Cookie disclaimers, cookie banners, cookie consent, or cookie notices? Is it mandatory for all websites to have privacy/cookie notices now?
If it’s not mandatory for all websites, who is required to have what type of cookie notices under which privacy laws? The use of cookies to collect personal data and market products and services is commonplace now, but many companies are unsure about how to do it legally while complying with the relevant privacy laws.
In this article, we will cover the basics of what your company’s website needs to remain in compliance with privacy laws related to cookies, including:
- Which privacy laws impact your company’s website,
- How to comply with the CCPA’s cookie requirements, and
- How to comply with the GDPR’s cookie requirements.
Which Privacy Laws Impact Your Business’s Website?
Not every website is required to display a cookie banner or cookie notice, but how do you know whether the cookie rules affect your company’s website?
There are two privacy laws that we are primarily concerned with – the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), although there are other state-specific privacy rules. Each has the potential to affect your business’s website depending on where your consumers are located and how your website uses cookies.
When do the CCPA’s Cookie Provisions Apply to Your Company’s Website?
The CCPA is a state-level privacy law that protects California residents’ data.
If your business has a website that can be accessed by California residents and if it collects the personal information of California residents, the website must 1) inform users what information is being collected and how it will be used and 2) give users an opportunity to opt out of the sale of their personal information.
How to Comply with the California Consumer Privacy Act (CCPA) Cookie Notice Requirements
To comply with the CCPA’s privacy rules, your business’s website must include:
- A method to opt out of the sale of personal information – for example, a “Do Not Sell My Personal Information” link on a consent banner on the website,
- A privacy policy and cookie policy that explains in detail what personal information is collected, what cookies are used, and how the personal information and cookies are used,
- A link to the privacy and cookie policy on the consent banner, and
- A wait of at least 12 months after a user opts out before prompting them again.
If your company’s website is not collecting or selling users’ personal information, the CCPA does not require cookie consent – the GDPR might, however.
When do the GDPR’s Cookie Provisions Apply to Your Company’s Website?
Do the GDPR’s requirements for cookie consent apply to companies that are not located in the European Union?
Article 3 of the GDPR specifies that the Regulation applies to the processing of personal data when:
- The “controller” or “processor” is in the EU, whether the processing takes place in the EU or not, or
- The subjects of the personal data are located in the EU and the processing of personal data is related to 1) the offering of goods or services or 2) the monitoring of the behavior of data subjects in the EU.
Data controllers are entities that decide how the data will be used, and data processors are entities that use, store, or transfer the data in any way.
So does the GDPR apply to companies located in the US? It does if the company:
- Provides goods or services to consumers in the EU, or
- Monitors the behavior of consumers in the EU (collects, uses, or analyzes data on consumers).
How to Comply with the General Data Protection Regulation (GDPR) Cookie Consent Requirements
If your company’s website uses cookies and 1) has customers in the EU or 2) collects personal data of consumers in the EU, you will need to obtain informed consent before storing cookies on users’ devices or accessing information on users’ devices.
How do you accomplish that? You will need to:
- Display a cookie banner when visitors first arrive on the website that 1) informs users that your website uses cookies, 2) asks for the users’ consent to use cookies, 3) is conspicuous, and 4) links to your company’s detailed privacy and cookie policy,
- Link to a privacy/cookie policy that is specific about the types of third-party cookies used on your site, the third parties that use or manage the cookies on the site including links to their cookie policies, how the cookies are used, and that is available in all languages spoken in countries where services are provided, and
- Block all cookies until consent is given by the user – if there are checkboxes, the boxes should not be pre-checked unless they are for necessary/essential cookies.
This means that cookie disclaimers or cookie notices are not sufficient to comply with the GDPR’s cookie requirements – there must be clear consent by the user before using cookies on or accessing personal information on their devices.
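The consent rules described in the CCPA and GDPR sections above can be enforced in the site's own front-end code. The following is an added example, not code from the original article or from the firm; it models a consent state in plain JavaScript with an assumed three-category taxonomy (essential, analytics, marketing), blocks every non-essential cookie until the user actively opts in, starts every non-essential checkbox unchecked, and suppresses the "Do Not Sell" prompt for 12 months (approximated here as 365 days) after an opt-out.

```javascript
// Added example (not from the original article). Category names, the
// 365-day approximation of "12 months" and all function names are assumptions.
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;
const CATEGORIES = ["essential", "analytics", "marketing"];

// Fresh visitor: no GDPR choices recorded, no CCPA opt-out recorded.
function newConsentState(now = Date.now()) {
  return { gdprChoices: null, ccpaOptOutAt: null, createdAt: now };
}

// Record the user's explicit GDPR choices. Essential cookies are always
// permitted; unknown categories are rejected so nothing can be slipped in.
function recordConsent(state, choices, now = Date.now()) {
  for (const c of Object.keys(choices)) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
  }
  return { ...state, gdprChoices: { ...choices, essential: true }, consentAt: now };
}

// Record a CCPA "Do Not Sell My Personal Information" opt-out.
function recordDoNotSell(state, now = Date.now()) {
  return { ...state, ccpaOptOutAt: now };
}

// GDPR rule: a cookie may be stored only if it is essential or the user
// has explicitly consented to its category. No consent yet means blocked.
function mayStoreCookie(state, category) {
  if (category === "essential") return true;
  if (state.gdprChoices === null) return false;
  return state.gdprChoices[category] === true;
}

// CCPA rule: personal information may be "sold" only if no opt-out is on file.
function maySellPersonalInfo(state) {
  return state.ccpaOptOutAt === null;
}

// CCPA rule: after an opt-out, do not prompt again for at least 12 months.
function mayPromptOptOut(state, now = Date.now()) {
  if (state.ccpaOptOutAt === null) return true;
  return now - state.ccpaOptOutAt >= ONE_YEAR_MS;
}

// Banner initial view: only the essential box is checked; nothing else is pre-checked.
function initialBannerCheckboxes() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "essential"]));
}
```

The real banner would call `mayStoreCookie` before every `document.cookie` write or third-party script load, and persist the state object itself in an essential cookie or localStorage entry.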
Please feel free to contact any of our Murray Lobb attorneys if you have questions regarding compliance with the CCPA or GDPR’s cookie requirements. We also remain available to help you with all your general business, corporate, construction, and estate planning needs.