July 6, 2022
As ubiquitous as so-called “cookies” are in the operation of the internet, their use and the rules that govern their use are generally poorly understood. What even *is* a cookie? What are they used for? Can you really get in trouble with legal authorities for using them on your website? What’s allowed and what’s not?
But no one wants to break the law and incur costly penalties that could both lead to fines and the loss of reputation in the marketplace.
This guide will help you understand how cookies are used, which cookie laws are important to follow, and how organizations like yours are managing cookie compliance.
Essentially, cookies are small data files that a website stores on the device that visits it. While the device is on the site (and often until the next time that device returns), the site can recognize the device and gather information about what it is doing, or what it did in the meantime. In simpler terms, cookies let websites track user behavior when they interact with the website, and sometimes when they interact with other websites.
There are many different ways of categorizing cookies, but three primary distinctions matter the most when it comes to cookie laws: first-party versus third-party, necessary versus elective, and session versus persistent.
As we discuss how to legally deploy cookies, you’ll find these distinctions come up over and over again. Whether a cookie is a first-party, necessary, session cookie or a third-party, elective, persistent cookie makes a big difference!
In 2011, the EU passed the ePrivacy Directive—often called the EU Cookie Law—which regulated the placement of digital files on digital devices. While it wasn’t the first data protection law in the world (that’d be Germany’s 1970 Data Protection Act), it was the first to address the data privacy implications of cookies.
Most recently, in 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect, establishing core principles to govern the collection of personal information along with strict penalties for violations of those principles. In combination with the EU Cookie Law, the GDPR classifies any data created by an identifiable person as personal data and requires consent before collection of that data, along with granting people a number of rights (known as data subject rights) to access, delete, correct, and object to the collection of their personal data.
This ushered in a wave of privacy legislation around the globe. Other countries wanted to continue doing business with the European Union and needed to meet its data privacy standards to do so. Furthermore, with the rise of fully digital lives where personal data is extremely valuable and can be extremely sensitive, digital privacy has come further to the front of mainstream conversations.
Other important laws that affect cookie use are described below.
As of this writing, there is no federal U.S. cookie law (although there has been some progress in advancing the ADPPA, or American Data Privacy Protection Act). However, many states have enacted their own regional U.S. cookie laws. The following are some examples of important U.S. cookie laws.
On July 1, 2023, the Connecticut Data Privacy Act (CTDPA) came into effect. It similarly allows consumers to opt out of targeted advertising, the sale of personal data, and profiling that leads to “significant effects,” such as a different price on a product or different services being offered.
Once the United Kingdom left the European Union, it needed a law to mimic the GDPR in order to continue sharing data with the EU. The UKDPA, enforced by the UK’s Information Commissioner’s Office, is virtually the same as the GDPR.
Short for Lei Geral de Proteção de Dados Pessoais, LGPD is often referred to as the Brazilian GDPR and conveys largely the same rights regarding personal data. Additionally, it similarly penalizes organizations that don’t allow people to exercise those rights. For all intents and purposes, the EU’s cookie rules are the same as Brazil’s cookie rules.
One of the world’s older and strictest privacy laws, South Korea’s Personal Information Protection Act (PIPA) was enacted in 2011. It imposes significant penalties for the mishandling of personal data. While cookies aren’t expressly mentioned in the act, it is similar to the GDPR in that cookies that collect personal information require consent.
The Personal Information Protection Law (PIPL) passed by China in 2020 is among the most stringent privacy laws in the world. In particular, it requires consent for the collection of personal data, and there are very specific conditions under which you are allowed to move personal data outside of the country’s borders. If your cookies collect personal data and transmit it back to a server in another country, that could be a considerable problem under PIPL.
Major violations of the law can mean a fine of up to 5% of your annual revenue, or roughly $7.5 million, whichever is higher. There can also be fines for individual members of your executive team or employee base of up to about $150k. You may even have to directly compensate affected parties.
While Japan doesn’t address cookies specifically and while the Act on the Protection of Personal Information (APPI) is rarely enforced against non-Japanese organizations, it’s generally believed that data collected by cookies would fall under the APPI’s definition of personally referable information. As a result, you also need consent to transfer that data out of the country.
If you market to the European Union and the broader European Economic Area, the GDPR applies. Similarly, if you market to Brazilians or South Koreans, the LGPD and PIPA apply. If you handle the data of Chinese citizens, the PIPL applies; if you process the data of any individuals living in Japan, the APPI applies.
The U.S. state laws generally only apply to for-profit businesses and have thresholds for the number of residents from whom you collect the information, the amount of revenue you collect annually, or other benchmarks that make them apply. If you are unsure if these laws apply to you or will apply to you, you should consult a data privacy-focused lawyer.
Further, everyone who pays attention to privacy laws generally agrees: We will have more states and countries with cookie laws in the future and they will mostly be in agreement with each other.
As the United Nations notes, there are currently 137 countries with at least some data privacy legislation on the books. Not all of them regulate privacy in the same way or regulate cookies in the same way, but most are coming around to the basic idea that you should ask for consent before collecting data about someone and that you should get some kind of consent (even if it’s opt-out) before you place persistent cookies on a device.
Most organizations try to create a cookie compliance program that assumes all of the privacy laws apply to them if they do business in that jurisdiction at all, as it can be very difficult to know exactly where customers are located when they engage with your website.
With the proliferation of data privacy laws across countries and states, it’s no longer really possible to avoid the need for compliance—that is, unless your digital channel isn’t all that important to your business. If you’ve got a website that you rely on for customers, then the odds are good that you need to comply with one law or another.
Cookie consent management systems are largely operated via so-called “cookie banners” or “cookie notices,” which alert visitors to the fact that cookies will be placed as soon as they land on the site. These also allow visitors to either agree to those cookies (by clicking a button to make the banner go away) or to customize their experience by clicking through to a dashboard and selecting the types of cookies (if any) they are comfortable with.
Some organizations may choose to develop this cookie management system on their own, especially if they are a tech-focused company that has coding and IT skills in-house. However, crafting a cookie notice that complies with not only the GDPR and LGPD and other international laws but also respects user privacy choices in the United States is not only a difficult task, but also presents a moving target. Data privacy regulation and best practices are constantly evolving, meaning compliance is more of a process than a one-off activity.
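As an added example (not code from the original post, Osano, or any consent product), the following shows the mechanics a home-grown cookie manager has to get right: classifying a cookie along the three distinctions named earlier (first-/third-party, necessary/elective, session/persistent) and only letting it take effect once the visitor's banner choices permit it. The cookie inventory, host names and Set-Cookie headers are constructed for illustration.

```javascript
// Added example, not from the original post: classify a cookie along the three
// distinctions named above and gate it on the visitor's banner choices.
// The inventory, host names and sample headers below are constructed.

// Purpose category is a policy decision per cookie; it cannot be derived from
// the Set-Cookie header, so a site must declare it (constructed inventory).
const COOKIE_INVENTORY = {
  sessionid: "necessary",
  csrftoken: "necessary",
  _ga: "analytics",
  _fbp: "advertising",
};

// Parse a Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = {};
  for (const part of parts.slice(1)) {
    const [k, ...v] = part.split("=");
    attrs[k.toLowerCase()] = v.length ? v.join("=") : true;
  }
  return { name: name.trim(), value: valueParts.join("="), attrs };
}

// Session vs persistent: a cookie with Expires or Max-Age outlives the browser session.
function isPersistent(cookie) {
  return "expires" in cookie.attrs || "max-age" in cookie.attrs;
}

// First- vs third-party: a Domain attribute that is neither the site host nor a
// parent of it places the cookie under another party's domain.
function isThirdParty(cookie, siteHost) {
  if (!cookie.attrs.domain) return false; // host-only cookie is first-party
  const domain = String(cookie.attrs.domain).replace(/^\./, "").toLowerCase();
  return !(siteHost === domain || siteHost.endsWith("." + domain));
}

// Decide whether a Set-Cookie may take effect. `consent` maps the banner's
// categories to booleans; necessary cookies never wait for consent, a third-party
// cookie also needs the third-party opt-in, and undeclared cookies are blocked.
function mayStore(header, siteHost, consent) {
  const cookie = parseSetCookie(header);
  const category = COOKIE_INVENTORY[cookie.name] || "unknown";
  const thirdParty = isThirdParty(cookie, siteHost);
  const allowed = category === "necessary" ||
    (consent[category] === true && (!thirdParty || consent.thirdParty === true));
  return { name: cookie.name, category, persistent: isPersistent(cookie), thirdParty, allowed };
}
```

The default-deny on undeclared names is the part most in-house banners get wrong: a cookie nobody has classified should be treated as elective, not silently allowed.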
Fortunately, ready-made cookie disclosures and management systems are available. Osano Consent Manager, for example, is designed to comply with the GDPR, LGPD, and aspects of current U.S. state laws, updated as new privacy laws are passed and come into force.
With the Cookie Consent solution, website operators can choose from several cookie notification options, including:
The GDPR authorizes supervisory authorities to impose various penalties, including:
The CPRA creates a new privacy enforcement agency (known as the California Privacy Protection Agency, or CPPA) as well as empowering the attorney general’s office and municipal attorneys to:
Each instance of improperly processed personal data counts as an infraction, making it quite easy for businesses to incur fines in the millions or tens of millions. The first enforcement action of the CCPA, for example, was against makeup retailer Sephora for $1.2 million.
Other international and state laws impose similarly large fines and penalties.
With the implementation of cookie policies now a relatively straightforward task and the consequences for non-compliance so large, most organizations are rightly making the decision to implement cookie banners and notices that allow them to comply with a broad set of privacy laws.
Given the global nature of business today, the internet is available to just about everyone across the world, and you never know where your next customer will come from. It’s best to make them feel comfortable that you care about their privacy and are doing your best to make sure they have an experience that is legal and trustworthy.
Specific requirements differ from law to law, but generally, if your cookies collect users’ personal information (and most do) and those users are protected by a data privacy law, you will have to comply. Some regulations, such as the CPRA, kick in only after you meet certain thresholds, while others, like the GDPR, apply no matter how many protected individuals you collect data from.
Generally, cookie laws require you to provide notice about data collection, minimize data collection to only what is necessary to achieve a stated purpose, delete or anonymize personal data once that purpose has been achieved, and give consumers the ability to opt into or out of data collection. Some laws specifically regulate targeted advertising, and some require you to provide consumers with granular control over the types of cookies they agree to. Data privacy laws generally also require you to acknowledge certain rights, known as data subject rights—a consumer might exercise their right to request you summarize the data you have collected from them, for example.
Every law is different in one way or another, however; you will want to review the specific guidance surrounding the specific laws that apply to your organization.
Generally, government authorities have the power to levy fines against noncompliant organizations based on the number of infractions they incur. Each law has different penalties. Since every instance of inappropriately processed data counts as an infraction, penalties can become expensive, fast.
Authorities may also order your organization to take certain actions, such as operational changes to avoid future noncompliance or payment to repair consumer damages. Some laws, such as the CPRA, provide a private right of action—meaning individual citizens can sue noncompliant organizations. However, individuals can only sue noncompliant organizations under highly specific circumstances, and such suits are uncommon.
As more and more privacy laws are enacted, it's becoming increasingly difficult to stay compliant while still using cookies to collect data. That's why we've created this FAQ guide: to help you keep your cookie usage legal while still getting the information you need to run your business effectively. Download the guide to answer all your cookie questions.
Sam is a journalist and head of West Gray Creative, a content services firm based in Maine. In a former life, he was director of content at the IAPP and has run publications in the security, workboat, and 3D reality capture spaces. Currently, he serves as the chair of his local school board, fronts the World Famous Grassholes, and would like to be a professional baseball player when he grows up.