Bloomberg Law
Nov. 14, 2019, 9:00 AM

INSIGHT: Website Cookies and Privacy—GDPR, CCPA, and Evolving Standards for Online Consent

Amanda R. Lawrence
Amanda R. Lawrence
Buckley LLP
Sasha Leonhardt
Sasha Leonhardt
Buckley LLP
Magda Gathani
Magda Gathani
Buckley LLP

Virtually all companies with high-traffic websites use cookies to track visitors’ online experience, but global best practices in disclosing the use of cookies—and obtaining visitors’ consent to their use—have proven elusive despite intense scrutiny from privacy advocates.

With requirements varying by jurisdiction and geographic reach, companies and industries now find themselves in the position of finding ways to satisfy standards established by the EU’s General Data Protection Regulation, the EU’s ePrivacy Directive, and most recently, the California Consumer Privacy Act. But a recent court decision in Europe provides some guidance on what constitutes visitor consent.

The European Approach

In a case involving Planet49, an online lottery operator, the Court of Justice for the European Union offered some of the first court guidance regarding cookies under both the ePrivacy Directive and GDPR.

The EU’s 2002 ePrivacy Directive—colloquially known as the “Cookie Law”—requires that websites ask users to accept cookies, web beacons, and other tracking files before installing them on the user’s device. Under the pre-GDPR ePrivacy Directive, companies generally relied upon implied consent from a user’s ongoing use of the website.

With the 2018 implementation of GDPR, EU regulators have closely followed the mandate that user consent be “specific, informed, and unambiguous.” Unlike the ePrivacy Directive, GDPR applies to any entity (including U.S. companies) that markets to EU consumers and processes personal data of EU individuals. Because cookies uniquely identify a user, they are “personal data” under GDPR, requiring disclosure and “specific, informed, and unambiguous” user consent.

Both pre- and post-GDPR, Planet49’s consent policy used a default pre-checked box to obtain user consent to receive cookies, and a user had to manually uncheck the box to avoid installing cookies on a device.

In evaluating this policy under both the ePrivacy Directive and GDPR, the court held that pre-checked cookie consent forms violated both EU laws—a conclusion that seemed likely under GDPR but far from clear under the ePrivacy Directive—and further held that “informed” consent requires the website to disclose how long cookies remain on a device and whether third parties can access these cookies.

As a key post-GDPR ruling, Planet49 suggests that EU courts will read the ePrivacy Directive and GDPR consistently whenever possible. However, the Planet49 court explicitly did not address whether consent was “freely given” if the website barred access to users who did not accept cookies.

This highlights that Planet49 resolved one critical, but narrow, issue under these laws, but uncertainty regarding cookie disclosures and the parameters of “consent” awaits companies that target EU consumers.

Approaches in the United States

Unlike the EU which has specific laws governing the use of cookies, in the United States, there are various state and federal laws that include cookies as regulated personal information. One such state law is the CCPA (which applies to companies, subject to certain exceptions, that conduct online transactions with California residents or have other connections to California), which will go into effect Jan. 1, 2020.

The CCPA provides California consumers with certain rights related to their “personal information,” and defines “personal information” broadly to include unique identifiers such as cookies. Although a website can disclose its use of cookies through a home page privacy policy link, some companies are borrowing from GDPR and providing these disclosures through pop-up cookie notifications.

While GDPR requires consent to place a cookie on a user’s device, the CCPA allows cookies but requires the company (i) to provide consumers the option to opt out of the sale of the consumer’s cookie-related data to third parties and (ii) if a third party places cookies on the company’s website, to enter into contracts that protect consumers’ information.

Nevada recently passed a bill similar to the CCPA, requiring website operators that collect personally identifiable information to disclose whether a third party may collect information about the user’s online activities over time and across websites. Other states are watching these developments and may soon enact similar laws.

On the federal level, the Gramm-Leach-Bliley Act also addresses the collection of nonpublic personal information by financial institutions, including cookies. While GLBA generally does not require website online privacy policies to address cookies specifically, financial institutions using cookies must ensure they comply with GLBA in protecting, handling, and transmitting protected consumer information to third parties.

Best Practices

With laws new and old governing consumer privacy—and potentially significant penalties for non-compliance—companies on both sides of the Atlantic should develop effective controls around website cookies:

  • Senior leadership should receive training on these laws and ensure there is a robust compliance management system to address cookie usage.
  • Legal staff should remain abreast of rapidly-changing laws, regulations, and court decisions that may shift the rules regarding cookies.
  • Customer service should monitor consumer complaints to address and identify potential compliance gaps in real time.
  • Business lines should monitor outside vendors to ensure they comply with privacy and cookie laws.
  • Technical staff should consider how changes to websites, systems, and product offerings may affect their compliance with cookie laws and privacy laws more generally.

Consumers now expect company websites to respect their digital privacy by default—and once lost, consumers’ trust is difficult to regain. By investing in a transparent, compliant approach to online data privacy, companies can avoid legal trouble and build lasting consumer relationships.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Amanda R. Lawrence is a partner at Buckley LLP where she assists clients in managing cybersecurity, privacy, information security, and vendor risks. She counsels clients on compliance with privacy and data security laws and standards, including the Gramm-Leach-Bliley Act and Regulation P, the Safeguards Rule, the Fair Credit Reporting Act, the EU General Data Protection Regulation, and the California Consumer Privacy Act.

Sasha Leonhardt is counsel at Buckley LLP, representing a variety of financial services industry clients in government investigations, enforcement actions, transactions, and regulatory matters arising from federal and state consumer protection, privacy, and data security/data breach laws.

Magda Gathani is an associate at Buckley LLP where she assists clients in a wide range of regulatory, compliance, and licensing matters.