Cookie Laws Across the US

Data privacy is a big deal these days on a global scale. Of the nearly 200 countries in the world, 137 of them have some form of data privacy legislation, and consumer awareness of the privacy landscape has increased in keeping with the growth of legislation. One McKinsey study even found that 87% of consumers were unlikely to do business with a company they did not trust to protect their data.

In May 2018, the General Data Privacy Regulation (GDPR) set off a new era of privacy awareness. It set the trend of privacy legislation that provides consumers with the right to know how their data will be used and the ability to opt-in or out of the collection. Companies now have strict limitations on what data they can collect and what they can do with consumer data, including cookies.

What are Cookies?

Cookies are tiny data files that track user behavior in the browser and are used to build customized buyer profiles. They can be used for functions as benign as remembering logins and items in a shopping cart and also for personalized advertising. 

On the one hand, cookies help companies provide that personalized experience consumers crave. But on the other hand, there is such a low level of trust around cookies that many users opt out of them when given the option. 

While the US does not have a federal cookie law, five states have adopted their own: California, Virginia, Colorado, Utah, and Connecticut, all of which go into effect in 2023. While they are all pretty similar, there are a few key differences among them. For example, each cookie law has its own way of defining a consumer, personal information, a sale, and the rights of a consumer.

Here’s a quick roundup of cookie laws in the US and what you need to know.

California Privacy Rights Act (CPRA)

On January 1, 2023, the California Privacy Rights Act (CPRA) will go into effect, expanding and replacing the California Consumer Privacy Act (CCPA) of 2020. It applies to businesses that transact the personal data of 100,000 California residents, have a gross annual revenue exceeding $25M, or earn more than half their annual revenue through selling the personal data of California residents.

The CCPA defines personal data as any information that “identifies, relates to, describes, and is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CPRA takes it one step further to include sensitive personal information, including but not limited to social security number, race, gender, location, and genetic data.

Still, unless the cookies collect the personal data of minors, the CPRA does not require explicit consent to use cookies. Instead, it allows businesses that meet the criteria to collect cookie data as long as users are given the opportunity to opt-out. That is, businesses must disclose their use of cookies and their purposes and allow consumers the chance to deny participation. This means you can’t load non-essential cookies until the user says you can. Even more, you need to get explicit consent to process, sell, or share the personal information or data you collect.

CPRA is a business-specific offshoot of the California Online Privacy Protection Act (CalOPPA), a regulation that applies to online services that collect personal identifying information about California residents, regardless of the location of the business.

Virginia Consumer Data Protection Act (VCDPA)

Like the CPRA, the Virginia Consumer Data Protection Act (VCDPA) takes effect in January 2023. It applies to organizations that do business in Virginia or with Virginia residents, control or process the personal data of Virginia residents, or earn a certain threshold of their income from the sale of their data.

The VCDPA (like UCPA and CPA) excludes publicly available and de-identified data from its definition of personal data. 

Like the CPRA, the VCDPA requires businesses to let users opt out of their data being used for “targeted advertising” – don’t pre-check the box on the cookie banner. Plus, users need to opt in for you to process their sensitive data, and you can only process the data as disclosed in your privacy policy.
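The two operational requirements above (no non-essential cookies before the user says so, and no pre-checked consent boxes) come down to one gate in front of every cookie write. The following is an added example, not code from the original post or from any of the state laws; the category names, the injectable cookie "jar", and the in-memory store are assumptions made so it runs outside a browser, where the jar would wrap `document.cookie`. It goes one step beyond the text by also deleting cookies already set in a category when the user withdraws consent.

```javascript
// Added example (not from the post): a consent gate that refuses to write
// non-essential cookies until the user has explicitly granted that category.
// Category names and the jar abstraction are assumptions for this example.

const ESSENTIAL = "essential";       // login session, cart: allowed without consent
const ANALYTICS = "analytics";
const ADVERTISING = "advertising";

// Default state mirrors an unchecked banner: every non-essential category denied.
function defaultConsent() {
  return { [ANALYTICS]: false, [ADVERTISING]: false };
}

// In-memory jar so the example runs in Node; a browser jar would wrap document.cookie.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
    names: () => [...store.keys()],
  };
}

function createCookieGate(jar, consent = defaultConsent()) {
  const state = { ...consent };
  const byCategory = new Map();   // category -> Set of cookie names written
  const refused = [];             // audit trail of blocked writes

  // Essential cookies are always allowed; anything else needs an explicit grant.
  // Categories the gate does not know about are denied rather than allowed.
  function allowed(category) {
    if (category === ESSENTIAL) return true;
    return state[category] === true;
  }

  return {
    // Explicit opt-in for one category, e.g. after the user ticks a box.
    grant(category) {
      if (category in state) state[category] = true;
    },
    // Opt-out: deny future writes and delete what was already set in the category.
    revoke(category) {
      if (category in state) state[category] = false;
      for (const name of byCategory.get(category) ?? []) jar.remove(name);
      byCategory.delete(category);
    },
    // The single choke point: only write when the category is essential or granted.
    setCookie(name, value, category) {
      if (!allowed(category)) {
        refused.push({ name, category });
        return false;
      }
      jar.set(name, value);
      if (!byCategory.has(category)) byCategory.set(category, new Set());
      byCategory.get(category).add(name);
      return true;
    },
    refusedWrites: () => refused.slice(),
    consentState: () => ({ ...state }),
  };
}

// Walk-through: essential cookie is written, ad cookie is blocked until the
// user grants the category, and is deleted again when consent is revoked.
function demo() {
  const jar = memoryJar();
  const gate = createCookieGate(jar);
  const sessionWritten = gate.setCookie("sessionid", "abc", ESSENTIAL);   // true
  const adBlocked = gate.setCookie("ad_id", "xyz", ADVERTISING);          // false
  gate.grant(ADVERTISING);
  const adWritten = gate.setCookie("ad_id", "xyz", ADVERTISING);          // true
  gate.revoke(ADVERTISING);
  return {
    sessionWritten,
    adBlocked,
    adWritten,
    adPresentAfterRevoke: jar.has("ad_id"),
    refusedCount: gate.refusedWrites().length,
  };
}
```

Routing every tag or script that sets a cookie through `setCookie` with a category is what makes the default-deny state enforceable; the `refusedWrites` log is useful evidence when auditing which scripts tried to set cookies before consent.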

The VCDPA gives consumers the right to:

  • Access, correct, and delete their personal data
  • Get a copy of their personal data
  • Submit a complaint about a company’s data practices
  • Opt out of the sale of their personal data
  • Opt out of consumer profiling based on their data
  • Not be discriminated against for exercising their rights.

Noncompliant businesses can face up to $7,500 per infringement.

Colorado’s Privacy Act (CPA)

Colorado’s Privacy Act (CPA), going into effect July 1, 2023, applies to any data controller that operates in or sells to residents of Colorado, controls or processes the personal data of 100,000 or more consumers per year, or gains some financial benefit from selling personal data while controlling or processing the data of at least 25,000 consumers.

According to the CPA, the consumer — defined as “a Colorado resident acting only in an individual or household context” — has the following rights:

  • To know if their data is being processed
  • To access their data
  • To correct inaccuracies within their data
  • To opt out of processing data for targeted advertising, consumer profiling, and having their data sold
  • To appeal a business’ denial of their request to remove or take some other action with their data.

While cookies aren’t explicitly mentioned in the CPA, cookie data falls within its scope as personal data used for advertising and consumer profiling.

Using the opt-out consent model, data controllers are required to give the consumer notice about the options available to them, what data of theirs will be used, and what it will be used for. In that vein, data controllers have a duty under the CPA to minimize the data they collect, limiting it to only that which is necessary and relevant to their business operations.

Utah Consumer Privacy Act (UCPA)

Utah’s Consumer Privacy Act (UCPA), effective December 2023, is more business-friendly than the other regulations. It applies to any data controller or processor that does business in Utah or with Utah residents, has over $25M in annual revenue, and processes a certain threshold of data while meeting certain revenue requirements. 

Within the UCPA, the consumer — defined as “an individual who is a resident of the state acting in an individual or household context” — has the right to access, get a copy of, and request deletion of their data. Like in the CPA, consumers have the right to opt out of having their data processed for targeted advertising or sale.

The UCPA does not apply to nonprofits, colleges and universities, covered entities, and certain business associates that do not meet the revenue threshold. Companies that the UCPA does apply to must publish a privacy notice that discloses what data they collect, what they do with it, how consumers can exercise their rights, and which third parties the data is shared with.

Connecticut Data Privacy Act (CDPA)

One of the more consumer-friendly privacy laws, the Connecticut Data Privacy Act (CDPA) goes into effect on July 1, 2023. Businesses that operate in Connecticut or target Connecticut residents, and that control or process a certain amount of their data, will need to ensure they are compliant.

Like the others before it, the CDPA gives consumers the right to know whether a company is using their data and what it is being used for, and the ability to get a copy of, correct, or request deletion of their personal data. Consumers must be able to opt out of targeted advertising, consumer profiling, and the sale of their data. And to process sensitive personal data, businesses need consumers to actively and explicitly opt in.

The CDPA also requires businesses to limit their collection of personal data. So rather than collecting data for the sake of it, organizations are being asked to be more judicious about what data they actually need to carry out their everyday functions. 

Noncompliant businesses can face up to $5k in fines per willful violation.

Takeaways

While the data privacy laws in the US are similar to one another and reflect the basic principles of the GDPR, they each have particular nuances that businesses, data controllers, and processors need to pay attention to. All these laws go into effect in 2023, so there is still some time to get your data collection and cookie consent processes in order. We’ll keep the updates coming! Subscribe to the blog to stay in the loop.