In June of 2015, the marketing firm Turn Inc. was sued for allegedly tracking the browser history and app usage of "thousands or millions" of Verizon Internet subscribers in California without giving these users notice of the tracking or obtaining their permission or consent to be tracked.
Turn Inc. placed supercookies on the mobile devices and computers of the Verizon Internet subscribers to accomplish this discreet tracking.
Supercookies serve a function similar to that of regular cookies but are frowned upon by advocates of online privacy because, once placed on a user's device, they are very difficult to detect and to remove.
Because users had no knowledge of these cookies being used by Turn, there was no way that users would know to go to Turn's website to attempt to turn off the tracking if they wished to.
Even worse, because the cookies used were supercookies, Turn's code would still not be removed from the user's browser even if users did find and remove these cookies.
Additionally, if a user did somehow know to go to Turn and request the tracking be stopped, Turn was not obligated to actually stop the tracking.
This is an important case for owners of websites that place cookies on their users' or visitors' devices because it showcases what you must do before using any cookies at all, and how to handle the issues of disclosure, consent, and revocation of cookies in a legally compliant way.
Because the internet is such a broad space of information, it's rightfully assumed that any website in the world can potentially be accessed by someone in California or the EU.
This means that cookie notices are a standard component of websites and mobile apps everywhere these days.
Active consent can be obtained by requiring a user to check a box next to a sentence that says something about the user consenting to have cookies used, or to click something that makes it clear that the user understands that clicking will be taken as consent.
Note in the example below how a user must check a box that corresponds to the statement "I accept cookies from this site" as well as click the "Continue" button.
The alternative, obtaining passive consent, is less favored and will likely be slowly phased out as an acceptable method. This method counts inaction as consent.
For example, one way to obtain passive consent is to tell a visitor to a website that by continuing to browse the site, cookies will be placed and consent will be assumed.
Here's a good general example from Engine Yard of how to obtain more active and actual consent and agreement to your Terms of Service.
The more information you provide to your users, the better. Users will know more about what they are consenting to, and how cookies are actually working for their benefit.
The cookie information is separate from the general privacy information on the BBC website. Each section and sub-section of the Privacy and Cookies section is clearly separated, and keywords are linked to additional information. A linked summary section is on the right side of the screen to simplify and outline each section.
Include information on how a user can limit, edit, or delete which cookies are stored on their device.
When Turn Inc. left out this information and discreetly placed cookies on users' devices, it immediately violated privacy protection laws and put itself into non-compliance.