Do you qualify?
To determine whether your business must adhere to the new regulatory requirements in Virginia, California, Colorado, and the EU, answer the following questions:
- Does your company collect personal data on 100,000 or more California, Virginia, or Colorado residents in a calendar year?
- Does your company buy, sell, or share the personal information of 100,000 or more California, Virginia, or Colorado residents in a calendar year?
- Does your company earn at least 50% of its annual revenue from selling or sharing California, Virginia, or Colorado consumer information in a calendar year?
- Does your company exceed an annual revenue of $25 million (applies to CA and VA)?
- Does your company control or process the personal data of more than 100,000 Colorado or Virginia residents in a calendar year?
- Does your company control or process the personal data of at least 25,000 Colorado or Virginia residents and derive more than 50% of gross revenue from the sale of Colorado or Virginia residents’ personal data?
- Does your company operate inside or outside of the EU and offer goods or services to residents or businesses inside the EU?
Not all entities are required to follow these guidelines. If you are not doing business in California, Colorado, or Virginia and controlling the data of residents, you don’t need to comply with the CPA/CDRA/CPRA, as noted above. Also, if you are a non-profit, you are exempt in VA and CA (not Colorado).
The types of organizations listed below are exempt:
- Public utilities
- Financial institutions
- Governmental entities
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Entities collecting or processing data for health insurance law purposes
- Entities collecting or processing data for employment records purposes
- Entities processing de-identified personal data
- Consumer reporting agencies
- Higher education institutions
If you are not exempt and answer yes to any of the above questions, then you are regulated by the GDPR, CPRA, CDRA, or CPA and must comply with the privacy, cookie, and data collection policies.
What is a Cookie?
Here are the cookies by category that could exist on a website:
- Necessary cookies are placed on the site for two sites to connect/integrate with each other.
- Functional cookies are needed to allow a website to function better, advancing the usability of the site.
- Analytic cookies are placed on the site for tracking and monitoring the usability and performance of the site.
- Performance cookies support the performance of the site.
- Advertisement cookies are placed to help track users for paid advertising campaigns.
- Other cookies tend to include sales to capture data for managing communications with consented users.
Cookie Consent Options
In all the cookie consent models we investigated, there are varying levels of consent available. Many site owners provide varying levels of choice about the types of cookies they serve. However, from a practical and user experience perspective, there are varying degrees of granularity available to site owners to address which cookies are served.
The types of consent are as follows:
- Notice Only
- Soft Opt-in
- Explicit Consent
A cookie consent banner is necessary for those companies that must be compliant with CPA, CDRA, CPRA, or GDPR. These rules were put in place for large companies that are collecting, storing, sharing, selling, and making money on consumers’ personal information without their consent.
What’s the Risk?
Cookies have proven more effective in driving conversions, and likely your revenue. Companies need to be prepared for how a cookie consent banner will affect their online marketing efforts.
It is important to consider the function of the privacy policies being implemented. The data consumers provide explicitly or implicitly is called First-Party or Third-Party data. The difference between the two and how this information is used may directly affect a paid media campaign.
First-party cookies often improve the user experience by remembering user preferences and settings. This also includes data such as email addresses, purchase history, or preferences that provide businesses with data that can be used for marketing collateral because users have given explicit consent.
Third-party cookies track site performance and consumer behavior and are directly affected by customer opt-outs because third-party data is collected from external sources and often used to track user activities across multiple websites. According to recent Adobe research, about 75% of marketing and customer experience leaders globally rely heavily on tactics that utilize third-party cookies.
Therefore, the company must consider how to address the possibility of 40% of website users deciding to opt out of all cookies when the option is easily presented to them.