
There has been an increasing number of lawsuits threatened and filed in the last year against ecommerce marketers and other online companies based on their use of analytical and other “non essential” marketing-related cookies. These actions typically allege violations of various federal and state privacy statutes—most notably the California Invasion of Privacy Act (“CIPA”), including California Penal Code §§ 631(a), 632, 632.7, and 638.51—and challenge widely used online advertising and tracking practices such as the usage of cookies, pixels or the alleged interceptions of communications. It is important to note that there have been no definitive legal rulings on these claims, and this is an ever-changing area of the law, which is being increasingly exploited by plaintiff’s attorneys.
While there is no guarantee that a claim will not be threatened or brought, in order to minimize a marketer’s risk of exposure, we have cataloged certain “best practices” for cookies and tracking technologies (such as pixels). The hallmark of these practices in the United States centers on transparency and the ability of users to immediately opt-out of non-essential cookies.
Federal and state laws generally follow an opt-out model, meaning cookies and other tracking technologies can be placed by default, but users should be given clear notice and an easy way to opt-out of non-essential cookies.
There are three basic types of cookies and tracking technologies:
- Essential cookies: These are vital for a website’s basic operations (e.g., shopping cart functionality, secure logins). They typically do not require explicit user consent, as the user’s request for the service implies their necessity.
- Analytics cookies: These gather data about user behavior to measure and improve a site’s performance. Because they collect personal information (like IP addresses and browsing history), they are not strictly necessary for the core service.
- Marketing cookies: These monitor a user’s online behavior, collecting data like visited pages, clicks, and purchase history to build user profiles for delivering personalized, targeted ads across the web, making ads more relevant and effective. They often track users across different sites, enabling remarketing (showing ads for products the user viewed elsewhere) and building user interest profiles for tailored campaigns, often set by third parties like ad networks.
Analytics cookies have been found to be non-essential. It is generally accepted that analytics cookies are non-essential cookies, and users should be given the option of opting out of them. There are a number of recently filed lawsuits on this issue. While most are in California, it is important to note that at least 20 states have their own privacy laws in effect, and various other statutes (as well as common law such as fraud) may apply in all states. While none of these suits appear to have proceeded to a final judgement as yet, several have survived motions to dismiss. In these cases, the plaintiffs allege, among other claims, that non-essential cookies (including analytics cookies) were placed even though the plaintiffs opted out of non-essential cookies and/or were placed before the plaintiffs had the opportunity to opt out, allegedly this was a violation of various state and common laws.
With the above in mind, the following are best-practice guidelines for the use of cookies:
- Transparency: A company should disclose in its privacy policy: (a) whether it uses cookies or other tracking technologies; (b) the purpose of the same; (c) what information is collected by the cookies/technologies; (d) how the information is used; and (e) what options has are given to opt out of non-essential cookies or manage preferences in relation to the cookies/technologies.
- Auto-Block Non-Essential Cookies: A company should ensure that non-essential cookies are not placed until a user has been given notice and the ability to opt out.
- Clear Options to Accept or Reject Cookies: A website should offer clear and equally prominent “Accept” and “Reject” buttons in any cookie banner, avoiding “dark patterns” that “trick” users to accept them. It is acceptable to allow users to accept all, reject all, or only reject marketing cookies as long as the company discloses that it also places analytics cookies.
- Rejecting Cookies as Easily as Accepting Cookies: A website should ensure that rejecting cookies is as easy as accepting them, and users should be able to revisit and change their cookie preferences or withdraw consent at any time via an easily accessible link (e.g., in the privacy policy or footer).
- Data Minimization: A company should retain data only as long as necessary for its business purpose. This includes using session cookies where possible instead of persistent cookies, and setting reasonable expiration dates for persistent cookies.
- Regular Testing: A company should test its cookie functionality regularly to ensure the blocking mechanisms operate correctly and that actual practices match the company’s stated policies.
- Maintain Proof of Compliance: A company should maintain logs of user consents and documented procedures to demonstrate compliance with privacy policies in the event of a lawsuit or regulatory inquiry.
TAKEAWAY: Many online marketers rely heavily on analytics cookies to deliver targeted online advertising, and plaintiffs’ attorneys are increasingly focused on the alleged failure to obtain proper consent. In addition to providing transparency as to their online marketing practices, marketers should take the steps described above designing their websites and data privacy compliance efforts.
Please contact the Olshan attorney with whom you regularly work or one of the attorneys below if you would like to discuss further or have any questions, including potential reimbursement for penalties paid under Section 6038(b) for late filings of Form 5471 or similar penalties.