More and more often, clients are asking us: “Do I need a cookie policy on my website?”
We’d like to be able to site clear regulatory guidelines concerning cookie policies and data protection, but in the current environment, the most accurate answer that we have concerning cookie-related questions begins with, “that depends.”
For government and public sector sites, however, there appears to be a bit more clarity in the current environment, as data privacy policies are primarily addressing for-profit entities.
The answer takes into consideration the state in which you operate, the geographic reach of your audience, your annual revenue, whether you are a for-profit organization or a government agency or university, whether you collect personal data from visitors, the percentage of your total profit that you derive from the sale of clients’ personal data, and a lot more.
Data Privacy: All Over the Map
At this point, there are no Federal statutes or regulations concerning cookie policies or data protection, even though Congressional consideration and debate concerning data privacy dates back to 2000. In midst of Federal inaction on the topic, states are taking the lead.
According to LegiScan hundreds of bills and amendments designed to strengthen cyber security, guard against data breeches, and ensure transparency regarding personal data are currently pending.
As legislation is moving forward at a rapid pace, fees for noncompliance (within states such as California that have enacted consumer privacy legislation) can be steep. A far greater threat, however, is the fallout that can result from a data breech or mismanagement of data gathered from site visitors.
Even if your website is not currently required to comply with a state statute governing privacy protection for visitors, the hive of legislative activity concerning cookie policies and data privacy laws is a clear indicator that current trends need to be top of mind and factored into web strategy and content planning considerations.
Among the world’s first data privacy regulations focused on consumer protections, the EU’s GDPR went into effect on May 25, 2018. Unlike the current state-by-state data protection picture in the U.S, the GDPR covers data protection for all EU residents.
The focus is on both protection of personal data from potential hackers, and data privacy policies that ensure both choice and full transparency into how personal data is collected and used.
Recognizing the inherently global nature of internet activity in the current environment, the GDPR has a wide reach, covering organizations anywhere in the world that process data of EU residents.
Consent must be “freely given, specific, informed and unambiguous.”
Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
Data subjects can withdraw previously given consent, and their decisions must be honored.
There must be documentary evidence of consent.
GDPR Cookie Consent and Compliance
GDPR rules call for clarity, guarding against the types of “terms and conditions” documents that actually have little chance of actually being read, much less understood.
Usage if cookies is contingent upon users giving explicit consent on a website’s consent banner concerning the collection and use of their data.
Consent requires a description of the extent and of purpose the data in terms that are easily understood, along with the ability to easily find, change or withdraw previous consent.
California Takes the U.S. Data Privacy Lead
Within a month of the enactment of the GDPR in Europe, the California Consumer Privacy Act (CCPA), was signed into law, and went into effect January 1, 2020.
Like the European Union’s data privacy and protection rules, the CCPA sets forth consumer privacy rights and business obligations with regard to the collection and sale of personal information.
The CCPA requires that businesses inform visitors to their websites about the personal information they collect, as well as how the information will be used. The CCPA also grants consumers a high degree of control over how and whether their data can be shared.
As is also stipulated in the GDPR, consumers have the right to access and delete the personal data that a business uses. They also have the right to opt out of the sale of their personal data to third parties.
Businesses are allowed 45 days to respond to the requests for information, with the option to extend by another 45 days with notification.
What's the Scope of the CCPA?
For-profit organizations that gain access to the personal information of California consumers, are required to adhere to the CCPA if they meet one or more of the following criteria:
Gross annual income in excess of $25 million.
Buys, sells, shares, or receives the personal information of 50,000 or more California consumers, households, or devices annually.
Proceeds from the sale of California residents’ personal data exceeds more than 50 percent of annual revenue.
Government agencies and non-profit organizations are generally exempt from CCPA provisions.
Due to the close proximity of the passage of the two regulations and the similar intent, it’s realistic to assume that the CCPA was modeled after or is a rough equivalent of the GDPR. The fact is, there are significant differences.
The CCPA only applies to California residents and does not extend outside of the U.S. The GDPR applies to the personal data of EU residents regardless of where it is processed.
The CCPA is more limited in scope, applying only to companies that have more than $25 million in annual revenue or more than 50,000 users from California. The GDPR, on the other hand, applies to any organization that handles the personal data of EU residents.
The GDPR sets out detailed requirements for what organizations must do regarding consumer protections, along with stricter penalties for non-compliance. The CCPA leaves many aspects open to interpretation without clear guidance as to how they should be met.
Under both regulations, the right to opt out is mandatory for cookies that sell personal data. The GDPR also requires opt-in consent for the use of cookies.
CCPA fines or penalties for violations range from $2,500 for an unintentional violation to $7,500 for an intentional violation. Fines are based on statutory laws and imposed by the state court. Penalties for severe GDPR violations can amount to 20 million Euros or 4 percent of annual revenue, whichever is greater, and fines are imposed EU member state Data Protection Authorities.
Data Privacy Legislative Momentum
Following California’s 2018 passage of the CCPA, Virginia was the next to follow with the passage of the Consumer Data Protection Act (CDPA) in March 2021.
The Act defines key aspects of data privacy, sets forth individuals’ rights, and identifies types of organizations that are exempt, including state and local government organizations, financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), organizations subject to Health Insurance Portability and Accountability Act, non-profit organizations, and higher education institutions.
Utah, Colorado, and Connecticut have joined the ranks of states with legislation on the books governing cookies and data protection, and nearly 20 other states have legislation pending concerning consumer data privacy protections.
Data Privacy Best Practices
While the majority of states have yet to enact data privacy regulations, and there is little near-term expectation for data privacy regulation at the Federal level, all organizations can benefit from an awareness of the current legislative landscape, along with the following four recommendations:
Understand that any information that identifies or can be associated with a particular individual or household needs to be protected.
Ensure that your organization has a Privacy Policy in place that is written in a manner that is easily understood and describes how personal information is collected, stored and shared.
Specify the rights that individuals have concerning their personal data, make it easy to opt out of the sale of their information.
Ensure that a link to your Privacy Policy is easily accessible from your website.
Even if compliance with online privacy regulations does not appear to be a legal requirement for your website at this point, proactive privacy protection policies can help to build trust.
Promet Source closely monitors the legislative landscape concerning data privacy legislation as it pertains to compliance considerations for our clients’ websites.
If you have specific questions or are interested in moving forward with a website that ignites new digital possibilities – as well as ensures compliance – give us a call.
