Could Your Cookie and Tracking Settings Spark a CCPA Lawsuit? What FIs Need to Know.


Note: This article includes insights from Director of Digital Services Crystal Steinbach, VP - Risk and Compliance Rhonda Handy, Compliance Specialist Heather Stahl and Content Manager Ryan Pleggenkuhle. 

Recently, banks and credit unions have been targets of lawsuits alleging violations of various California privacy laws regarding the use of website cookies and tracking pixels.

Does your institution have proper safeguards in place?

The Issue

There has been a surge of lawsuits (primarily by California law firms) against financial institutions over the last few months, from large national banks to smaller community banks and credit unions. The suits allege violations of a combination of California privacy laws, primarily the California Consumer Privacy Act (CCPA), involving data collection and tracking. 

Key Detail

These California privacy laws apply to any California resident who visits or browses your website!  

Examples of California residents’ rights under these laws:

  • To know what data is collected
  • To request that their information be deleted
  • To opt out of the sharing (selling) of their personal information, or to be provided a link to “Do Not Sell or Share My Personal Information”

Some of the lawsuit claims include that websites: 

  • Didn’t disclose tracking technologies in the privacy policy
  • Didn’t honor opt-out requests
  • Shared data improperly
  • Are illegally eavesdropping using tools like chatbots and analytics

What Do Financial Regulators Expect?

  • Clear disclosures regarding your cookies
  • Transparency about your tracking technologies
  • That your cookies and tracking practices align with your Online Privacy Policy

4 Recommendations for Your FI

  1. Meet with the people responsible for cookies and tracking at your FI.
    • Learn more about what your FI is using.
    • Are they clearly and transparently disclosed in your Privacy Policy?
    • Do you have a consent and preference banner — or an opt-out/Do Not Sell or Share link? Be sure they are working as they are supposed to.
    • Are you aligned with the California Privacy Acts and your state requirements?
  2. Create an Internet Privacy Policy that covers your website, online and mobile banking.
    • We recommend you create a policy that addresses cookies and is transparent about your tracking technologies.
  3. Audit your Internet Privacy Policy periodically.
    • Ensure it’s current and your privacy practices align with what is really happening.
    • Typically, this audit should be done:
      • At least annually
      • After a website change
      • When new vendors are involved
    • Keep thorough records of consent or opt-outs and document your compliance actions.
  4. Ensure your agreements with third-party service providers and vendors are up to date.
    • And make sure they comply with the CCPA.

How Mills Can Help

Our Digital Team can perform a website audit to assess your cookie and tracking technologies and advise accordingly. If you're unsure what tracking technology may be on your site, let's connect.
