Cookie Law: USA's Compliance or Exception?


Cookies are small data files that websites place on devices that access them, allowing websites to track user behaviour. While there is no federal cookie law in the United States, some states have enacted their own legislation governing cookie usage, such as California's Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (CDPA). These laws consider cookies as personal information and require businesses to disclose their use and provide consumers with certain rights and protections. With the rise of digital privacy concerns, it's important for businesses to understand the legal landscape surrounding cookie usage to ensure compliance and maintain trust with their customers.


California Consumer Privacy Act (CCPA)

In the United States, there is no federal law regulating the use of cookies. However, some state-level laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), consider cookies as personal information.

The CCPA grants California residents more control over their personal information and how it is used and shared. It gives them the right to know what personal data is being collected about them, whether it is sold or disclosed and to whom, and the right to say no to the sale of that data. It also allows them to access and request the deletion of their personal data. Additionally, the CCPA prohibits businesses from discriminating against consumers for exercising their privacy rights.

The CCPA applies to any business that collects consumers' personal data, conducts business in California, and meets at least one of the following criteria:

  • Annual gross revenues exceeding $25 million
  • Purchase, receipt, or sale of personal information of 100,000 or more consumers or households
  • Deriving more than half of its annual revenue from selling consumers' personal information

While the CCPA does not require businesses to obtain opt-in consent for cookies, it mandates that they disclose the use of cookies, the data collected through them, and the purposes of that collection. When cookies are employed for targeted advertising, their use may be deemed a "sale" under the CCPA, requiring businesses to obtain consent for their use.

The CCPA, in comparison to other privacy laws like the GDPR, lacks clarity about its geographic range. It is important to note that the CCPA does not require a physical presence in California. As long as a business is active in the state and meets the requirements, it falls under the purview of the CCPA.


Virginia Consumer Data Protection Act (CDPA)

There is no federal law regulating the use of cookies in the US. However, state-level laws like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA) consider cookies as personal information.

The CDPA, which came into effect on January 1, 2023, allows consumers to opt out of targeted advertising, the profiling of their data, and the sale of their personal data. As cookies can be used for these purposes, their use is regulated under the CDPA.

The CDPA gives consumers the right to access their personal data and request that it be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. The law also contains some restrictions on the use of de-identified data, or data modified to no longer directly identify individuals from whom the data were derived.

Entities conducting business in Virginia must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. To be subject to the law, entities must control or process:

  • The personal data of at least 100,000 consumers in a calendar year, or
  • The personal data of at least 25,000 consumers, while deriving over 50% of gross revenue from the sale of that data.

The CDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.

The CDPA defines sensitive data as a category of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • The personal data collected from a known child
  • Precise geolocation data

The CDPA exempts certain entities, including:

  • Any body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth
  • Any financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act
  • Any covered entity or business associate governed by HIPAA’s privacy, security, and breach notification rules
  • Any nonprofit organization
  • Any institution of higher education


Connecticut Data Privacy Act (CTDPA)

There is no federal cookie law in the United States. However, many states have enacted their own regional cookie laws, including Connecticut.

The Connecticut Data Privacy Act (CTDPA) came into effect on July 1, 2023. The CTDPA gives Connecticut residents certain rights over their personal data and establishes privacy protection standards for data controllers that process this data.

The CTDPA applies to persons that conduct business in Connecticut or produce products or services targeted to Connecticut residents, and that, in the previous calendar year:

  • Controlled or processed the personal data of at least 100,000 consumers; or
  • Controlled or processed the personal data of 25,000 or more consumers and derived over 25% of gross revenue from selling personal data.

The CTDPA also applies to all Consumer Health Data Controllers who do business in Connecticut, regardless of their size or nature of data processing activities. Service providers (called "processors") that maintain or provide services involving personal data on behalf of covered businesses are also subject to the CTDPA.

The CTDPA gives Connecticut residents the following rights:

  • The right to access personal data collected about them.
  • The right to correct inaccuracies in their personal data.
  • The right to delete their personal data, including data collected through third parties.
  • The right to obtain a copy of their personal data in a portable and readily usable format that allows transfer to another controller.
  • The right to opt out of the sale of their personal data, the processing of personal data for targeted advertising, and profiling that may have a significant impact.

To comply with the CTDPA, controllers must:

  • Provide notice about the types of personal data being processed, the purpose of processing, whether data is shared with third parties, and information about how consumers can exercise their rights.
  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose for which it is processed.
  • Obtain consent before processing a consumer's sensitive data.
  • Respond to requests to exercise consumer rights granted under the CTDPA.
  • Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers.
  • Use reasonable safeguards to secure personal data.
  • Not discriminate against consumers who exercise their rights under the CTDPA.

The Connecticut Attorney General has the authority to enforce violations and may issue fines of up to $5,000 per violation. The CTDPA is one of the more consumer-friendly state privacy laws, as it lacks a revenue criterion for applicability.


No federal law, but state-level laws

While there is no federal law regulating the use of cookies in the US, several state-level laws do exist that consider cookies as personal information. These include the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (CDPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA).

The CCPA, which came into effect in 2023, requires businesses to disclose their use of cookies and the data they collect, as well as the purposes for which this data is collected. It also grants consumers the right to opt out of the "sale" of their personal information, which can include the use of cookies for targeted advertising. The CPRA, which updates and extends the requirements of the CCPA, further augments this right by extending opt-out requirements to the "sharing" of personal information and allowing consumers to opt out of the use and disclosure of their sensitive personal information.

Virginia's CDPA grants consumers the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling. As cookies can be used for these purposes, their use can be regulated under this law.

The CTDPA, which came into effect on July 1, 2023, allows consumers to opt out of targeted advertising, the sale of personal data, and profiling that leads to "significant effects," such as a different price for a product or different services being offered.

Utah's UCPA, which will enter into force on December 31, 2023, also regulates the use of cookies, so organisations should familiarise themselves with its requirements.

While there is no federal cookie law in the US, the existence of these state-level laws demonstrates a growing interest in consumer privacy laws across the country. Organisations operating in these states should ensure compliance with the relevant laws to avoid potential fines and other penalties for non-compliance.


Global Privacy Control (GPC)

While there are no federal laws regulating the use of cookies in the US, several states have adopted their own cookie laws, including California, Virginia, Colorado, Utah, and Connecticut. These laws generally require businesses to disclose the use of cookies and obtain user consent, with certain differences in how they define consumers, personal information, and sale.

In this evolving landscape of privacy laws, Global Privacy Control (GPC) offers a simple solution for users to implement a universal opt-out signal, enhancing their control over their personal data. GPC is a browser signal or extension that allows users to indicate their privacy preferences when navigating the internet. It is designed to transmit a user's privacy preferences, such as opting in or out of cookie usage, data sharing, data sale, and targeted advertising, to every website they visit.

GPC is supported by a consortium of privacy-focused organizations, including Brave, DuckDuckGo, the Electronic Frontier Foundation (EFF), the National Science Foundation, Mozilla, The New York Times, and The Washington Post. It was developed in response to the California Consumer Privacy Act (CCPA), which envisioned the concept of a universal opt-out signal. GPC is available as a setting or extension in major browsers and is also supported by browser extensions.

To use GPC, users need to download a browser or extension that supports the signal. They can then turn on the GPC signal for all websites or individual websites. When a website that supports GPC is visited, it will automatically register the user's request to opt out of personal information sales.

GPC is increasingly recognised by global privacy laws as a valid mechanism for honouring opt-out requests. For example, under the California Privacy Rights Act (CPRA), businesses are mandated to treat opt-out preference signals as valid requests to opt out of the sale or sharing of personal information. Similarly, the Colorado Privacy Act (CPA) requires businesses to allow consumers to exercise their rights to opt out of the processing of their personal data for targeted advertising or sale through a "universal opt-out mechanism" from July 1, 2024.
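The following is an added example, not code from the article or from the GPC project, showing how a site can honour the signal described above on the server side. It assumes the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property defined by the GPC specification; the cookie names and categories are made up for illustration.

```javascript
// Added example: honouring Global Privacy Control (GPC) server-side.
// Assumes the GPC spec's "Sec-GPC" request header (value exactly "1") and
// the browser-side "navigator.globalPrivacyControl" property.

// Constructed cookie inventory for a hypothetical site. Under CCPA/CPRA-style
// laws an opt-out signal covers cookies used for "sale" or "sharing" (e.g.
// targeted advertising); strictly necessary cookies are unaffected.
const COOKIE_CATEGORIES = {
  session_id: "necessary",        // login/session state
  csrf_token: "necessary",        // request forgery protection
  ad_id: "sale_or_share",         // third-party advertising identifier
  analytics_uid: "sale_or_share", // cross-context behavioural analytics
};

// True only when the request carries a valid GPC signal. The spec defines the
// field value as exactly "1"; a missing header or any other value is not an
// opt-out, so the site must not treat "0" or garbage as a preference either way.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"];
  return value !== undefined && String(value).trim() === "1";
}

// Returns the names of cookies that may be set on this response.
// `headers` is a lower-cased header map, as Node's http module provides.
function allowedCookies(headers) {
  const optedOut = hasGpcSignal(headers);
  return Object.entries(COOKIE_CATEGORIES)
    .filter(([, category]) => category === "necessary" || !optedOut)
    .map(([name]) => name);
}

// Body served at /.well-known/gpc.json so clients and auditors can verify
// that the site claims to honour GPC. `lastUpdate` is an ISO date string.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Browser-side counterpart: page scripts (e.g. a tag loader) should consult
// the same preference before loading advertising or analytics code.
function clientGpcEnabled() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}
```

A request that includes `Sec-GPC: 1` therefore receives only the strictly necessary cookies, while an absent or non-`1` header leaves the default cookie set unchanged.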

GPC provides a straightforward way for users to manage their privacy preferences and ensure their data is not sold or shared without their consent. By adopting GPC, businesses can demonstrate their commitment to respecting users' privacy choices and build trust with their customers.

Frequently asked questions

No, there is no federal cookie law in the USA. However, some states have laws that regulate cookie usage, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The California Consumer Privacy Act (CCPA) is a state law in California that regulates the use of personal information, including information collected via cookies. It requires businesses to disclose their use of cookies and the data collected through them, and gives consumers the right to opt out of the sale of their personal information.

The California Privacy Rights Act (CPRA) is an update to the CCPA that came into effect on January 1, 2023. It classifies online activity data as personal data and gives California residents more rights over their data, such as the right to request access to their personal data and the right to opt out of its collection, sale, and sharing.

Yes, other states such as Virginia, Utah, Colorado, and Connecticut have also enacted comprehensive privacy legislation. For example, Virginia's Consumer Data Protection Act (CDPA) gives consumers the right to opt out of targeted advertising, the sale of personal data, and profiling.

Yes, if your website uses cookies, you need a cookie policy to comply with relevant laws such as the CCPA and CPRA in California, and similar laws in other states. A cookie policy informs visitors that your site uses cookies and outlines how you use them and if you share data with third parties.
