Everything Tech Marketers Need to Know About Cookie Compliance

Everybody knows that cookie notices are an important part of keeping your tech company’s marketing strategy in legal compliance. However, not everyone knows which ones to use, or how.

With so many types of cookies and cookie notices out there, we’re not surprised that many companies come up with half-baked cookie language. 


It can be especially confusing when you want to be compliant in both the United States and the EU, meaning that you have to conform to multiple standards, most notably the GDPR.

Bearing that in mind, let’s talk about how tech marketers such as yourself should REALLY be using cookie notices.

How do cookies actually work?

Cookies are crumbs of data stored in small text files that track website visitors and contacts. 

The text files gather these crumbs of information by staying behind on a website visitor’s browser. Web pages don’t inherently have memory. They use cookies as a sort of patch that lets them retain and convey information.

Cookies have a reputation for being pesky privacy invaders, and users are typically wary of them. Cookies, though, are actually super useful for both tech marketers and end-users.

For example, cookies allow visitors to stay logged in on a site as you move around its pages. They also enable you to set display preferences that the page will “remember” every time you visit it.

In marketing, cookies watch the pages between sites, collecting information about a visitor’s interests. You can then use that information to tailor ads to your visitors—this is called behavioral advertising.

With cookies, tech marketers can curate highly personalized and richly interactive experiences with visitors.

Why do end-users distrust cookies?

Even though marketers love cookies and they can benefit end-users, individuals don’t always see it that way, and they’re protective of their personal data.

Individuals have every right to be careful with cookies, as they do pose some risk to their data security.

Among the biggest offenders are third-party cookies. Third-party cookies are cookies that AREN’T created by the website someone is browsing (those are called first-party cookies).
In other words, third-party cookies have a different host domain than the cookie in the browser bar when it was downloaded.

They come from unknown sources, usually linked to on-page ads. What’s worse, you may not even know about them!

Here’s a statistic to keep you up at night—72% of all website cookies are loaded in secret by other third-party cookies. AND 18% of all website cookies are Trojan horses, aka cookies hidden inside other cookies…sometimes 8 layers deep!

To do your best to avoid unintentionally spamming your users with third-party cookies, always be diligent when partnering with outside vendors and other third parties. Don’t be afraid to ask questions about their cookie policy, because it affects both you and your customers.

What does the law say about cookie notices?

As you formulate your cookie policy, always keep in mind the GDPR requires that at the VERY LEAST you:

  1. Notify your visitors in PLAIN LANGUAGE that your website uses cookies for certain purposes.
  2. Provide them with a way to explicitly consent to being tracked by cookies

Note: Under the GDPR, the only cookies exempt from this law are those that are necessary for your website to function.

You should also be aware of the Cookie Law, known more formally as “ePrivacy Directive 2002/58/EC.” This legislation, which actually came out before the GDPR,  works alongside it. Its purpose is to regulate the use of personal data by service providers, websites and other companies (i.e. how they handle it, how they use it and why).

In the US, laws and regulations can vary a lot, so we recommend you look to the CCPA (California Consumer Privacy Act) for guidance.

While the CCPA doesn’t require that you use opt-in notices for cookies, it does say that you need to be ready to disclose what data your cookies are collecting and what you’re doing with the data. The CCPA also establishes the right to opt out of the sale of personal data that you may have collected with your cookies. 

What’s the best way to use cookie notices?

According to our survey, right now, only 58% of tech companies have a cookie notice in place, but 43% are actively working on adding one. Whether you’re in the former or latter, you need to make sure that you’re using cookie notices correctly.

The most popular tactic is a simple “accept” or “decline” option, but 14% of companies take this a step further and allow users to specify the exact type of cookies they want to allow or disallow.

But what’s really the best way? Let’s break it down into, “just OK, better and best.”

Just OK—telling people they’re being tracked

This is an OK start, but it’s not enough. Not all cookie notices are created equal…Did you know that if you’re just telling people you use cookies, you’re still not fully compliant in California or the EU? 😬

GDPR non-compliant cookie notice

Good—letting people accept/decline

Great progress! If you offer users a simple “accept” or “decline” option, as most tech companies do, you’re moving in the right direction. Also, you’re technically in compliance with the GDPR. Congrats!

cookie notice accept or reject

Great—letting people opt into specific cookies

Though only 14% of our respondents do this, the BEST way to “do” cookie compliance is by letting people opt into specific cookies. 

Examples of these cookies include but aren’t limited to: analytics cookies (domain, initial timestamp, current timestamp, last timestamp, session number, etc.), functionality cookies, chatflow cookies, advertisement cookies, and cookies from third-party systems.

GDPR compliant cookie notice

Bonus tip—You also need to make sure that you have cookie banners in every language your customers may speak. For example, include a French-language banner for Canadian contacts.

How do I manage cookie settings in HubSpot?

If you’re working in HubSpot, you can start the process of getting compliant by making sure that the cookie consent banner/cookie policy banner is toggled “on.” (This should be set on by default, but always make sure.) This feature won’t automatically put you in compliance, but it’ll help you get there.

One of the many things we enjoy about HubSpot is the fact that it offers you a myriad of ways to configure your cookie banner. You can customize it for different domains and URLS. AND you can display different cookie categories options on your site, and have users activate or deactivate each category.

Not only that, if you use HubSpot CMS for your website or have landing pages, HubSpot lets you mix and match analytics cookies, functionality cookies, necessary cookies and advertisement cookies, giving users the ability to customize their preferences. We think that's pretty neat!

Cookie laws are vast and confusing, but if you start with simple steps and the help of platforms like HubSpot, we know you’ll create effective, compliant cookie notices on your website. Huzzah!


DISCLAIMER: We’re pretty smart tech marketers, but lawyers we are not. 👩‍⚖️ For that reason, we’re obligated to tell you that the legal information in this blog is not intended to be taken as legal advice. You may neither rely on this document as legal advice nor as a recommendation of any legal understanding.


Interested in even more legal compliance stats and strategies? Download our free “Marketing Legal Compliance in the Real World" report to see how your compliance tactics stack up against other tech and software companies.

Download "Marketing Legal Compliance in the Real World"