“Don’t eat all the cookies.”
“What cookies?”
“The cookies that I placed there for a reason.”
“Oh, those cookies. I ate them …”
The cookies we are talking about are the ones visitors accept with a click of the button when they first visit a website: you know, those pesky consent banners that pop up and state privacy and cookie policies. They are there for a reason—namely, they exist because of data privacy laws in the United States (and the European Union) designed to protect users’ personal information. But how do U.S. laws specifically affect your digital marketing efforts? Attorney Sharon Toerek, founder of Toerek Law, who practices intellectual property and marketing law, emphasizes the importance of knowing the data privacy regulations that apply to U.S. businesses.
New regulations, including the most recent ballot-approved California Privacy Rights Act (CPRA), as well as Google’s plan to eliminate third-party cookies altogether and Apple’s stricter privacy requirements, are putting the onus back on businesses to transform the way in which they not only collect, use and share customer information for marketing purposes but also how they educate consumers of their privacy rights and communicate their privacy practices.
Today, it is not enough to display an “Accept Cookies” button and a link to your Privacy Policy on your website—although it is the first step in the right direction to comply with the ever-increasing U.S. data privacy regulations.
Personal information, privacy and cookies
Before we discuss the specifics behind those data privacy laws, let’s start by defining a few key terms. First, personal information includes any contact information, identifiable details, financial information, medical information as well as usage details—all of which can be collected, managed and shared via cookies and other digital means.
Privacy is defined as the consumer’s right to determine how their personal information is used.
Next, what is a cookie? Simply put, it is information that a website places on a user’s computer/device through a browser. We won’t explain the different types (you can “Google” them); but suffice it to say, each type has a purpose—from web analytics to data personalization, from secure connections to protection from script attacks, and the list goes on.
Common uses of browser cookies
Not all cookies are bad; cookies can be very useful: like remembering your login credentials every time you visit the website or your credit card number at checkout, autofilling forms with name, email, mailing/billing address—you get the idea. Persistent cookies are used to track visitor behaviors (the pages you visit, the items in your shopping cart, etc.) on a website as well as across websites. In general, cookies provide for a better user experience and the ability to hone marketing messages based on preferences and habits.
However, the use (or misuse) of these cookies and the collecting, sharing and/or selling of personal information for purposes other than intended first-party use could be considered intrusive and an invasion of privacy, especially when it comes to third-party cookies and behavioral advertising. In addition, serious identity data breaches have occurred, all of which have led to the rise of regulations to protect personal information, prevent deceptive practices, etc.
Evolving data privacy regulations
Although there is no uniform federal law, many states, including California, Massachusetts, Colorado, Virginia and Delaware, have enacted privacy regulations with varying degrees of data protection. California is leading the way in the United States, enacting its California Consumer Privacy Act (CCPA) in 2018 and California Privacy Rights Act, or commonly known as CCPA 2.0.
“California is the most notable; they have very specific data privacy regulations, and those are being accepted as the gold standard of data privacy practices,” Toerek says, intellectual property and marketing law attorney and founder of.
This law is applicable to for-profit entities, including contractors, that collect personal information from California residents and meet any of the following thresholds: have at least $25 million in gross annual revenue; buys, sells or receives personal information of at least 50,000 California consumers, householders or devices for commercial purposes; or derives more than 50% of its annual revenue from the sale of personal information.
What you need to know to comply with data privacy regulations
Generally, data privacy regulations establish the rights of the consumer regarding the personal information collected and the right to know, delete, opt-in or out of the collected personal information and the selling of that information. Specifically, the CPRA established six rights for consumers:
- the right to know (request) personal information collected by the business, from whom it was collected, why it was collected and, if sold, to whom;
- the right to delete personal information collected;
- the right to opt-out of the sale of personal information;
- the right to opt-in to the sale of personal information of consumers younger than age 16;
- The right to non-discriminatory treatment for exercising rights;
- Right to initiate a law suit for data breaches.
The CPRA also added two more rights:
- The right to correct inaccurate personal information;
- The right to limit use and disclosure of sensitive personal information.
What does this mean for businesses and your digital marketing efforts?
The CPRA isn’t officially effective until Jan. 1, 2023; however, a look-back clause for compliance enforcement went into effect Jan. 1, 2022. In other words, any businesses who have California residents in their customer databases must have data privacy practices established right now.
“If you are working with the data of an individual or consumer who lives in California, you need to follow their regulations—CCPA and the more modern version of CCPA [CPRA],” Toerek said.
That is why those consent banners have been evolving to include cookie settings or preferences to opt-in or out of tracking, collecting, sharing and selling specific personal information. However, simply having a consent banner on your website is not enough. It’s more than that.
Read Toerek’s advice on the three critical keys to have in place before running a digital marketing campaign.
If you need help with that, reach out to us at helloindy@westcomm.com or follow us on LinkedIn for more insights. If you have questions about marketing law or need legal assistance, you can contact Sharon Toerek on LinkedIn or at legalandcreative.com.
