Online Tracking, Cookies, and US Privacy Law
Online tracking technologies — including cookies, pixels, fingerprinting scripts, and session replay tools — sit at the intersection of commercial data collection and an expanding framework of US privacy regulation. Federal and state laws impose different obligations depending on the technology used, the data collected, and the jurisdiction of the affected user. The Privacy Providers network catalogs professional service providers operating in this sector. How these technologies are classified legally determines which compliance obligations apply and which enforcement bodies hold jurisdiction.
Definition and scope
Online tracking refers to the automated collection of data about a user's behavior, identity, or device as that user interacts with digital services. Cookies are the most widely recognized mechanism: small text files stored in a browser that persist session state, authentication tokens, or behavioral identifiers. The Federal Trade Commission (FTC) treats persistent tracking cookies used for advertising profiling as data collection subject to its unfair or deceptive practices authority under Section 5 of the FTC Act (15 U.S.C. § 45).
The scope of US tracking law is not uniform. At the federal level, the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501–6506) restricts tracking children under 13 and requires verifiable parental consent before collecting any personal data. The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), extends rights specifically to "cross-context behavioral advertising" — a statutory phrase that encompasses third-party cookie networks used for retargeting.
At least 13 US states had enacted comprehensive consumer privacy laws with specific provisions covering online tracking and targeted advertising opt-out rights as of the 2023–2024 legislative cycle (IAPP State Privacy Legislation Tracker). These include Virginia's Consumer Data Protection Act (VCDPA), Colorado's Privacy Act (CPA), and Connecticut's Data Privacy Act (CTDPA).
How it works
Online tracking operates through a layered technical stack, with legal obligations attaching at each layer:
- First-party cookies — Set directly by the domain a user visits. Used for authentication, shopping cart persistence, and analytics. Generally considered lower-risk under US state frameworks but still subject to disclosure requirements.
- Third-party cookies — Set by external domains embedded in a page (ad networks, analytics providers). The primary mechanism for cross-site behavioral profiling. CCPA/CPRA treats sharing data via these cookies as a "sale" or "share" of personal information if used for cross-context behavioral advertising.
- Pixel tags and web beacons — Single-pixel images embedded in pages or emails that trigger HTTP requests to third-party servers, transmitting IP address, timestamp, and referrer data. The FTC has cited pixel deployments in enforcement actions involving health data.
- Device fingerprinting — Collects browser attributes (screen resolution, installed fonts, user-agent string) to construct a persistent identifier without storing data on the device. Harder to block than cookies; treated as a unique identifier under CCPA (California Civil Code § 1798.140).
- Session replay scripts — Record mouse movements, keystrokes, and scroll behavior. The California Attorney General and state health regulators have investigated session replay tools on medical provider websites as potential HIPAA-adjacent disclosures.
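The first-party/third-party and pixel-tag distinctions drawn in the list above, applied to a page's resource inventory: an added example, not code from this page or from the network it describes. The registrable-domain check approximates eTLD+1 with the last two hostname labels, and the identifier-parameter list and sample inventory are constructed; all three are assumptions.

```javascript
// Added example, not from the page: classify a page's loaded resources by party
// and tracking mechanism. Assumptions: registrable domain is approximated by the
// last two hostname labels (a real audit would use the Public Suffix List); the
// identifier parameter list and the sample inventory are constructed.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Query-string keys that commonly carry per-user identifiers (constructed heuristic).
const ID_PARAMS = new Set(["uid", "cid", "fbp", "_ga", "user_id"]);

// One resource: { url, type, width?, height?, setCookie? } as a crawler or HAR export would give.
function classifyResource(pageUrl, res) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const url = new URL(res.url);
  const party = registrableDomain(url.hostname) === pageDomain ? "first-party" : "third-party";

  // A 1x1 image fetched from another server is the classic pixel tag / web beacon.
  const isPixel = res.type === "image" && res.width === 1 && res.height === 1;
  const setsCookie = typeof res.setCookie === "string" && res.setCookie.length > 0;
  const mechanism = isPixel ? "pixel-tag" : setsCookie ? `${party}-cookie` : "script-or-request";
  const transmitsIdentifier = [...url.searchParams.keys()].some((k) => ID_PARAMS.has(k));

  const flags = [];
  if (party === "third-party" && (transmitsIdentifier || setsCookie))
    flags.push("identifier leaves first-party domain: review as CPRA sale/share");
  if (party === "third-party" && isPixel)
    flags.push("pixel transmits IP, timestamp and referrer to external server");
  return { url: res.url, party, mechanism, setsCookie, transmitsIdentifier, flags };
}

function auditPage(pageUrl, resources) {
  return resources.map((r) => classifyResource(pageUrl, r));
}

// Constructed inventory for a hypothetical clinic site (not a real domain).
const SAMPLE_PAGE = "https://www.clinic-example.org/appointments/oncology";
const SAMPLE_RESOURCES = [
  { url: "https://www.clinic-example.org/js/app.js", type: "script" },
  { url: "https://static.clinic-example.org/session", type: "xhr", setCookie: "sid=abc; Path=/" },
  { url: "https://px.adnetwork-example.com/t.gif?uid=9f3&ev=view", type: "image", width: 1, height: 1 },
  { url: "https://cdn.analytics-example.net/collect?_ga=GA1.2.555", type: "xhr", setCookie: "_ga=GA1.2.555" },
];

for (const r of auditPage(SAMPLE_PAGE, SAMPLE_RESOURCES)) console.log(r);
```

Any flagged entry is a starting point for the sale/share analysis described below, not a legal conclusion on its own.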
The privacy-provider network-purpose-and-scope reference describes how service providers in this sector are classified and verified within this network.
Common scenarios
Healthcare websites and pixel disclosures — Hospital and telehealth websites embedding Meta Pixel or Google Analytics tags triggered regulatory scrutiny beginning in 2022, when the HHS Office for Civil Rights (OCR) issued a bulletin clarifying that IP addresses combined with health-related URL paths could constitute Protected Health Information (PHI) under HIPAA (45 CFR Parts 160 and 164).
E-commerce retargeting — Retailers using third-party ad networks to serve ads based on browsing history are engaged in "sharing" personal information under CPRA, triggering the requirement to honor Global Privacy Control (GPC) signals as a valid opt-out. California AG enforcement guidance confirmed GPC compliance as mandatory, not optional.
SaaS analytics platforms — Business-to-business platforms that deploy session analytics on behalf of enterprise clients create controller–processor relationships. Under Virginia's VCDPA and Colorado's CPA, the enterprise remains the data controller and bears primary compliance responsibility even when the tracking script is operated by a vendor.
Decision boundaries
The operative legal question in most US tracking scenarios is whether the technology collects "personal information" or "personal data" as defined under applicable statute — and whether the collection constitutes a "sale," "share," or "targeted advertising" activity.
First-party vs. third-party distinction — First-party analytics (server logs, first-party cookies scoped to a single domain) generally fall outside CCPA's sale definition if no data is transmitted to external parties. Third-party scripts that transmit identifiers externally cross into sale/share territory under CPRA even without monetary exchange.
Consent vs. opt-out frameworks — COPPA requires affirmative prior consent for users under 13. All current US state privacy laws use an opt-out model for adults, not an opt-in consent requirement — a structural contrast with the EU's GDPR Article 6 lawful basis framework. This distinction determines whether cookie banners must block tracking until affirmative consent or merely disclose and offer an opt-out mechanism.
Sensitive data categories — Health, financial, precise geolocation, and biometric data trigger heightened requirements under state laws. Colorado's CPA and Connecticut's CTDPA both require opt-in consent before processing sensitive data, including precise geolocation derived from tracking scripts. For a broader overview of how professionals navigate these distinctions, the how-to-use-this-privacy-resource reference outlines how this provider network is structured for service seekers and researchers.
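The GPC handling from the e-commerce scenario and the decision boundaries above, as an added example that is not the page's or the network's own code: a server-side gate deciding whether a tracking tag may load for a given request. Assumptions: the request context and tag descriptors are constructed objects; the Sec-GPC request header is honored for users in every state as a conservative policy choice, whereas the text documents the California mandate; only Colorado and Connecticut are modelled as opt-in states for sensitive data, because those are the ones the text names.

```javascript
// Added example, not from the page: server-side gate deciding whether a tracking
// tag may be loaded for a request. Assumptions: ctx and tag are constructed
// descriptors; Sec-GPC is honored in every state (conservative choice; the text
// documents the California mandate); only CO and CT are modelled as opt-in
// states for sensitive data, because those are the ones the text names.
const OPT_IN_SENSITIVE_STATES = new Set(["CO", "CT"]);
const SENSITIVE = new Set(["health", "financial", "precise-geolocation", "biometric"]);

// Header names are case-insensitive; the GPC spec sends "Sec-GPC: 1".
function gpcSignalled(headers) {
  const hit = Object.entries(headers || {}).find(([k]) => k.toLowerCase() === "sec-gpc");
  return hit !== undefined && String(hit[1]).trim() === "1";
}

// ctx: { headers, state, under13, parentalConsent, sensitiveConsent }
// tag: { party, purpose, transmitsExternally, dataCategory }
function tagDecision(ctx, tag) {
  // COPPA: verifiable parental consent before collecting any personal data from under-13s.
  if (ctx.under13 && !ctx.parentalConsent)
    return { allow: false, basis: "COPPA: no verifiable parental consent" };

  // CO and CT require opt-in consent before processing sensitive data.
  if (SENSITIVE.has(tag.dataCategory) && OPT_IN_SENSITIVE_STATES.has(ctx.state) && !ctx.sensitiveConsent)
    return { allow: false, basis: `${ctx.state}: opt-in consent required for ${tag.dataCategory}` };

  // First-party data that never leaves the operator falls outside the sale/share definition.
  if (tag.party === "first-party" && !tag.transmitsExternally)
    return { allow: true, basis: "first-party, no external transmission; disclosure still required" };

  // External transmission for cross-context behavioral advertising is a sale/share,
  // and a GPC signal is a valid opt-out that must be honored.
  const isShare = tag.transmitsExternally && tag.purpose === "cross-context-behavioral-advertising";
  if (isShare && gpcSignalled(ctx.headers))
    return { allow: false, basis: "GPC signal honored as opt-out of sale/share" };

  // Default adult model under current state laws: opt-out, so allowed with disclosure.
  return {
    allow: true,
    basis: isShare ? "sale/share permitted under opt-out model; disclose and offer opt-out" : "permitted with disclosure",
  };
}

// Constructed tag descriptors for illustration.
const RETARGETING_PIXEL = { party: "third-party", purpose: "cross-context-behavioral-advertising", transmitsExternally: true, dataCategory: "browsing" };
const GEO_SCRIPT = { party: "third-party", purpose: "analytics", transmitsExternally: true, dataCategory: "precise-geolocation" };
const LOGIN_COOKIE = { party: "first-party", purpose: "authentication", transmitsExternally: false, dataCategory: "session" };

console.log(tagDecision({ headers: { "Sec-GPC": "1" }, state: "CA", under13: false }, RETARGETING_PIXEL));
console.log(tagDecision({ headers: {}, state: "CO", under13: false, sensitiveConsent: false }, GEO_SCRIPT));
console.log(tagDecision({ headers: {}, state: "CO", under13: false }, LOGIN_COOKIE));
```

The same decision can be mirrored client-side by reading `navigator.globalPrivacyControl` before injecting a tag, but the server-side check is the one that cannot be bypassed by a script that loads anyway.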