Cookies 'Ground Zero' in Privacy Debates on Consent, Hogan Lovells Panel Says
Cookies and other tracking technologies were considered simple tools to enhance website users' experience but have become "ground zero" in the data-protection consent space, privacy and cybersecurity attorney Scott Loughlin said at a June 12 Hogan Lovells webinar.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Cookies have been on the radar of EU regulators for years, but the U.S. landscape is "fragmented" and "chaotic," Loughlin said. Cookies weren't an issue, but they are now, as the FTC, state attorneys general and other authorities focus on them.
Under EU rules, a website publisher is responsible for collecting consent because it has the sole direct relationship with the user, said privacy attorney Etienne Drouard. The recipient/beneficiary of consent must comply with the "consent string" resulting from a publisher's consent management platform (CMP).
One example of a CMP is the Interactive Advertising Bureau's transparency and consent framework (TCF), responsible for building a consent chain but which the courts have recently held not to bear responsibility for misuse of the consent (see 2506010001), Drouard added.
Europeans are debating several cookie evolutions, Drouard said. These include changing the system from browser-based consent to cross-device or even cross-group consent, or moving from browser-based consent to an "all-tracking technology" consent. Moreover, "consent fatigue" (too many requests for consent) is the top concern of EU regulators, he noted; 70%-85% of users already provide an overall consent.
In January, the U.K. Information Commissioner's Office contacted Britain's biggest 1,000 websites about their use of non-essential cookies, said privacy attorney Katie McMullan.
This move was partly due to the Data Use (and Access) Bill, which is expected to receive Royal Assent soon (see 2506100003, McMullan added. DUA brings fines from cookie breaches in line with the General Data Protection Regulation but also introduces some exemptions from cookie requirements, she said.
The ICO said it intends to name and shame companies that misuse cookies and hinted it plans to cooperate on the issue with its EU counterparts, McMullan said.
U.S. regulators hadn't deemed cookies a significant issue until recently, Loughlin said. There have been, however, discussions about aligning laws, such as the Health Insurance Portability and Accountability Act and Section 5 of the FTC Act, with online technologies.
A series of FTC actions, for example, focused on how sensitive information might be collected on websites and then transferred to companies using web-tracking technologies, Loughlin said. The FTC stated that it's an unfair trade practice for organizations to collect sensitive data and then give it to third parties, including those setting cookies, without user consent.
Now, Loughlin said, he sees some federal actors requiring a level of affirmative opt-in consent, and this is occurring in several states as well. U.S. laws are likely to move toward better definitions of sensitive information, he added.
The bigger story, Loughlin said, is whether companies need cookie banners or not. Here, U.S. law is developing faster than technology.
There have been more than 1,000 web-tracking cases filed in the U.S. since 2022, including class actions and individual suits in state and federal courts, said litigation attorney Vassi Iliadis.
Claims include statutory causes of action under federal and state law such as the California Information Privacy Act (CIPA) and the Federal Wiretapping Act, Iliadis noted. Plaintiffs are basing their claims on broad allegations about the use of such technologies and are pushing for overly expansive interpretations of the laws. They're banking on the fact that many courts are reluctant to hold that a particular law doesn't cover the technologies, and the lack of clarity is frustrating to defendants, she said.
Plaintiffs' key legal theories involve CIPA, the California Consumer Privacy Act and the Video Privacy Protection Act, said Iliadis. Disclosing cookie banners to consumers is a good defense against these claims, she added.
There are several cookie-banner options under discussion depending on different risk positions, Loughlin said. One is to obtain affirmative, opt-in consent prior to third-party advertising or analytics via an EU-style banner. A second is an opt-in, consent-style banner that gives consumers accept-all, reject-all choices.
A third choice is a notice-only banner alerting users that the website uses tracking technology, and a fourth is for a company to rely on the privacy policy and terms of use in its website footer, Loughlin said.