What businesses need to know
Due to recent fines and lawsuits, many businesses have chosen to implement a cookie consent banner on their website, asking website visitors whether they would like to be tracked through tools such as Google Analytics, Google AdWords, and Meta Pixel. While this banner may be required by laws in certain states or countries, some states that have no such requirement have been taking note of the fact that the layout and implementation of these banners may lead to deceptive acts and practices, which are prohibited by consumer protection laws. A great example of this is the New York State Attorney General’s Office, which recently released guidance on website privacy controls. In this article, we will discuss what cookie consent banners are, which privacy laws require them, and the New York State Attorney General’s Guidance so that you can determine whether your cookie consent banner is proper.
What is a cookie consent banner?
A cookie consent banner is a banner on your website that gives individuals information about the cookies on your website and asks them to either agree to or decline the placement of cookies on their device and/or browser. A cookie consent banner controls cookies, which are small files that are created and stored on a user’s browser and/or device when visiting a website that uses cookies, and the scripts that set them. Cookies are used to track information about visitors for various reasons such as analytics, marketing, security, and more. Many websites choose to have a cookie consent banner to comply with applicable privacy laws that require websites to obtain the consent of the user prior to being tracked through cookies and scripts, or to allow website visitors to opt out of certain tracking.
Which privacy laws require websites to have a cookie consent banner?
Websites implement a cookie consent banner when they need to comply with certain privacy laws that require them to obtain the consent of the website visitor prior to tracking them through non-essential cookies:
- ePrivacy Directive;
- General Data Protection Regulation (GDPR);
- United Kingdom’s Data Protection Act 2018 (UK DPA);
- California Privacy Rights Act (CPRA);
- California Invasion of Privacy Act (CIPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Quebec Law 25.
It is important to note that each privacy law may have different requirements for the layout of the cookie consent banner. For example, the CPRA allows tracking by default but requires the website to provide a way to opt out of the sale of personal information or the sharing of personal information for targeted advertising. On the other hand, other privacy laws require opt-in consent to be obtained prior to the individual being tracked. Failure to have the proper cookie consent banner can lead to fines and even lawsuits. For example, multiple businesses have been sued under the California Invasion of Privacy Act for failure to obtain the consent of residents of California prior to tracking them through tools such as the Meta Pixel.
It is important to note that the State of New York does not have a privacy law prohibiting the tracking of individuals residing in New York without obtaining consent. However, the Attorney General of New York has released guidance stating that the use of misleading or improper cookie consent banners can be considered a deceptive act or practice, which is governed by New York’s consumer protection laws. This means that cookie consent banners that contain any of the enumerated issues discussed below could lead to businesses being fined under New York’s consumer protection laws.
New York State Attorney General’s cookie consent banner guidance
In its guidance document, the New York State Attorney General states that it found that 13 high-traffic websites selling consumer products that had an estimated 75 million website visitors in March of 2024 contained multiple issues with their cookie consent banners. The issues that the Attorney General advised businesses to avoid are as follows:
- Failing to disable marketing or advertising cookies when the user clicked “decline” on those cookies;
- Failing to categorize cookies and scripts at all (all cookies must be categorized as essential, functional and marketing);
- Failing to properly categorize cookies and scripts (e.g. marketing cookies were labeled as essential);
- Misconfiguring tag management tools so that individuals could not properly opt out of marketing cookies;
- Hardcoding tags so that the cookie consent banner was not able to control those tags and cookies;
- Failing to understand and provide information about tag data collection and use – some cookie consent banners did not provide adequate information as to what personal information is being collected or how it is used;
- Confusing selections. For example, certain cookie consent banners stated that if the user clicks “accept”, then they will be tracked by cookies. However, the user was tracked regardless of whether they selected “accept”;
- Poor design choices that led the user to accept cookies because the option to decline cookies was not prominent.
Website owners should make sure that their cookie consent banners avoid the mistakes listed above so that the banners are not only compliant with applicable privacy laws, but also meet the expectations and requirements of consumer protection laws.
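A check for the first three issues in the list above, as an added example that is not part of the original article or the Attorney General’s guidance: it compares the cookies present after a visitor clicks “decline” with the categories the banner declares. The function name, the inventory and the observed cookie list are constructed for illustration; `_fbp` and `_gcl_` are the cookie name prefixes used by Meta Pixel and Google Ads.

```javascript
// Categories the guidance expects every cookie to be sorted into.
const CATEGORIES = new Set(["essential", "functional", "marketing"]);

// Cookie name prefixes set by the advertising tools the article mentions.
const KNOWN_MARKETING = [
  { prefix: "_fbp", tool: "Meta Pixel" },
  { prefix: "_gcl_", tool: "Google Ads" },
];

// inventory: Map of cookie name -> category declared in the banner (assumed input).
// observed: names of cookies found in the browser after clicking "decline".
function auditDecline(inventory, observed) {
  const findings = [];
  for (const name of observed) {
    const category = inventory.get(name);
    const known = KNOWN_MARKETING.find((k) => name.startsWith(k.prefix));
    if (!CATEGORIES.has(category)) {
      // Cookie is missing from the banner's inventory or has an unknown label.
      findings.push({ cookie: name, issue: "uncategorized" });
    } else if (known && category !== "marketing") {
      // A known advertising cookie labelled as essential or functional.
      findings.push({ cookie: name, issue: "miscategorized", tool: known.tool });
    } else if (category === "marketing") {
      // Correctly labelled, but still present after the visitor declined.
      findings.push({ cookie: name, issue: "set-after-decline" });
    }
  }
  return findings;
}

// Constructed sample data, not taken from any real site.
const sampleInventory = new Map([
  ["session_id", "essential"],
  ["lang", "functional"],
  ["_fbp", "essential"],
  ["_gcl_au", "marketing"],
]);
const sampleObserved = ["session_id", "_fbp", "_gcl_au", "promo_tracker"];

console.log(auditDecline(sampleInventory, sampleObserved));
```

The observed list would come from the browser’s cookie storage after a fresh visit in which only “decline” was clicked.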