What are Cookies anyway?
[Experienced website owners and developers may want to skip ahead] To step back a bit, “cookies” are small text files that store data on your computer, smartphone, or other device, and which are sent to a specific server (normally belonging to the website the user is accessing). Cookies allow the site or app to remember things (like your login, prior searches, or items you left in an online shopping cart) and thereby improve the user’s experience and future interactions. At the same time, for consumer and privacy advocates, some Cookies make it far too easy for websites and apps to track a user’s every online move and use their browsing histories for the site or app owner’s own gain.
Good question. One for which I will respond with a very attorney-like “Yes and No.”
EU Cookie Law
Back in 2011, the European Union adopted Directive 2009/136/EC (a/k/a, the “Cookie Law”) as part of the EU’s effort to expand online privacy for its citizens. The Cookie Law affects all websites based in the EU or targeting users in the EU and requires website operators to promptly alert users of the presence of Cookies, as well as explain the specific types of Cookies being employed.
More importantly, users must be able to refuse or accept the placement of Cookies on their devices. Therefore, when you run across those banner or pop-up notifications in your browsing, it is basically that site or app complying with the Cookie Law.
Does my U.S. website or app have to comply with the Cookie Law?
As with so many things in the law, there is not an entirely black and white answer.
First, the low-hanging fruit: if you’re based in the EU or obviously directing your activities towards citizens of the EU (whether or not they’re actually within the EU), then the Cookie Law almost certainly applies to your website or app.
The grey area comes in for sites and apps that don’t necessarily fit this description but are wittingly (or unwittingly) directing their goods or services over the Internet, likely beyond the territorial borders and citizens of the United States, and to the EU.
The other consideration is that, even if your business might be able to skirt complying with the EU Cookie Law and GDPR on cookies, it probably won’t be able to avoid directing itself to, or having users from, one of the other largest economies in the world: California.
The California Consumer Protection Act
Having gone into effect in 2020, California’s CCPA introduces stricter provisions for companies collecting, using, or processing the “personal information” of individuals.
Under the definitions section of CCPA, a “Unique identifier” or “Unique personal identifier” includes “a device identifier; an IP address; cookies, beacons, pixel tags, mobile ad Identifiers, or similar technology” which can be used to recognize a (California) consumer, a family, or a device that is linked to a consumer or family, over time and across different services.
These themes include, among other things, transparency, data subject’s right to information and access, opt-in/opt-out rights, as well as data minimisation or outright deletion.
- Disclose what types of Cookies you (or any third parties) are using on your site or app
- Disclose to users why it is that you use these Cookies, and
- Notify your users of their right to opt-out of having Cookies placed on their devices.
Ben Bhandhusavee is the Managing Attorney for BHANDLAW, PLLC, a startup, technology, and e-commerce law practice advising founders and management teams on company startup, corporate and technology transactions, e-commerce, as well as Internet privacy concerns. The firm serves corporate and individual clients throughout Arizona, the United States, and internationally.