New lawsuits that were recently filed in California echo some of the “cookie” conversations my colleagues and I have been having with online merchants and retail clients.

The fact patterns tend to be similar to each other. Here are some things to note:

  • Mind your service providers: Payment processors may process the information collected through the merchant website for more than just facilitating the specific transaction.
  • Such additional uses are not necessarily expected by consumers. And consumers may be unaware that a third party is involved in the payment processing. Consumer expectation is front and center for the Federal Trade Commission. (These types of uses also might constitute a sale under U..S privacy laws)
  • The lawsuits raise the issue of using info for fraud purposes under the “unexpected by consumer” prong. (This is something to watch since there is a fraud exception under U.S. state privacy laws, though its breadth has yet to be tested.)
  • As the FTC has been saying, it all needs to start with understanding what your service providers do with your data. It is important to be transparent about data uses and get consent when necessary.