
USA: Cookie regulation in California, Virginia, Utah, Colorado and Connecticut - Towards a harmonised approach

Privacy and consumer data protection laws have been on the rise across the US, with Virginia, Utah, Colorado, California and Connecticut all recently enacting comprehensive privacy legislation. The enactment of these laws has meant data controllers in the US are faced with new obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023, whilst the Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, and the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their mandatory requirements impact organisations' obligations in respect of cookies.

In this Insight article, we take a look at the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California and Connecticut in relation to cookies, with a view to mapping out a harmonised approach to compliance.


Consent and information

Opt-out/opt-in

The California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA') provides consumers with a right to opt-out: it allows consumers, at any time, to direct a business selling their personal information to third parties not to sell their personal information. Furthermore, the CCPA requires a business that sells consumers' personal information to third parties to provide notice to consumers informing them that their personal information may be sold and that they have the 'right to opt-out' of the sale of their personal information. According to the CCPA, a business is obliged to provide a clear and conspicuous link on the business's website, titled 'Do Not Sell My Personal Information', that enables a consumer to opt-out of the sale of the consumer's personal information.

Similarly to the CCPA, Virginia's CDPA, Utah's UCPA and Connecticut's CTDPA have also adopted an opt-out approach. As a result, the 'Do Not Sell My Personal Information' button that complies with the CCPA requirements may also be applied to the interfaces in order to meet opt-out requirements under the CDPA, the UCPA and the CTDPA. A 'do not sell' button or link, a 'customise my settings' button and an 'accept all' button may also be considered when looking to meet obligations under the CDPA, the UCPA, and the CTDPA.

On the other hand, the Colorado CPA imposes an opt-in requirement for the sale of personal data, so it is not necessary to enable a 'do not sell' button or link for the interface provided to Colorado residents.

Providing information to data subjects

All the above-mentioned state privacy laws lay down similar transparency requirements. In this regard, the information that is required for a CCPA cookie banner is broadly aligned with the information required by the CDPA, the UCPA, the CTDPA, and the CPA.

Common information requirements for cookie banners across all of the laws oblige organisations to:

  • describe in detail and in clear language all the purposes of data processing and the categories of personal data processed;
  • describe how consumers may exercise their rights;
  • describe the categories of personal data that the controller shares with third parties, if any; and
  • describe the categories of third parties with whom the controller shares personal data.

An additional information requirement exclusively applicable to CCPA/CPRA compliance is the obligation to specify the retention period for each category of personal data.

When to request consent from consumers?

All of the laws require prior consent for processing children's data. Furthermore, under the Colorado CPA and the Virginia CDPA, it is necessary to obtain users' consent to collect sensitive data, which includes racial or ethnic origin, religious beliefs, sexual orientation data, genetic data, biometric data, and personal data collected from a known child.

The Colorado CPA also requires consumers' consent for targeted advertising and the sale of personal data (e.g. setting third-party cookies or trackers).

The Connecticut CTDPA requires a business to obtain consumers' consent if it intends to process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer. Furthermore, controllers are obliged to obtain consumers' consent under the CTDPA when processing sensitive data concerning a consumer.

Approaches to address consent obligations under all of the laws in question may include an 'accept all' button (as implemented for the purposes of a CCPA cookie banner) for purposes for which consent is required under the CDPA, the UCPA, the CTDPA, and the CPA, as well as a preference centre where users can choose whether to consent to each purpose. In addition, organisations are required to provide a disclosure stating the purposes consumers are consenting to.

How to obtain valid consent?

The CPRA defines valid consent as 'any freely given, specific, informed and unambiguous indication of the consumer's wishes . . . such as by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose through a clear positive action from data subject.'

Virginia, Utah, Colorado and Connecticut have adopted a similar definition of consent in their privacy laws. Additionally, common provisions on consent across the CDPA, the UCPA, the CTDPA, and the CPA require that consent may not be obtained through:

  • pre-ticked boxes (i.e. consent must be obtained through a 'clear affirmative action');
  • the acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • hovering over, muting, pausing or closing a given piece of content; or
  • an agreement obtained through the use of dark patterns.

Important concepts

Precise geolocation data

It should be highlighted that the California CPRA, the Virginia CDPA, the Utah UCPA, and the Connecticut CTDPA classify 'precise geolocation data' as sensitive information.

Specifically, the Virginia CDPA, the Utah UCPA and the Connecticut CTDPA define precise geolocation data as: 'information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. [It] does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility'.

Likewise, the CPRA states that precise geolocation means 'any data used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations'.

In this regard, collecting sensitive personal data requires an opt-out in California and Utah. On the other hand, it is necessary to obtain prior user consent in Virginia and Connecticut with respect to sensitive personal data.

Definition of sale of personal data

The CCPA, the Colorado CPA, and the Connecticut CTDPA all define the sale of personal data as the exchange of personal data for 'monetary consideration or other valuable consideration' by the controller to a third party. By contrast, the Virginia CDPA and the Utah UCPA adopt a narrow definition of sale of personal data which includes only 'monetary consideration'.

The Global Privacy Control

The CCPA and the Colorado CPA also introduce a Global Privacy Control ('GPC') signal that allows consumers to opt-out by device or browser, instead of being forced to opt-out on each site individually.

In particular, regarding Colorado, until 1 July 2024 a controller that processes personal data for purposes of targeted advertising or the sale of personal data may allow consumers to exercise the right to opt-out through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general. After 1 July 2024, honouring such a mechanism will become obligatory.

Likewise, the California Attorney General's office has stated that businesses that sell personal information must honour GPC signals.

In addition, the Connecticut CTDPA outlines that a controller must not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include allowing a consumer, not later than 1 January 2025, to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt-out of any such processing or sale.
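As an added illustration (not code from the article or from any of the laws it discusses), the following server-side decision logic combines the opt-in/opt-out split described earlier with the GPC obligations in this section: an explicit opt-out always wins, a GPC signal is honoured everywhere as the harmonised choice, and Colorado is treated as opt-in. It assumes the GPC browser signal arrives as the HTTP request header `Sec-GPC: 1` (the header defined by the GPC specification), that the consumer's state is already known, and that consent choices are recorded by the site's preference centre; the sample requests are constructed.

```javascript
// Added example, not from the article. Decides whether a request may be used
// for sale of personal data or targeted advertising (e.g. setting third-party
// advertising cookies). Assumes the GPC signal is the "Sec-GPC: 1" header.

// Article: Colorado requires opt-in for sale/targeted advertising; CA, VA, UT, CT are opt-out.
const OPT_IN_STATES = new Set(['CO']);
// Article: GPC must be honoured in California, Colorado (from 1 July 2024)
// and Connecticut (by 1 January 2025).
const GPC_REQUIRED_STATES = new Set(['CA', 'CO', 'CT']);

// True only when the request carries Sec-GPC with the value "1"; header
// names are case-insensitive and any other value is not an opt-out.
function hasGpcSignal(headers) {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === 'sec-gpc');
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// choices: { optedIn, optedOut } as recorded from the preference centre or
// the 'Do Not Sell My Personal Information' link. Returns a decision and why.
function saleOrTargetingDecision(headers, state, choices) {
  if (choices.optedOut) {
    return { allowSaleOrTargeting: false, reason: 'consumer opted out' };
  }
  if (hasGpcSignal(headers)) {
    // Harmonised approach: honour GPC everywhere, not only where mandatory.
    const reason = GPC_REQUIRED_STATES.has(state)
      ? 'GPC signal (required)'
      : 'GPC signal (honoured voluntarily)';
    return { allowSaleOrTargeting: false, reason };
  }
  if (OPT_IN_STATES.has(state)) {
    return choices.optedIn
      ? { allowSaleOrTargeting: true, reason: 'opt-in consent given' }
      : { allowSaleOrTargeting: false, reason: 'opt-in state, no consent' };
  }
  return { allowSaleOrTargeting: true, reason: 'opt-out state, no opt-out recorded' };
}

// Constructed sample requests (not real traffic).
const SAMPLES = [
  { headers: { 'Sec-GPC': '1' }, state: 'CA', choices: { optedIn: false, optedOut: false } },
  { headers: {}, state: 'CO', choices: { optedIn: false, optedOut: false } },
  { headers: {}, state: 'VA', choices: { optedIn: false, optedOut: false } },
];

function decideSamples() {
  return SAMPLES.map((s) => ({ state: s.state, ...saleOrTargetingDecision(s.headers, s.state, s.choices) }));
}

console.log(decideSamples());
```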

Alexandra From Privacy Analyst