US Cookie Laws
Posted: April 24, 2022
Although the US lacks a comprehensive federal privacy law regulating the use of cookies, some states have passed their own privacy laws containing provisions related to cookies. These follow the trend set by the GDPR, though they may not be as comprehensive as EU cookie laws. Additionally, for minors, the Children’s Online Privacy Protection Act (COPPA) sets out rules for the handling of sensitive personal data of children under the age of 13.
Cookie laws in the United States
Laws for children (COPPA)
The Children’s Online Privacy Protection Act, enacted in 1998, is a federal law that protects children’s online privacy. It places strict restrictions on the use of cookies by websites catering to children under 13. Websites covered by COPPA must obtain verifiable parental consent before collecting children’s data through cookies or other tracking technologies. It also requires website operators to post a privacy policy describing what data is collected, how it is used, and how it is shared. If COPPA is violated, the Federal Trade Commission (FTC), which is responsible for enforcing COPPA, can impose a penalty of $43,280 per violation.
Which regions have cookie laws?
- California has the strongest US privacy laws. The California Consumer Privacy Act (CCPA) came into effect in 2020, and the California Privacy Rights Act (CPRA) in January 2023. The scope of personal information under the CCPA includes digital identifiers such as cookies. By default, it does not require businesses to gain opt-in consent for cookies; only for targeted advertising does the CCPA require opt-in consent. It requires websites to inform users about the types of cookies set by the site, the purposes for which they are used, the categories of personal information collected through cookies, and with whom the information is shared.
- The California Online Privacy Protection Act (CalOPPA) also applies to information collected through cookies. It requires operators of commercial websites and services to post a privacy policy on the website, indicating information on what types of data are collected, how they are used, and with whom they are shared. This law does not specifically ask for opt-in or opt-out consent for cookies but requires websites to be transparent about their use of cookies.
- In Nevada, the NPICICA (Nevada Privacy of Information Collected on the Internet from Consumers Act) requires website operators to disclose the type of data they collect and with whom they share that information. It requires businesses involved in the sale of personal data to provide users with an easily accessible opt-out mechanism to refuse the sale of their data.
- In Maine, the Act to Protect the Privacy of Online Customer Information (APPOCI) governs the use of cookies. It defines personal data broadly and covers information that may be collected through cookies, such as IP address, browsing history, etc. This law applies only to internet service providers. It requires them to obtain express opt-in consent before processing user data and provide users with conspicuous and clear notice of their data collection and sharing practices, including mechanisms to opt-out of sale or sharing. Additionally, it prohibits ISPs from refusing service, charging different prices, or providing a different quality of service if the user chooses to opt out.
- A growing number of states are close to enacting their own data privacy laws that will require opt-in mechanisms similar to California’s CPRA. In 2021, Virginia became the second state in the US to enact such a law, the Consumer Data Protection Act (CDPA). It requires businesses to disclose their data collection practices and obtain consumers’ consent before processing their personal information. Data privacy laws in Utah, Colorado, Virginia, and Connecticut are scheduled to come into effect soon.
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a landmark privacy law in California, United States, enacted to enhance consumer privacy rights and protection. Enacted in 2020, this law grants Californian residents robust protections, including the right to understand what personal data businesses gather, the ability to opt out of the sale of their data, and the entitlement to access and request the deletion of their information.
The CCPA and CPRA pose significant risks for businesses that fail to obtain cookie consent on their website, potentially leading to substantial fines and penalties. Violations can result in fines of up to $7,000 per violation per customer. For instance, neglecting to obtain cookie consent from 1,000 Californians could incur fines totaling up to $7,500,000.
The Attorney General is also empowered to compel businesses to cease CCPA and CPRA violations and take corrective measures. This authority enables the Attorney General to mandate actions such as deleting unlawfully collected personal information or providing consumers with mechanisms to opt out of the sale of their data.
The Virginia Consumer Data Protection Act (VCDPA)
Enacted in March 2021, the Virginia Consumer Data Protection Act (VCDPA) aims to bolster consumer privacy rights and protections by imposing obligations on businesses that handle personal data in Virginia. While not as stringent as the EU’s General Data Protection Regulation (GDPR) concerning cookies, the VCDPA shares similarities with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), aligning with the broader trend of US states enacting privacy legislation.
Unlike some regulations, the VCDPA operates on an opt-out basis for cookie consent. Businesses must respect users’ opt-out preferences; however, explicit user consent is required in specific scenarios:
- When processing sensitive personal information
- When collecting children’s personal information
- When processing personal data for purposes beyond the originally intended scope
Penalties for VCDPA violations are set at $2,500 per violation and $7,500 per intentional violation per incident. In addition to monetary fines, the VCDPA grants the Virginia Attorney General authority to seek injunctive relief, enabling legal action in state courts to halt or prevent violations of the VCDPA. These penalties can quickly add up, so it is vital that a business’s website adheres to a strong cookie policy.
The Connecticut Data Privacy Act (CTDPA)
The Connecticut Data Privacy Act (CTDPA) grants specific rights to Connecticut residents regarding their personal data while establishing responsibilities and privacy standards for entities that process such data. Designed to safeguard individuals’ privacy in personal contexts like online browsing or in-store purchases, the CTDPA sets guidelines for data controllers that process personal data.
Moreover, service providers handling personal data on behalf of covered businesses fall under the purview of the CTDPA, ensuring comprehensive privacy protections across various data processing entities in the state.
Regarding cookie consent, the legislation mandates that businesses secure informed consent from users before using specific types of cookies and other tracking technologies. The CTDPA operates under the opt-out approach, allowing data processing unless consumers opt out, though it is important to obtain consent, especially for targeted advertising or where children are concerned (complying with COPPA).
Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) came into effect on December 31, 2023, providing Utah consumers with several essential rights concerning personal data. Under the UCPA, individuals have the right to verify whether businesses are processing their personal data. If such processing is occurring, consumers can access this data and request its deletion. Moreover, Utah residents now possess the critical right to opt out of data sales by companies and refuse the use of their personal data for targeted advertising.
While the UCPA does not explicitly address the use of web cookies and tracking technologies, it does regulate personal data processing, and cookies that collect personal data fall under that regulation. Consent under the UCPA requires an affirmative action by the consumer, indicating their voluntary and informed agreement to the processing of their personal data.
It’s noteworthy that, akin to other US privacy laws, obtaining consumer consent remains imperative for processing children’s data under the UCPA.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) went into effect in July 2023. This broad consumer privacy legislation provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling.
Under the CPA, businesses are not required to obtain opt-in consent for using cookies to collect and process personal data. The only two exceptions are where the cookies or tracking collect sensitive personal information or the data of a known child.
Rather than general opt-in, the law requires businesses to provide consumers with an opt-out mechanism. This allows consumers to prevent the sale of their data and object to online targeted activities.
How to comply with US cookie law
Businesses can comply with US cookie laws by taking several key steps:
- Provide Clear Notice: Businesses should provide a clear and easily accessible notice to users about the use of cookies on their website, such as a cookie banner. This notice should explain what cookies are, how they are used, and how users can manage their cookie preferences.
- Obtain Consent: Obtain consent from users before setting non-essential cookies on their devices. This consent should be informed, freely given, specific, and based on clear affirmative action from the user via a cookie banner.
- Offer Opt-Out Mechanisms: Provide users with options to opt out of non-essential cookies, such as through cookie consent banners or pop-ups that include options for users to accept or reject cookies.
- Respect Do Not Track Signals: Honor browser settings that indicate a user’s preference not to be tracked, such as “Do Not Track” signals.
- Provide Privacy Policies: Maintain comprehensive privacy policies that outline how cookies are used on the website, along with other data processing practices. Data privacy policies should be easily accessible to users.
- Regularly Update Practices: Regularly review and update cookie usage practices to ensure compliance with evolving laws and regulations.
- Implement Data Security Measures: Implement appropriate technical and organizational measures to safeguard user data collected through cookies, ensuring its confidentiality, integrity, and security.
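One way to turn the steps above into code is a server-side gate that decides whether each requested cookie may be set at all. The example below is added here and is not part of the original article or any vendor's product; it encodes the rules this page describes (essential cookies always allowed, opt-in required for sensitive data, known children and Californian targeted advertising, opt-out basis elsewhere, Do Not Track honoured) and assumes the cookie category names, state codes and the shape of the consent record, which is taken to hold already-verified consent.

```javascript
// Added example (not from the original page). Gate cookie issuance on the
// consent rules this article describes. Category names, state codes and the
// consent record shape are assumptions for illustration.

// Page: the CCPA requires opt-in consent for targeted advertising.
const OPT_IN_ADVERTISING_STATES = new Set(["CA"]);

function dntRequested(headers) {
  // The browser "Do Not Track" preference arrives as the DNT request header set to "1".
  return String(headers["dnt"] ?? "").trim() === "1";
}

function mayDropCookie(cookie, ctx) {
  // cookie: { name, value, category: "essential"|"analytics"|"advertising", sensitive?: boolean }
  // ctx: { state, consent: { optIn: Set, optOut: Set }, isKnownChild, headers }
  if (cookie.category === "essential") return { allow: true, reason: "essential" };
  const optedIn = ctx.consent.optIn.has(cookie.category);
  // Opt-in is mandatory for children's data (COPPA / state laws) and sensitive data.
  if (ctx.isKnownChild) return { allow: optedIn, reason: "child-opt-in" };
  if (cookie.sensitive) return { allow: optedIn, reason: "sensitive-opt-in" };
  if (cookie.category === "advertising" && OPT_IN_ADVERTISING_STATES.has(ctx.state)) {
    return { allow: optedIn, reason: "targeted-ads-opt-in" };
  }
  // Everything else runs on an opt-out basis: honour DNT and any recorded opt-out.
  if (dntRequested(ctx.headers)) return { allow: false, reason: "dnt" };
  if (ctx.consent.optOut.has(cookie.category)) return { allow: false, reason: "opt-out" };
  return { allow: true, reason: "opt-out-basis" };
}

function buildSetCookieHeaders(requested, ctx) {
  // Emit Set-Cookie lines only for permitted cookies; session cookies get HttpOnly.
  const out = [];
  for (const c of requested) {
    if (!mayDropCookie(c, ctx).allow) continue;
    const httpOnly = c.category === "essential" ? "; HttpOnly" : "";
    out.push(`${c.name}=${encodeURIComponent(c.value)}; Path=/; Secure; SameSite=Lax${httpOnly}`);
  }
  return out;
}
```

The reason string returned by `mayDropCookie` is worth logging alongside the decision, since it is the evidence an auditor will ask for when checking that consent was honoured.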
By following these guidelines, businesses can demonstrate their commitment to respecting user privacy and complying with US cookie laws. Different states in the US will have differing laws to follow, some of which have been outlined above, so it is vital to remain on top of continually evolving legislation.
What are the penalties for not complying with US cookie laws?
Penalties for non-compliance with cookie laws can vary depending on the specific legislation involved and the nature of the violation. In general, penalties may include:
- Fines: Violating cookie laws may result in monetary fines imposed by regulatory authorities. The amount of the fine can vary widely depending on the severity of the violation and the applicable law.
- Legal Action: Non-compliance may lead to legal action, including lawsuits filed by affected individuals or class-action lawsuits representing groups of affected individuals.
- Reputation Damage: Failure to comply with cookie laws can damage a company’s reputation and erode trust among customers and users, potentially leading to lost business opportunities and damage to brand reputation.
- Injunctions and Remedies: Regulatory authorities may seek injunctions or other legal remedies to compel businesses to comply with cookie laws and rectify any violations.
- Increased Regulatory Scrutiny: Persistent non-compliance may result in increased regulatory scrutiny and oversight, including audits and investigations by regulatory authorities.
Overall, the consequences of non-compliance with cookie laws can be significant, both financially and reputationally. While these laws are generally not as stringent as GDPR cookie consent requirements and UK cookie law, they will only become stricter. It is essential for businesses to understand and adhere to applicable cookie laws to avoid potential penalties and maintain trust with their users and customers.
Read our comprehensive Cookie Guide
Are you aware that a significant number of organizations are still not compliant with cookies, and 68% of the most-visited websites have failed GDPR compliance tests? Consumers demand more from the brands they engage with. Ensure your brand stands out by making informed decisions about your cookie policy that keep you compliant and elevate the customer experience.