Would you like some milk with those website cookies? We know the common privacy joke. However, website cookies and online tracking technologies (collectively, “cookies”) are increasingly no joking matter, as they can create potential exposure and actual liability for U.S. website operators.
In this alert, we (1) remind readers of the regulatory landscape underlying cookies’ consent requirements (this is why you may need to have a cookie banner), and (2) highlight some apparent “faux pas” we see online that suggest some sites may need to revisit their approach to cookies and cookie banners as a legal matter.
Regulatory landscape:
There is no federal law that directly regulates the use of cookies in the US, although the FTC has used Section 5 of the FTC Act to regulate the use of cookies to collect sensitive information—more on this below.
However, as of the date of this article’s publication, there are 19 comprehensive state privacy laws that regulate the use of cookies to track users’ online activities. You may recognize the California Consumer Privacy Act (CCPA) as perhaps the most well-known of these laws, being the first of its kind in the US. Other comprehensive state privacy laws similarly govern the collection and use of personal information through cookies.
Under all these laws, businesses are generally not required to obtain opt-in consent to the use of cookies for the collection and processing of personal information—the US continues to be, by and large, an “opt out” regime. There are a few exceptions where opt-in consent is required, including when collecting sensitive information or minor’s data.
Regulators also are shaping the scope of compliance requirements. The FTC takes a similar position on sensitive information,1 requiring businesses to obtain affirmative express consent (opt-in consent) to the use of cookies for sharing an individual’s sensitive personal information with third parties for marketing purposes. Both the New York State Attorney General’s Office and the California Privacy Protection Agency recently issued guidance for businesses on using website tracking controls and avoiding dark patterns, emphasizing the general need for transparency and clarity to consumers on what tracking is occurring.2 Regulators’ guidance is not necessarily binding law but tends to reflect how they would enforce non-compliance under the laws they administer and merits consideration.
There are also consumer health privacy laws in Washington and Nevada, as well as consumer health data privacy amendments to Connecticut’s Data Privacy Act, that prohibit the use of cookies to process consumer health information except with opt-in consent and only if the third parties receiving the information (e.g., the business’s third-party service provider) process the information solely for the provision of services to the business. Both of these laws have a complete ban on the “sale” of consumer health information unless there is prior authorization from the consumer—which, practically speaking, would be nearly impossible to acquire in the cookie context because of the requirements for there to be valid consent.
In all instances, under current comprehensive state privacy and consumer health laws, businesses must provide an easy-to-implement mechanism for opting out of the use of cookies to engage in data “sales” (as defined under privacy laws), where permissible, and targeted advertising.
Is a cookie banner needed?
So, the main question remains. Is a cookie banner “needed”? In the US, the answer is… “maybe.” It really all depends on several factors, including the nature of the personal information collected, applicable privacy laws, and risk mitigation appetite (especially in the context of litigation).
Here is a non-exhaustive list of instances where a cookie banner may be needed:
- Opt-in consent. If opt-in consent is legally required under applicable privacy laws—such as when collecting and sharing sensitive information or consumer health data—then a cookie banner is likely the right mechanism for providing notice and acquiring prior opt-in consent. This is because for opt-in consent to be valid, in addition to including all the required language in the cookie banner, all non-essential cookies must be “off” by default and only turned “on” after the individual provides valid consent; this is similar to the GDPR approach to cookies.
- Opt-out mechanism. US state privacy laws require companies to provide an easy-to-implement mechanism for opting out of “sales” and targeted advertising. The cookie banner may be one solution to this requirement, likely when paired with a cookie management tool.
- Litigation risk mitigation. While not legally required, businesses that use cookies for analytics and marketing purposes to engage with the website visitors may prophylactically deploy a cookie banner to mitigate some of the potential litigation risk given the recent wave of consumer litigation against websites for alleged violations of privacy laws, including wiretap and—the privacy law du jour—Song-Beverly. This choice is typically weighed against some of the added complexities that come along with having the banner.
- GDPR compliance. US businesses may be subject to the GDPR and the ePrivacy Directive and use a cookie banner for compliance purposes.
The key thing to remember when assessing whether a cookie banner should be used is that there are both regulatory and business considerations, and that there is no “one size fits all” solution—and certainly not something that should be copied from another website without careful consideration because “everyone has a banner now.” Remember, just because other websites have a cookie banner, it is not reason alone to put up a cookie banner as it could create liability if not carefully implemented. Hence the title of this alert… the cookies that may bite back!
If using a third-party app, plug-in, or other tools to support cookie banners, you should review those tools carefully as they may or may not be legally sufficient “out of the box.” Often customization is required as a mixed technical and legal matter.
It is always a good idea to look behind the structure and functionality offered through a cookie banner to ensure the user’s choice is implemented properly from a technical side, and that how it is publicly presented does not involve potential “dark patterns” by not providing equal choices (to accept cookies or not) or “nudging” users into accepting cookies.
Common faux pas:
As you assess whether to implement a cookie banner, or perhaps you have launched a banner without outside counsel review, please consider the following list of common faux pas we see across websites and industries. If your site comes within one or more of the descriptions below, you are encouraged to contact your friendly privacy attorney promptly for a cookie banner checkup:
- A website has a cookie banner with only two options: “Reject All” and “Accept All.” Reminder: many websites have some necessary cookies that always run in the background, and “Reject All” in that circumstance is a potentially misleading and false option because the necessary cookies are not “turned off,” and the choice is inconsistent with both privacy law requirements and false advertising laws.
- A website triggers non-essential cookies upon the user landing on the site even though prior opt-in consent is required (based on privacy laws applicable to it). Remember, if prior opt-in is required, a website must not track anyone until the user has an opportunity to opt in.
- A website has a cookie banner copied from another website. This typically occurs when the site operator doesn’t know if they actually need a cookie banner, but it was placed on the website “just in case” without customization to reflect how the site collects and uses data, without being synced up with the privacy policy posted on the website, and without analyzing privacy laws’ applicability and requirements. Cookie banners are not necessarily fungible and copying one from another site may not help and may in fact create new issues. Tip: A cookie banner should be consistent with and sync with the privacy policy on the website.
- A website cookie banner announces the site uses cookies. That’s it. This kind of notification raises a question about whether the site understands its legal obligations around cookies and if the notice is an awkward or uninformed attempt that misses the mark or a legally unnecessary “copy cat” notice to “look” like other sites. This type of banner could increase potential risk of litigation, or invite regulatory inquiries.
- The cookie banner has broken links that do not work.
- The selected settings are not implemented. The cookies are not turned off when visitors request to be opted out of cookies, likely due to a technical error or glitch.
- The cookie banner lacks transparency and accuracy. The cookie banner is uninformative and fails to give notice of what cookies are used, leaving visitors unable to make an informed decision.
- There are “dark patterns.” The cookie banner is beset by dark patterns and requires several click throughs to review all of the banner disclosures and make a selection.
- The cookie banner does not meet accessibility guidelines.
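Two of the points above are technical as much as legal: under the opt-in bullet earlier in this alert, non-essential cookies must stay “off” until a valid opt-in is recorded, and under the landing-page and “settings are not implemented” faux pas, a recorded choice has to be enforced rather than merely displayed. The following JavaScript is an added example, not code from this alert or from any particular consent-management product; the cookie names, categories and in-memory cookie store are constructed for illustration, and on a real site the store would wrap document.cookie. It shows a default-off gate on every cookie write, enforcement of the visitor’s choice against cookies already present, and a self-check that reports any cookie the current consent state does not permit, including one written by a script that bypassed the gate.

```javascript
// Added example (not the article's code): consent-gated cookie writes with a
// default-off policy and an audit that detects cookies set without consent.

// Only "necessary" is essential and may run before any choice is recorded.
const CATEGORIES = {
  necessary: { essential: true },
  analytics: { essential: false },
  marketing: { essential: false },
};

// Constructed registry (hypothetical cookie names) mapping each cookie to a category.
const COOKIE_REGISTRY = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  _analytics_id: 'analytics',
  _ad_pref: 'marketing',
};

// In-memory stand-in for document.cookie so the example runs under Node.
function memoryStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => Array.from(jar.keys()),
  };
}

function createConsentManager(store) {
  // Default-off: until a choice is recorded, every non-essential category is denied.
  let consent = { decided: false, analytics: false, marketing: false };

  function isAllowed(name) {
    const category = COOKIE_REGISTRY[name];
    if (!category) return false; // unknown cookie: the banner cannot disclose it, so refuse it
    if (CATEGORIES[category].essential) return true;
    return consent.decided && consent[category] === true;
  }

  // Every write goes through the consent check; returns whether the cookie was set.
  function setCookie(name, value) {
    if (!isAllowed(name)) return false;
    store.set(name, value);
    return true;
  }

  // Record the visitor's choice and enforce it against cookies already present.
  function recordChoice(choice) {
    consent = {
      decided: true,
      analytics: Boolean(choice.analytics),
      marketing: Boolean(choice.marketing),
    };
    for (const name of store.names()) {
      if (!isAllowed(name)) store.remove(name);
    }
  }

  // "Reject All" can only reject non-essential categories; return what still runs
  // so the banner label can say so honestly.
  function rejectNonEssential() {
    recordChoice({ analytics: false, marketing: false });
    return Object.keys(CATEGORIES).filter((c) => CATEGORIES[c].essential);
  }

  // Self-check: names of cookies present that the current consent state does not permit.
  function audit() {
    return store.names().filter((name) => !isAllowed(name));
  }

  return { setCookie, recordChoice, rejectNonEssential, audit, isAllowed };
}

// Simulated visit: a tag script tries to set its cookie on landing, a second script
// bypasses the gate entirely, then the visitor makes a choice. Returns what was observed.
function simulateVisit(choice) {
  const store = memoryStore();
  const cm = createConsentManager(store);
  const onLanding = {
    necessarySet: cm.setCookie('session_id', 'abc'),    // allowed before any choice
    analyticsSet: cm.setCookie('_analytics_id', 'x1'),  // refused: no consent yet
    violations: cm.audit(),                             // nothing unexpected so far
  };
  store.set('_ad_pref', 'leaked');        // a script writing around the gate
  const bypassDetected = cm.audit();      // the audit names the offending cookie
  cm.recordChoice(choice);                // enforcement removes what the choice does not cover
  const afterChoice = {
    analyticsSet: cm.setCookie('_analytics_id', 'x1'),
    marketingSet: cm.setCookie('_ad_pref', 'seg42'),
    present: store.names().sort(),
    violations: cm.audit(),
  };
  return { onLanding, bypassDetected, afterChoice };
}
```

Running `simulateVisit({ analytics: true, marketing: false })` shows the three behaviours a reviewer would want to confirm on a live site: the analytics cookie is refused on landing, the bypassing marketing cookie is reported by the audit before the visitor has chosen anything, and after the choice only the session and analytics cookies remain. The audit function is the piece worth keeping in a real deployment, since it turns the “settings are not implemented” faux pas from something a plaintiff’s attorney discovers into something your own monitoring reports first.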
Simple cookies are a thing of the past for many websites. It likely behooves most site operators with a cookie banner to double-check how they are using the banner. Certainly, regulators and plaintiffs’ attorneys are paying attention and can home in on “low hanging fruit” issues from the comfort of their desks as they browse online.
This article is Part I of a three-part series on cookie banner and consent management tools, arbitration and cybersecurity insurance for cookie-related claims, and the regulatory and litigation landscape governing or driving the use of banners. Join us on Oct. 2 for a webinar on “Navigating Consumer/Mass Arbitration & Privacy Disputes.” Also, we’ll offer a hands-on workshop on Oct. 29 to delve deeper into these critical issues – more information to follow soon!
1 See FTC Business Blog post “Companies warned about consequences of loose use of consumers’ confidential data” by Lesley Fair September 18, 2023 available at https://www.ftc.gov/business-guidance/blog/2023/09/companies-warned-about-consequences-loose-use-consumers-confidential-data (last visited September 26, 2024).
2 See “Website Privacy Controls: A Guide for Businesses” by the Office of the New York State Attorney General, last updated July 15, 2024, available at https://ag.ny.gov/resources/organizations/business-guidance/website-privacy-controls (last visited September 26, 2024) and “Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice (Enforcement Advisory No. 2024-2)” by the California Privacy Protection Agency, Enforcement Division, available at https://cppa.ca.gov/pdf/enfadvisory202402.pdf (last visited September 26, 2024).