Compliance with data privacy regulations has placed cookie consent at the center of governance policies for organizations involved in targeting, marketing, or analytics. But why is there so much buzz around cookies? Is it because these small data files, stored on users’ computers or mobile devices, let websites collect data about users’ online activities, such as browsing history, IP address, search queries, and preferences?
While such practices improve user experience and personalize content, they raise privacy concerns when used to process user data or track users across multiple websites or services without obtaining their prior consent. That’s where the need for enacting stronger privacy laws around cookies becomes paramount.
At their heart, cookie laws balance the needs of businesses with the rights and interests of users. They require businesses to obtain user consent before processing user data in any form. By recognizing and respecting the importance of user privacy, data-driven businesses can meet their regulatory obligations and avoid the business losses that follow from legal action, reputational damage, and financial penalties.
In this article, we’ll shed light on cookie laws and their key provisions in major economies.
Consent and preference management laws in the EU
The EU leads the world in empowering individuals with privacy rights and personal data protection. The ePrivacy Directive and the GDPR are the two EU laws that underpin cookie-related consent and preference management. They apply across member states to all organizations that process the personal data of EU residents, regardless of where the organization is located. With different scopes and requirements, the two laws together form a comprehensive data protection framework aimed at protecting the privacy and personal data of individuals in the EU.
The ePrivacy Directive sets out the following key principles for consent:
- Obtaining prior consent from users before collecting sensitive information through cookies;
- Enabling users to refuse or accept the use of non-essential cookies through the use of a banner or pop-up message, including the ability to revoke their consent at will;
- Ensuring adequate security measures are in place to safeguard the confidentiality and integrity of cookies against unauthorized access or misuse.
In 2017, the EU proposed the ePrivacy Regulation (ePR) to replace the existing ePrivacy Directive. Still under debate, the ePR is expected to introduce new rules governing user consent, online tracking, and cookies. Unlike the ePD, the ePR will not allow websites to rely on ‘legitimate interest’ as the basis for data collection. It will also include provisions covering metadata, meaning information about the timing, duration, and location of electronic communications.
Cookie laws in the United States
- California has the strongest privacy laws in the US. The California Consumer Privacy Act (CCPA) came into effect in 2020, and the California Privacy Rights Act (CPRA) in January 2023. The scope of personal information under the CCPA includes digital identifiers such as cookies. By default, it does not require businesses to obtain opt-in consent for cookies; only for targeted advertising does the CCPA require opt-in consent. It requires websites to inform users about the types of cookies the site sets, the purposes for which they are used, the categories of personal information collected through them, and with whom that information is shared.
- In Nevada, the NPICICA (Nevada Privacy of Information Collected on the Internet from Consumers Act) requires website operators to disclose the type of data they collect and with whom they share that information. It requires businesses involved in the sale of personal data to provide users with an easily accessible opt-out mechanism to refuse the sale of their data.
- A growing number of states are close to enacting their own data privacy laws that will require opt-in mechanisms similar to California’s CPRA. In 2021, Virginia became the second state in the US to enact a comprehensive privacy law, the Consumer Data Protection Act (CDPA). It requires businesses to disclose their data collection practices and obtain consumers’ consent before processing their personal information. Data privacy laws in Utah, Colorado, Virginia, and Connecticut are scheduled to come into effect soon.
Laws for children (COPPA)
Cookie laws in the United Kingdom
After Brexit, the Data Protection Act, together with UK GDPR and Privacy and Electronic Communications Regulations (PECR), governs the data protection landscape of the UK.
Because the UK GDPR mirrors the EU version almost word for word (the exceptions concern national intelligence and security regimes), the cookie-related requirements for businesses processing the personal data of UK individuals remain the same as under the EU GDPR.
Provisions about cookies under the Data Protection Act are the same as those under the UK GDPR and EU cookie laws.
PECR contains clauses similar to those of its EU counterpart, the ePrivacy Directive. It requires websites to give users clear and concise information about the cookies they use, explaining what the cookies do and for what purposes. Websites must also obtain prior consent from users before placing cookies on their devices, and that consent must be freely given, explicit, and withdrawable. For failure to comply with PECR, the Information Commissioner’s Office can impose a fine of up to £500,000.
Respecting the privacy rights of individuals is critical, and that is why non-compliance with cookie rules is not something a business should expect to get away with easily. Penalties imposed by enforcement agencies serve as a valuable reminder to follow the rules on cookies. Note that the list above is not exhaustive, and the data protection landscape is constantly changing. Organizations should keep up to date with the laws governing cookies in every territory in which they operate, follow best practices for building trust with customers, and conduct their operations with integrity and respect. That is how they can contribute to a safer and more secure online world for everyone.
Identify and understand your visitors with Cassie’s cookie solution
If you have multiple websites and digital platforms, then Cassie is the cookie management system for you.
Cassie specializes in cross-domain and cross-device consent, so you can collect visitors’ consent across multiple subdomains.
Choose Cassie for the most flexible cookie solution on the market and get a deeper insight into your visitors.
Flexible for global operations
Cassie’s multi-lingual and jurisdictional cookie module will ensure you always align with the various regulations.
Why clients choose Cassie for their compliance needs
We are experts at helping global businesses achieve compliance whilst building long-term customer relationships.
We ensure we always stay current with any and all legislative changes. Our unparalleled knowledge of global legislation gives us the ability and confidence to anticipate if and how new legislation will impact you.
Cassie makes sure that when you are compliant, you stay compliant.