The California Consumer Privacy Act (CCPA), as amended by the CPRA, regulates how companies collect and handle numerous forms of personal information, and cookies are no exception.

With the privacy concerns surrounding cookies, it's no surprise that modern laws provide specific requirements to help companies uphold fair and transparent cookie practices.

This article will briefly clarify what cookies are and how they work. We'll then discuss the privacy implications and CCPA (CPRA) requirements for businesses that use cookies, as well as best practices for ensuring compliance.

What are Cookies?

Cookies are small data files stored in a user's internet browser by the websites they visit. As an integral component of the modern internet, cookies are used by virtually every website to carry out a wide range of functions.

While some cookies are essential to a website's operation, others may be used for tracking, marketing, and analytical purposes.

As the most commonly used method of gathering user data, cookies are employed by virtually every website to carry out a ton of different operations.

Websites generally use cookies to streamline users' browsing experiences by recalling details like language settings, login details, and shopping cart items (in the case of an ecommerce store).

However, certain cookie categories (such as third-party cookies) can be used to track users all over the web and build detailed profiles of their preferences for marketing purposes.

Websites generally use cookies to perform the following tasks:

  • Identify users through a unique ID
  • Keep users signed in to a website
  • Recall information to help enhance users' browsing experience (e.g., login credentials, shopping cart inventory, etc.)
  • Track browsing activities and preferences for advertising purposes (e.g., behavioral profiling and retargeting)
  • Improve a website's overall performance

Although cookies aren't harmful to users or devices, they are a vulnerability to data privacy. This is because cookies can sometimes gather personal information by observing users and their habits.

Because this tracking may intrude on users' privacy and such information is susceptible to data breaches and theft, cookies and similar technologies are heavily regulated by data protection laws like the GDPR and the EU Cookies Directive.

To better understand the privacy implications of using cookies, we need to address two major cookie categories.

First-party Cookies vs. Third-party Cookies

In terms of their provenance, cookies can be classified into first-party and third-party cookies. Let's see how they compare.

  • First-party cookies are created and stored on users' devices by the websites they interact with directly. Only the website owner can access the data collected by these cookies.
  • Third-party cookies are created and placed on a user's device by domains other than the one a user interacts with directly. As such, the data collected by these cookies are available to external services or agencies.

First-party cookies

As noted above, first-party cookies are stored on a user's internet device by the website they visit directly. These cookies are not particularly intrusive by nature. They merely allow the website owner to collect basic information about users and their devices, typically for analytical purposes. No one other than the website owner or operator can access this information.

Ultimately, websites use first-party cookies to enhance the overall browsing experience of users.

Third-party cookies

Third-party cookies are stored on a user's internet device by external services incorporated into the website they visit. In other words, cookies from an analytics provider or payment platform integrated into the website a user visits are third-party cookies.

These cookies are considered a deterrent to privacy because they disclose users' data to external services and are typically used to track users' activities all over the internet. Consequently, top companies like Google have begun to phase them out.

Now that we're clear about what cookies are and how they work, let's examine the CCPA and its take on cookies.

Definition of "Business"

The CCPA (CPRA) defines a "business" as any legal entity that:

  1. Pursues a profit
  2. Operates in California
  3. Decides why and how to process consumers' personal information, and
  4. Satisfies at least one of the following thresholds

    • Its annual gross revenue exceeds $25 million
    • It annually buys, sells, receives, or shares the personal information of at least 100,000 consumers, households, or devices
    • It makes at least 50% of its annual revenue by selling or sharing consumers' personal information

To get additional context, it's essential to explain the CCPA/CPRA's meaning of a "sale."

Definition of a "Sale"

According to the CCPA (CPRA), a "sale" means:

"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

Simply put, you are conducting a sale if you disclose a consumer's personal information to a third party (in this case, through cookies) for money or any other benefit.

For more information, check out our article: CCPA: What Constitutes a "Sale" of Personal Information.

There are certain exceptions to the definition of sale. Let's take a look.

Exceptions to the Definition of Sale

Exceptions to the Definition of Sale

The CCPA (CPRA) identifies a number of instances wherein your use of third-party cookies may not constitute "selling" personal information.

They are as follows:

  • Consumer Direction: A sale has not occurred if the consumer tells you to intentionally disclose their personal information to a third party. In the context of cookies, this refers to a form of opt-in consent (i.e., getting user consent before activating cookies).

    Opt-in consent is not mandatory under the CCPA (CPRA). However, if you obtain opt-in consent from a consumer before enabling cookies, you will not be deemed to be selling that consumer's personal information.

  • Third-party Notification: If you share the personal information of a consumer who has opted out of a sale to alert the third party of this opt-out, then you have not conducted a sale under the CCPA (CPRA).

  • Service Provider: Finally, if you disclose a consumer's personal information to a "service provider," you have not sold personal information.

    A service provider is a legal entity that processes personal information on behalf of a business. The service provider must be bound by a contract with the business. However, the service provider must obtain consent before collecting, using or sharing personal information.

    For more information, see our article: The Complete Guide to CCPA Service Providers.

Now that we understand the privacy implications of using cookies, let's check out the requirements and best practices for CCPA (CPRA) cookies compliance.

Note that the CPRA amendment defines consent as follows:

"any freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer or the consumer's legal guardian signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose."

We recommend using a clickwrap method here to ensure that your users have read and authorized your cookie practices.

CCPA (CPRA) Requirements for Businesses That Use Cookies

CCPA Requirements for Businesses That Use Cookies

The CCPA (CPRA) is not as strict as the GDPR when it comes to cookie compliance for businesses. This is mainly because the CCPA (CPRA) uses an opt-out consent model.

In other words, you can store cookies on a consumer's device without their consent once they visit your website. However, you must provide a way for consumers to opt out of the sale of personal information collected through cookies.

The only exception to the CCPA (CPRA) opt-out requirement is "strictly necessary cookies" since your website can't function without them.

Note that you need explicit consent before selling the personal information of children aged 13-16 and parental consent for children under 13. In the context of cookies, this means you need to get opt-in consent before using third-party cookies for minors.

Importantly, you must let consumers know what categories of cookies you use on your website. You can do this by conducting a comprehensive cookies audit.

Finally, you must provide a detailed explanation of your cookie practices in your website policies.

The CCPA (CPRA) brings cookies and similar identifiers under its definition of "personal information." This is because businesses can use cookies and similar identifiers to recognize a consumer or a device linked to that consumer.

When we look more closely at how the CCPA (CPRA) defines "unique personal identifier," we can see cookies and similar technologies explicitly cited as unique identifiers in Section 1798.140 (aj):

California Legislative Information: CPRA Section 1798 140 aj - Definition of Unique Identifier and Unique personal identifier

Since cookies can be used (in conjunction with other identifiers) to recognize a consumer or a household, they fall under this definition.

Moreover, the CPRA clearly classifies cookies as a "Unique Personal Identifier" in Section 1798.140. (aj):

California Legislative Information: CPRA Section 1798 140 aj - Definition of Unique Identifier and Unique personal identifier

As you can see, cookies are considered personal information for the CCPA/CPRA's purposes.


Cookies are an essential instrument for modern businesses. They perform various critical functions to help websites and apps serve users better. However, some cookies are intrusive and may present threats to user privacy.

The CCPA (CPRA) brings cookies under its definition of personal information, thereby requiring businesses to evaluate their cookie implementation to ensure fair and transparent practices.

Since using third-party cookies does qualify as "selling" personal information, companies must take additional steps to ensure compliance in this regard, as ignorance is not an excuse.

To recap, if the CCPA (CPRA)applies to your business, you need to take the following steps to ensure cookie compliance:

  • Disclose your cookie practices in your Privacy Policy and/or Cookies Policy
  • Provide a "Do Not Sell My Personal Information" page and include links in prominent areas of your website or app
  • Provide a way for consumers to submit opt-out requests and honor GPC opt-out signals
  • Include a "Notice at Collection" in your Privacy Policy or host it on a separate webpage