What Laws Govern Cookies in the United States?
Since May 2018, the EU’s GDPR has imposed a continent-wide consent requirement for the placement of cookies on a user’s browser. Although the United States does not presently have a comprehensive data protection law analogous to the GDPR, most large U.S. businesses have adopted GDPR-compliant standards, given the possibility that European consumers will visit their websites. As a result, the GDPR’s consent standards have, in some sense, effectively come to apply in North America, and perhaps even worldwide.
The enactment of the GDPR in Europe has not, however, deterred U.S. officials from independent action. In 2019, Senator Josh Hawley introduced the Do Not Track Act, which would require the FTC to create a Do Not Track system analogous to the existing Do Not Call list for telemarketing activity. Although the Do Not Track Act is not a prohibition on the placement of cookies—and is overall far more limited in scope than the GDPR—the act would require website operators to notify internet visitors of their option to click on a link and thereby make themselves exempt from data collection for any purpose not strictly necessary for the provision of online services, a step akin to the GDPR’s consent requirement for cookie placement. And for the avoidance of doubt, the act identifies “targeted advertising” as an unnecessary purpose.
At the state level, meanwhile, California has gone much further, passing data protection legislation in the form of the Consumer Privacy Act of 2018 (CCPA). Like the Do Not Track Act, the CCPA allows internet users to declare themselves exempt from tracking technologies. But unlike the federal act—and much more closely aligned to the European GDPR—the CCPA also requires covered entities to disclose what data is collected (whether through cookies or other technology) as well as what is done with the data. And even more importantly, the CCPA is not merely forward-looking in terms of consumer data rights but actually allows consumers to demand that personal data already collected be deleted.
What Is Next for Cookies?