Oops! You May Be Selling or Sharing Personal Information

What in-house counsel and privacy officers need to know -- and ask -- in a privacy regulation landscape that is evolving and expanding.

Mark J. Stuhlmiller, Counsel, Harter Secrest & Emery, LLP

October 23, 2024


In the upcoming months, 19 states will have “gone live” with comprehensive privacy legislation.  Are you ready?   

Many organizations are surprised to learn that so many states have passed privacy legislation that is nearly as comprehensive as the better-known EU General Data Protection Regulation (GDPR) or California Consumer Protection Act (CCPA). If you meet certain activity thresholds in these states, you may be subject to these comprehensive privacy regimes, even if your home state has not yet passed comprehensive privacy legislation.

Knowing whether you are subject to these laws is probably the biggest compliance question your organization needs to ask right now. If you are subject to one or more comprehensive privacy laws, the next biggest compliance question for you is whether your organization sells or shares personal information. This latter inquiry, although extremely important, can be difficult to answer. 

States with comprehensive privacy legislation impose a host of additional obligations on entities that sell or share personal information. These include notifying individuals that their information may be sold to others or shared for targeted advertising purposes, informing individuals that they have the right to opt out of such selling or sharing, and establishing a user-friendly mechanism for individuals to do so. Such notices are required to be communicated via your organization’s privacy policy.


In addition to notification and opt-out rights, 10 states with comprehensive privacy regimes currently require, or will require (in 2025), organizations to recognize and process opt-out preference signals (OOPS) sent by the browsers of individuals visiting their websites. Compliance with OOPS mandates can be a challenging technological undertaking, and ambiguities in applicable legal requirements are being discovered. For example, it is currently unclear which signals must be recognized in each state. It is also unclear whether a browser’s opt-out signal should be processed solely for that individual’s website visit or whether your organization is also required to process the opt-out signal for all other information on file for that consumer. Although guidance has been provided in California and Colorado, where OOPS laws are already in effect, there are many traps for the unwary, and a careful eye is needed as more guidance unfolds. 
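As an added illustration (not from the article or its author), the following Node.js sketch shows what "recognizing and processing" a browser opt-out signal can look like on the server, and makes the article's scoping question explicit: the signal is honored for the visit only, or also written to the consumer record on file. It assumes the Global Privacy Control (GPC) signal, which browsers send as the `Sec-GPC: 1` request header (and expose to page scripts as `navigator.globalPrivacyControl`), and a constructed in-memory consumer store; the signal names that apply in any given state remain a legal question the code does not answer.

```javascript
// Added example: honoring a browser opt-out preference signal server-side.
// Assumes the Global Privacy Control header "Sec-GPC: 1" and a constructed
// in-memory consumer store (consumerId -> record); nothing here is real data.

const consumers = new Map();
consumers.set("c-1001", { email: "user@example.invalid", optedOutOfSale: false });

// GPC is sent as the header "Sec-GPC" with the value "1" when the user opts out.
// Header names are compared case-insensitively; we expect a lower-cased map,
// which is how Node's http module presents request headers.
function gpcSignalPresent(headers) {
  const v = headers["sec-gpc"];
  return typeof v === "string" && v.trim() === "1";
}

// Apply the signal to a request.
//   scope "visit":    honour the opt-out for this session only.
//   scope "consumer": additionally persist it on the consumer's record when
//                     the visitor is known (the broader reading in the article).
function applyOptOutSignal(headers, session, scope, consumerId) {
  const signal = gpcSignalPresent(headers);
  const result = { signal, sellOrShareAllowed: !signal, recordUpdated: false };
  if (signal) {
    session.optedOut = true;
    if (scope === "consumer" && consumerId && consumers.has(consumerId)) {
      consumers.get(consumerId).optedOutOfSale = true;
      result.recordUpdated = true;
    }
  }
  return result;
}

// Gate that the tag manager / ad pixel loader should consult before firing
// anything that sells or shares data: the session and the stored record both win.
function mayLoadAdvertisingTags(session, consumerId) {
  if (session.optedOut) return false;
  const rec = consumerId ? consumers.get(consumerId) : undefined;
  return !(rec && rec.optedOutOfSale);
}
```

Under the "visit" scope a later session for the same consumer starts with tags allowed again; under the "consumer" scope the stored record keeps the opt-out until the consumer changes it.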

Failing to comply carries significant consequences. Although California is currently the only state that affords a private right of action under its privacy regime, other states have empowered their Attorneys General to police enforcement and impose appropriate fines under the respective state’s unfair trade practices statutes. Further, the Federal Trade Commission has been increasingly vigilant in applying federal unfair trade practice laws to website operators that fail to comply with consumer privacy requirements. Fines in either case can be significant per violation, making this a top compliance priority. 


Compliance executives, privacy officers, and corporate counsel can find it challenging to navigate the vast array of mechanisms and processes used to collect personal information. What is done with that information after collection is an equally complicated, if not more complicated, inquiry. Identifying who is ultimately responsible for understanding this highly regulated area can save time and effort.

Accountability for monitoring the collection and distribution of personal information tends to be shared across organizational leadership, meaning blind spots often abound. Chief information security officers and privacy officers typically have a good understanding of the general processing activities that take place within their organization and are a great place to start when seeking a clear picture of information collection. But these teams rarely have a complete understanding of information that may be automatically collected (namely, through website tracking devices and cookies). This understanding is necessary to ensure full compliance. 


Many organizations entrust their public-facing websites to a corporate marketing team. Although some corporate marketing teams publish and maintain websites internally, it is becoming more common that such activities are outsourced to third-party vendors that develop, host, and maintain these websites. These vendors -- particularly developers -- are likely the best resources for information on what personal information is automatically collected through a website and how that information is used. If neither your marketing department nor developer can provide a detailed overview of the tracking technologies used on a website and the purpose for such data collection, then you should dig deeper, and engage in a detailed review of website cookies and other tracking technologies. 

It’s worth noting that virtually every public-facing website has some collection technology that captures personal information. A recent estimate from W3Techs.com determined that approximately 84% of all websites employ Google Analytics or similar tools. Sometimes this happens without anyone knowing, such as when website templates containing such mechanisms are redeployed from client to client.   

Given new state privacy regimes, it is critical for organizations to conduct periodic audits of website tracking devices. With the help of your marketing team and website developer, you can hopefully itemize the various cookies, pixels, and other tracking devices being employed, the types of personal information being collected and what is being done with that information. Only then can you begin to understand, based upon applicable law, what you need to do to achieve compliance with a regulatory landscape that continues to evolve at a breakneck pace.  
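As an added example (not code from the article or its author), the following Node.js script shows the first pass of such an audit: given a page's HTML and the Set-Cookie headers its server returned, it itemizes third-party script hosts, 1x1 tracking pixels, and cookies that persist beyond the session. The page, hostnames, and cookie names are constructed placeholders, not findings about any real site.

```javascript
// Added example: first-pass inventory of tracking technologies on one page.
// SAMPLE_HTML and SAMPLE_SET_COOKIE are constructed inputs; hosts are placeholders.
const SITE_HOST = "www.example.invalid";
const SAMPLE_HTML = `<html><head>
<script src="/assets/app.js"></script>
<script src="https://analytics.vendor-a.invalid/tag.js"></script>
<script async src="https://ads.vendor-b.invalid/pixel.js"></script>
</head><body>
<img src="https://ads.vendor-b.invalid/px?id=123" width="1" height="1" style="display:none">
<img src="/images/logo.png" width="200" height="80">
</body></html>`;
const SAMPLE_SET_COOKIE = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_va=9f8e7d; Path=/; Max-Age=63072000; Domain=.example.invalid",
];
// Resolve a src to its host; relative URLs resolve to the site's own host.
function hostOf(src) {
  try { return new URL(src, `https://${SITE_HOST}/`).hostname; } catch { return null; }
}
// Find <tag ... src="..."> elements. A regex is adequate for a first pass;
// a production audit should parse the real DOM (e.g. from a crawler).
function extractTags(html, tag) {
  const re = new RegExp(`<${tag}\\b[^>]*\\bsrc=["']([^"']+)["'][^>]*>`, "gi");
  return Array.from(html.matchAll(re), (m) => ({ src: m[1], raw: m[0] }));
}
// Cookie name, whether it outlives the session, and its lifetime in days.
function parseSetCookie(line) {
  const parts = line.split(";").map((s) => s.trim());
  const attrs = parts.slice(1).map((a) => a.toLowerCase());
  const maxAge = attrs.find((a) => a.startsWith("max-age="));
  const persistent = Boolean(maxAge || attrs.some((a) => a.startsWith("expires=")));
  const lifetimeDays = maxAge ? Number(maxAge.slice("max-age=".length)) / 86400 : null;
  return { name: parts[0].split("=")[0], persistent, lifetimeDays };
}
// Build the inventory a privacy officer can review with marketing and the developer.
function inventory(html, setCookieLines) {
  const scriptHosts = extractTags(html, "script").map((t) => hostOf(t.src));
  const isPixel = (t) => /\bwidth=["']?1(?!\d)/i.test(t.raw) && /\bheight=["']?1(?!\d)/i.test(t.raw);
  const pixelHosts = extractTags(html, "img").filter(isPixel).map((t) => hostOf(t.src));
  const cookies = setCookieLines.map(parseSetCookie);
  return {
    thirdPartyScriptHosts: [...new Set(scriptHosts.filter((h) => h && h !== SITE_HOST))],
    pixelHosts: [...new Set(pixelHosts)],
    cookies,
    persistentCookies: cookies.filter((c) => c.persistent).map((c) => c.name),
  };
}
```

Each host and persistent cookie in the output is a question to put to the team that placed it: what personal information it collects and whether that use amounts to selling or sharing under the laws that apply.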

About the Author

Mark J. Stuhlmiller

Counsel, Harter Secrest & Emery, LLP

Mark J. Stuhlmiller, CIPP/US, CIPM is counsel in the Privacy & Data Security practice at Harter Secrest & Emery LLP, a full-service business law firm with offices across New York. He is a certified Privacy Professional with over 20 years’ experience establishing and expanding the sophistication of organizations’ privacy and security offices. A former General Counsel, Stuhlmiller served for many years as Chief Privacy Officer and legal counsel to international privacy offices. He currently collaborates with clients on state, federal, and international compliance objectives.
