(And How We Protect Our Visitors)
At a glance
This is our internal guide for using cookies and trackers the right way, by putting our users first.
You must get approval before adding any new cookie, pixel, or tracker to our sites.
We follow a global "opt-in" rule. We never track visitors until they say "yes".
All non-essential cookies must be "off by default."
The "Don't" list is just as important as the "Do" list. Please read the table in section 8.
When in doubt, ask the Privacy team first: [email protected].
This guide explains how we use website cookies. Our main purpose is to build trust by protecting our visitors' privacy. That means being transparent and giving them a real choice before we use any tracking tools. Following these rules helps us do the right thing for our users and meet global privacy laws (like GDPR in the EU and CCPA in the US). This is a core part of our commitment to security and high standards (like ISO 27001 and SOC 2).
This guide is for everyone who works on our websites:
All full-time and part-time OnDigital employees
All contractors and freelancers
All third-party vendors who work on our websites
Cookie: A tiny text file a website saves on a visitor's device. It acts like a 'memory keeper' to remember their preferences (like language) or what's in their cart.
Tracking Technology: This is the catch-all term for cookies, web beacons, pixels (like from social media), and any other script that gathers user data. This guide covers all of them.
Personal Data: Any info that could identify a real person. This isn't just a name or email. It also includes 'online identifiers' like an IP address or a cookie ID.
Consent: This is when a user gives us a clear 'yes' before we set any non-essential cookies. We must make this an active choice (an 'opt-in'). We can never use pre-checked boxes or assume they're okay with it.
First-Party Cookie: A cookie we (OnDigital) set for our own site's basic functions. For example, a cookie that keeps a user logged in.
Third-Party Cookie: A cookie set by another company through our site. This is common for ads or social media 'like' buttons.
To protect our visitors and build trust, we promise to:
Be open and honest: We will always explain what trackers we use and why in simple language.
Put choice first: We treat every visitor with the highest standard of privacy. We will not set any tracking cookies unless they actively click "Accept".
Make 'no' easy: Our "Reject All" option will always be as clear and easy to find as the "Accept All" button.
Keep it secure: We will use security best practices (like Secure and HttpOnly flags) to protect the data in our cookies.
Check our work: We will audit our websites every three months (quarterly) to make sure we're keeping this promise.
We all share the duty of protecting our users. Here's your part:
Ask first. Always get written approval from the Privacy team ([email protected]) before you add any new cookie, tracker, or pixel to any OnDigital site.
Work with the team. Partner with the IT and Development teams to make sure any new tool is correctly added to our Consent Management Platform (CMP).
Respect the system. Never try to bypass our consent tool or load a script before a user says "yes."
Speak up. Report any unapproved cookies or compliance issues to the Privacy team immediately.
Read the list. Please read and follow the "Do / Don't" table in section 8.
This is our safety process for adding any new cookie or tracker. No exceptions.
You have a need. A team (e.g., Marketing) wants to add a new tool, like a new analytics script.
You submit a request. You email the Privacy team ([email protected]) with the tool's name, its business purpose, and a link to its privacy policy.
We assess the tool. The Privacy team reviews the tool. We check what data it collects, what cookies it sets, and if the vendor meets our security and privacy standards.
The Privacy team approves or denies. The team gives a "yes" or "no" within 5 business days. If approved, the tool is added to the "Approved Cookie Inventory."
You implement (correctly). The Development team adds the tool's script. It must be set up to load only through our Consent Management Platform (CMP).
We update the CMP. The IT team adds the new cookie to the correct category (e.g., "Marketing") in the public-facing cookie banner. This allows users to consent to it.
Example 1: Marketing wants a new social media pixel
Scenario: The marketing team wants to add a new pixel to track ad conversions.
What to do:
The marketing lead does not add the pixel to the site.
They email the Privacy team with the request, explaining the business need.
They wait for the Privacy team to approve the vendor and the pixel.
Once approved, they work with a developer to have it implemented through the CMP.
Example 2: A developer finds an "unknown" cookie
Scenario: A developer is working on the website and sees a cookie in their browser's developer tools that they don't recognize.
What to do:
The developer immediately reports this to the Privacy team.
This triggers a mini-investigation (see Section 10). The team will find out where it came from and remove it if it is not approved.
| Do | Don't |
| --- | --- |
| Do get written approval before adding any new tracker. | Don't add any script, pixel, or tag "just to test." |
| Do load all trackers through our Consent Management Platform (CMP). | Don't ever "hard-code" a tracker to load before the CMP. |
| Do classify all cookies (e.g., Essential, Analytics, Marketing). | Don't put a Marketing cookie in the "Essential" category. |
| Do use a first-party cookie if you can instead of a third-party one. | Don't use a cookie that lasts for more than 13 months. |
| Do use Secure and HttpOnly flags on cookies you create. | Don't assume a vendor's "compliant" badge means anything. We must check. |
| Do report any cookie you don't recognize. | Don't use pre-checked boxes or "cookie walls" that block the site. |
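The technical rules in the table can be checked automatically during an audit. The sketch below is an added example, not OnDigital's own tooling: it checks `Set-Cookie` headers for inventory membership, consent category, the Secure and HttpOnly flags, and the 13-month lifetime limit. The inventory contents, cookie names, and the reading of "13 months" as 396 days are assumptions.

```javascript
// Added example: audit Set-Cookie headers against this guide's cookie rules.
// The inventory, cookie names and the 396-day reading of "13 months" are assumptions.
const MAX_AGE_SECONDS = 396 * 24 * 60 * 60; // 13 months, taken as 365 + 31 days

// Constructed stand-in for the "Approved Cookie Inventory": name -> category.
const APPROVED = new Map([["session_id", "Essential"], ["_ga", "Analytics"]]);

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq0 = pair.indexOf("=");
  const attributes = new Map();
  for (const attr of attrs.filter(Boolean)) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes.set(key, eq === -1 ? true : attr.slice(eq + 1));
  }
  return { name: eq0 === -1 ? pair : pair.slice(0, eq0), attributes };
}

// Return the list of rule violations for one header; an empty list means compliant.
function auditCookie(header, consented = new Set(), now = Date.now()) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const category = APPROVED.get(name);
  if (!category) findings.push("not in approved inventory");
  else if (category !== "Essential" && !consented.has(category))
    findings.push(`set without ${category} consent`);
  if (!attributes.has("secure")) findings.push("missing Secure");
  if (!attributes.has("httponly")) findings.push("missing HttpOnly");
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  let lifetime = null; // null = session cookie, which has no stored lifetime
  if (attributes.has("max-age")) lifetime = Number(attributes.get("max-age"));
  else if (attributes.has("expires"))
    lifetime = (Date.parse(attributes.get("expires")) - now) / 1000;
  // An unparseable lifetime (NaN) is reported too, so it gets a manual look.
  if (lifetime !== null && !(lifetime <= MAX_AGE_SECONDS))
    findings.push("lifetime over 13 months");
  return findings;
}

// Constructed sample headers, audited for a visitor who has not consented to anything.
const SAMPLE = [
  "session_id=abc123; Path=/; Secure; HttpOnly; Max-Age=3600",
  "_ga=GA1.1.1; Max-Age=63072000; Secure",
  "promo_px=1; Secure; HttpOnly",
];
for (const h of SAMPLE) console.log(h.split("=")[0], auditCookie(h));
```

A cookie that client-side script has to read cannot carry HttpOnly, so a "missing HttpOnly" finding on such a cookie is a prompt for review by the Privacy team rather than an automatic failure.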
If you find a problem, have a question, or see a cookie that doesn't look right, please report it.
Contact: [email protected]
What to include: A link to the page, the name of the cookie (if you know it), and a screenshot (if you can).
Response: We will acknowledge your report within 1 business day and begin an assessment. You will never get in trouble for reporting a privacy or compliance concern. We want you to report them.
If a non-compliant cookie or process is found, we don't panic. We act:
Report: The issue is reported to the Privacy team.
Assess: The Privacy team and IT lead an assessment. How did this happen? What data was collected? Who was affected? We check if this is a legal "data breach".
Act: The non-compliant cookie or script is removed immediately. If a vendor was at fault, we contact them.
Learn: We find the root cause. We update our process, provide new training, or update this guide to make sure it does not happen again.
Our "Everyone is in the EU" rule: We follow a strict "opt-in" model for all users, everywhere. It's the simplest way to respect everyone's privacy and comply with all global laws, from the EU's GDPR to the UK's PECR and South Africa's POPIA.
For our US visitors: Laws like California's (CCPA/CPRA) give users the right to "opt-out of the sale or sharing" of their data. Our "Reject All" button takes care of this, making it simple for them to say "no thanks."
Google Analytics: We use Google Analytics. This is an "Analytics" cookie. It is turned OFF by default. It only loads after a user clicks "Accept" on Analytics cookies in our banner.
The only exception to this "ask first" rule is for "Strictly Necessary" cookies. These are the cookies the site can't work without (e.g., a login token or a shopping cart).
The Privacy team (led by the Policy Owner) must approve any "Strictly Necessary" classification.
Seriously, there are no other exceptions. All other cookies require prior opt-in consent.
To request an exception or get a cookie classified, email [email protected].
Policy Owner: Privacy and Compliance Team
Contact: [email protected]
Review Frequency: This guide is reviewed every 12 months or when a major privacy law changes.
Next Review Due: 1-November-2026
| Version | Date | Changes |
| --- | --- | --- |
| 1.0 | 1-November-2025 | Initial policy created. |
Disclaimer: This policy provides general guidance and is not legal advice.
© Copyright 2025.