Answer
Dec 15, 2020 - 08:51 AM
IANAL (I am not a lawyer) but my understanding is that if your website is an ecommerce site that only sells products to consumers and does not run ads (what a court may consider 'behavioral advertising' and sale of personal information, broadly defined) it is sufficient to disclose the cookie notice in your site's privacy policy i.e. you don't have to get explicit consent from a site visitor. Few site visitors read privacy policies but you would have met your disclosure requirement.
California is the most restrictive state in the US through their CCPA (California Consumer Protection Act) and here are some answers to frequently asked questions related to cookies courtesy of Bryan Cave Leighton Paisner LLP.
DOES THE CCPA REQUIRE A COOKIE BANNER WHEN A COMPANY USES FIRST-PARTY SESSION COOKIES?
No. The CCPA defines “personal information” to include (among other things) a “unique identifier.”9 The phrase “unique identifier” is, in turn, defined as follows: “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
[see the full answer at the link above]
DOES THE CCPA REQUIRE THAT A COMPANY OBTAIN CONSENT FROM A WEBSITE USER BEFORE PLACING COOKIES ON THEIR BROWSER?
No. The CCPA does not expressly require that a company obtain consent from a website user before placing cookies on their browser. While consent is not expressly required, as discussed in FAQ. 8, in order to mitigate the risk that the use of third party behavioral advertising could be considered a “sale” many businesses may seek consent from users before deploying third party behavioral advertising cookies.
DOES THE CCPA REQUIRE THAT A COMPANY ALLOW CONSUMERS TO OPT-OUT (E.G., TOGGLE OFF) ESSENTIAL COOKIES?
No. As is discussed in FAQ. 2, some cookies perform essential functions for the operation of a website, like remembering which products are selected for purchase and placed into a shopping cart.
If those “essential” cookies are placed by a business directly (e.g., first-party essential cookies) the CCPA does not require that a business provide consumers the ability to turn them off.
If those essential cookies are placed by a third party on behalf of a business, so long as the third party is considered a “service provider” under the CCPA (i.e., the contract with the third party has use, disclosure and retention prohibitions), the CCPA also does not require that a business provide consumers the ability to turn them off.
The net result is that under the CCPA businesses typically do not have to give consumers control over essential cookies.
California is the most restrictive state in the US through their CCPA (California Consumer Protection Act) and here are some answers to frequently asked questions related to cookies courtesy of Bryan Cave Leighton Paisner LLP.
DOES THE CCPA REQUIRE A COOKIE BANNER WHEN A COMPANY USES FIRST-PARTY SESSION COOKIES?
No. The CCPA defines “personal information” to include (among other things) a “unique identifier.”9 The phrase “unique identifier” is, in turn, defined as follows: “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
[see the full answer at the link above]
DOES THE CCPA REQUIRE THAT A COMPANY OBTAIN CONSENT FROM A WEBSITE USER BEFORE PLACING COOKIES ON THEIR BROWSER?
No. The CCPA does not expressly require that a company obtain consent from a website user before placing cookies on their browser. While consent is not expressly required, as discussed in FAQ. 8, in order to mitigate the risk that the use of third party behavioral advertising could be considered a “sale” many businesses may seek consent from users before deploying third party behavioral advertising cookies.
DOES THE CCPA REQUIRE THAT A COMPANY ALLOW CONSUMERS TO OPT-OUT (E.G., TOGGLE OFF) ESSENTIAL COOKIES?
No. As is discussed in FAQ. 2, some cookies perform essential functions for the operation of a website, like remembering which products are selected for purchase and placed into a shopping cart.
If those “essential” cookies are placed by a business directly (e.g., first-party essential cookies) the CCPA does not require that a business provide consumers the ability to turn them off.
If those essential cookies are placed by a third party on behalf of a business, so long as the third party is considered a “service provider” under the CCPA (i.e., the contract with the third party has use, disclosure and retention prohibitions), the CCPA also does not require that a business provide consumers the ability to turn them off.
The net result is that under the CCPA businesses typically do not have to give consumers control over essential cookies.
Add New Comment