CCPA and Cookies

Last updated on 01 November 2022 by Stephen Titcombe (Legal writer at TermsFeed)

The California Consumer Privacy Act (CCPA) regulates how companies collect and handle numerous forms of personal information, and cookies are no exception.

With the privacy concerns surrounding cookies, it's no surprise that modern laws provide specific requirements to help companies uphold fair and transparent cookie practices.

This article will briefly clarify what cookies are and how they work. We'll then discuss the privacy implications and CCPA requirements for businesses that use cookies, as well as best practices for ensuring compliance.

What are Cookies?

Cookies are small data files stored in a user's internet browser by the websites they visit. As an integral component of the modern internet, cookies are used by virtually every website to carry out a wide range of functions.

While some cookies are essential to a website's operation, others may be used for tracking, marketing, and analytical purposes.

Websites generally use cookies to perform the following tasks:

  • Identify users through a unique ID
  • Keep users signed in to a website
  • Recall information to help enhance users' browsing experience (e.g., login credentials, shopping cart inventory, etc.)
  • Track browsing activities and preferences for advertising purposes (e.g., behavioral profiling and retargeting)
  • Improve a website's overall performance

Although cookies aren't harmful to users or devices, they do pose a risk to data privacy. This is because cookies can gather personal information by observing users and their habits.

Naturally, such information is susceptible to data breaches and theft, at which point privacy laws become involved. Regulations like the GDPR and EU Cookies Directive are especially known for their strict requirements when it comes to cookie compliance.

To better understand the privacy implications of using cookies, we need to address two major cookie categories.

First-party Cookies vs. Third-party Cookies

In terms of their provenance, cookies can be classified into first-party and third-party cookies. Let's see how they compare.

First-party cookies

First-party cookies are stored on a user's device by the website they visit directly. These cookies are not particularly intrusive by nature. They merely allow the website owner to collect basic information about users and their devices, typically for analytical purposes. No one other than the website owner or operator can access this information.

Ultimately, websites use first-party cookies to enhance the overall browsing experience of users.

Third-party cookies

Third-party cookies are stored on a user's device by external services incorporated into the website they visit. In other words, cookies from an analytics provider or payment platform integrated into the website a user visits are third-party cookies.

These cookies are considered a threat to privacy because they disclose users' data to external services and are typically used to track users' activities across the internet. Consequently, major companies like Google have begun to phase them out.

Now that we're clear about what cookies are and how they work, let's examine the CCPA and its take on cookies.

The CCPA: A Summary

The California Consumer Privacy Act or CCPA is a groundbreaking privacy law enacted to strengthen privacy rights and data protection for California residents. Approved by California's Governor in June 2018, the CCPA took effect on January 1, 2020.

The CCPA grants consumers (i.e., California residents) the following rights over their personal information:

  • The right to know
  • The right to access
  • The right to request deletion
  • The right to opt out
  • The right to opt in (for minors)
  • The right to non-discrimination

For more information about CCPA rights, check out our article Consumer Rights Under the CCPA.

Despite being a state-level law, the CCPA is extraterritorial and, therefore, applicable beyond California and even the United States. Essentially, any entity anywhere in the world that falls under the CCPA's definition of a "business" must comply with its provisions.

Definition of "Business"

The CCPA defines a "business" as any legal entity that:

  1. Pursues a profit
  2. Operates in California
  3. Decides why and how to process consumers' personal information, and
  4. Satisfies at least one of the following thresholds:

    • Its annual gross revenue exceeds $25 million
    • It annually buys, sells, receives, or shares the personal information of at least 50,000 consumers, households, or devices
    • It makes at least 50% of its annual revenue by selling consumers' personal information

Are Cookies Personal Information Under the CCPA?

Yes, the CCPA brings cookies and similar identifiers under its definition of "personal information." This is because businesses can use cookies and similar identifiers to recognize a consumer or a device linked to that consumer.

To explore this further, here's how the CCPA defines personal information in Section 1798.140 (o)(1):

California Legislative Information: CCPA Section 1798.140 - Definition of Personal Information

As you can see, the CCPA provides several examples of personal information, notably including unique personal identifiers.

When we look more closely at how the CCPA defines "unique personal identifier," we can see cookies and similar technologies explicitly cited as unique identifiers in Section 1798.140 (x):

California Legislative Information: CCPA Section 1798.140 - Definition of Unique Identifier

As you can see, cookies are considered personal information for the CCPA's purposes.

Does Using Third-Party Cookies Count as Selling Personal Information Under the CCPA?

In short, using third-party cookies does qualify as selling personal information.

The legal implications of using third-party cookies have caused quite a controversy among privacy experts over the years. However, this issue has been put to rest thanks to a recent enforcement action taken by the California Attorney General (AG) against a beauty products retailer (Sephora).

The Sephora case reveals the ongoing efforts by the AG to enforce the CCPA right to opt out of the sale of personal information. The AG notably labels sharing of data through third-party cookies for targeted advertising as a "sale" of personal information.

Essentially, the AG requires applicable businesses to:

  • Describe their use of third-party cookies for targeted advertising as a "sale," and
  • Honor consumer opt-out requests, including requests sent through the Global Privacy Control (GPC) tool.

The GPC tool lets consumers opt out of data collection on the browser level rather than having to click individual businesses' opt-out buttons.

According to the AG:

"Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale. I hope today's settlement sends a strong message to businesses that are still failing to comply with California's consumer privacy law. My office is watching, and we will hold you accountable. It's been more than two years since the CCPA went into effect, and businesses' right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."

To get additional context, it's essential to explain the CCPA's meaning of a "sale."

Definition of a "Sale"

According to the CCPA, a "sale" means:

"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

Simply put, you are conducting a sale if you disclose a consumer's personal information to a third party (in this case, through cookies) for money or any other benefit.

For more information, check out our article: CCPA: What Constitutes a "Sale" of Personal Information.

There are certain exceptions to the definition of sale. Let's take a look.

Exceptions to the Definition of Sale

The CCPA identifies three instances wherein your use of third-party cookies may not constitute "selling" personal information.

They are as follows:

  • Consumer Direction: A sale has not occurred if the consumer tells you to intentionally disclose their personal information to a third party. In the context of cookies, this refers to a form of opt-in consent (i.e., getting user consent before activating cookies).

    Opt-in consent is not mandatory under the CCPA. However, if you obtain opt-in consent from a consumer before enabling cookies, you will not be deemed to be selling that consumer's personal information.

  • Third-party Notification: If you share the personal information of a consumer who has opted out of a sale to alert the third party of this opt-out, then you have not conducted a sale under the CCPA.
  • Service Provider: Finally, if you disclose a consumer's personal information to a "service provider," you have not sold personal information.

    A service provider is a legal entity that processes personal information on behalf of a business. The service provider must be bound by a contract with the business.

    For more information, see our article: The Complete Guide to CCPA Service Providers.

Now that we understand the privacy implications of using cookies, let's check out the requirements and best practices for CCPA cookies compliance.

CCPA Requirements for Businesses That Use Cookies

The CCPA is not as strict as the GDPR when it comes to cookie compliance for businesses. This is mainly because the CCPA uses an opt-out consent model.

In other words, you can store cookies on a consumer's device without their consent once they visit your website. However, you must provide a way for consumers to opt out of the sale of personal information collected through cookies.

The only exception to the CCPA opt-out requirement is "strictly necessary cookies" since your website can't function without them.

Note that you need explicit consent before selling the personal information of children aged 13-16 and parental consent for children under 13. In the context of cookies, this means you need to get opt-in consent before using third-party cookies for minors.

Importantly, you must let consumers know what categories of cookies you use on your website. You can do this by conducting a comprehensive cookies audit.

Finally, you must provide a detailed explanation of your cookie practices in your website policies.

How can you comply with these requirements? Let's find out.

Best Practices for CCPA Cookies Compliance

If your website or app uses cookies and is subject to the CCPA, here are significant steps you must take to comply with the requirements.

To comply with the CCPA cookie requirements, you must prominently disclose key details about your use of cookies to consumers.

Providing cookie information in your Privacy Policy is considered compliant under the CCPA. However, setting up a Cookies Policy on a separate webpage is also valid and may help you give a more comprehensive account of your practices.

In any case, a CCPA-compliant Cookies Policy must address the following:

  • The categories of cookies you use on your website
  • A detailed account of how you use cookies
  • The personal information these cookies collect
  • How users can decline or opt out of cookies
  • The third-party cookies on your website and their purposes

For example, here's how Apple explains its use of cookies and similar technologies within its Privacy Policy:

Apple Privacy Policy: Cookies and Other Technologies clause excerpt

Alternatively, Amazon provides a separate webpage to address its practices regarding cookies:

Amazon Help: Cookies page

While you have a few options for how you disclose your cookies usage, make sure to always be transparent and accurate with your disclosure, and update the information as needed.

Provide a "Do Not Sell My Personal Information" Page

A feature that distinguishes the CCPA from comparable privacy laws is the "Do Not Sell My Personal Information" page requirement. If you sell personal information through your use of cookies, you must observe this requirement.

It entails setting up a page that addresses consumers' right to opt out of the sale of personal information and providing simple instructions to help exercise this right.

After doing this, you must set up a link to this page reading "Do Not Sell My Personal Information" and place this link in prominent areas of your website or app (e.g., your website footer and Privacy Policy).

Here's how Coca-Cola includes this link in its Privacy Policy:

Coca-Cola Privacy Policy: Your Choices and Access Rights clause with Do Not Sell My Personal Information link highlighted

Best Buy, on the other hand, places this link in its website footer section:

Best Buy website footer with Do Not Sell My Personal Information link highlighted

When consumers click the link, they are directed to a webpage that explains how they can opt out of the sale of personal information as well as what happens when they do:

Best Buy Do Not Sell My Personal Information page: How to Opt Out section

Set Up a Way for Consumers to Submit Opt-Out Requests

In addition to your "Do Not Sell My Personal Information" page, you'll need at least one designated means for consumers to submit opt-out requests. A commonly used opt-out mechanism is the cookie consent banner.

Since the CCPA accepts opt-out consent, you can load cookies automatically on consumers' devices when they visit your website.

Note that your cookie consent banner must disclose this practice and include an "I decline" button or a link to your settings/preference center for consumers to opt out. You must also provide a link to your Privacy/Cookies Policy.

For example, Deloitte's cookie banner states that cookies are loaded automatically and includes links to its Cookie Policy and cookie settings:

Deloitte Cookie Consent Banner with Cookie Policy and Cookie Settings highlighted

Recall that you must obtain opt-in consent before selling children's personal information. This means you cannot automatically load third-party cookies for minors. They must click an "I accept" button before you are allowed to place cookies on their devices.

That said, you may be better off implementing the opt-in consent model for all consumers to err on the side of caution.

This model also puts you under the "consumer direction" exemption, thereby ensuring you don't accidentally sell personal information through third-party cookies.

Here's an example of opt-in consent from EY:

EY Cookie Consent Banner

Finally, in light of enforcement actions taken by the California AG, you must honor consumer opt-out signals sent through user-enabled Global Privacy Controls (GPC).
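The consent-banner models described above (opt-out by default, opt-in for minors or for everyone) and the GPC requirement both come down to one decision a site has to make before setting a cookie: is this category permitted for this consumer right now? The block below is an added example written for this article, not code from TermsFeed or from any of the companies pictured. It assumes a constructed cookie inventory, a first-party consent cookie named `ccpa_consent` written by the banner, and the function names shown; the only real-world identifiers it relies on are the GPC signal itself, exposed in browsers as `navigator.globalPrivacyControl` and sent to servers as the `Sec-GPC: 1` request header. GPC is treated as equivalent to clicking "I decline", the conservative reading of the AG's position.

```javascript
// Added example (not from the TermsFeed article): a consent gate that decides
// which cookie categories a page may set under the CCPA opt-out model, the
// opt-in model, and the Global Privacy Control (GPC) signal.
// The cookie names, the "ccpa_consent" cookie and the function names below are
// assumptions made for this example.

// Constructed sample cookie inventory, grouped by category. "necessary" is the
// strictly necessary set that is exempt from the opt-out requirement.
const COOKIE_INVENTORY = {
  necessary: ['session_id', 'csrf_token'],
  analytics: ['site_analytics_id'],
  advertising: ['ad_retarget_id'], // third-party targeted-advertising cookie
};

// Detects the GPC signal. In the browser the user-enabled signal is exposed as
// navigator.globalPrivacyControl === true; on the server it arrives as the
// request header "Sec-GPC: 1". Both inputs are parameters so the logic can be
// exercised outside a browser.
function gpcEnabled({ nav, headers } = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  if (headers) {
    const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
    if (raw !== undefined && String(raw).trim() === '1') return true;
  }
  return false;
}

// Returns the categories that may be set right now.
//   mode:    'opt-out' (the CCPA default: load, then let the user opt out) or
//            'opt-in'  (wait for an explicit "I accept"; the safer model)
//   consent: the banner's stored choice: 'accepted', 'declined' or null (none yet)
//   minor:   true when the consumer is known to be under 16, which forces opt-in
//   gpc:     true when the GPC signal is present; treated as an opt-out request,
//            the same as clicking "I decline" (a design choice for this example)
function allowedCategories({ mode = 'opt-out', consent = null, minor = false, gpc = false } = {}) {
  const effectiveMode = minor ? 'opt-in' : mode;
  let mayShare;
  if (gpc || consent === 'declined') {
    mayShare = false;
  } else if (consent === 'accepted') {
    mayShare = true;
  } else {
    // No choice recorded yet: opt-out loads everything, opt-in loads only necessary cookies.
    mayShare = effectiveMode === 'opt-out';
  }
  return mayShare ? Object.keys(COOKIE_INVENTORY) : ['necessary'];
}

// Filters the cookie names a page wants to set down to the permitted ones.
// Names missing from the inventory have not been audited and categorised, so
// they are dropped rather than set.
function permittedCookies(requested, categories) {
  const allowedNames = new Set(categories.flatMap((c) => COOKIE_INVENTORY[c] ?? []));
  return requested.filter((name) => allowedNames.has(name));
}

// Parses the first-party consent cookie written by the banner from a Cookie
// header or document.cookie string. Returns 'accepted', 'declined' or null.
function readConsent(cookieString) {
  const match = /(?:^|;\s*)ccpa_consent=(accepted|declined)(?:;|$)/.exec(cookieString ?? '');
  return match ? match[1] : null;
}

// Server-side entry point: given the request headers and the cookies a handler
// wants to set, return the ones it may actually set.
function decideForRequest(headers, requested, opts = {}) {
  const categories = allowedCategories({
    ...opts,
    consent: readConsent(headers.cookie),
    gpc: gpcEnabled({ headers }),
  });
  return permittedCookies(requested, categories);
}

// Stand-alone usage on a constructed request carrying the GPC header.
console.log(decideForRequest(
  { 'sec-gpc': '1', cookie: 'session_id=abc' },
  ['session_id', 'ad_retarget_id'],
));
// prints [ 'session_id' ]: the GPC signal suppresses the advertising cookie
```

In a browser the same gate runs before any third-party tag is injected: call `gpcEnabled({ nav: navigator })` and `readConsent(document.cookie)`, and only load the advertising script when `'advertising'` is in the returned categories. The inventory doubles as the record of the cookie audit the article asks for, which is why an uncategorised cookie is refused rather than silently set.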

Provide a Notice at Collection

A "Notice at Collection" is one of the CCPA's four notices that businesses must present before or when collecting consumers' personal information (including via cookies).

You may wish to insert this notice into a section of your Privacy Policy or host it on a separate webpage.

This notice must include the following:

  • The types of personal information you collect from consumers
  • Your commercial purposes for collecting it
  • A link to your "Do Not Sell My Personal Information" page
  • A link to your Privacy Policy

Here's how AGCO presents this notice:

AGCO CCPA Notice at Collection

Summary

Cookies are an essential instrument for modern businesses. They perform various critical functions to help websites and apps serve users better. However, some cookies are intrusive and may present threats to user privacy.

The CCPA brings cookies under its definition of personal information, thereby requiring businesses to evaluate their cookie implementation to ensure fair and transparent practices.

Since using third-party cookies does qualify as "selling" personal information, companies must take additional steps to ensure compliance in this regard, as ignorance is not an excuse.

To recap, if the CCPA applies to your business, you need to take the following steps to ensure cookie compliance:

  • Disclose your cookie practices in your Privacy Policy and/or Cookies Policy
  • Provide a "Do Not Sell My Personal Information" page and include links in prominent areas of your website or app
  • Provide a way for consumers to submit opt-out requests and honor GPC opt-out signals
  • Include a "Notice at Collection" in your Privacy Policy or host it on a separate webpage

Stephen Titcombe

Legal writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.