the table with the right questions.

Next is understand scoping as a business, like scope your websites appropriately. So look at your websites and see the audience that you’re serving so you know what laws you have to comply with. The next one is once you do have that cookie consent solution.

This is key, I would make sure you understand everything within the vendor documentation about how to implement and make sure you understand that there is vendor documentation and you’re just not following steps on what you think is supposed to be happening, but you’re actually following all the steps that the vendor is specifying to you.

And then I would say with the CIPA stuff, make sure you get a trusted advisor or some type of outside counsel or a legal opinion on how you should be handling that. Because there are a lot of CIPA claims, but like you said earlier, or we said earlier, under the privacy law, it’s an opt-out regime, but these CIPA claims are coming around. So just make sure you understand the risk and get some type of professional opinion on how to mitigate that risk. If that means going to an opt-in regime, completely nullify that, do that, or if you just want to say, hey, we were complying with the state privacy laws and we don’t want to comply under the CIPA loophole, then take that option as well.

Jordan Eisner (17:12)

Good summary. And I’ll be the one to make the shameless plug here. You also can use a consulting firm to help you implement it and configure it correctly, whether that be us or others. You know, we’re not the only one out there, but CompliancePoint and Michael himself have specialized and helped many organizations with this very issue. So if you’re listening or watching and this is a problem you’re having.

Michael Nadeau (17:14)

Thanks.

Jordan Eisner (17:41)

Reach out, we’d be happy to have a conversation. You can find us at compliancepoint.com. You can email us at connect@compliancepoint.com. Michael, when’s the last time you were on LinkedIn?

Michael Nadeau (17:51)

You know what, I’ll say today. My cookie information is on LinkedIn.

Jordan Eisner (17:55)

So you can try reaching out to Michael. It might be better to reach out to me. I check it at least daily. But yeah, please, we’d love to have a conversation. And Michael, I appreciate you coming on, sharing some of this. I think it’s topical. I think it’s important information. Hopefully, people get some value out of this conversation today. And you’re going to have to come back on here another time.

Michael Nadeau (18:18)

Alright.

Jordan Eisner (18:21)

Be well, everybody.
