Deciding whether you need a consent banner (also called a “cookie banner”) depends on many factors, including whether you collect sensitive data and whether disclosure requirements apply in the states where you’re conducting business. This post doesn’t give legal advice, but it will help you understand key consent banner considerations.
With the slate of data privacy laws entering enforcement this year in the United States, businesses are evaluating requirements and determining if they may need a consent banner on their website or mobile app. Let’s look at what may go into deciding one way or the other.
Do You Collect Sensitive Data?
While the definition varies from state to state, sensitive data commonly includes racial or ethnic origin and sexual orientation, among other categories. Several states require an explicit user opt-in before this data can be collected.
For example, Virginia states in § 59.1-578.A.5 that a controller shall:
5. Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).
Virginia further defines consent as the following:
“Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
If you operate in Virginia, meet the applicability thresholds, are not subject to an exemption, and collect sensitive information, chances are that you will need an opt-in banner (or an equivalent affirmative consent mechanism) before that data is collected. Note that the definition above rules out implied consent: dismissing a banner or scrolling past it is not a "clear affirmative act".
Do You Have Disclosure Requirements?
Say, however, that you don’t collect sensitive information. Does that mean you can ignore having a consent banner? Sadly, there’s not an easy answer to that, as some states have precise disclosure requirements. Six states have privacy laws in play this year, and each is different. Just as an example, let’s take a look at the California requirements. (Read about a recent CCPA enforcement action in the news.)
Notice at Collection in the CCPA
In Section 7012 of the regulations implementing the California Consumer Privacy Act (CCPA), a business must provide a Notice at Collection:
The purpose of the Notice at Collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, and the purposes for which the personal information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over the business’s use of their personal information. For example, upon receiving the Notice at Collection, the consumer can use the information in the notice as a tool to choose whether to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of their sensitive personal information.
So, in this case, while the regulation doesn’t say you need a banner, a notice is required. A consent banner is one way to deliver that notice while also giving users control over how their data is collected and used. Section 7012 C.1 states that a business may comply by doing the following:
When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.
So the regulations don’t require a banner, but they do require disclosure, and a banner can satisfy it. Whatever form it takes, the banner or link must communicate the categories of personal information collected, the purposes for which it is used, and whether it is sold or shared.
UX Requirements in the CCPA
The regulations also cover UX requirements, with provisions for how the link must read and function. For example, the “Do Not Sell or Share My Personal Information” link must take the consumer directly to the relevant section of the policy, and the business cannot require the consumer to scroll through the policy to find the opt-out mechanism.
Based on the above, it is risky to assume you have no action to take just because you don’t collect sensitive personal information. A closer look may show that you have obligations to the user whenever you collect personal information, regardless of whether it is sensitive.
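The two controls discussed above (an affirmative opt-in before sensitive data is processed, and a separate opt-out behind a “Do Not Sell or Share My Personal Information” link) translate into a simple rule for front-end code: nothing that collects or shares personal data may fire until the consent state allows it, and dismissing a banner must not change that state. The following is an added example, not code from the original post or from Further; the purpose names, the audit record and the sample events are assumptions made for illustration.

```javascript
// Added example, not code from the original post or from Further.
// A consent gate that models the two controls discussed above: opt-in
// consent that must be a clear affirmative act before sensitive data is
// processed (Virginia), and an opt-out of sale/sharing behind a "Do Not
// Sell or Share My Personal Information" link (CCPA). Purpose names,
// the audit record shape and the sample events are assumptions.

class ConsentGate {
  constructor() {
    this.granted = new Set();   // purposes for which an affirmative act was recorded
    this.pending = new Map();   // purpose -> collection steps waiting on consent
    this.saleAllowed = true;    // CCPA model: sale/sharing permitted until the user opts out
    this.audit = [];            // what ran, and under which consent state
  }

  // Queue a collection step. It runs only once consent for its purpose exists;
  // a purpose that is never granted never runs, so nothing fires on page load.
  collect(purpose, fn) {
    if (this.granted.has(purpose)) {
      this.run(purpose, fn);
      return;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(fn);
  }

  // The only path that grants consent: an explicit action, e.g. a button click.
  grant(purpose) {
    this.granted.add(purpose);
    const queue = this.pending.get(purpose) || [];
    this.pending.delete(purpose);
    for (const fn of queue) this.run(purpose, fn);
  }

  // Closing the banner or scrolling past it is not an "unambiguous affirmative
  // action", so it grants nothing; queued steps stay queued.
  dismiss() {
    this.audit.push({ event: 'banner-dismissed', granted: [...this.granted] });
  }

  // Withdrawal of consent: later steps for this purpose are held, not run.
  revoke(purpose) {
    this.granted.delete(purpose);
    this.audit.push({ event: 'revoked', purpose });
  }

  // "Do Not Sell or Share My Personal Information" is an opt-out, not an opt-in.
  optOutOfSaleOrSharing() { this.saleAllowed = false; }
  maySellOrShare() { return this.saleAllowed; }

  pendingCount(purpose) { return (this.pending.get(purpose) || []).length; }

  run(purpose, fn) {
    this.audit.push({ event: 'collected', purpose, result: fn() });
  }
}

// Walk the page's scenarios with constructed sample events and report what
// actually left the browser at each step.
function demo() {
  const gate = new ConsentGate();
  const sent = [];   // simulated outbound requests to a tag/analytics endpoint
  const send = (purpose, payload) => () => { sent.push({ purpose, payload }); return payload; };
  const result = {};

  // Page load: scripts try to collect before the user has acted.
  gate.collect('analytics', send('analytics', 'pageview'));
  gate.collect('sensitive', send('sensitive', 'demographic-survey'));
  gate.dismiss();                                   // user closes the banner
  result.sentBeforeConsent = sent.length;           // 0

  gate.grant('analytics');                          // user clicks "Accept analytics"
  result.sentAfterAnalyticsConsent = sent.length;   // 1

  gate.grant('sensitive');                          // user opts in to the survey
  result.sentAfterSensitiveConsent = sent.length;   // 2

  gate.revoke('sensitive');                         // user withdraws via preferences
  gate.collect('sensitive', send('sensitive', 'demographic-survey-page-2'));
  result.sentAfterRevoke = sent.length;             // 2
  result.heldAfterRevoke = gate.pendingCount('sensitive'); // 1

  result.maySellBeforeOptOut = gate.maySellOrShare(); // true
  gate.optOutOfSaleOrSharing();                       // "Do Not Sell or Share" link
  result.maySellAfterOptOut = gate.maySellOrShare();  // false
  result.audit = gate.audit;
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the queue is that tag loaders and analytics snippets typically run at page load, before the banner has been answered; routing them through `collect()` makes “no affirmative act yet” the default state rather than something the banner has to undo after the fact. The audit array gives you a record of which consent state each collection ran under, which is what you will be asked for if a regulator or counsel wants to verify the banner actually gated processing.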
Next Steps for Determining Your Consent Banner Needs
As you can see from the above, the layers of laws and regulations can make it difficult to determine what you need to implement. We advise speaking with legal counsel about your specific situation and use cases. Further stands ready to assist legal and technical teams in understanding the data they collect and determining which provisions may apply.