The US data privacy legal landscape is a patchwork of federal and state laws. At the federal level, data privacy laws vary by business sector. For example, the federal Gramm-Leach-Bliley Act regulates data collection and use by financial institutions and the Health Insurance Portability and Accountability Act governs collection and disclosure of protected health information. No federal law provides comprehensive protection for our personal information (“PI”).
Since 2018, when the EU’s General Data Protection Regulation (“GDPR”) took effect, twenty-four states have considered data privacy laws, with new laws enacted in California, Maine, Vermont, and Nevada. Regardless of where you are physically based, if you “do business” in the EU or in any US state that regulates business collection and use of personal information, you are subject to that jurisdiction’s law.
Any legal analysis begins with understanding two highly variable terms:
Given the fragmented legal backdrop, this blog post will focus on the California Consumer Privacy Act (“CCPA”), which defines PI broadly enough to include identifiers such as the IP address of the device a Californian used to access your website. Given the CCPA’s broad definition of PI, Piggyback Tags are almost certainly collecting PI from your site’s visitors.
Similarly, the CCPA’s definition of “sale” is also very broad and includes any form of disclosure in exchange for money or “other valuable consideration.” So, if a tag discloses PI to a Piggyback Tag, it is almost certainly a sale under the CCPA. However, the CCPA also has something of a “safe harbor” for disclosures of PI if they are consistent with all other provisions of the CCPA and:
Before you draw comfort from the safe harbor exceptions, consider other provisions of the CCPA and the unauthorized nature of Piggyback Tags.
The CCPA’s safe harbor exceptions cover topics such as intentional interaction by your users, disclosed vendors, prohibition of the sale of data, and data breaches. Here is why Piggyback Tags are likely to violate these exceptions:
Breaches are interesting because there are multiple courses of action that can be taken in the event of a breach. While the California Attorney General enforces the law, individual Californians also have a private right of action for breaches. Piggyback Tags on your website open the door not only to enforcement actions by California’s AG, but also to consumer lawsuits.
If you are affected by the CCPA, you have likely already taken steps to ensure that users have an effective means of opting into or out of the different services provided by vendors on your website, from analytics data collection to cookies and ad targeting. However, opting out of known services does nothing for Piggyback Tags, which load without your knowledge or the user’s, which is why you should vet your vendors as well.
Vetting your vendors is essential, and includes obtaining a list of additional services used by that vendor and vetting each code source to ensure compliance with privacy laws. Malicious attacks can still occur, however, and controlling the content that is allowed to load on your site is another step in protecting yourself from violations of privacy and security law.
The final part of this series will cover blocking any unwanted content from loading on your site, including malicious content and Piggyback Tags.