Cookie Notices & Digital Transparency

Have you noticed how many websites have popups regarding cookies (“Do you accept cookies from this website?” and “selling my information”)? Welcome to the new era of cookie notices. You are officially notified that you are for sale.

Recently, Apple made headlines for their creative campaigns around privacy. ICYMI…

What’s Driving Cookie Notices

Cookie notices, or more formally “cookie consent agreements”, communicate what cookies websites use, how they use them, and how cookies impact their users. Cookie notices take the form of pop-ups and header or footer notifications. The requirements around cookies originated from initiatives in Europe, specifically the European Data Protection Board’s guidelines on valid consent. The explosion of cookie consent notifications started in 2018 as a result of the General Data Protection Regulation. You may know of “GDPR”, which specifies that consent of the data means any:

freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

GDPR includes provisions that require businesses to protect personal data and privacy of EU citizens for transactions that occur within EU member states. It also regulates the exportation of personal data outside the EU. US organizations may fall within the scope of the GDPR too. For example, if your organization processes personal information of someone residing in the EU for the exchange of products or services, then you most likely must comply.

What Do These Regulations Mean?

Public concern over privacy drove the rise of GDPR in Europe. Now those measures are working their way across oceans. For example, the state of California has the the California Consumer Privacy Act of 2018 (CCPA). The scope and reach of the GDPR is broader than CCPA and the parties regulated are different.

GDPR controls how websites, companies and organizations are allowed to handle personal data, which is anything from names, e-mail addresses, location data, browser history and many other things. GDPR applies to any data controllers and data processors established in the European Union that process personal data in the context of activities of the EU establishment, even outside the EU; or not established in the EU that process EU data subjects’ personal data in connection with offering products or services in the EU, or monitoring behavior.

CCPA empowers Californias with new rights to request businesses to disclose or delete the data they have already collected, or to completely opt out of third-party data sales. It applies to any for-profit entity doing business in California, that has a gross revenue greater than $25 million; annually buys, receives, sells, or shares personal information of over 50,000 consumers, households, or devices; derives over 50 percent of its annual revenues from selling consumers’ personal information.

Opt-Out Rights

GDPR does not include specific rights to opt-out of personal data sales. It includes other rights with the same result. For example, GDPR permits data subjects to opt-out of processing data for marketing purposes or withdraw consent for processing activities.

In CCPA, businesses must comply with a consumer’s opt-out request for the sale of personal information to any third parties. Sites must include a highly visible “Do Not Sell My Personal Information” link. Organizations cannot request reauthorization to sell personal information for 12 months after the consumer originally opted out.

Cookie Notices & Digital Transparency

If you’re a web developer or SaaS provider, it’s important to outline the steps your organization needs to comply with these privacy regulations. Compliance will vary between organizations, so you should take appropriate steps to address how you handle privacy. You’ll need an action plan to meet applicable requirements and a framework for consent management. Then you’ll need tools to manage cookie consent and map to the underlying customer data. You must review and remediate processor risks, plan for incident reporting, and consider how you’ll manage any data breaches. And don’t forget that employees will need training on your data compliance workflow. Compliance means following the requirements, as well as being able to show policies and procedures to ensure protection at all points of client interaction with ongoing reviews on a regular basis.