PRIVACY LAW UPDATES

by Jay Parkhill
Parkhill Venture Counsel, P.C.

COOKIE POLICIES: A PRACTICAL GUIDE

Cookie banners are ubiquitous and confusing. Every time we visit a new website we get a popup asking us to Accept Cookies, Reject Cookies, Manage Cookies or Do Not Sell my Personal Information. All the notices are well intentioned for sure, and are legally required, but they are obtrusive, hard to understand and mostly we end up wishing they would just go away. They also tell us that disabling cookies may cause websites to function poorly. As an experiment then, I decided to reject cookies on every website, both to find out if anything would really break, and also so I could take a look at the consent mechanisms. Here are the results of that experiment.

A few notes on terminology before diving in: "cookies" technically refers to small files that a website stores on a computer. Cookies store information about a person’s visit to a website, which allows the site to track things like a person’s browsing history, login information and other metrics. Sites can also use tracking code embedded in tiny images on a website, and other technologies, to do the same thing. Those are technically different from cookies but they accomplish the same purpose, so this article will use the term cookies to loosely refer to all technologies that can be used to track visits to a website, or across websites.

Why Are Cookie Banners Required?

Of course, tracking user data is valuable to site operators and advertisers but when we visit a site it can be difficult or impossible to know what information is being collected about us. Cookie notice and consent banners are intended to provide transparency in this regard.

The EU’s e-Privacy Directive (originally adopted in 2002) was the first major law to require notice and consent regarding cookies. Cookie notices started becoming more common in the early 2010s, and got an extra push when the EU adopted the General Data Protection Regulation in 2016. Collectively, these laws require that websites: (i) notify users before placing cookies, and (ii) allow users to opt out of the placement of cookies that aren’t required for the site to operate.

US states began adopting their own privacy laws beginning with the 2018 California Consumer Protection Act (now called California Privacy Rights Act or CPRA). As of this writing 13 states have adopted comprehensive privacy laws and most contain restrictions applicable to cookies. Unlike EU law however, most US state laws don’t require notice and consent before placing cookies. Instead, US laws say website operators must: (i) provide a "notice at collection" before personal data is collected, and (ii) allow users to opt out of the sale of their personal data, or its use for targeted advertising. It’s important to know that "sale" includes any sale or sharing of personal data that generates value for the site operator.

These different approaches align with a key difference between EU and US privacy principles. In the EU personal data protection is considered a human right (so a person has strong rights to control the use of their personal data), whereas in the US privacy is regulated as a commercial right (meaning a person can control how their personal data is used in a commercial setting).

Accept Cookies vs Do Not Sell My Personal Information

Some websites show banners that have an option to accept or reject cookies, and some also have an option that says Do Not Sell My Personal Information. It’s a bit confusing to see two different possible actions, and to understand how selecting one or another option will affect a user’s privacy rights or experience on the website.

The difference between EU and US law is the reason both options exist. As discussed above, EU law requires websites to tell users what cookies are used on a site, and let users opt out of the site’s use of cookies to collect their personal data. US law requires sites to let users opt out of the sale of their personal data. This means a user could opt in to the use of tracking cookies, and opt out of the sale of the personal data collected.

Rejecting Cookies

Many, but not all, websites allow US visitors to reject cookies. A website operator can treat EU and US visitors differently however, so when a person visits from the EU the site must give an option to reject certain cookies but when the person visits from the US, the site can provide a notice of cookie collection but no option to reject. This is why some websites show a cookies notice with a "decline" option and others simply show the notice where "accept" is the only option.

If a user wants to decline cookies, there are usually two options. First, the user could simply close the cookies notice window without taking any specific action. In general this *should* be interpreted as rejection of cookies, but EU and US law allow different interpretations. EU law requires that users affirmatively consent to cookie collection. US law requires a notice of collection and a right to opt out of the sale of personal data, but doesn’t specifically require affirmative consent to cookie collection.

The clearer way to reject cookies is to click the "reject" or "decline" button. When a user clicks that the site typically opens a preferences pane allowing users to choose which cookies to accept. There are several possible categories but they can be simplified as: (i) essential cookies without which the site wouldn’t work, such as cookies that save a user’s login or shopping cart items, (ii) performance cookies that the website itself uses to manage the service, such as site analytics, and (iii) third party cookies such as advertising trackers and embedded social media content (e.g. Instagram posts). Essential cookies can’t be rejected but under EU law users can reject the other two types. Under US law, a user who clicks Do Not Sell My Personal Information would most likely opt out of the placement of ad cookies and opt in to the other two types (noting that the site operator could use the first two cookie types to collect personal data, but it couldn’t sell or share the data).

Do Sites Stop Working if a User Rejects Cookies?

Not really, at least in this writer’s experience. Ads often don’t load. Embedded Twitter, Facebook and Instagram content often doesn’t load either, but most sites’ core services seem to work, at least from this user’s perspective.

A more nuanced question is—if a user rejects cookies once does the site operator need to respect that forever, or can it ask again? The answer lies in the fact that the site operator needs to store a cookie in order to record the user’s rejection of cookies. This sounds a bit counterintuitive but storing a cookie in the user’s browser is the least intrusive way for the site to remember that the user opted out.

This of course raises another question—are sites required to store cookies for any minimum or maximum amount of time? No law provides specific rules for this, but agency guidance is that the storage period must be proportionate to the intended outcome. This means that when a user opts in to cookie collection the site operator can’t preserve that opt-in state forever, and at the same time when a user opts out the site operator is not required to preserve the opt-out forever either. In other words, no matter what options a user selects, websites are likely to offer them the same options over and over—accept/reject cookies and Do Not Sell My Personal Information. The unfortunate result is that attempts to provide transparency and choice simply turn into consent spam.

Isn’t There a Better Way?

There should be, but it’s not quite here (yet). The CPRA drafters recognized the need for a better system and wrote requirements for a Global Privacy Control into the law, which went into effect in 2021. Global Privacy Control allows users to set their privacy preferences in the browser or via browser extensions rather than having to manage every website individually. Websites are supposed to check for an opt-out signal and automatically record a user’s privacy preferences. A prior version of this concept, called Do Not Track, has existed since the early 2010s but websites are not required to follow it, and many don’t. CPRA included a legal requirement that websites respect users’ GPC settings, and by calling it a global privacy control the drafters clearly hoped the setting would become a worldwide standard.

It’s still a work-in-progress solution for a few reasons however. First, since CPRA only covers opt-out from the sale of personal data, websites are only required to honor the do-not-sell opt-out, rather than an opt-out from all cookie collection. Second, EU law prioritizes transparency as well as opt-in choice, so it’s at least customary from an EU perspective to present a cookies banner to customers rather than automatically recording a user’s browser-based choices and closing the banner. Third and perhaps most important, users have to know about the GPC option and turn it on. GPC is built into some browsers but is turned off by default, and must be installed as an extension for other browsers. Still, the GPC requirement is only 1.5 years old as of this writing and it may yet become a standard for managing privacy controls without obtrusive and not-very-informative popup banners.
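The two mechanisms just described (a site remembering an opt-out in a cookie with a bounded lifetime, and a site checking the browser's GPC signal) can be made concrete in a small server-side consent evaluator; the code below is an added example and is not part of the article. It assumes the GPC request header `Sec-GPC: 1` as defined by the GPC specification, a hypothetical first-party preference cookie named `cookie_prefs`, and a 180-day retention period chosen only as a stand-in for "proportionate", not as a legal figure.

```javascript
const PREF_COOKIE = "cookie_prefs"; // hypothetical first-party preference cookie
const PREF_MAX_AGE = 180 * 24 * 60 * 60; // assumed 180-day retention, not a legal figure
const CHOICES = ["all", "no-sale", "essential"];

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Combine the stored banner choice with the GPC signal. GPC is a do-not-sell
// opt-out: it removes third-party/ad cookies from any choice but does not by
// itself reject the site's own performance cookies.
function effectiveChoice(stored, gpc) {
  const choice = CHOICES.includes(stored) ? stored : undefined;
  if (!gpc) return choice;
  return choice === "essential" ? "essential" : "no-sale";
}

// Map a choice onto the three cookie categories described in the article.
function categoriesFor(choice) {
  return {
    essential: true,
    performance: choice === "all" || choice === "no-sale",
    thirdParty: choice === "all",
  };
}

// Build the Set-Cookie value that records a choice for a bounded period.
function prefCookieHeader(choice) {
  return `${PREF_COOKIE}=${choice}; Max-Age=${PREF_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Evaluate one request (header names lower-cased, as Node exposes them): which
// categories may be set, whether the banner is still owed, and whether the
// preference cookie should be written or updated because GPC changed the choice.
function evaluateRequest(headers) {
  const stored = parseCookies(headers.cookie)[PREF_COOKIE];
  const gpc = headers["sec-gpc"] === "1";
  const choice = effectiveChoice(stored, gpc);
  return {
    allowed: categoriesFor(choice),
    showBanner: choice === undefined,
    setCookie: choice && choice !== stored ? prefCookieHeader(choice) : null,
  };
}
```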

The views expressed in this article are personal to the author and do not necessarily represent or reflect the views of the author’s firm, the Executive Committee of the Intellectual Property Law Section, the California Lawyers Association, or any colleagues, organization, or client.

© 2024 Jay Parkhill.

Jay Parkhill is the founder of Parkhill Venture Counsel, P.C. He is a vice-chair of the IP Section’s Licensing and Technology Transactions Group. He has worked with early- and growth-stage technology clients for more than 20 years on licensing, commercial transactions, privacy law and other matters.
