Informed Pulse

DSIR Deeper Dive - The Worst Cookie Recipe


Countless hours are being spent categorizing cookies and other tracking technologies to work with consent management platforms, part of a purpose-built industry aiming to help companies deal with the increasingly complex and fragmented global privacy landscape. Companies labor over the minutiae of tracking technology disclosures, banner designs and preference center settings - elements that often go unnoticed by website visitors but that are scrutinized by plaintiffs' counsel, privacy activists and regulators. Even meticulous compliance with one legal regime can result in litigation or regulatory enforcement under another. So, how did we get here?

A Little Cookie History

In the earliest days of the Internet, people could simply visit a webpage and move on. Each visit was a separate, anonymous event. Unsurprisingly, early website owners were curious about the people viewing their pages - how many unique visitors, how they got there, which pages they viewed, how much time they spent on the website, whether they were new or repeat visitors, and so on. Created by Lou Montulli in 1994, the first Internet cookies were mainly used for practical purposes, allowing website visitors to keep multiple items in an online shopping cart rather than requiring them to complete each purchase as a separate linear transaction. From these humble beginnings arose the empire of annoyance that has become the bane of privacy professionals worldwide.

By design, the cookie was a flexible tool suited to various potential use cases. It works by having a website store a small text record on the user's device, which the browser sends back with subsequent requests to that site; that exchange can reveal a variety of details about website visitors - details that can be captured by the website owner or by third-party cookie providers. A mere two years after cookies emerged from the oven, how they might be misused and the potential consumer privacy risks were already being discussed by the media. For instance, a February 12, 1996 Financial Times article reported that technology was already in place to "... allow Web site owners to gather an alarming range of information on people who look at their Web pages from PCs at home." That article concluded:

In the long term, this is a good thing, for it will tailor advertising more closely to what consumers want. But at stake is the issue of privacy, which needs to be debated. The only consolation is that breaches of privacy using this technology are unlikely to have any life-and-death consequences. The worst thing that most companies will do, after all, is try to sell you something.

Meanwhile, an industry group called the Internet Engineering Task Force (or Network Working Group), which included our cookie baker, Lou Montulli, was developing an initial set of standards to establish boundaries around the use of cookies. These standards, published in 1997, suggested features ostensibly intended to protect privacy, such as options for completely disabling cookies and discarding cookie information at session termination as well as restrictions on third-party cookie use. In short, this initial set of standards concluded that "privacy considerations dictate that the user have considerable control over cookie management." This advice was largely ignored by an industry looking to capitalize on cookie data.

By the end of the 20th century, cookies had already become a powerful advertising tool. Today, the data collected by cookies and tracking technologies is an entrenched source of revenue helping to sustain freely available Internet use. Each cookie placed is estimated to be worth approximately $2.65, which equals more than $11 billion in annual revenue from cookie-based ads in Europe alone. Another study looking at the potential loss of revenue from a demise of third-party cookies found that first-party data and contextual advertising would need to make up a shortfall of around $10 billion in ad revenue if third-party cookies were discontinued.

Regulating Cookies - The European Union Leads the Way

In July 2002, the European Union (EU) responded to the exponential growth in online communications and popularity of the Internet by passing the Directive on Privacy and Electronic Communications, commonly called the ePrivacy Directive. The directive, which had to be implemented as law in each EU Member State, covered topics such as network security, confidentiality of communications, access to stored data, processing of network traffic and location data, and unsolicited commercial communications. The ePrivacy Directive was amended in 2009, introducing, among other updates, strict regulations on the use of cookies and similar technologies. An ePrivacy Regulation to replace the ePrivacy Directive has been in the works since at least 2017 to update and harmonize the law across Member States. In the interim, the European Data Protection Board has clarified that the ePrivacy Directive remains applicable to newer tracking technologies.

Probably the most visible effect of the ePrivacy Directive as amended was the precipitous uptick in intricate cookie banners displaying information about tracking technologies on websites and requesting consent from website visitors to various categories of these technologies used on each website - but why? The ePrivacy Directive states only that:

... the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information ... about the purposes of processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

In short, cookies and similar technologies require informed consent unless they are used for transmitting communications or are strictly necessary to provide the service. The Member States have taken various approaches to implementation of the ePrivacy Directive, frequently identifying information that must be provided for informed consent and what "strictly necessary" means in this context, but the consent requirement remains a simple opt-in for any cookies or similar technologies that are not strictly necessary.

Let's then layer the EU's General Data Protection Regulation (GDPR) on top of this. The GDPR, which came into effect in 2018, and as a regulation does not require the same type of Member State implementation, does not set forth cookie-specific requirements or restrictions. The GDPR does, however, set parameters for obtaining valid consent, which must be freely given, voluntary, specific, informed and unambiguous. Users must also be able to withdraw consent easily. Still nothing about categorizing cookies.

Somewhere along the line, consent management platforms and/or the companies that use them appear to have surmised that they might get more people to opt in to at least some cookies if they offered a variety of flavors; this led to categorizing cookies as performance, functional, advertising, targeting, analytics and similar. For example, maybe a website visitor is not OK with advertising cookies but thinks functional cookies sound reasonably harmless. Then the company, and its third-party vendors, gets more data. Consent management platforms have continued to build on this model to the point that it is increasingly difficult for a website operator to have a cookie banner or offer cookie preferences without going through what can be a tedious, time-consuming and error-prone process of categorizing each and every cookie used on a website.

The increasingly complex choices and pop-up cookie banners are an ongoing source of frustration for users, and their ubiquity makes them less effective, as website visitors primarily aim to get past them as quickly as possible. Additionally, the use of European-style cookie categories and banners is becoming a compliance and litigation risk in the United States, where they aren't required and don't align with applicable legal requirements but have gained popularity nonetheless.

Regulating Cookies - The United States Can't Keep It Simple, Either

Many companies assume that the European Union has the strictest privacy compliance requirements and, by meeting these requirements, they are likely compliant elsewhere. But the United States, with its novel approach to consumer privacy rights and its litigious plaintiffs' bar, presents a unique challenge. At a high level, cookie use in the United States is permitted with some exceptions as long as consumers can opt out of the sale of personal data, targeted advertising or cross-context behavioral advertising (or "sharing"), and profiling. Each of these terms carries specific, nuanced meanings under the various state privacy laws, and the definitions do not necessarily align with common use or even across the state laws.

Additionally, the sale, share/targeted advertising and profiling categories created in the U.S. state privacy laws do not layer onto the consent management platform categories fabricated for European Union compliance. For example, it is possible to have a cookie that is considered a "sale" or "share" under the California Consumer Privacy Act but "strictly necessary" under the ePrivacy Directive. This means that an opt-out would be permitted in California, but the cookie would not require consent for use (or the associated right to withdraw consent) in the European Union. Another wrinkle is that this right to opt out in the United States must extend to any personal data that is collected by a company when used in a way that permits the right to opt out, which can extend beyond the choices commonly presented in a European-style cookie banner.

Outside the state privacy laws, older U.S. laws, especially those with a private right of action, are being reinterpreted for new technologies. Take, for example, the California Invasion of Privacy Act, which restricts wiretapping without consent. Plaintiffs' attorneys have filed thousands of complaints asserting that this 1967 law covers everything from chatbots to AI features to pixels and cookies.

Add to this the fact that cookie disclosures that are perfectly compliant in the European Union may contain potentially misleading statements from a U.S. perspective, and you have a perfect storm of noncompliance issues in the United States. For example, do you offer a "reject all" option? If so, you must functionally permit the rejection of all cookies - even the ones that make a website functional or secure - or risk having a potentially misleading disclosure. Earlier this year, the New York Attorney General made it clear that misleading statements and interfaces can be subject to consumer protection laws, which also frequently include a private right of action.

In the United States, pop-up cookie banners have become more of a response to plaintiffs' counsel than a legal necessity. Current state privacy laws do not require these banners, and the banners often fall short - for example, by failing to obtain appropriate consent prior to setting cookies or not meeting legal compliance obligations if the banners do not allow consumers to opt out of offline personal data collection.

What Should Companies Do?

Many global companies want a unified solution, but the current cookie recipe makes this incredibly complicated. On the one hand, a company needs to assess each tracking technology, how it works, and its use or purpose, to determine if consent is needed, and then figure out how to obtain that consent. On the other, the company must consider all the types of personal data it may collect, and how that data may be used, to determine if an opt-out is required. Without better legal alignment between privacy compliance regimes, there is no ready solution. Consent management is complex, and most companies do not have the ability in-house to develop and implement compliant tools. Accordingly, they are reliant on third-party vendors, which sometimes seem to be invested in perpetuating even more complexity. Absent ready solutions, however, companies should consider:
