The California Consumer Privacy Act (CCPA), as amended by the CPRA, regulates how companies collect and handle numerous forms of personal information, and cookies are no exception.

With the privacy concerns surrounding cookies, it's no surprise that modern laws provide specific requirements to help companies uphold fair and transparent cookie practices.

This article will briefly clarify what cookies are and how they work. We'll then discuss the privacy implications and CCPA (CPRA) requirements for businesses that use cookies, as well as best practices for ensuring compliance.

What are Cookies?

Cookies are small data files stored in a user's internet browser by the websites they visit. As an integral component of the modern internet, cookies are used by virtually every website to carry out a wide range of functions.

While some cookies are essential to a website's operation, others may be used for tracking, marketing, and analytical purposes.

As the most commonly used method of gathering user data, cookies support a wide variety of site operations, from session handling to analytics.

Websites generally use cookies to streamline users' browsing experiences by recalling details like language settings, login details, and shopping cart items (in the case of an ecommerce store).

However, certain cookie categories (such as third-party cookies) can be used to track users all over the web and build detailed profiles of their preferences for marketing purposes.

Websites generally use cookies to perform the following tasks:

  • Identify users through a unique ID
  • Keep users signed in to a website
  • Recall information to help enhance users' browsing experience (e.g., login credentials, shopping cart inventory, etc.)
  • Track browsing activities and preferences for advertising purposes (e.g., behavioral profiling and retargeting)
  • Improve a website's overall performance

Although cookies aren't harmful to users or devices in themselves, they pose a risk to data privacy. This is because cookies can gather personal information by observing users and their habits.

Because this tracking may intrude on users' privacy and such information is susceptible to data breaches and theft, cookies and similar technologies are heavily regulated by data protection laws like the GDPR and the EU Cookies Directive.

To better understand the privacy implications of using cookies, we need to address two major cookie categories.

First-party Cookies vs. Third-party Cookies

In terms of their provenance, cookies can be classified into first-party and third-party cookies. Let's see how they compare.

  • First-party cookies are created and stored on users' devices by the websites they interact with directly. Only the website owner can access the data collected by these cookies.
  • Third-party cookies are created and placed on a user's device by domains other than the one a user interacts with directly. As such, the data collected by these cookies are available to external services or agencies.

First-party cookies

As noted above, first-party cookies are stored on a user's device by the website they visit directly. These cookies are not particularly intrusive by nature. They merely allow the website owner to collect basic information about users and their devices, typically for analytical purposes. No one other than the website owner or operator can access this information.

Ultimately, websites use first-party cookies to enhance the overall browsing experience of users.

Now that we're clear about what cookies are and how they work, let's examine the CCPA and its take on cookies.

To get additional context, it's essential to explain the CCPA/CPRA's meaning of a "sale."

Now that we understand the privacy implications of using cookies, let's check out the requirements and best practices for CCPA (CPRA) cookies compliance.

Note that the CPRA amendment defines consent as follows:

"any freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer or the consumer's legal guardian signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose."

We recommend using a clickwrap method here to ensure that your users have read and authorized your cookie practices.

CCPA (CPRA) Requirements for Businesses That Use Cookies

When we look more closely at how the CCPA (CPRA) defines "unique personal identifier," we can see cookies and similar technologies explicitly cited as unique identifiers in Section 1798.140(aj):

[Screenshot: California Legislative Information, CPRA Section 1798.140(aj) - Definition of "Unique identifier" and "Unique personal identifier"]

Since cookies can be used (in conjunction with other identifiers) to recognize a consumer or a household, they fall under this definition.

As you can see, cookies are considered personal information for the CCPA/CPRA's purposes.

Summary

Cookies are an essential instrument for modern businesses. They perform various critical functions to help websites and apps serve users better. However, some cookies are intrusive and may present threats to user privacy.

The CCPA (CPRA) brings cookies under its definition of personal information, thereby requiring businesses to evaluate their cookie implementation to ensure fair and transparent practices.

Since using third-party cookies does qualify as "selling" personal information, companies must take additional steps to ensure compliance in this regard, as ignorance is not an excuse.

To recap, if the CCPA (CPRA) applies to your business, you need to take the following steps to ensure cookie compliance:

  • Disclose your cookie practices in your Privacy Policy and/or Cookies Policy
  • Provide a "Do Not Sell My Personal Information" page and include links in prominent areas of your website or app
  • Provide a way for consumers to submit opt-out requests and honor GPC opt-out signals
  • Include a "Notice at Collection" in your Privacy Policy or host it on a separate webpage