With 15+ unique state privacy laws and more on the way, developing a privacy strategy is a daunting task for even the most seasoned privacy professionals. Cookie and other tracking consent policies can be especially challenging to develop since some privacy laws provide different rules for how and when consent must be acquired. Brands want to be compliant across all states and beyond, but keeping up with what constitutes compliance is a job in and of itself.
As Kyle Comstock, a privacy expert at Seamless.AI® explains, “the industry continues to see increasing amounts of litigation in the realm of cookies, scripts, pixels, and web beacons. A successful consent strategy supports privacy compliance while also driving the business forward; these are not mutually exclusive pursuits.”
The best and most efficient strategy is to offer as proactive, comprehensive, and transparent a consent model as possible. Understandably, this can be a challenge to execute: brands rely on cookies and tracking scripts to create a smooth web experience for users and to track and optimize marketing spend.
We’ve examined each state privacy law closely and grouped them into three basic categories of compliance requirements. Brands that hope to maintain reliance on cookie and tracking scripts for most users can ensure their consent approach is compliant by supporting all three policies outlined below. However, you’ll find that if your brand is open to a little less cookie reliance, you can simplify, stay compliant, and build more consumer trust using just two of the policies listed.
The opt-in notice
For users protected under the General Data Protection Regulation (GDPR), a notice to opt-in to tracking or cookie usage must appear immediately upon site load and before any tracking begins. The notice should offer clear and distinct choices for different types of tracking, such as by distinguishing between marketing cookies and functional cookies. Users must also be able to withdraw consent later, for example through an easily discoverable privacy policy.
Enable an opt-in notice for the EU, the UK, Brazil, South Africa, Thailand and Quebec to maintain compliance with their regulatory bodies. However, you may want to consider an opt-in notice in certain U.S. states as well.
In Colorado, Connecticut, Montana, Virginia, Tennessee, Indiana, Florida, Washington, and Canada, an opt-in process is also required for processing certain sensitive data. In many (though not all) of these states, any personal data concerning children can constitute sensitive data. If your company operates in healthcare or finance, can reasonably expect website visitors who are minors, or specifically tracks sensitive data, we recommend leveraging an opt-in notice in these states.
Opt-out models
Every state with a comprehensive privacy law requires businesses to offer users an opt-out of certain forms of tracking. Even regions that require an opt-in notice for processing sensitive data (listed above) also require businesses to offer an opt-out of targeted advertising based on other, non-sensitive types of personal data.
In these “opt-out” regions, you can set cookies and other trackers by default, but you must give people a way to opt out. For many states, this includes an immediate opt-out communicated by Global Privacy Control (GPC) signals, if sent. GPC compliance is becoming increasingly common in new U.S. regulation, so we recommend planning to respect these signals for any user who fits in this policy.
State regulations vary in their specific expectations for how and when an opt-out from tracking is presented to the user. To keep as much cookie and tracking support as possible while staying compliant, use the “basic” approach below where it is sufficient and the “advanced” approach where a state requires it.
For a simpler solution, apply the “Advanced” model to all states in both categories. Communicating transparently with customers builds trust. Additionally, privacy laws are constantly evolving, and opt-out experience expectations are only getting stricter. The best way to protect your business is to be proactively transparent and ensure you have a tracked consent decision for each user.
Basic opt-out
For most states with an opt-out requirement, a privacy policy linked in the footer of the website is sufficient, as long as this policy also explains how the user can opt out of tracking if desired.
This approach is sufficient for Oregon, Texas, Utah, New Hampshire, New Jersey, Delaware, and for non-sensitive data, also Colorado, Connecticut, Virginia, Tennessee, Indiana, Florida, and Washington.
Advanced opt-out
A few regions have stricter opt-out compliance expectations. Inspired by laws such as the California Privacy Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA), many brands now let users control their privacy via an opt-out banner on their first site visit. This banner is presented in addition to a privacy policy in the footer, so that a user may change their decision at any later date.
While these laws don’t necessarily require a banner or pop-up, they do often require that certain tracking opt-outs be “clear and conspicuous,” and the banner has become a broadly adopted best practice for meeting that standard. This approach is especially important if your business participates in any selling or sharing of data. The CCPA requires a separate opt-out for this choice and lists additional requirements for its display and copy.
We are likely to see similar expectations from other states still working on their privacy laws, such as New York, whose Attorney General has provided detailed preliminary guidance on opt-out notice expectations.
No policy
Many states have not yet enacted any law regulating online tracking or requiring businesses to get consent or offer an opt-out. However, legislators are constantly working on new privacy regulations. You can future-proof your business by offering at least the “Basic opt-out” approach to these regions.
Final thoughts
By supporting just a few consent models, you can simplify 15+ unique state privacy laws to a manageable and standardized consent program. DataGrail Consent is designed to set you up within best practices quickly, and our team will work with you to achieve the best combination of consent policies to meet your business goals while ensuring compliance.
Take a tour of DataGrail Consent here.
While your approach to gaining consent can be covered by these models, be sure to take some time specifying what kinds of tracking users are consenting to. In many states, such as California and Delaware, users must consent separately to selling and sharing data. In others, use of user data to drive automated decision making (i.e. decisions made by AI models) must also be consented to separately. It’s best to be specific with each type of consent you request.
Lastly, remember that many state privacy laws also require that users be able to access, modify, and/or delete all of the data you hold about them, not just web browsing data, at any time. Leverage DataGrail Request Manager to facilitate the processing of these requests.