Question: I have seen internet cookie consent banners on bank websites recently that require me to consent to the collection and sharing of my personal data. Is there an Indiana law that requires these banners?

Answer: No, there is no Indiana law that explicitly requires cookie consent banners on websites. This contrasts with certain laws in European countries that explicitly require consumer consent before using cookies that are not strictly necessary for a website to function properly.

However, recent class action lawsuits have alleged novel theories of liability under various existing laws where websites do not obtain consumers’ informed consent prior to deploying cookies or other tracking technologies (e.g., pixels, web beacons, session replay tools).

Many banks use the services of technology companies like Google to track and record customer interactions with their website. This tracking technology helps gain insights into how visitors navigate their websites, enhance user experiences, optimize site performance and improve customer service. Other technology companies that banks engage, such as Meta, offer behavioral advertising capabilities that display targeted advertisements to individuals based on their browsing history and interests. For example, when a consumer visits a car dealership website that has the Meta Pixel installed, they may subsequently see advertisements for that dealership on Facebook. Additionally, they may encounter advertisements from other companies offering related products, such as car loans.

Although tracking technologies offer benefits, they have led to several class action lawsuits in recent years alleging violations of privacy or consumer protection laws. Originally, these lawsuits were aimed at healthcare companies alleging sharing sensitive medical information with tracking technology companies in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Recently, plaintiffs’ attorneys have begun to adapt these cases to target financial institutions, including TD Bank,¹ Barclays Bank² and Capital One Bank.³ Furthermore, a recent class action lawsuit against an Indiana-based credit union⁴ underscores the potential risks associated with the use of tracking technologies on financial institution websites.

Plaintiffs allege that organizations embed technology in their websites to unlawfully track them, collect their data and transmit to third parties. These cases include state law claims of negligence, breach of contract, unjust enrichment and violations of privacy and wiretap laws. These cases can also include claims based on various federal laws, such as the Gramm-Leach-Bliley Act, Electronic Communications Privacy Act, Section 5 of the Federal Trade Commission Act, and the Computer Fraud and Abuse Act. The plaintiffs contend that even without a private right of action in laws such as the GLBA and FTC Act, violating the law supports a state law claim of negligence per se.

Although these lawsuits are based on novel claims, having a robust disclosure and consent process can help defend against potential legal actions. Third-party cookie banner and consent management tools can be installed on websites to provide necessary disclosures about tracking and data collection and to obtain consumer consent. Additionally, these tools can communicate consumer consent preferences to third parties and vendors that use tracking technology on websites.