USA: Cookie regulation in California, Virginia, Utah, Colorado, and Connecticut - towards a harmonised approach
Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.
In this Insight article[1], we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.
Consent and information
The California Consumer Privacy Act of 2018 ('CCPA') provides consumers (i.e. California residents) with the right to opt-out as, pursuant to Section 1798.120 (a) of the CCPA, a consumer has the right to opt out of the 'sale' of their personal information at any time. The concept of 'sale' under the CCPA is very broad: under the CCPA, selling includes renting, releasing, disclosing, or transferring the consumer's personal information to a third party either for a business purpose or for what the CCPA calls 'other valuable consideration' (e.g. any benefit derived from the disclosure of personal information).
The California Privacy Rights Act ('CPRA') enters into effect on 1 January 2023, updating and extending the requirements of the CCPA. While the CCPA already allows consumers to opt out of the sale of their personal information as described above, the CPRA augments that right, subject to certain exemptions, by extending the opt-out requirements to the 'sharing' (for cross-contextual behavioural advertising purposes) of personal information and by allowing consumers to opt out of the use and disclosure of their sensitive personal information. For example, while the CCPA required organisations to include a 'Do Not Sell My Information' link for consumers to opt out of the sale of their personal information, the CPRA requires that link to be titled 'Do Not Sell or Share My Information'. The concept of 'sharing' of personal information under the CPRA is limited to cross-contextual behavioural advertising purposes where no monetary or other valuable consideration is involved. While the change may appear relatively minor, it nevertheless covers many websites that rely on targeted advertising.
Similarly to the CCPA, Virginia's Consumer Data Protection Act ('CDPA'), Utah's Consumer Privacy Act ('UCPA'), Colorado's Privacy Act ('CPA'), and Connecticut's Data Privacy Act ('CTDPA') have also adopted an opt-out approach. As a result, the 'Do Not Sell or Share My Personal Information' link or button required by the CCPA/CPRA would also meet the opt-out requirements under the CDPA, the UCPA, the CPA, and the CTDPA.
Providing information to data subjects
All the above-mentioned state privacy laws lay down similar transparency requirements. In this regard, the information that is required for a CCPA/CPRA cookie banner is broadly aligned with the disclosure requirements found in the CDPA, the UCPA, the CTDPA, and the CPA.
Common information requirements for cookie banners across the privacy laws require organisations to:
- describe clearly the categories of personal information collected (including whether sensitive personal information is collected), as well as the purposes for which such personal information is collected;
- describe the privacy rights available and how individuals may exercise their privacy rights (e.g. their right of access or right of deletion);
- describe the categories of personal information that the controller sells to or shares with third parties, if any; and
- describe the categories of third parties with whom the controller shares personal information.
In addition, the CPRA also adds the obligation to specify the retention period for each category of personal information. The draft Colorado Privacy Act Rules contain a similar requirement, stating that 'to ensure that the Personal Data are not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review'.
When to request consent from consumers?
The processing of personal information concerning a known child requires the verifiable parental consent of the child's parent or lawful guardian, in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA').
Under the CPRA, Colorado's CPA and Virginia's CDPA, it is necessary to obtain users' consent to collect sensitive data, which includes racial or ethnic origin, religious beliefs, sexual orientation data, genetic data, biometric data, and personal information collected from a known child.
Colorado's CPA also requires consumers' consent for targeted advertising and sale of personal information (e.g. setting third party cookies or trackers).
Connecticut's CTDPA requires a business to obtain the consumer's consent if it intends to process personal information for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer. Furthermore, controllers are obliged to obtain consumers' consent under the CTDPA when processing sensitive data concerning a consumer.
How to obtain valid consent?
The CPRA defines valid consent as 'any freely given, specific, informed and unambiguous indication of the consumer's wishes . . . such as by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose through a clear positive action from data subject.'
Virginia, Utah, Colorado, and Connecticut have adopted a similar definition of consent in their privacy laws. Additionally, common provisions on consent across the CDPA, the UCPA, the CTDPA, and the CPA require that consent may not be obtained through:
- pre-ticked boxes (i.e. consent must be obtained through a 'clear affirmative action');
- hovering over, muting, pausing, or closing a given piece of content.
Both the CPRA and Colorado's CPA prohibit an agreement obtained through the use of dark patterns. A dark pattern is defined as 'a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.' Draft rulemaking in California and Colorado provides examples of practices that may constitute dark patterns, including the use of distracting pop-up windows, nagging, misleading questions, emotional manipulation, offering default options that are not privacy friendly, giving greater weight to one option over others through interface design, or treating a consumer's inaction as consent. Draft rulemaking also requires organisations to take into account the unique characteristics of the target audiences when designing user interfaces, even if such a design or practice is commonly used.
Precise geolocation data
California's CPRA, Virginia's CDPA, Utah's UCPA, and Connecticut's CTDPA classify 'precise geolocation data' as sensitive information.
Specifically, Virginia's CDPA, Utah's UCPA, and Connecticut's CTDPA define precise geolocation data as 'information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. [It] does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility'.
Likewise, the CPRA states that precise geolocation means 'any data used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations'.
In this regard, collecting sensitive personal information requires an opt-out in California and Utah. By contrast, prior user consent must be obtained in Virginia and Connecticut before sensitive personal information is processed.
Definition of a sale of personal information
The CCPA/CPRA, Colorado's CPA, and Connecticut's CTDPA all define the sale of personal information as the exchange of personal information for 'monetary consideration or other valuable consideration' by the controller to a third party. This is likely to include any benefit derived from the disclosure of personal information. In the first public CCPA enforcement action, the California Attorney General announced a US$1.2 million settlement including injunctive relief terms, which held that 'both the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA'.
By contrast, Virginia's CDPA and Utah's UCPA adopt a narrow definition of sale of personal information that includes only 'monetary consideration'.
The Global Privacy Control
The CCPA and Colorado's CPA also introduce a Global Privacy Control ('GPC') signal that allows consumers to opt out by device or browser, instead of being required to opt out on each site individually.
In particular, regarding Colorado, until 1 July 2024, a controller that processes personal information for purposes of targeted advertising or the sale of personal information may allow consumers to exercise the right to opt-out through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general. However, after 1 July 2024, this method will become obligatory.
Likewise, the California Attorney General's office has stated that businesses that sell personal information must honour GPC signals.
In addition, Connecticut's CTDPA provides that a controller must not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. However, any such means shall, no later than 1 January 2025, allow a consumer to opt out of any processing of their personal information for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent by a platform, technology or mechanism indicating the consumer's intent to opt out of any such processing or sale.
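As an added illustration that is not part of the original article, the following JavaScript shows how a site can honour the GPC signal described above alongside its own 'Do Not Sell or Share' choice. It assumes the GPC specification's `Sec-GPC` request header (value `1` signals an opt-out) and the `navigator.globalPrivacyControl` browser property; the function names and the `siteOptOut` flag are constructed for this example.

```javascript
// Constructed example: honouring a Global Privacy Control opt-out on the server
// side and checking for it in the browser. Not code from the article or any law.

// Returns true when the request carries a valid GPC opt-out signal.
// Per the GPC spec, the header is "Sec-GPC" and "1" is the only opt-out value.
function gpcOptOut(headers) {
  // HTTP header names are case-insensitive; normalise before the lookup.
  const lowered = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lowered[name.toLowerCase()] = value;
  }
  const value = lowered['sec-gpc'];
  // Any value other than exactly "1" (e.g. "0", missing) is treated as no signal.
  return value !== undefined && String(value).trim() === '1';
}

// Decides which processing categories may run for this consumer.
// `siteOptOut` is the per-site "Do Not Sell or Share My Personal Information"
// choice already recorded for the consumer (constructed flag). A GPC signal and
// the site-level choice are both honoured: either one switches off sale/sharing
// and targeted advertising, while strictly necessary first-party processing
// is unaffected by the opt-out.
function allowedProcessing(headers, siteOptOut) {
  const optedOut = gpcOptOut(headers) || siteOptOut === true;
  return {
    saleOrShare: !optedOut,        // third-party trackers for cross-context advertising
    targetedAdvertising: !optedOut,
    strictlyNecessary: true,       // functional first-party cookies
  };
}

// Browser-side check: a consent script can skip loading advertising trackers
// when the browser exposes the GPC preference. `nav` is passed in so the
// function can be exercised outside a browser (constructed helper).
function browserSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

module.exports = { gpcOptOut, allowedProcessing, browserSignalsGpc };
```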
Alexandra From, Privacy Analyst
Paul Lanois, Director
Fieldfisher, Palo Alto
1. This article was originally published in June 2022, and updated in November 2022.