By On Your Terms co-founder Claire Bodle
July 2023
We’ve all seen those annoying pop-ups or banners on websites asking for our consent to place cookies or similar tracking technologies on our devices.
But, what are cookies?
Does your business collect cookies and do you need one of those pop-ups on your website?
Are the requirements different if you have customers based outside of New Zealand?
What are cookies?
When someone visits your website, and you collect information such as their login details, the products they click on or how long they are on your site, those bits of information are stored as files known as ‘cookies’. When the visitor returns to your site, cookies may enable them to log in more easily or see the items they are most interested in first (tailoring their experience on your website). Cookies can also collect data about total website traffic and user preferences.
There are five common types of cookies:
- essential cookies – required for websites to remember user selections, such as what items are added to their cart
- performance cookies – used to track the most popular content on a website
- functionality cookies – used to remember user preferences, including language and location choices
- advertising cookies – used to collect data across multiple websites to target ads based on a user’s preferences, and
- analytics cookies – used to collect data about website performance, including the number of views.
How do I know if my website is collecting cookies?
If customers can log in, add items to their cart, or you receive website performance updates, your website is likely to be using cookies. If you aren’t sure, you can check with the platform hosting your website, or use an available web browser developer tool - for example, you can access the Google Chrome developer tool by right-clicking on the page, selecting ‘inspect’, then ‘application’ and ‘cookies’.
What do I need to do if I am collecting cookies? Do I need a cookies ‘pop up’?
Where your cookies collect personal information of your website visitors (ie, anything that can identify a person such as a name or email address, you have obligations under the NZ Privacy Act 2020 (the Act) to tell your visitors you are collecting their information and how you intend to use it.
However, the Act doesn’t require you to obtain express customer consent to use cookies, or to have a cookies consent pop-up on your website. For more information regarding your obligations under the Act and other New Zealand consumer law see our Guide to Consumer Law in New Zealand.
To comply with your obligations under the Act, you can either provide the required information to your website visitors (and obtain their consent) as part of your privacy policy, or, if you don’t have a privacy policy, you could use a cookies consent pop-up.
All New Zealand businesses selling products or services online (and therefore collecting customer details) should have a privacy policy. If you would like to purchase an On Your Terms Privacy Policy click here for our Website Essentials Bundle. It’s best practice to have your privacy policy on your website for users to view.
If you choose to have a cookies consent pop-up, this will need to tell users how and why you are using cookies to collect their personal information and give them the option to accept or reject this use. You may also choose to provide a link to your privacy policy (or cookies policy) as well.
What if I have overseas customers?
Your website can be accessed from anywhere in the world, and you may supply goods or services to customers outside of New Zealand. This means overseas legal requirements may also apply to your business.
Some overseas privacy law, such as the EU General Data Protection Regulation or ‘GDPR’ and the ePrivacy Directive, have stricter requirements than NZ privacy law.
To comply with the GDPR, businesses must obtain users’ consent before using any cookies (except ‘strictly necessary’ cookies), provide specific information about the data each cookie tracks (and its purpose) before consent is obtained, document and store consent received from users, allow users to access a service even if they refuse the use of certain cookies, and make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
If EU residents can purchase products or services from your website, or you use cookies to monitor or track EU visitors to your website, you will need to make sure you comply with the EU privacy law requirements by using a cookie consent pop-up to obtain the express consent of those visitors.
Key Points
- Cookies are small data files that websites use to identify visitors. Cookies are typically used to remember user preferences, analyse website traffic and to provide personalized content.
- If your business sells goods or services to EU residents, or monitors their behaviour, you must comply with the GDPR by having a cookies consent pop-up to obtain visitors’ express consent to your use of cookies.
- Otherwise, you don’t need a cookie consent pop-up but you will likely need a privacy policy.
On Your Terms makes it faster, simpler and more affordable for New Zealand starts ups and small businesses to access top-quality legal solutions and connect with legal experts. We’re on a mission to make legal information accessible and understandable.
Claire Bodle
Co-Founder / On Your Terms
Claire Bodle is a co-founder of On Your Terms and has been a business and technology lawyer for over 15 years, both in private practice and in-house. She is excited to be a part of the future of law.