To be successful, ecommerce sites require information about site visitors.

What sites are the top referrers? Which search engine produces the most traffic? How long do visitors remain on-site, what is their pathway through the site, and what pages do they exit from?

One method of collecting this information is often referred to as using 3rd party cookies. If you use 3rd party cookies, are you aware of the privacy concerns, and will you be liable for a privacy policy breach?

A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server.

Information gained with cookies helps the Web server track such things as user preferences and data that the user may submit while browsing the site. For example, a cookie may include information about the purchases that the user makes (if the Web site is an ecommerce site), or the cookie may "remember" the user's contact information so the user will not have to re-key it on future site visits.

There is an important difference between 1st party and 3rd party cookies. If you use 1st party cookies, they are passed to a visitor by your site, and the data generated remains with your site. On the other hand, if you hire an independent company (such as Google with its Google Analytics program) to pass the cookie, that cookie is called a 3rd party cookie.

Privacy concerns arise from the fact that the data generated with 3rd party cookies resides on the servers of the 3rd party --- not your server. The fact that you do not control these 3rd party sites and their use of this data has raised concerns among many users. For example, users have questioned whether these 3rd party sites aggregate the data among many sites and report ecommerce trends to the media, or whether the 3rd party sites use the data for purposes of cross-website profiling and ad targeting.

And what is your legal obligation to disclose the use of 3rd party cookies? In the European Union, it's illegal to pass cookies without informing users that you do, what they're used for, and how they can be avoided, and it's generally believed that the failure to adequately disclose the details of the use of 3rd party cookies is a violation of EU law.

In the US, there is an evolving debate regarding the same issues, and the answers are less certain.

It's recommended that if you use 3rd party cookies, you clearly disclose in your privacy policy the distinction between 3rd and 1st party cookies, and how they're used and avoided. Be careful, however, in amending your Privacy Policy because amendments may not be effective retroactively for data collected with 3rd party cookies prior to the amendment.

Copyright © 2008 Chip Cooper

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.

WANT TO USE THIS ARTICLE IN YOUR EZINE OR WEBSITE? You may, as long as you reprint the article in its entirety with live links and include this blurb with it:

Chip Cooper is a leading intellectual property, software, and Internet attorney who advises software and ecommerce businesses nationwide. Chip's 25+ years of experience include 20 years as Adjunct Professor of Computer Law at Wake Forest University School of Law. Visit Chip's digicontracts.com site and download his FREE report, "12 Sure-Fire Ways Your Website Can Get You Sued", and also learn about his "Do-It-Myself" and "Do-It-For-Me" service options.