JoomConnect Blog
Is Your Website Compliant with Cookie Laws?
Do you know the old saying about how the shoe cobbler always has holes in his boots? As an MSP, you are always thinking about the compliance of your clients, to the point where you might put your own security on the back burner. It’s easy to shove your website to the furthest corner of your to-do list, so let’s take a quick look at a couple of things you definitely should be thinking about.
Today we’re going to be talking about Cookie Laws and how your MSP should handle them.
What are Cookie Laws, and Do Businesses in the US Need to Comply with Them?
You’ve definitely come across websites that give you a little popup that says something along the lines of “This website uses cookies!” and makes you agree to it. This comes from the EU Cookie Law, also known as the ePrivacy Directive. The first EU cookie law came into effect way back in 2002 and was amended in 2009, and with the release of the GDPR (General Data Protection Regulation) in 2016, the importance of data privacy, including cookies, has come into play a lot more.
Everyone is welcome to their own opinion on this, but when it comes to protecting the personal information of a user, the GDPR is some pretty fair but powerful legislation that puts control over personal information into the user’s hands. It doesn’t only cover businesses in Europe, but any business that potentially does business with citizens and entities within the EU.
That being said, the GDPR has been influential: several US states have adopted regulations that borrow heavily from it, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA).
The short answer is this: There are no federal laws in the US that regulate the use of cookies, but certain states consider cookies as personal information and have guidelines around them.
But Aren’t Cookies Basically a Required Part of the Internet?
They sure are. These days, just about every single website uses cookies. If your website has any sort of login functionality (even a backend) or does any sort of metric tracking for analytics, it likely uses cookies. Sure, there are some fancy ways around this, but most MSPs aren’t building and coding their websites by hand just to avoid using standard web practices (nor should they).
These days, cookies are a fact of life, and unfortunately, the average American user doesn’t really understand what cookies are or what they do, so they don’t know if, when, or why they should agree to them. This will likely improve as more large organizations have to comply with the GDPR and cookie policies show up more frequently, but it’s not a bad idea for MSPs to pave the way when it comes to educating the public on things like data privacy.
It also puts your business at a bit of a disadvantage. After all, you are now asking each visitor if they want to be tracked or not—of course, you want to track them. That’s how you gain insight into how your website and marketing are performing, and how dare anyone tell you that you can’t collect that data and use it to make informed decisions on your marketing budget!
It’s a double-edged sword.
This takes us back to why it’s so important for MSPs to act as educators for their local community.
Should My MSP Website Have a Cookie Policy?
MSPs in the EU
If you are in the EU or directly work with businesses or individuals within the EU, then absolutely. We’ve always included a free cookie plugin that asks visitors to opt in to using cookies, and there are plenty of premium tools out there for this as well. Our EU-based clients often already have tools that help them comply with the GDPR outside of their website, and those tools include a script to comply with the cookie laws, so there’s that too.
We recommend reading up on our blog post about the GDPR.
To fully comply with the GDPR, your MSP needs a clear and precise privacy policy and cookie consent.
MSPs in Canada
Canada's privacy laws tend to be more strict than most US states but aren’t as strict as the EU. Currently, Canada’s two main privacy laws are the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada’s Anti-Spam Legislation (CASL).
According to the PIPEDA, websites are required to obtain consent from users to track, collect, and use their data. There are a handful of exceptions for PIPEDA, like non-profit organizations, but generally, Canadian businesses like MSPs need to follow the PIPEDA.
CASL deals with spam, but it also prohibits the installation of any computer program and software on a user’s device for commercial purposes without the owner’s express consent. This applies to cookies as well.
Canadian MSPs need to provide clear information on cookies and allow users to opt out if they do not consent to cookies.
MSPs in the United States
This is going to vary from state to state. California, Virginia, Connecticut, Utah, and Colorado have implemented cookie laws. This year (2024), Texas, Oregon, and Montana are kicking off data privacy laws that cover cookies too.
In California, the California Consumer Privacy Act (CCPA) states that consent isn’t required for collecting and using personal information such as cookies, but if you sell that personal information to third parties, you need to give users the right to opt out of the sale.
In Virginia, the Virginia Consumer Data Protection Act (VCDPA) is similar to the CCPA in California, in that you don’t need consent to collect information, but the user needs to have the right to opt out.
In Connecticut, the Connecticut Data Privacy Act (CTDPA) currently applies to businesses that control or process the personal data of at least 100,000 consumers, or at least 25,000 consumers, and derive over 25 percent of their gross revenue from the sale of personal data. Cookie consent is required under the CTDPA.
In Utah, the Utah Consumer Privacy Act (UCPA) applies to any business that operates in or deals with consumers from Utah, has an annual revenue of $25 million, and generates half of its gross revenue through the selling of personal data of consumers in Utah. It’s likely that this won’t apply to many MSPs in Utah, but it’s still a good idea to have a cookie opt-out option on your website.
In Colorado, the Colorado Privacy Act of 2021 states that you need to display a clear and conspicuous opt-out notice to opt out of data tracking and selling of personal information. Your privacy policy needs to be clear about what you use tracking cookies for and allow an opt-out option.
In Texas, the Texas Data Privacy and Security Act (TDPSA) will go into effect in July 2024. Businesses need to be of a certain size before they have to comply with it, and compliance includes a cookie consent for collecting and processing data.
In Oregon, the Oregon Consumer Privacy Act (OCPA) is also going into effect in July 2024. Businesses are required to provide a privacy notice, obtain consent when processing personal data, and allow opt-out.
In Montana, the Montana Consumer Data Privacy Act (MTCDPA) is similar to the Connecticut law. It’s for businesses that control or process the personal data of 50,000 or more Montana residents each year or derive more than 25 percent of their gross revenue from the sale of data. If you fall under that, you need a cookie consent plugin.
For everyone elsewhere in the US, or anywhere else in the world, it’s still probably a good idea to adopt a cookie policy. In time, it will be a badge of trust and authority as people come to expect the businesses they work with to prioritize privacy when it comes to data collection.
Other States are Going to Follow
Notice a pattern? It’s only a matter of time before other states implement similar policies. While a lot of MSPs probably aren’t going to require a cookie policy, it’s not a bad idea to get ahead of the game. A lot of third-party vendors, especially payment gateways and email providers, are starting to require their clients to have privacy policies, which is half the battle.
It’s a good idea for any and all MSPs to build out a solid privacy policy and implement a GDPR-based Cookie Policy.
What Does My Website Need to Meet the GDPR and Cookie Laws?
For most MSPs, ramping your website up to meet these standards isn’t that big of an endeavor. The hardest thing will be establishing your privacy policy. We’d love to just give you one to use, but we don’t know how you handle your data once you have it. We do have a template that you can start with, and you should read our blog post about it here.
Once you have your privacy policy, we can set up a GDPR-compliant cookie plugin on your website that displays the cookies your website is using and allows users to opt-in or out. There are simple free plugins that let your users simply opt-in or leave—but we recommend a GDPR-compliant plugin that can have them accept all cookies or only the necessary cookies your website requires (the session cookies, but not the tracking, functional, targeting, or performance cookies).
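To make the "accept all" versus "necessary only" distinction concrete, here is an added example of the consent logic such a plugin has to implement. This is illustrative code written for this post, not JoomConnect's plugin or any vendor's product, and the cookie names in the catalog (`session_id`, `csrf_token`, `ui_lang`, `ad_campaign`) are assumed for illustration; the analytics names `_ga` and `_gid` are the common Google Analytics cookies. The cookie jar is modelled as a `Map` standing in for `document.cookie` so the logic runs outside a browser.

```javascript
// Added example (not JoomConnect's plugin code): a minimal consent model that
// gates non-essential cookies on the visitor's choice. Cookie names below are
// assumptions for illustration; replace them with the ones your site sets.

// Cookie categories the site uses. "necessary" covers the session cookies the
// site cannot run without, so the visitor can never switch it off.
const COOKIE_CATALOG = {
  necessary: ["session_id", "csrf_token"], // assumed names
  functional: ["ui_lang"],                 // assumed name
  performance: ["_ga", "_gid"],            // typical Google Analytics cookies
  targeting: ["ad_campaign"],              // assumed name
};

const OPTIONAL_CATEGORIES = Object.keys(COOKIE_CATALOG).filter((c) => c !== "necessary");

// Normalize a banner choice into an explicit per-category decision.
// Accepts "all", "necessary", or an object such as { performance: true }.
// Anything not explicitly granted is refused: this is opt-in, not opt-out.
function normalizeConsent(choice) {
  const consent = { necessary: true };
  for (const cat of OPTIONAL_CATEGORIES) {
    if (choice === "all") consent[cat] = true;
    else if (choice === "necessary" || choice == null) consent[cat] = false;
    else consent[cat] = choice[cat] === true;
  }
  return consent;
}

// Store consent in the site's own consent cookie as "functional:0,performance:1,...".
// parseConsent is the inverse; a missing or malformed value falls back to
// "necessary only", so a corrupted cookie never grants more than the visitor chose.
function serializeConsent(consent) {
  return OPTIONAL_CATEGORIES.map((c) => `${c}:${consent[c] ? 1 : 0}`).join(",");
}

function parseConsent(value) {
  if (typeof value !== "string" || value === "") return normalizeConsent("necessary");
  const choice = {};
  for (const pair of value.split(",")) {
    const [cat, flag] = pair.split(":");
    if (OPTIONAL_CATEGORIES.includes(cat)) choice[cat] = flag === "1";
  }
  return normalizeConsent(choice);
}

// Names of cookies that may exist under the given consent.
function allowedCookies(consent) {
  const allowed = new Set();
  for (const [cat, names] of Object.entries(COOKIE_CATALOG)) {
    if (consent[cat]) names.forEach((n) => allowed.add(n));
  }
  return allowed;
}

// Whether a tag in a category may be loaded at all. Gate analytics and ad
// scripts behind this rather than loading them and deleting cookies afterwards.
function mayLoad(category, consent) {
  return consent[category] === true;
}

// Apply consent to a cookie jar (Map of name -> value standing in for
// document.cookie). Known cookies outside the consent are removed; unknown
// cookies are left alone but reported, so the inventory shown in the banner
// can be kept accurate. Returns { removed, unknown }.
function applyConsent(consent, jar) {
  const allowed = allowedCookies(consent);
  const known = new Set(Object.values(COOKIE_CATALOG).flat());
  const removed = [];
  const unknown = [];
  for (const name of [...jar.keys()]) {
    if (!known.has(name)) unknown.push(name);
    else if (!allowed.has(name)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return { removed, unknown };
}

// Constructed walk-through: a visitor picks "necessary only" after the
// analytics tag has already dropped its cookies, and one unlisted cookie exists.
function demo() {
  const jar = new Map([
    ["session_id", "abc"], ["_ga", "GA1.1"], ["_gid", "x"], ["legacy_pref", "1"],
  ]);
  const consent = parseConsent(serializeConsent(normalizeConsent("necessary")));
  const result = applyConsent(consent, jar);
  return { consent, result, remaining: [...jar.keys()] };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two design points worth copying into a real deployment are the opt-in default (an absent or garbled consent cookie yields "necessary only", never "all") and the `unknown` list, which tells you when a newly added tag sets a cookie your banner does not yet disclose.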
We have a few options for these plugins, depending on your website. There’s a small yearly fee for them, but it’s extremely nominal in the grand scheme of things.