As anyone who uses the internet can attest, cookies banners pop up on almost every type of website and offer a dizzying and often annoying array of approaches and options to consumers. It is difficult to parse through what the banners are offering and what consumers need to do to exercise their choices. Until recently, though, US privacy regulators had not weighed in on whether cookies banners meet state law opt-out obligations for targeted/ad cookies or what options must be provided to consumers via these banners.
This silence came to an end in March when the California Consumer Privacy Protection Agency (CPPA) waded into the fray with its first enforcement action against American Honda Motor Co. The enforcement action focused on several issues under the California Consumer Privacy Act (CCPA), including Honda's cookies management solution, which allowed consumers to accept all cookies via the banner but required them to take additional steps to opt out of advertising and other cookies. Specifically, Honda's approach was to permit users to accept the use of cookies in one click (e.g., by clicking "Accept All" in the banner), but to require at least two clicks to opt out of cookies (e.g., requiring users to hit a toggle to turn off behavioral advertising cookies, then click "Confirm My Choices").
When focusing on this approach, the CPPA identified these asymmetrical options as a violation of the CCPA, stating (citations removed):
Businesses must design and implement methods for submitting CCPA requests that are easy to understand, provide symmetry in choice, avoid language or interactive elements that are confusing to the Consumer, avoid choice architecture that impairs or interferes with the Consumer's ability to make a choice, and are easy to execute.
Symmetry in choice means that the path for a Consumer to exercise a more privacy-protective option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the Consumer's ability to make a choice. More specifically, a choice is not symmetrical when a business's process for submitting a Request to Opt-out of Sale/Sharing requires more steps than that business's process for a Consumer to opt-in to the sale of Personal Information after having opted out....
A website banner that provides only two options when seeking Consumers' consent to use their Personal Information—such as "Accept All" and "More Information," or "Accept All" and "Preferences"—is not equal or symmetrical. Such a method is not equal or symmetrical because it allows Consumers to "Accept All" in one step, but requires Consumers to take additional steps to exercise their rights over their Personal Information. An equal or symmetrical choice, by contrast, could be between "Accept All" and "Decline All."
It would be easy to overlook the import of this one portion of the enforcement action without considering that the configuration of Honda's cookies banner is not an outlier in the market but rather a relatively typical approach. Permitting website users to set their preferences through toggles has been the market approach and has not, until this action, been treated by regulators as requiring extra steps to be taken to opt out of cookies.
If the CPPA's enforcement picks up steam and/or other regulators adopt a similar approach, many companies could find themselves in the same position as Honda. Consequently, companies should not assume that if they have implemented a cookies banner with an opt-out function, they are in the clear. They also should not assume that a cookies banner is necessarily a better solution than an opt-out link.
To help navigate this process, companies need to first carefully consider the strategic goals for implementing a cookies banner versus an opt-out link (Your Privacy Choices or a Do-Not-Sell or Share My Personal Information link). Under current US state privacy laws, companies are required only to offer a right of opt-out via an opt-out link and only for targeted or ad cookies (not for analytics, performance or essential cookies). Nevertheless, cookies banners have proliferated across all types of industries and websites, with one likely reason being the significant uptick in class action litigation based on claims that ad cookies deployed without consumer consent are unlawful surveillance under the California Invasion of Privacy Act ("CIPA") and similar laws. Therefore, companies may be implementing banners when not otherwise legally required to do so to try to establish consumer consent and reduce the risk of being targeted by these types of suits.
The question with this approach, however, is whether it actually reduces the risk of CIPA and similar lawsuits. At the current time, the only meaningful "safe harbor" for CIPA and similar suits seems to be a full opt-in approach (where ad cookies do not drop unless a user affirmatively opts in to their use), noting that even this approach may be subject to challenge by plaintiffs' firms. Nevertheless, most companies steer clear of a full opt-in approach in the US due to the corresponding loss of marketing revenue. For similar reasons, many cookies banners are configured in a manner similar to that of the Honda banner, likely to encourage consumers to opt in to their use and move on rather than taking the extra step of opting out. Therefore, the many opt-out banners popping up on websites may not be an effective shield (beyond potential optics associated with the banner) against these types of class action lawsuits and can create corresponding legal risk under the CCPA if not configured appropriately.
With these various factors in mind, companies should take a careful look at their cookies management solution (for further information, please see our prior alert on this issue – "Cookies Banners and Beyond: how to avoid common mistakes"). If it still makes sense to implement a cookies banner, they should make sure to offer two equal choices for consumers (Accept All/Reject All rather than Accept All/Confirm My Choices). This may not be the preferred approach from a marketing perspective, but failing to do so will leave companies open to enforcement by the CPPA and/or other state regulators who decide to pick up this torch.