
Stop researching CIPA and start configuring your cookie banner

Carl Gottlieb
18 May 2026 · Updated 28 May 2026 · 2 min read

For US privacy and legal folks, CIPA (the California Invasion of Privacy Act) and other weaponised US laws such as ECPA, CDAFA and VPPA are likely on your plate right now.

The vast majority of these claims centre on alleged breaches of surveillance laws arising from a lack of consent. So that's where we must start. Consent.

It's tempting to argue these laws predate the web and weren't intended for this purpose, but these claims aren't really about the law — they're about squeezing you for money. You've got to defend with action, not facts.

That means there's one immediate step to take.

If you want to get into defensive mode, it's time to fire up our good old friend the cookie banner.

Before I continue, it's worth clarifying what a cookie banner is and what it isn't.

Firstly, a cookie banner is just the visual part of the Consent Management Platform (CMP) that operates on a website. OneTrust is an example of such a CMP. The banner itself gives you the notice, and the buttons to let you control stuff. But it's the CMP engine behind the scenes that does all the opt-in/opt-out magic.

Secondly, we might name it a cookie banner, but it isn't actually about cookies. It's about scripts and other active components on a webpage that perform analytical, functional and marketing services for us. Google Analytics is one example. These scripts often use cookies to help them operate, but that's not the main concern, and not what cookie banners control.

With all that in mind, our consent defence needs two parts:

  1. Notice - we need to tell people what we're going to do with scripts so there is no doubt what they're consenting to, and
  2. Blocking - we need to enable/disable scripts based on the user's choice. A big issue here, and the substance of many CIPA and ECPA claims, is timing. Many organisations already had a banner on display in California for CCPA compliance, but, as the CCPA allows, these ran in opt-out mode: scripts were enabled by default on first page load, and the banner then offered the user an opt-out. CIPA claimants argue this needs to be opt-in instead, with scripts disabled until affirmative consent is given (GDPR style).

A complication with blocking (and this will be a conversation you'll definitely have with Marketing) is that you can block at varying levels of depth, e.g. with Google scripts you can block the whole thing, or you can leave them enabled but just block the personal information processing within them. Tread carefully here, because remember these CIPA claims aren't about the law, they're about money. You can argue about the merits of anonymisation all the way to the courts. And you'll probably win. But the cost might not be worth it.
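As an added illustration (not code from this post, nor from OneTrust or any other CMP), the following JavaScript models the two-part defence in a form you can run: an opt-in default that keeps every gated script off until affirmative consent is recorded, the contrasting opt-out default that runs everything on first page load, and the "depth" option of loading a script in a reduced, personal-data-off form instead of blocking it outright. The script registry, the category names and the `degraded` parameters are constructed for this example and are not any vendor's API.

```javascript
// Added example, not part of the original post or of any CMP product.
// Names such as CATEGORIES, SCRIPT_REGISTRY and the "degraded" option are
// assumptions made for this illustration only.

// Consent categories a banner typically offers. "necessary" is never gated.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed registry of the scripts a site might run. Each entry names the
// consent category it needs and, optionally, a reduced "personal data off"
// form it can be loaded in when that category is denied (blocking at a
// shallower depth than removing the script entirely).
const SCRIPT_REGISTRY = [
  { id: "session-keeper", src: "/static/session.js", category: "necessary" },
  { id: "chat-widget", src: "https://chat.example/widget.js", category: "functional" },
  { id: "web-analytics", src: "https://analytics.example/tag.js", category: "analytics",
    degraded: { params: { anonymize_ip: true, store_identifiers: false } } },
  { id: "ad-pixel", src: "https://ads.example/pixel.js", category: "marketing" },
];

// Opt-in ("GDPR style"): every non-necessary category starts denied, so no
// gated script runs on first page load until the visitor affirmatively agrees.
function optInDefault() {
  const state = {};
  for (const c of CATEGORIES) state[c] = c === "necessary";
  return state;
}

// Opt-out ("CCPA style"): everything starts granted and the banner only
// offers a later withdrawal. This is the timing the CIPA claims attack.
function optOutDefault() {
  const state = {};
  for (const c of CATEGORIES) state[c] = true;
  return state;
}

// Record the visitor's choice. "necessary" cannot be switched off, and
// unknown categories are ignored rather than silently granted.
function applyChoice(state, choice) {
  const next = { ...state };
  for (const [cat, granted] of Object.entries(choice)) {
    if (cat === "necessary" || !CATEGORIES.includes(cat)) continue;
    next[cat] = granted === true;
  }
  return next;
}

// For each registered script decide: load in full, load in reduced form, or
// block. Anything not explicitly granted is treated as denied (fail closed).
function resolveScripts(state, registry, { allowDegraded = false } = {}) {
  return registry.map((s) => {
    if (state[s.category] === true) {
      return { id: s.id, action: "load", src: s.src };
    }
    if (allowDegraded && s.degraded) {
      return { id: s.id, action: "load-degraded", src: s.src, params: s.degraded.params };
    }
    return { id: s.id, action: "block" };
  });
}

// Which script ids would execute on first page load, before any banner
// interaction, under a given default mode.
function firstLoadScripts(mode, registry) {
  const state = mode === "opt-in" ? optInDefault() : optOutDefault();
  return resolveScripts(state, registry)
    .filter((d) => d.action !== "block")
    .map((d) => d.id);
}

// Only non-blocked decisions become <script> elements; a blocked script is
// never added to the page, so it cannot set cookies or contact its origin.
// Returns the number of elements injected (0 outside a browser).
function injectScripts(decisions, doc = globalThis.document) {
  if (!doc) return 0;
  let injected = 0;
  for (const d of decisions) {
    if (d.action === "block") continue;
    const el = doc.createElement("script");
    el.src = d.src;
    if (d.action === "load-degraded") {
      el.dataset.consentParams = JSON.stringify(d.params);
    }
    doc.head.appendChild(el);
    injected += 1;
  }
  return injected;
}

// Demo when run under Node: compare what executes before any choice is made.
console.log("opt-out first load:", firstLoadScripts("opt-out", SCRIPT_REGISTRY));
console.log("opt-in first load:", firstLoadScripts("opt-in", SCRIPT_REGISTRY));
```

The point to notice is `firstLoadScripts`: under the opt-out default every registered script runs before the banner is even drawn, which is exactly the first-page-load timing the claims turn on; under the opt-in default only the strictly necessary script runs. `allowDegraded` is the shallower blocking depth: the analytics tag still loads, but with its personal-data parameters switched off, which is the choice Marketing will push for and the one to weigh against the cost of arguing anonymisation in court.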

And now I hear you asking, "So we just need to do what we do in Europe for GDPR, but in California?" Yeah, that's pretty much the answer.

I wish it were that simple, though. Marketing will have other ideas…

Carl Gottlieb

Privacy consultant and Data Protection Officer to leading tech companies. Specialist in data privacy and cookie compliance, IAPP Fellow of Information Privacy, and ISO 27701 Lead Implementer.

Related reads from the Banner Scanner blog.