Standing Down Cookies
Welcome, everyone, to Lesson 6.3.
As I promised to you a moment ago, in this lesson we will review how to stand down cookies.
We will review the technical and organizational controls you can put in place to actually operationalize some of these objectives.
Let's jump right into it.
The learning goals and objectives for this lesson are actually fairly straightforward.
We will review the steps your company needs to take to provide California residents the opportunity to opt out of cookies.
Why? Because that constitutes a sale of personal information to a third party.
Again, remember, cookies equal sale of personal information.
You have to keep playing that back into your head.
Then item number two: we will review helpful tools that are already in the marketplace that can help you, again, maintain CCPA compliance in this space.
Those are our learning goals and objectives.
Before we completely dive in headfirst to everything that there is to know about opting out of cookies,
I'm sure at this point you probably have already looked at some of the cookie banner templates that are available online. If you haven't done so, please do that. Now,
you might be saying to yourself,
"That doesn't line up with what Jason said a moment ago. He said that there were four requirements of cookie banners.
I'm seeing other things in these templates.
I don't trust him anymore."
I apologize if you see differences in cookie templates, but much of that is probably because you are looking at a cookie template from another data privacy law.
If you look at the right side of your screen, remember, the CCPA only requires that businesses provide consumers the ability to opt out of the sale of personal information.
But there are far more restrictive regimes out there.
If you look at the middle of your screen, the Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transaction Act, better known as FACTA,
require that companies provide the ability to opt out of all third-party data transfers.
In Europe, under the GDPR,
consumers actually must be provided the ability to opt into a cookie that is going to transfer data to a third party or even collect the information to begin with.
Everything there is to know about cookies in Europe, it's outside of the scope.
But just remember that in Europe
they do need to establish a legal basis.
They have different requirements over there.
That might be something that you're seeing in the cookie templates.
It's an opt-in regime over there.
It's a consent-based regime over there
that you need to have a legal basis over there.
That is not what's required over here in the United States.
If you are only trying to build out a CCPA compliance regime, focus on the requirements I mentioned in the last lesson.
To that point, the responsibility of ensuring CCPA compliance rests with you and your company.
I have seen all too frequently an attitude in many conference rooms where, okay, these cookies actually belong to a third party.
Well, therefore, all the CCPA compliance aspects of that cookie, they're not our responsibility because they're not even ours.
They don't even belong to us.
That is the wrong mentality.
Please forgive me for the aggressive photo here on the left. But the point here is that this is an action item that falls on your plate.
You cannot subcontract away your CCPA compliance obligations to a third party.
I assure you that they're not looking to Marcato to ensure their CCPA compliance.
No, they are going to ensure it themselves.
Why? Because they need to be able to disable ad tech on their own website.
They are responsible for it.
They being the IAPP.
How do we do this?
Fortunately, in 2010, a group of industry leaders established this group called the Digital Advertising Alliance.
You might have already heard of them.
They and participating companies all ensured that the cookies and ad tech devices that those companies push out are designed to be opted out of.
If you've ever seen that logo in the middle of your screen where I have the pink arrow, you see that sideways triangle.
I bet you know if you are going to go surfing through the Internet, you would come across cookie banners with that logo.
That means that cookie or the cookie banner is powered by a company that subscribes to the Digital Advertising Alliance, meaning that they will assist you in complying with the CCPA.
Now, a moment ago, I said that the CCPA compliance rests with you.
Remember that angry-looking photo with the man pointing at you in the last slide?
That is still true.
The DAA has established a mechanism that you must operationalize but can in fact follow through on to ensure that individuals who visit your website can opt out of cookies.
These companies include brand advertisers, agencies, publishers, ad networks and tech companies.
This encompasses a large piece of the market.
My recommendation to you in this case is, if there are going to be cookies on your websites, try to get cookies, again. Assuming this decision does not rest with you, get cookies that are part of the DAA network because that's going to make CCPA compliance for you,
again, it is your responsibility, but it's going to make it infinitely easier. I would humbly subscribe to you, having worked through this before in the past.
That is the DAA.
They're not the only ones, though, that are helping companies maintain CCP a compliance by making cookies more user friendly.
Big tech has also answered the call.
One of the most frequently deployed cookies out there are Google Analytics cookies.
Included in those devices are opt outs that are built into the platform.
Feel free to go to Google's website.
You can read up more on how they have built and incorporated mechanisms to ensure that cookies can indeed be opted out of by a user visiting your website.
Feel free, again, to pause the video and check out their cookie protocols because
I think that will really help drive the point home.
This also, by the way,
intersects very quickly with the other requirements of the CCPA.
If you remember, the personal information of a child cannot be sold to a third party unless a parent has opted into it.
Suppose a child is visiting your website.
Your website is using cookies to redirect information and sell information to a third party automatically.
That child, all they're doing is exiting out of
or even perhaps accepting all
without really understanding what's happening there.
In that scenario, you are selling the personal information of a child to a third party without the parent's consent.
There is already litigation right now for this very violation.
It is also an offshoot of the YouTube settlement because, again, in that case, Google and YouTube were getting ad revenue from, in part,
ad technology that was being sold off to third parties.
It was children who were visiting certain videos that were, by design, going to be viewed by children anyway.
Cookies cannot be present on your website unless you have a mechanism to opt out of it.
The burden is to ensure that a child's personal information is only being sold via cookies if there's an opt-in basis for that.
Please be careful.
If you have a company that is frequently visited by children, you need to really take a look at the cookies that are on your website.
I think that there's enough there to summarize everything as it relates to cookies and children.
But feel free to give me a call if you have any questions.
This concludes the module on cookies.
I hope at this point I have driven home for you the importance of standing down cookies.
Again, it's a sale under the CCPA of personal information to a third party.
There are several methods available for standing down cookies.
I reviewed the DAA Ad Choice network.
Big tech, including Google, already has solutions to help users opt out of cookies.
Again, as I mentioned a moment ago,
cookies are particularly important as it relates to the collection of personal information of children because that is an opt-in regime,
not an opt-out regime.
That concludes Module Six, and I'll see you in the next module after a quick quiz question.