USA: Cookie regulation in California, Virginia, Utah, Colorado and Connecticut - Towards a harmonised approach
Privacy and consumer data protection laws have been on the rise across the US, with California, Virginia, Colorado, Utah and Connecticut all recently enacting comprehensive privacy legislation. These laws impose new obligations on data controllers operating in the US, while granting consumers elevated data protection rights.
In this Insight article, we look at the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California and Connecticut in relation to cookies, with a view to mapping out a harmonised approach to compliance.
Consent and information
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ('CPRA') (together, 'CCPA'), provides consumers with a right to opt-out: a consumer may, at any time, direct a business that sells their personal information to third parties not to sell it. The CCPA also requires a business that sells consumers' personal information to third parties to notify consumers that their personal information may be sold and that they have the 'right to opt-out' of that sale. To that end, the business must provide a clear and conspicuous link on its website, titled 'Do Not Sell My Personal Information' (retitled 'Do Not Sell or Share My Personal Information' by the CPRA), that enables a consumer to opt-out of the sale of their personal information.
Similarly to the CCPA, Virginia's CDPA, Utah's UCPA and Connecticut's CTDPA have adopted an opt-out approach to the sale of personal data. As a result, a 'Do Not Sell My Personal Information' link that complies with the CCPA requirements may also be used in the interfaces offered to Virginia, Utah and Connecticut residents to meet the opt-out requirements of the CDPA, the UCPA and the CTDPA. A 'do not sell' button or link, a 'customise my settings' button and an 'accept all' button may also be combined when looking to meet obligations under the CDPA, the UCPA and the CTDPA.
Colorado's CPA likewise gives consumers a right to opt-out of the sale of personal data and of targeted advertising. What sets it apart is that, from 1 July 2024, controllers must also honour a universal opt-out mechanism (discussed below), so a 'do not sell' link alone will not satisfy the CPA for Colorado residents.
Providing information to data subjects
All the above-mentioned State privacy laws lay down similar transparency requirements. In this regard, the information that is required for a CCPA cookie banner is broadly aligned with the information required by the CDPA, the UCPA, the CTDPA, and the CPA.
Common information requirements for cookie banners across all of the laws require organisations to:
- describe, in clear and plain language, each purpose of processing and the categories of personal data processed;
- describe how consumers may exercise their rights;
- describe the categories of personal data that the controller shares with third parties, if any; and
- describe the categories of third parties with whom the controller shares personal data.
An additional information requirement exclusively applicable to CCPA/CPRA compliance is the obligation to specify the retention period for each category of personal data.
When to request consent from consumers?
All of the laws require prior consent for processing the personal data of a known child. Furthermore, under the Colorado CPA and the Virginia CDPA (and, as noted below, the Connecticut CTDPA), it is necessary to obtain consumers' consent to collect sensitive data, which includes racial or ethnic origin, religious beliefs, sexual orientation, genetic data, biometric data and personal data collected from a known child.
Under the Colorado CPA, targeted advertising and the sale of personal data (e.g. setting third-party cookies or trackers) are subject to a right to opt-out rather than to prior consent; consent is, however, required before personal data is processed for purposes that are not reasonably necessary to, or compatible with, the purposes disclosed to the consumer.
The Connecticut CTDPA likewise requires a business to obtain the consumer's consent before processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer. Controllers are also obliged to obtain consumers' consent under the CTDPA when processing sensitive data concerning a consumer.
Consent obligations under all of the laws in question may be addressed by an 'accept all' button (as implemented for a CCPA cookie banner) covering the purposes for which consent is required under the CDPA, the UCPA, the CTDPA and the CPA, together with a preference centre where users can choose whether to consent to each purpose. In addition, organisations must disclose the purposes to which consumers are consenting.
How to obtain valid consent?
The CPRA defines consent as 'any freely given, specific, informed, and unambiguous indication of the consumer's wishes . . . such as by a statement or by clear affirmative action, [that] signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose'.
Virginia, Utah, Colorado and Connecticut have adopted similar definitions of consent in their privacy laws, each requiring a clear affirmative act by the consumer. The CPRA, the Colorado CPA and the Connecticut CTDPA go further and expressly provide that consent is not obtained through:
- pre-ticked boxes (i.e. consent must be obtained through a 'clear affirmative action');
- hovering over, muting, pausing or closing a given piece of content; or
- an agreement obtained through the use of dark patterns.
Precise geolocation data
The California CPRA, the Virginia CDPA, the Utah UCPA and the Connecticut CTDPA classify 'precise geolocation data' as sensitive data; the Colorado CPA does not.
Specifically, the Virginia CDPA, the Utah UCPA and the Connecticut CTDPA define precise geolocation data as: 'information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. [It] does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility'.
Likewise, the CPRA states that precise geolocation means 'any data used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations'.
Accordingly, collecting precise geolocation data, as sensitive personal data, is subject to an opt-out in California (the right to limit use and disclosure of sensitive personal information) and in Utah (notice and an opportunity to opt-out), whereas Virginia and Connecticut require the consumer's prior consent.
Definition of sale of personal data
The CCPA, the Colorado CPA and the Connecticut CTDPA all define the sale of personal data as the exchange of personal data by the controller to a third party for 'monetary or other valuable consideration'. By contrast, the Virginia CDPA and the Utah UCPA adopt a narrower definition of sale, which covers only exchanges for 'monetary consideration'.
The Global Privacy Control
The CCPA regulations and the Colorado CPA also recognise a universal opt-out signal such as the Global Privacy Control ('GPC'), which allows consumers to opt-out once, at the device or browser level, instead of having to opt-out on each site individually.
In particular, regarding Colorado, until 1 July 2024 a controller that processes personal data for targeted advertising or the sale of personal data may allow consumers to exercise the right to opt-out through a user-selected universal opt-out mechanism that meets the technical specifications established by the Attorney General. From 1 July 2024, honouring such a mechanism becomes mandatory.
Likewise, the California Attorney General's office has stated that businesses that sell personal information must honour GPC signals.
In addition, the Connecticut CTDPA provides that a controller must not require a consumer to create a new account in order to exercise consumer rights, although it may require the consumer to use an existing account. The means provided must, not later than 1 January 2025, allow a consumer to opt-out of any processing of their personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with the consumer's consent, by a platform, technology or mechanism to the controller, indicating the consumer's intent to opt-out of any such processing or sale.
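To make the opt-out signal discussed in this section concrete, the following is an added example of server-side handling of the Global Privacy Control; it is not code from the article or from any regulator. The request header `Sec-GPC: 1`, the browser property `navigator.globalPrivacyControl` and the `/.well-known/gpc.json` resource are taken from the GPC specification; the cookie name `opt_out_sale`, the `decideProcessing()` policy and the sample requests are assumptions constructed for this illustration, not requirements drawn from any of the statutes.

```javascript
// Added example (not from the article): honouring a Global Privacy Control
// opt-out signal server-side. `Sec-GPC`, `navigator.globalPrivacyControl` and
// `/.well-known/gpc.json` come from the GPC specification; the cookie name
// `opt_out_sale` and the policy in decideProcessing() are assumptions made
// for this illustration.

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function findHeader(headers, wanted) {
  const target = wanted.toLowerCase();
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === target) return value;
  }
  return undefined;
}

// True only when the browser sent exactly `Sec-GPC: 1`; any other value
// (absent, "0", "true") is treated as "no signal".
function hasGpcSignal(headers) {
  const value = findHeader(headers, 'sec-gpc');
  return value !== undefined && String(value).trim() === '1';
}

// Client-side counterpart: a page script can read the same preference from
// navigator.globalPrivacyControl (passed in so it can be unit-tested).
function clientGpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Minimal Cookie-header parser used to read a previously stored opt-out choice.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Policy (assumption): a GPC signal is treated as a valid opt-out of sale and
// targeted advertising, exactly like a click on the 'Do Not Sell My Personal
// Information' link; an earlier explicit opt-out stored in a cookie is
// honoured even when the signal is absent. Strictly necessary cookies are not
// a sale and are always permitted.
function decideProcessing(headers) {
  const gpc = hasGpcSignal(headers);
  const cookieOptOut = parseCookies(findHeader(headers, 'cookie')).opt_out_sale === '1';
  const optOut = gpc || cookieOptOut;
  return {
    sale: !optOut,
    targetedAdvertising: !optOut,
    strictlyNecessary: true,
    // Record where the decision came from so the choice can be audited.
    source: gpc ? 'gpc' : cookieOptOut ? 'cookie' : 'none',
  };
}

// Body for GET /.well-known/gpc.json, by which a site announces that it
// honours the signal. The date is a placeholder for this example.
function gpcWellKnown() {
  return { gpc: true, lastUpdate: '2024-07-01' };
}

// Constructed sample requests (not real traffic) exercising each path.
const sampleRequests = {
  withGpc: { 'Sec-GPC': '1', Cookie: 'session=abc' },
  withoutGpc: { 'User-Agent': 'ExampleBrowser/1.0' },
  cookieOptOut: { cookie: 'session=abc; opt_out_sale=1' },
};

for (const [name, headers] of Object.entries(sampleRequests)) {
  console.log(name, decideProcessing(headers));
}
```

Two points worth noting when wiring this into a real site. First, request headers whose names begin with `Sec-` are forbidden header names under the Fetch standard, so page scripts cannot set or spoof `Sec-GPC`; it is only ever set by the browser from the user's configured preference, which makes it a trustworthy signal. Second, the header arrives on every request and must be evaluated before any sale or targeted-advertising tag is served, not only when the cookie banner is rendered; persisting the resulting choice (for example in a first-party cookie, as the policy above assumes) keeps the decision consistent across requests and gives you a record of when and how the consumer opted out.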
Alexandra From Privacy Analyst