Website Legal Forms – Disclose 3rd Party Cookies In Your Privacy Policy

To be successful, ecommerce sites require information about site visitors.

What sites are the top referrers? Which search engine produces the most traffic? How long do visitors remain on-site, what is their pathway through the site, and what pages do they exit from?

One method of collecting this information is often referred to as using 3rd party cookies. If you use 3rd party cookies, are you aware of the privacy concerns, and will you be liable for a privacy policy breach?

What’s A “Cookie” Anyway?

A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server.

Information gained with cookies helps the Web server track such things as user preferences and data that the user may submit while browsing the site. For example, a cookie may include information about the purchases that the user makes (if the Web site is an ecommerce site), or the cookie may “remember” the user’s contact information so the user will not have to re-key it on future site visits.

1st Party and 3rd Party Cookies Distinguished

There is an important difference between 1st party and 3rd party cookies. If you use 1st party cookies, they are passed to a visitor by your site, and the data generated remains with your site. On the other hand, if you hire an independent company (such as Google with its Google Analytics program) to pass the cookie, that cookie is called a 3rd party cookie.

Privacy Concerns With 3rd Party Cookies

Privacy concerns arise from the fact that the data generated with 3rd party cookies resides on the servers of the 3rd party — not your server. The fact that you do not control these 3rd party sites and their use of this data has raised concerns among many users. For example, users have questioned whether these 3rd party sites aggregate the data among many sites and report ecommerce trends to the media, or whether the 3rd party sites use the data for purposes of cross-website profiling and ad targeting.

And what is your legal obligation to disclose the use of 3rd party cookies? In the European Union, it’s illegal to pass cookies without informing users that you do, what they’re used for, and how they can be avoided, and it’s generally believed that the failure to adequately disclose the details of the use of 3rd party cookies is a violation of EU law.

In the US, there is an evolving debate regarding the same issues, and the answers are less certain.


It’s recommended that if you use 3rd party cookies, you clearly disclose in your privacy policy the distinction between 3rd and 1st party cookies, and how they’re used and avoided. Be careful, however, in amending your Privacy Policy because amendments may not be effective retroactively for data collected with 3rd party cookies prior to the amendment.

About Chip Cooper: Full-time practicing Internet Attorney, SaaS Attorney and Software Attorney. My posts help you Protect Your Online Business with Internet Law updates and Website Legal Forms. Follow me on Google+. Sign up for Google Hangouts notices, and download my FREE book 7 Shocking Legal Gotchas That Can Shut Down Your Online Business In a Single Day… And What to Do About It!

Disclaimer: This information is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.

Leave a Reply