Navigating Cookies at Sentry: A Legal Perspective
You may have noticed that the banners asking you to accept “cookies” whenever you visit a website have gotten bigger and more annoying over time, especially if you browse the internet in Europe. This is in response to laws and regulations that are meant to protect users from being tracked unless they agree to be tracked. The requirement in Europe is that if you want to use cookies, subject to a few narrow exceptions, the purposes must be disclosed with granularity and agreed to in detail.
Most companies meet this requirement with a big modal that requires you to toggle a bunch of boxes. While compliant, it makes for a poor user experience and doesn’t address the core problem, which is that it’s not very nice to be followed around on the internet so that people can advertise to you.
We knew that we had to comply with the cookie laws, but we hated subjecting our users to these pop-ups. The best we could have done was make them a little less ugly, but there was no way to make them unobtrusive, because obtrusion is kind of the point. People can’t really agree unless they know that they are agreeing. Which means it has to be in your face.
So Sentry took a more radical approach. If we can’t use certain cookies without the pop-ups and banners, then how about not using those cookies at all?
Here’s a recap of the legal requirements and the challenges we overcame by taking the road less traveled.
The legal requirements
When is a cookie a cookie?
When we talk about cookies, we don’t just mean the small text files that get downloaded on a user’s device when they access a website, i.e., what is traditionally considered an internet cookie. We also mean any other technology that stores or gains access to information on a user’s device, including web beacons, pixels, and SDKs. This is because European cookie laws and U.S. privacy laws cover tracking technology broadly.
We also don’t just mean advertising cookies, a category which receives the most public attention, drawing the ire of privacy advocates and regulators alike. European and U.S. laws can apply to all cookies, including the cookies that remember your preferences, power your video player and chat box functionalities, and collect general website traffic data.
In conducting our evaluation, Sentry considered all these types of cookies.
What do European and U.S. laws require?
European and U.S. laws generally require user notice (i.e., disclosures) and consent (opt-in for Europe, opt-out for the U.S.) for cookies. The well-settled approach for European compliance is a multi-layered cookie banner linking to a notice with specific information on the cookies used and a preference center that allows users to accept or reject cookies in detail. For U.S. compliance, an opt-out mechanism is generally needed, and can be embedded into the cookie banner.
(There are exceptions: not all cookies require user notice and consent. More on that later.)
Below are some examples of how websites tackle these requirements, ranging from the UK’s data protection authority website to luxury goods and retail gardening websites:
Breaking from the privacy facade
From a theoretical standpoint, cookie banners are a sound privacy practice. They provide internet users with the option to allow or deny certain cookies and associated tracking. In real-world application, however, the banners create a lot of noise and nuisance for internet users who are bombarded with banners at every digital turn. For some, the default mode becomes “accept all” or “reject all” (if that is even presented as an initial option) just to move forward. This raises the question of whether these banners actually empower privacy choices, or whether they are just privacy theater.
So instead, Sentry starts with the presumption that website visitors prefer not to be tracked unless there’s a genuine need (think authentication, security, or fraud prevention), and that if we had a consent banner in place, all of our website visitors would choose to “reject all” or “opt-out”.
Taking the road less traveled
In order to remove our cookie banner, the first step was to identify all of the cookies we use. We looped in a technical team to find an adequate scanning tool and run scans on our domain. We learned that scanning tools are not perfect. Our technical team struggled with their limitations, and just when we thought we had a handle on the cookies, a few more surprise additions cropped up.
Next, we had to evaluate each cookie. Any cookie retained would have to fit within the few narrow exceptions available under applicable law. That includes meeting the rigorous European standards for “essential” cookies, i.e., cookies that are strictly necessary to provide the website. To make a determination we needed sufficient information on each third-party cookie, including what data was collected and for what purpose. It also required working with the third-party providers that power parts of our website to determine what cookies could (or could not) be disabled.
While we conducted this assessment on the legal side, our marketing and data teams worked to explore creative solutions to mitigate the impact of lost data and functionality from cookies being removed. You can read more about our marketing team’s perspective here. The legal team was pulled in as needed to assess proposed alternatives, including some of the new “cookieless” tools that are now available.
Once we landed on a short list of retained cookies, our technical team moved forward to cull all other cookies from our website. Then we were finally able to remove our cookie banner. But our work did not end there. We needed to ensure continued compliance with our new stance on cookies. To that end, our technical team explored implementing a technical block on our website. However, they found that, based on our tooling and specific implementation, it wasn’t a complete solution for preventing unapproved cookies from being added. To bridge the gap, coordinating with our technical team, we explored various monitoring tools and ultimately landed on using website scanning technology.
It’s a wrap
Sentry could have taken an easier path to legal compliance. We could have stayed with the cookie banner, retained all of our cookies, and made zero changes to our existing business processes. Instead we took the more challenging path, not because it’s required by law, but because we believe it’s worth it for our users’ digital privacy experience.
This was admittedly not the path that I expected us to take. At almost any other company, as privacy counsel, I would be expected to help maximize business flexibility within the confines of laws. So it is both a unique and refreshing experience to be a part of a company that chooses to prioritize and raise the standard for user privacy.