A look at the regulations that govern cookie policy.
Each month this year I have been asked by one of my clients about cookie consent pop-ups or other consent processes that they have integrated on their website. I’ve written a primer on the best practices for implementing a cookie consent process on your website, but the main thing I get asked is …
The short answer is probably, “yes.”
Many companies have implemented a cookie consent process in recent months in response to the 2018 California Consumer Privacy Act (CCPA), the EU’s 2020 General Data Protection Regulation (GDPR), and the 2020 California Privacy Rights Act (CPRA), which modified, expanded, and clarified privacy rights for California residents and takes inspiration from the EU’s GDPR policy. Those who have managed large-scale websites, sweepstakes, or growth campaigns have probably been addressing certain privacy guidelines and concerns in their campaigns for some time. But with the newer GDPR guidelines and stricter CPRA legislation, most privacy experts are advising companies to place more focus on their privacy and data collection processes.
Another trend that has led to this change has been the uptick in lawsuits aimed at companies in violation of the GDPR regulations. The GDPR allows for each EU country to set its own custom privacy rules, which has made it very difficult to stay in compliance across multiple countries. There has been a rise in lawsuits by law firms, many located in Russia, that have been targeting large to mid-sized companies that may be in violation of GDPR regulation, which is an easy argument considering that many countries have conflicting regulations that are not easy to resolve technically. Both US and German companies have been hard hit by fines levied through such lawsuits. This has led to some companies restricting EU access to their websites altogether because they fear a potentially costly lawsuit. Sadly, this means a less open flow of information across international borders.
The GDPR is the most restrictive of these regulations: it applies to ANY business that collects privacy data, and it sets fines of up to 20 million euros for any business that allows access by EU consumers, even if that business is located outside of the EU. So unless your tech team has the technical ability to block EU members from loading your website, you need to respond to GDPR compliance.
And even if you do block EU countries from your website through IP address blocking or other measures, there’s still the CCPA regulation to address, which applies to any business that stores privacy data for at least 50,000 consumers in a database such as a membership, acquisition, or email platform. That applies to most of the companies I’ve worked with in my career.
Here’s a handy chart that helps clarify the differences between CCPA and GDPR regulations:
Look, the reality is that if you are a small to mid-sized company, it’s tempting to assume that you won’t be targeted in a lawsuit. But the GDPR and CCPA are just the tip of the iceberg when it comes to the onslaught of privacy regulation that is coming from various countries and states. It behooves your marketing team and digital officers to take this issue seriously. If you are handling private data in any way that could be considered suspect, you should stop. But even if you think you are doing everything on the up and up, you should take steps to show you’ve made a good-faith effort to comply with the regulations that govern your business and consumers.
If you follow me, you know I am a big advocate of the Webflow platform. If you happen to have your website hosted on Webflow, you will be happy to learn that the Webflow partner Finsweet has a great cookie consent library that can be implemented quite easily. If you are on another platform, there are many JavaScript libraries available that you can plug into your website to manage cookie compliance.
Check out my primer on implementing a cookie consent popup, and if you need additional help, contact me, and let’s discuss how I might be able to assist you.