Privacy laws are continuing to emerge. This includes privacy laws necessitating the use of cookie notices. Because laws are often complex even for attorneys, and because inquiries into privacy matters often involve reviewing a variety of factors, it is important to work with experienced legal counsel on privacy compliance, including on cookie issues.
For example, there are different types of cookie notices, including a disappearing or notice-only banner, an opt-out notice, and an opt-in consent. There are also laws in various countries, states, and regions that require different types of disclosures, including laws in the European Union and throughout the United States. Further, companies will want to balance compliance with emerging privacy laws against ongoing business objectives, such as maintaining conversion rates and maintaining the user experience.
As an example of just one state law, the California Consumer Privacy Act or “CCPA” has several requirements for companies that “sell” information, which impacts the analysis for cookie disclosures. Because the CCPA defines the term “sell” very broadly (i.e., including any selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating of personal information to a third party for monetary or other valuable consideration), this raises questions about whether third-party marketing or other cookies constitute a “sale” of information under the law. Without definitive guidance, companies have interpreted the law in different ways. To make matters more complex, the CCPA outlines an exception to a “sale” if the consumer-directed the business to intentionally disclose the personal information (assuming other requirements for the exception are satisfied). Some have interpreted this to mean that opting into cookies (such as through a cookie opt-in notice) is a direction from consumers to use the cookies and thus the cookies do not constitute a “sale” under the law. Nonetheless, California’s new law, the California Privacy Rights Act or “CPRA,” which becomes fully effective in 2023, has additional requirements for companies “sharing” personal information and specifically addresses “cross-context behavioral advertising.” In other words, laws are still emerging and evolving in this area.
Kronenberger Rosenfeld regularly assists clients with privacy compliance, including advice on whether a cookie notice is needed and, if so, how to balance the scope and type of notice with business objectives. If you need guidance with expanding privacy laws, please contact our firm.