And maybe your privacy budget too.
This is the harsh reality of the state of privacy in the US right now. GDPR is taking a back seat while the new kids on the block are getting in-house legal teams all worked up, and rightly so. Hopefully you've already heard of the California Invasion of Privacy Act (CIPA). And maybe you've heard of ECPA, CDAFA, and VPPA too. This is the ever-growing list of US federal and state laws that are being weaponised to sue thousands of US companies right now.
The approach is a fairly simple one: take an old law that probably predates the invention of the Internet, such as one regarding wiretapping, and apply it to modern technologies such as scripts and cookies on your website. And crucially, make sure the law gives you a private right of action, so rather than complaining to your local Attorney General and hoping that a multi-million dollar fine is issued (that'll probably never come your way), you go straight to the target and demand thousands of dollars because they had the audacity to use Google Analytics on their website.
Claims are focusing on all sorts right now - Facebook pixel being used, website searches going to Google Analytics, Google Ads running, and session replay tools being used without prior notice. Pretty much whatever they can think of that can be loosely applied to an existing law.
CIPA is the main focus right now. It's California-focused and seems to be literally paying off.
At a high level, the issue is one of transparent notice and affirmative consent. The claimants argue that without that, you're breaching their privacy and the only way to solve that is through cold hard cash. And don't for one minute think the irony is lost on me. For years we've had people across the US ridiculing us Europeans for our cookie banners and the woes of GDPR compliance, and now the chickens have come home to roost, with ePrivacy now at the forefront of every US privacy and legal team. And even worse, it's no longer about risk of non-compliance, it's not even about compliance. It's about protecting yourself and probably paying out for something that is standard practice and likely compliant with the CCPA.
If you work in US legal right now, you will know someone who has paid out five figures to settle these claims. And that's budget that could have gone on better things, like privacy consultants.
Personally, I've now worked on over 15 of these claims, and they keep coming.
If you work in privacy, legal, or compliance in the US, I'd be interested to know:
Are these claims changing how your organisation thinks about scripts, cookies, analytics, and consent?