Last updated on 01 November 2022 by Stephen Titcombe (Legal writer at TermsFeed)
The California Consumer Privacy Act (CCPA) regulates how companies collect and handle numerous forms of personal information, and cookies are no exception.
With the privacy concerns surrounding cookies, it's no surprise that modern laws provide specific requirements to help companies uphold fair and transparent cookie practices.
Cookies are small data files stored in a user's internet browser by the websites they visit. As an integral component of the modern internet, cookies are used by virtually every website to carry out a wide range of functions.
While some cookies are essential to a website's operation, others may be used for tracking, marketing, and analytical purposes.
Naturally, such information is susceptible to data breaches and theft, at which point privacy laws become involved. Regulations like the GDPR and EU Cookies Directive are especially known for their strict requirements when it comes to cookie compliance.
To better understand the privacy implications of using cookies, we need to address two major cookie categories.
In terms of their provenance, cookies can be classified into first-party and third-party cookies. Let's see how they compare.
First-party cookies are stored on a user's internet device by the website they visit directly. These cookies are not particularly intrusive by nature. They merely allow the website owner to collect basic information about users and their devices, typically for analytical purposes. No one other than the website owner or operator can access this information.
Ultimately, websites use first-party cookies to enhance the overall browsing experience of users.
Third-party cookies are stored on a user's internet device by external services incorporated into the website they visit. In other words, cookies from an analytics provider or payment platform integrated into the website a user visits are third-party cookies.
These cookies are considered a threat to privacy because they disclose users' data to external services and are typically used to track users' activities across the internet. Consequently, top companies like Google have begun to phase them out.
Now that we're clear about what cookies are and how they work, let's examine the CCPA and its take on cookies.
The California Consumer Privacy Act or CCPA is a groundbreaking privacy law enacted to strengthen privacy rights and data protection for California residents. Approved by California's Governor in June 2018, the CCPA took effect on January 1, 2020.
The CCPA grants consumers (i.e., California residents) the following rights over their personal information:
For more information about CCPA rights, check out our article Consumer Rights Under the CCPA.
Despite being a state-level law, the CCPA is extraterritorial and, therefore, applicable beyond California and even the United States. Essentially, any entity anywhere in the world that falls under the CCPA's definition of a "business" must comply with its provisions.
The CCPA defines a "business" as any legal entity that:
Satisfies at least one of the following thresholds:
To explore this further, here's how the CCPA defines personal information in Section 1798.140 (o)(1):
As you can see, the CCPA provides several examples of personal information, notably including unique personal identifiers.
When we look more closely at how the CCPA defines "unique personal identifier," we can see cookies and similar technologies explicitly cited as unique identifiers in Section 1798.140 (x):
As you can see, cookies are considered personal information for the CCPA's purposes.
In short, using third-party cookies does qualify as selling personal information.
The legal implications of using third-party cookies have caused quite a controversy among privacy experts over the years. However, this issue has been put to rest thanks to a recent enforcement action taken by the California Attorney General (AG) against a beauty products retailer (Sephora).
The Sephora case reveals the ongoing efforts by the AG to enforce the CCPA right to opt out of the sale of personal information. The AG notably labels sharing of data through third-party cookies for targeted advertising as a "sale" of personal information.
Essentially, the AG requires applicable businesses to:
The GPC tool lets consumers opt out of data collection on the browser level rather than having to click individual businesses' opt-out buttons.
According to the AG:
"Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale. I hope today's settlement sends a strong message to businesses that are still failing to comply with California's consumer privacy law. My office is watching, and we will hold you accountable. It's been more than two years since the CCPA went into effect, and businesses' right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."
To get additional context, it's essential to explain the CCPA's meaning of a "sale."
According to the CCPA, a "sale" means:
"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
Simply put, you are conducting a sale if you disclose a consumer's personal information to a third party (in this case, through cookies) for money or any other benefit.
For more information, check out our article: CCPA: What Constitutes a "Sale" of Personal Information.
There are certain exceptions to the definition of sale. Let's take a look.
The CCPA identifies three instances wherein your use of third-party cookies may not constitute "selling" personal information.
They are as follows:
Consumer Direction: A sale has not occurred if the consumer tells you to intentionally disclose their personal information to a third party. In the context of cookies, this refers to a form of opt-in consent (i.e., getting user consent before activating cookies).
Opt-in consent is not mandatory under the CCPA. However, if you obtain opt-in consent from a consumer before enabling cookies, you will not be deemed to be selling that consumer's personal information.
Service Provider: Finally, if you disclose a consumer's personal information to a "service provider," you have not sold personal information.
A service provider is a legal entity that processes personal information on behalf of a business. The service provider must be bound by a contract with the business.
For more information, see our article: The Complete Guide to CCPA Service Providers.
Now that we understand the privacy implications of using cookies, let's check out the requirements and best practices for CCPA cookies compliance.
The CCPA is not as strict as the GDPR when it comes to cookie compliance for businesses. This is mainly because the CCPA uses an opt-out consent model.
In other words, you can store cookies on a consumer's device without their consent once they visit your website. However, you must provide a way for consumers to opt out of the sale of personal information collected through cookies.
The only exception to the CCPA opt-out requirement is "strictly necessary cookies" since your website can't function without them.
Note that you need explicit consent before selling the personal information of children aged 13-16 and parental consent for children under 13. In the context of cookies, this means you need to get opt-in consent before using third-party cookies for minors.
Importantly, you must let consumers know what categories of cookies you use on your website. You can do this by conducting a comprehensive cookies audit.
Finally, you must provide a detailed explanation of your cookie practices in your website policies.
How can you comply with these requirements? Let's find out.
In any case, a CCPA-compliant Cookies Policy must address the following:
Alternatively, Amazon provides a separate webpage to address its practices regarding cookies:
While you have a few options for how you disclose your cookies usage, make sure to always be transparent and accurate with your disclosure, and update the information as needed.
The "Do Not Sell My Personal Information" requirement entails setting up a page that addresses consumers' right to opt out of the sale of personal information and provides simple instructions to help them exercise this right.
Best Buy, on the other hand, places this link in its website footer section:
When consumers click the link, they are directed to a webpage that explains how they can opt out of the sale of personal information as well as what happens when they do:
In addition to your "Do Not Sell My Personal Information" page, you'll need at least one designated means for consumers to submit opt-out requests. A commonly used opt-out mechanism is the cookie consent banner.
Since the CCPA accepts opt-out consent, you can load cookies automatically on consumers' devices when they visit your website.
Note that your cookie consent banner must disclose this practice and include an "I decline" button or a link to your settings/preference center for consumers to opt out. You must also provide a link to your Privacy/Cookies Policy.
Recall that you must obtain opt-in consent before selling children's personal information. This means you cannot automatically load third-party cookies for minors. They must click an "I accept" button before you are allowed to place cookies on their devices.
That said, you may be better off implementing the opt-in consent model for all consumers to err on the side of caution.
This model also puts you under the "consumer direction" exemption, thereby ensuring you don't accidentally sell personal information through third-party cookies.
Here's an example of opt-in consent from EY:
Finally, in light of enforcement actions taken by the California AG, you must honor consumer opt-out signals sent through user-enabled Global Privacy Controls (GPC).
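Here is how the rules above (opt-out model for adults, opt-in for under-16s, strictly necessary cookies always allowed, GPC honored as an opt-out) can be applied to a single request on the server side. This is an added example, not code from the article or from TermsFeed; the `Sec-GPC: 1` request header is the signal defined by the Global Privacy Control specification, while the consent-cookie name `ccpa_consent` and the `is_minor` flag are assumptions made for illustration.

```python
"""Server-side CCPA cookie decision helper (added example, not from the article)."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Mapping

# Assumed name of the first-party cookie that records the banner choice.
# Values: "accepted", "declined", or absent when the consumer has not chosen.
CONSENT_COOKIE = "ccpa_consent"


@dataclass(frozen=True)
class CookieDecision:
    strictly_necessary: bool   # always True: the site cannot work without these
    third_party: bool          # whether advertising/analytics tags may be loaded
    reason: str


def parse_cookie_header(raw: str) -> dict:
    """Turn a raw `Cookie:` request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(raw)
    return {name: morsel.value for name, morsel in jar.items()}


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True when the browser sent `Sec-GPC: 1` (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def decide(headers: Mapping[str, str], cookies: Mapping[str, str],
           is_minor: bool = False) -> CookieDecision:
    consent = cookies.get(CONSENT_COOKIE)
    # Any opt-out signal blocks third-party cookies. GPC is checked before an
    # "accepted" banner value so a browser-level opt-out is never ignored.
    if consent == "declined":
        return CookieDecision(True, False, "banner opt-out")
    if gpc_opt_out(headers):
        return CookieDecision(True, False, "GPC opt-out signal honored")
    if is_minor:
        # Under-16s: third-party cookies only after an explicit opt-in.
        if consent == "accepted":
            return CookieDecision(True, True, "minor opted in")
        return CookieDecision(True, False, "minor without opt-in")
    # Adults follow the CCPA opt-out model: load until the consumer declines.
    return CookieDecision(True, True, "adult, no opt-out received")
```

A request handler would call `decide(request.headers, parse_cookie_header(request.headers.get("Cookie", "")), is_minor=...)` and load advertising tags only when `third_party` is true.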
A "Notice at Collection" is one of the CCPA's four notices that businesses must present before or when collecting consumers' personal information (including via cookies).
This notice must include the following:
Here's how AGCO presents this notice:
Cookies are an essential instrument for modern businesses. They perform various critical functions to help websites and apps serve users better. However, some cookies are intrusive and may present threats to user privacy.
The CCPA brings cookies under its definition of personal information, thereby requiring businesses to evaluate their cookie implementation to ensure fair and transparent practices.
Since using third-party cookies does qualify as "selling" personal information, companies must take additional steps to ensure compliance in this regard, as ignorance is not an excuse.
To recap, if the CCPA applies to your business, you need to take the following steps to ensure cookie compliance:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.