Cookies - delicious and nutritious! Now with Rules.
TL;DR: While no federal United States laws exist around cookies or online privacy, at least 20 US states carry these rules. Generally, they do not apply to businesses handling fewer than 30,000 online customers. When running a business dealing with the “lower 48,” whether or not you need one is a function of the size of the customer base from that state, not necessarily your own geography. If your business is strictly local and deals with online customers, your requirements will be more specific. None of these laws require a cookie banner like Europe’s GDPR, but they want you to be up-front about tracking and give an option to opt-out.
So, do you need a cookie banner?
No. Yes! Maybe in the future. How soon before you’re dealing with 30,000 customer records, online? If the answer is “this is not foreseeable for my situation,” then you can probably skip this website feature for now, until news headlines bring this back with increased scrutiny and gusto. However, if this is you, you may be big enough to have a legal department who is already on it, or looking to scale your business. While considering website softwares that stay stable over time and don’t get hacked, planning ahead for privacy concerns is both smart and realistic.
Most US states that have Cookie Privacy laws carry specific numeric thresholds for applicability, generally varying by the size of the state. So, California’s is 100,000, and Connecticut, Rhode Island, and New Hampshire have a threshold of around 35,000 customer records before this kicks in.
If you do business with/in Nebraska, there is no threshold of applicability, but all business classified as Small Business (like us, likely you) are exempt. So that’s good. Other states carry exemptions for different reasons. Check the specifics of your customer’s state.
Still, US-based websites aren’t subject to Europe’s GDPR, which requires a banner, specifically. A banner is still one (familiar, done-before) way to satisfy the requirement of privacy laws, which generally mandate:
Explanation of Data Practices
The ability to opt-out with a few clicks, not gangly offline processes
The use of standardized GPC code/language/signals to carry out these changes
Opt-in for more-strictly legalized data, such as data around health or dependents
California has also passed additional measures applying to businesses that buy and sell 100,000+ personal data records per year (or, make half their money doing this, or, make $26,000,000 a year or more in this way) - that businesses that make these thresholds also make this data (if it is yours) available for deletion, correction, opt-out, and many other facets. It’s a lot - here’s a solid article on these details.
What does your cookie privacy solution need to do?
Your cookie management feature needs to do its best to figure out where your user lives (through tracking by IP,) and present them with an opt-in or opt-out banner which most closely conforms to the laws around their state. For this reason, Aquarian does not recommend that individual developers design or implement these themselves. Finding a management software that takes care of these details and having your friendly development team implement it, is the recommended course of action.
Software that can help with Cookie Consent
Many cookie preference management solutions are drop-in apps that are quick to set up and manage. These generally cost their value but can keep you out of trouble if that’s where you’re headed. A quick Cookie Consent Google Search yields potentially dozens of apps that offer this service. We don’t have a favorite.
Craft CMS has at least one cookie management solution which is GDPR compliant, which ought to cover all US requirements as well. Cookie Consent carries the benefit of allowing the website owner to keep track of cookie consent within the website itself, without a subscription or dependency on 3rd party services.
ExpressionEngine’s Termly add-on is a hybrid between internal management and 3rd party. It connects to the termly service via API key but installs into the control panel. While it relies on a 3rd party service, much of the editing and policy control can be done from the control panel of the website. Termly is a freemium service which at the time of this writing offers 10,000 page views a month for free - not enough to clear any particular state hurdles, except maybe that Nebraska one.
The bottom line
If you’re unsure about whether your website needs cookie consent added, talk to your legal department or an attorney that specializes in business law. The laws predominantly apply to larger entities where (you'd think) having some kind of lawyer available would be a routine thing. If you're close to your local threshold, don't wait!
With contributions by Niki Wolf
Additional Reading:
https://iapp.org/resources/article/us-state-privacy-legislation-tracker
https://www.cookiebot.com/us/ccpa-vs-cpra-differences-guide