What Laws Govern Cookies in the United States?
Since May 2018, the EU’s GDPR has imposed a continent-wide consent requirement for the placement of cookies on a user’s browser. Although the United States does not presently have a comprehensive data protection law analogous to the GDPR, most large U.S. businesses have adopted GDPR-compliant standards, given the possibility that European consumers will visit their websites. As a result, the GDPR’s consent standards have, in some sense, effectively come to apply in North America, and perhaps even worldwide.
The enactment of the GDPR in Europe has not, however, deterred U.S. officials from independent action. In 2019, Senator Josh Hawley introduced the Do Not Track Act, which would require the FTC to create a Do Not Track system analogous to the existing Do Not Call list for telemarketing activity. Although the Do Not Track Act is not a prohibition on the placement of cookies—and is overall far more limited in scope than the GDPR—the act would require website operators to notify internet visitors of their option to click on a link and thereby make themselves exempt from data collection for any purpose not strictly necessary for the provision of online services, a step akin to the GDPR’s consent requirement for cookie placement. And for the avoidance of doubt, the act identifies “targeted advertising” as an unnecessary purpose.
At the state level, meanwhile, California has gone much further, passing data protection legislation in the form of the Consumer Privacy Act of 2018 (CCPA). Like the Do Not Track Act, the CCPA allows internet users to declare themselves exempt from tracking technologies. But unlike the federal act—and much more closely aligned to the European GDPR—the CCPA also requires covered entities to disclose what data is collected (whether through cookies or other technology) as well as what is done with the data. And even more importantly, the CCPA is not merely forward-looking in terms of consumer data rights but actually allows consumers to demand that personal data already collected be deleted.
What Is Next for Cookies?
Separate and apart from the changing legal requirements, web browsers and online advertisers have voluntarily begun to phase out their use of cookies, particularly third-party cookies. They have done so partly because of consumer concerns—and, of course, to stay ahead of the law—but also in response to the diminishing effectiveness of cookies as increasing numbers of consumers adopt ad-blocking applications or simply clear their browsers. But the discontinuation of cookies does not mean the end of advertisers’ efforts to learn the shopping habits and preferences of potential customers. In addition to turning to obvious sources of consumer behavior information like loyalty programs, companies have begun testing new technologies, such as “fingerprinting.”
Like cookies, fingerprinting seeks to assign an identifier to persons browsing the internet in order to assess individual behavior. Instead of placing a file on users’ devices, however, fingerprinting seeks to assess the digital characteristics of the website visitor—e.g., IP address, operating system, browser type, and time zone—in order to determine his or her unique online signature. To be sure, the fingerprinting method is no less a form of tracking technology than cookie-based data collection, but because it relies on the inherent attributes of the web user rather than an externally placed “tag,” it is harder to detect or block. As the use of cookies declines and consumer awareness grows, we may see an increased focus on this new type of technology.