Data Protection and Privacy 2025

USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP

allowing cookies to collect their personal data. (The one exception is for trackers present on websites or platforms displaying or allowing access to video content.) Therefore, cookie banners are not required in the USA, although businesses increasingly use them. Instead, US state laws require businesses to provide consumers with a mechanism to opt out of the disclosure of their personal information to third-party cookies when such disclosures are for monetary or other valuable consideration (called a “sale” under many state privacy laws) or for targeted advertising (ie, advertising based on consumers’ online activities over time and across unaffiliated websites).

Most state privacy laws do require businesses to obtain opt-in consent from consumers before allowing third-party cookies to collect certain sensitive personal data or before “selling” personal data (ie, making such data available to certain types of third-party cookies) collected from consumers known to be minors or before allowing third-party cookies to collect such data for targeted (or personalised) advertising.

4.2 Personalised Advertising and Other Online Marketing Practices

As previously noted, comprehensive state privacy laws generally require controllers to give consumers the opportunity to opt out of the processing of their personal information for “targeted advertising”. State laws generally define “targeted advertising” as “displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across non-affiliated websites, applications or online services to predict consumer preferences or interests”.

The CCPA uses different terminology but similarly requires businesses to give consumers the chance to opt out of “cross-context behavioural advertising”, which it defines as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications or services, other than the business, distinctly branded website, application or service with which the consumer intentionally interacts”. The CCPA is slightly more restrictive because it treats entities as a single “business” only if they are under common control and share common branding. Therefore, an entity that uses personal information obtained from a consumer’s activity across its differently branded affiliates’ websites for targeted advertising may need to provide the consumer with a mechanism to opt out of such advertising.

State privacy laws generally require controllers to provide an opt-out link in the footer of their website homepages, and many state privacy laws require controllers to recognise browser-based opt-out signals that consumers can configure to signal their requests to opt out of sales and for sharing of personal data for targeted or cross-context behavioural advertising.

As previously noted, some states require opt-in consent to process the personal data of minors for targeted advertising, and most states with comprehensive privacy laws require opt-in consent to process sensitive personal data. Therefore, controllers will need to obtain opt-in consent before engaging in targeted advertising in some circumstances.

4.3 Employment Privacy Law

The USA does not have a comprehensive federal employee privacy law, but an employer’s handling of employees’ personal information may be subject to sector-specific federal and state laws designed to protect the confidentiality of certain
