Cookie compliance is essential for all businesses collecting consumer data. Cookies are a tracking technology used by web browsers for user personalization. Cookies track site sessions to streamline the consumer’s experience and also acquire personal data. It’s important to consider data privacy laws when using cookies to gather or sell personal data.
Laws to consider include, but are not limited to, the following:
- Brazil’s General Data Protection Law (LGPD)
- Virginia Consumer Data Protection Act (VCDPA)
- Utah Consumer Privacy Act (UCPA)
- Colorado Privacy Act (CPA)
Cookie Compliance Regulations
Brazil’s General Data Protection Law (LGPD)
The LGPD, or Lei Geral de Proteção de Dados Pessoais, went into effect in May 2021 and applies to companies offering any goods or services to Brazilian citizens. Similar to GDPR compliance, the LGPD rules and restrictions are based on accountability, purpose limitation, data minimization, security, and privacy. The LGPD does not apply to data processing related to national security, academia, or personal use. Under the scope of the LGPD, companies that utilize cookies must clearly inform consumers and ask for their consent, with the option to decline data processing. Failure to comply with the LGPD can result in fines of up to 2% of the company’s revenue.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA will become effective in January 2023 and applies to any company that conducts business in the state of Virginia or markets to Virginia residents. Companies utilizing cookies must inform consumers of their rights in order to be compliant. Failure to comply with the VCDPA can result in fines of up to $7,500 per violation.
Rights under the VCDPA include:
- The right to know, access, correct, confirm, and delete personal data.
- The right to portable access of personal data.
- The right to opt-out of the sale, targeted advertising, and profiling of personal data.
- The right to not be discriminated against for opting out of processing personal data.
Utah Consumer Privacy Act (UCPA)
Similar to the VCDPA, the UCPA will become effective in 2023. The UCPA applies to companies in Utah and companies that market services to Utah residents. In addition, companies must have annual revenue of 25 million or more and either acquire or use the personal data of 100,000 or more consumers annually or receive more than half of their revenue from personal data. While companies covered by the UCPA must provide information on how the data is used, the act does not require them to obtain consent.
Colorado Privacy Act (CPA)
The CPA goes into effect in July 2023. The CPA applies to companies in Colorado and companies that market services to Colorado residents. Like the UCPA, the CPA applies to companies that acquire or use the personal data of 100,000 or more consumers per year. The CPA includes the right to access, correct, or delete personal data. In addition, the CPA requires companies to provide portable access to personal data and the right to opt out of data processing. The CPA requires companies to act on consumer requests within a 45-day period.