Effective 13 November 2020
Data privacy laws in various jurisdictions regulate the use of “cookies” (defined below) on websites. Veralto OpCos are responsible for complying with all applicable cookie requirements for the external-facing websites they maintain.1 This policy sets forth specific requirements and recommendations to assist OpCos in complying with the law, data protection authority guidance, and commercial expectations.
For the purposes of this policy, “cookies” are small pieces of text or other information that a website may store on a browser or other device when that device accesses the site, and which may collect online identifiers provided by natural persons’ devices, applications, tools and protocols, such as internet protocol addresses or other identifiers such as radio frequency identification tags. Such identifiers may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them. For the purposes of this policy, cookies also include pixel tags, web beacons, MAC addresses, advertising IDs, device fingerprinting, and account handles.
In countries covered by the General Data Protection Regulation (GDPR), cookie requirements are especially stringent and detailed. This document distinguishes between general cookie expectations and those specifically applicable under the GDPR. OpCos may choose to follow the GDPR rules globally, but should ensure that they follow them on websites directed at customers in the European Union, the European Economic Area (the EU plus Iceland, Norway and Liechtenstein) and the United Kingdom (“European Websites”).
Information We Collect
Some cookies are necessary for a website to work properly, while others are optional and serve to enhance the user experience or other purposes. OpCo marketing teams should maintain an inventory of all websites under their responsibility, the types of cookies each site uses, what each cookie collects, and the purpose for which it is used. OpCos should categorize website cookies into the groups listed below.
- Necessary cookies: Necessary cookies (also known as essential cookies) enable core functionality of a website such as security, network management and accessibility. These cookies may be disabled through individual browser settings, but doing so may impact the functionality and usability of the website.
- Personalization cookies: Personalization cookies allow the website to recognize returning users and tailor the website experience to match user needs and preferences.
- Analytical cookies: Analytical cookies aid in improving the website by collecting information on how users interact with the site. This includes third-party analytical tools, such as Google Analytics and LinkedIn Analytics.
- Advertising/marketing cookies: These cookies track user activity and sessions so that the website can deliver a more personalized service and provide relevant advertisements.
- Social media cookies: These cookies enable the user to share certain content from the website on social media such as Facebook and Twitter.
1 For purposes of this guidance, the term “website” also includes any application or other technology that employs cookies on a user’s device.
It is important to note that for European Websites, only necessary cookies may be deployed without explicit user consent. Other cookies may be used only where the user has given affirmative consent, and the user should be offered the opportunity to grant or withdraw consent separately for each category of cookies. Each OpCo is responsible for ensuring that cookies are used only with user consent where that is required. Contact the Privacy Pivot if you are unsure whether a specific non-EU country has requirements for cookies.
Every external-facing website should meet these requirements at a minimum:
- Banner: An easily noticed banner should greet the user when a new device/user accesses the page.
- Explanation: The banner should include a button for the user to accept the notice and dismiss the banner.
- No cookies without acceptance: No cookies other than necessary cookies may be set on a user’s device until the user has accepted the notice.
The following requirements should be followed for European Websites (see above for definition), and are recommended as leading practices for broader use:
- Prominent banner: The cookie banner should be prominent. A good rule of thumb is that the banner should cover at least ¼ of the page.
- Non-necessary cookies “off” by default: Non-necessary cookies should not be placed on a user’s device unless the user specifically activates them.
- Category-specific consent: The interface should provide the user the option to turn on or off categories of non-necessary cookies on a category-by-category basis (i.e., analytics cookies and advertising/marketing cookies should have separate “on/off” buttons).
- Save and close: A button should be provided to save the user’s cookie choices and close the interface.
- Ready accessibility: The cookie consent interface should remain easily accessible at all times. This may be done via a “cookie preferences” link at the bottom of the web page, or through a persistent cookie icon (described further below under “Additional practices to consider”). Upon clicking the link or icon, the original consent interface should reappear with the same layout and with the selections previously made by the user already applied.
- One year consent limit: Any permissions granted by the user are to remain in effect for no more than one year from the last time the user saved their selections (via “save and close” or via the cookie icon interface); after this period has elapsed, the user must be prompted to make selections in the consent interface again. (Note that data protection authorities in some countries may recommend a shorter period; currently, Ireland and the Netherlands recommend six months.)
- Consent to changes: The banner and pop-up interface must also resurface immediately before the placement of any new non-necessary cookies that were not previously accepted by the user.
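The requirements above (non-necessary cookies off by default, category-specific consent, a one-year consent lifetime, and re-prompting when new categories appear) can be expressed as a small piece of gating logic that every cookie-setting code path on a site calls before it sets anything. The following is an added example written for this page; it is not Veralto or OpCo code and not part of the policy. The consent record layout, the category names, the function names, and the sample tag and cookie inventories are this example's own assumptions. It is written as plain JavaScript over a record object standing in for the stored consent cookie, so it runs under Node without a browser.

```javascript
// Added example, not part of the policy text: consent-gating logic for non-necessary cookies.
// Record layout, category names, function names and sample inventories are assumptions.

const NECESSARY = "necessary";
const CATEGORIES = ["necessary", "personalization", "analytics", "advertising", "social"];
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;   // policy maximum consent lifetime
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // shorter period some DPAs recommend

// Build a consent record from the user's choices. Every non-necessary category
// defaults to false ("off"); only an explicit boolean true turns it on.
// Passing {} as choices is therefore "reject all non-necessary cookies".
function saveConsent(choices, now, categories = CATEGORIES) {
  const granted = {};
  for (const c of categories) {
    if (c !== NECESSARY) granted[c] = choices[c] === true;
  }
  return { savedAt: now, granted };
}

// A record is usable only if it exists, carries a sane timestamp (not in the future)
// and is younger than maxAgeMs.
function consentIsCurrent(record, now, maxAgeMs = ONE_YEAR_MS) {
  if (!record || typeof record.savedAt !== "number" || !record.granted) return false;
  const age = now - record.savedAt;
  return age >= 0 && age < maxAgeMs;
}

// Show the banner when there is no current consent, or when the site has introduced
// a non-necessary category the user has never been asked about ("consent to changes").
function mustPrompt(record, now, categories = CATEGORIES, maxAgeMs = ONE_YEAR_MS) {
  if (!consentIsCurrent(record, now, maxAgeMs)) return true;
  return categories.some((c) => c !== NECESSARY && !(c in record.granted));
}

// The single gate every cookie-setting code path should call before setting a cookie.
function mayUse(category, record, now, maxAgeMs = ONE_YEAR_MS) {
  if (category === NECESSARY) return true;
  if (!consentIsCurrent(record, now, maxAgeMs)) return false;
  return record.granted[category] === true;
}

// Filter a script/tag inventory down to the entries allowed to load right now.
function allowedTags(tags, record, now, maxAgeMs = ONE_YEAR_MS) {
  return tags.filter((t) => mayUse(t.category, record, now, maxAgeMs));
}

// When the user re-opens the interface and withdraws a category, cookies already set
// for that category must be removed; this returns their names so the page can expire them.
function cookiesToClear(prevRecord, nextRecord, inventory) {
  return inventory
    .filter((ck) => ck.category !== NECESSARY)
    .filter((ck) => prevRecord && prevRecord.granted[ck.category] === true
                 && nextRecord.granted[ck.category] !== true)
    .map((ck) => ck.name);
}

// Serialize the record as a Set-Cookie value. The consent cookie is itself a necessary
// cookie; its Max-Age is tied to the consent lifetime so the banner returns when consent lapses.
function consentCookie(record, now, maxAgeMs = ONE_YEAR_MS) {
  const remaining = Math.max(0, Math.floor((record.savedAt + maxAgeMs - now) / 1000));
  return `cookie_consent=${encodeURIComponent(JSON.stringify(record))}` +
         `; Max-Age=${remaining}; Path=/; Secure; SameSite=Lax`;
}

// Constructed sample inventories for the demo (assumed, not taken from any real site).
const SAMPLE_TAGS = [
  { src: "/js/csrf-token.js", category: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/sdk.js", category: "social" },
];
const SAMPLE_COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "fr", category: "social" },
];

// Demo walk-through with a fixed clock (the policy's effective date).
const t0 = Date.UTC(2020, 10, 13);
let record = null;
console.log("first visit, must prompt:", mustPrompt(record, t0));                 // true
record = saveConsent({ analytics: true }, t0);                                    // analytics only
console.log("allowed now:", allowedTags(SAMPLE_TAGS, record, t0).map((t) => t.src));
console.log("must prompt after one year:", mustPrompt(record, t0 + ONE_YEAR_MS)); // true
console.log("withdraw analytics, clear:", cookiesToClear(record, saveConsent({}, t0 + 1), SAMPLE_COOKIES));
```

Two points worth noting in the design: `mayUse` treats anything other than a literal `true` as "off", so a malformed or tampered stored record can only ever reduce what is allowed; and the consent cookie's own `Max-Age` is derived from the same `maxAgeMs` the gate uses, so passing `SIX_MONTHS_MS` for a site subject to the Irish or Dutch guidance shortens both in one place.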
Additional practices to consider:
- Include a brief description of cookie categories in the banner. This requires more text, but underscores that a user choosing to accept cookies has given informed consent. Brief text similar to the category descriptions above could be used.
- Provide more granular cookie information. If a user selects a cookie category, this would allow the user to access more information about each cookie in the category – i.e., name, description, provider (for cookies provided by third parties like Google) and duration.
- Use a persistent icon. In place of a link, a distinct and noticeable icon for cookie settings may be placed on all webpages in the domain. The icon should be fixed in position so that it remains visible regardless of scrolling or any change to the browser text size or similar settings. The website of the UK Information Commissioner’s Office (ICO) uses a persistent icon (see www.ico.org.uk) and Cepheid has also adopted this practice (www.cepheid.com).
- Include a “reject” button on the banner. This allows the user to easily reject all non-necessary cookies. This has been suggested by some data protection authorities, but is not widely seen in commercial practice.