California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
There are a lot of misconceptions surrounding cookie banners and data privacy laws like the California Consumer Privacy Act (CCPA) and the personal information,” which is any information that relates to or is reasonably capable of being linked to a particular person. This includes online identifiers like cookies.
The CCPA does not specifically require a cookie banner, and does not require prior consent for most data processing. It does require businesses to make certain privacy disclosures at the point of collection, but in most cases this can be accomplished by providing a link to a privacy policy.
This may come as a relief to many businesses, as cookie banners can lead to a dropoff in analytics and marketing effectiveness.
None of the U.S. state privacy laws going into effect in 2023 require a cookie banner.
Consumers have a right to opt out of the sale of their personal data and its use for behavioral/targeted advertising. Though targeted advertising is primarily carried out via cookies, adding a cookie banner to your website is not enough to be compliant. In its recently proposed regulations, the California Privacy Protection Agency had this to say on the subject:
A notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information.
Businesses that engage in targeted advertising cannot rely on their cookie banner for opt-out requests. They will still have to provide an opt-out link on their site, and a process that specifically stops the sharing of consumers’ personal data for use in targeted advertising.
Short answer: Yes.
Technically, cookie banners are required in Europe under a different law called the ePrivacy Directive, but the end result is that businesses that are required to comply with the GDPR must have a cookie banner. Any cookies that are not strictly necessary for the functioning of the website require the visitor’s affirmative consent before being placed. Additionally, visitors must have the opportunity to accept/reject cookies by category, not just an all-or-nothing option.
European Union member states are currently negotiating an updated version of the law—the ePrivacy Regulation—which may change the requirements.
Cookie banners are just one small part of the growing complexity of privacy compliance. Businesses that operate online must now navigate a patchwork of different laws and requirements, an environment that is bound to cause confusion and lead to missteps.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.