As cookies become more widely used, their privacy risks become more evident. To help businesses adopt open and ethical cookie practices, privacy regulations worldwide, including California's comprehensive California Privacy Rights Act (CPRA), provide specific guidance.

In this article, we'll discuss cookies and their privacy implications, the CPRA's position on cookies, and the steps businesses must take to stay on the right side of the law when it comes to cookie compliance.



Cookies: An Overview

Cookies are small text records that a website stores in the browser on a user's computer or mobile device. They typically hold basic information about the user's browsing session and activity, but they can also store, or act as the key to, a wide range of personal information.

As the most common method of gathering user data, cookies are employed by virtually every website for a wide range of functions.

To fully grasp the privacy implications of using cookies, it's important to address two major cookie categories: first-party and third-party cookies.

  • First-party cookies are set by the domain of the website the user is visiting directly, and the browser returns them only to that domain. Note, however, that any third-party script the site embeds runs in the first-party context and can read first-party cookies that are not marked HttpOnly, so "only the website owner can access the data" holds only if the site controls what it embeds.
  • Third-party cookies are set by a domain other than the one the user is visiting directly (for example, an ad network whose pixel the page loads). The data they collect is available to that external service, which can recognize the same browser on every site that embeds it.

Websites generally use cookies to streamline users' browsing experiences by recalling details like language settings, login details, and shopping cart items (in the case of an ecommerce store).

However, certain cookie categories (such as third-party cookies) can be used to track users all over the web and build detailed profiles of their preferences for marketing purposes.

Because this tracking may intrude on users' privacy, cookies and similar technologies are heavily regulated by data protection laws like the GDPR, the EU ePrivacy Directive (often called the "Cookie Law"), and the CCPA.

What is the California Privacy Rights Act (CPRA)?

The CPRA is an amendment to the CCPA. Approved on November 3, 2020, the CPRA substantially modifies and improves upon the CCPA's provisions, bringing it a few steps closer to the GDPR.

The CPRA also addresses key areas of digital privacy unexplored by the CCPA, including dark patterns, behavioral advertising, and profiling. As a result, the CPRA is informally referred to as "CCPA 2.0."

The amendments became fully operative on January 1, 2023.

The CPRA expands several privacy rights already established in the CCPA and grants California residents additional rights over their personal information.

These rights are as follows:

  • The right to correct outdated or inaccurate personal information
  • The right to access information about and opt out of automated decision-making technology
  • The right to limit the use and disclosure of sensitive personal information (e.g., identification numbers, financial details, racial or ethnic origins, biometric data, sexual orientation, etc.)

What's more, the CPRA establishes the California Privacy Protection Agency (CPPA) to oversee data protection standards and enforce California's consumer privacy laws.

Finally, the CPRA updates the CCPA's definition of a business, thereby amending its scope of coverage. Let's take a look.

What is a "Business"?

According to the CPRA, a "business" is any for-profit entity that:

  1. Does business in California
  2. Decides the purposes and means of processing consumers' personal information, and
  3. Meets one or more of the following criteria:

    • Has an annual gross revenue exceeding $25 million in the preceding calendar year
    • Buys, sells, or shares the personal information of at least 100,000 consumers or households each year, or
    • Derives at least 50% of annual revenue from selling or sharing consumers' personal information

Now that we have a basic understanding of cookies and the CPRA, let's answer a few common questions about the CPRA's treatment of cookies.

Frequently Asked Questions about Cookies and the CPRA

To clear up confusion about the privacy implications of using cookies under the CPRA's jurisdiction, consider the following questions.

Are Cookies Personal Information Under the CPRA?

The CPRA amendments consider cookies and similar technologies as personal information.

To provide some context, the CPRA defines personal information as:

"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Since cookies can be used (in conjunction with other identifiers) to recognize a consumer or a household, they fall under this definition.

Moreover, the CPRA expressly lists cookies among the examples of a "unique personal identifier" in Section 1798.140(aj):

California Legislative Information: CPRA Section 1798 140 aj - Definition of Unique Identifier and Unique personal identifier

Does the CPRA Require Consent to Use Cookies?

No, the CPRA does not require businesses to get consent before using cookies. The CPRA remains consistent with the CCPA in this regard by adopting an opt-out model rather than an opt-in one.

In other words, you can automatically set cookies on your users' devices without their consent once they visit your website. However, you must notify users of this practice and give them a simple way to opt out of selling or sharing their data within the context of cookies.

It's important to note that consent is necessary in some situations, most notably before you sell or share the personal information of a consumer you know to be under 16.

This means that before you sell or share their personal information (including through third-party cookies), you must obtain affirmative opt-in consent from consumers aged 13 to 15, and from a parent or guardian for children under 13.

Note that the CPRA defines consent as:

"any freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer or the consumer's legal guardian signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose."

We recommend using a clickwrap method here to ensure that your users have read and authorized your cookie practices.

What Does the CPRA Say about Third-party Cookies and "Sale"?

The CPRA brings an end to a long-standing debate about whether using third-party cookies constitutes a "sale" of personal information.

A sale occurs when you disclose a consumer's personal information to a third party for money or other valuable consideration.

Given the CCPA's ambiguous term, "valuable consideration," it's no surprise that businesses have struggled to determine if their use of third-party cookies can be flagged as a "sale."

The CPRA resolves this issue by simply introducing the term "sharing."

Sharing occurs when you disclose a consumer's personal information to a third party for cross-context behavioral advertising, whether or not for money or other valuable consideration.

Note that the standard CCPA exceptions (for example, disclosures to a service provider or contractor acting under contract) apply to the definition of "sharing" under Section 1798.140(ah)(2):

California Legislative Information: CPRA Section 1798.140(ah)(2) - Exceptions to the definition of sharing

Now, while the CCPA grants consumers the right to opt out of the "sale" of their personal information, the CPRA extends this right to include the "sharing" of personal information and sensitive personal information.

In other words, if you disclose a consumer's personal or sensitive personal information to a third party (other than a service provider or contractor acting under contract), you must provide a way for the consumer to opt out.

Because the definition of "sharing" turns on cross-context behavioral advertising, using third-party advertising or tracking cookies means you are selling or sharing data, unless one of the above exceptions applies.

In any case, you must observe the CPRA's additional obligations for businesses that sell or share personal information (which we'll cover in the next section).

Now, let's go over what the CPRA requires if you use cookies, including if you sell or share personal information through third-party cookies.

Requirements and Best Practices for CPRA Cookies Compliance

Businesses that use cookies on their websites or apps are subject to a number of requirements under the CPRA amendments. The regulation also outlines additional obligations for companies that sell or share personal information, including through third-party cookies.

Here are some significant steps to take if you fall under either or both of these categories.

Provide Cookie Information in Your Privacy Policy and/or Cookies Policy

The CPRA is a strong advocate of transparency. Accordingly, the law requires you (as a website owner) to give consumers a detailed account of your cookie practices.

Like with the CCPA, you can either address cookie information in a section of your Privacy Policy or on a separate webpage in your Cookies Policy. It's simply a matter of preference.

In practice, you will need to audit your site's cookies periodically to identify which domains set them and to categorize each cookie correctly; the policy can only be accurate if the inventory behind it is.

Your compliant Cookies Policy must address the following:

  • The categories of cookies you use on your website and their purposes
  • The types of personal or sensitive information these cookies collect, and their purposes
  • Cookie expiration dates
  • How consumers can exercise their right to opt out of cookies
  • The third parties with whom you sell or share personal information and the reasons for such
  • Information about children's right to opt in

For example, Nike presents information about cookies and similar technologies within a section in its Privacy Policy:

Nike Privacy Policy: Cookies and Pixel Tags clause

Notably, Nike doesn't cover all of the essential details listed above. However, the CPRA's criteria can be met by merely updating this clause to reflect the necessary information.
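The cookie audit behind the policy can be scripted. The block below is an added example, not code from the article or from any vendor: it takes Set-Cookie headers captured during a page load (the capture is constructed and the hostnames are placeholders), parses each cookie, classifies it as first- or third-party by comparing its effective domain with the site's own, and records its lifetime and security attributes, which is the raw material for the "categories", "expiration" and "third parties" items of the policy. The registrable-domain check is a deliberate simplification (last two labels); a real audit should use the Public Suffix List.

```javascript
// Added example: build a cookie inventory from Set-Cookie headers captured during a
// page load (for instance exported from a HAR file). The capture is constructed and
// the hostnames are placeholders.

const SITE = "www.example-shop.com";

// Constructed capture: [URL of the response that set the cookie, Set-Cookie header value]
const CAPTURED = [
  ["https://www.example-shop.com/", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["https://www.example-shop.com/cart", "cart=sku9_sku12; Path=/; Max-Age=604800; Secure; SameSite=Lax"],
  ["https://www.example-shop.com/", "lang=en-US; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT"],
  ["https://ads.example-adnetwork.net/pixel.gif", "uid=7f3c9a; Domain=.example-adnetwork.net; Path=/; Max-Age=31536000; Secure; SameSite=None"],
  ["https://cdn.example-analytics.io/collect", "_vid=GS1.1; Domain=example-analytics.io; Path=/; Max-Age=63072000; Secure; SameSite=None"],
];

// Registrable domain, simplified to the last two labels. A real audit should use the
// Public Suffix List; otherwise "shop.co.uk" and "bank.co.uk" would look like one site.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  return labels.slice(-2).join(".");
}

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days: Max-Age wins over Expires (RFC 6265); neither means a session cookie.
function lifetime(attrs, now = Date.now()) {
  if (attrs["max-age"] !== undefined) {
    return { persistent: true, days: Math.round(Number(attrs["max-age"]) / 86400) };
  }
  if (attrs.expires !== undefined) {
    return { persistent: true, days: Math.round((Date.parse(attrs.expires) - now) / 86400000) };
  }
  return { persistent: false, days: 0 };
}

// One inventory row: who sets the cookie, whether it is first- or third-party relative
// to the audited site, how long it lives and which protective attributes it carries.
function auditCookie(responseUrl, header, site = SITE) {
  const c = parseSetCookie(header);
  // The Domain attribute, if present, decides which hosts receive the cookie; otherwise the response host does.
  const host = String(c.attributes.domain || new URL(responseUrl).hostname).replace(/^\./, "");
  const party = registrableDomain(host) === registrableDomain(site) ? "first-party" : "third-party";
  return {
    name: c.name,
    domain: host,
    party,
    ...lifetime(c.attributes),
    secure: c.attributes.secure === true,
    httpOnly: c.attributes.httponly === true,
    sameSite: c.attributes.samesite === undefined ? "unspecified" : String(c.attributes.samesite),
  };
}

function buildInventory(captured = CAPTURED, site = SITE) {
  return captured.map(([url, header]) => auditCookie(url, header, site));
}

// Distinct third-party domains: the list the policy's "third parties" section must cover.
function thirdPartyDomains(inventory) {
  const domains = inventory.filter(c => c.party === "third-party").map(c => registrableDomain(c.domain));
  return [...new Set(domains)];
}

// Stand-alone run
console.table(buildInventory());
console.log("third parties:", thirdPartyDomains(buildInventory()));
```

Run it against a real capture by replacing CAPTURED with the Set-Cookie headers from your browser's network export; the two third-party rows are the ones that trigger the "sale or share" obligations discussed in the next section, and their SameSite=None attribute is the tell-tale sign of a cookie designed to be read across sites.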

Observe CPRA Guidelines for Limiting the Sale, Sharing, and Use of Personal and Sensitive Information

As previously mentioned, the CPRA broadens the scope of the CCPA's opt-out provision by adding the word "sharing."

Effectively, if you either sell or share personal information (including through third-party cookies), you must set up a page explaining how consumers can exercise their right to opt out.

In addition, you must provide a link to this page titled, "Do Not Sell or Share My Personal Information," and place this link in conspicuous locations around your website (such as your footer section and Privacy Policy).

Here's how Victoria's Secret provides this link in its footer section:

Victoria's Secret website footer with Do Not Sell or Share My Personal Information link highlighted

Once users click the link, Victoria's Secret directs them to a page explaining how it collects data through cookies and how users can adjust their preferences or opt out of selling or sharing of personal information within the context of cookies:

Victoria's Secret Do Not Sell or Share My Personal Information page - Cookie Preferences clause

Keep in mind that if you use or disclose sensitive personal information (including through cookies), the CPRA requires you to provide a second link titled "Limit the Use of My Sensitive Personal Information."

Interestingly, the statute lets you omit the abovementioned links if you honor global opt-out preference signals (such as Global Privacy Control) in a frictionless manner, since such a signal lets consumers opt out of the sale or sharing of their personal information and limit the use of their sensitive personal information. Note that under the CPPA's regulations, honoring these signals is itself mandatory for any business that sells or shares personal information; the only choice is whether you also provide the links.

Update Your "Notice at Collection"

The CPRA expands the required information businesses must address in their CCPA "Notice at Collection." If your business collects consumers' personal information, including through cookies, you must present this notice at or before the data collection point.

Like with the CCPA, the CPRA allows you to insert this notice as a section within your Privacy Policy.

Briefly, your "Notice at Collection" must provide the following details:

  • The categories of personal information or sensitive personal information you collect from consumers
  • Your purposes for collecting it
  • How long you intend to retain each category of personal information (or, if that isn't possible, the criteria you use to determine that period)
  • A link to your "Do Not Sell or Share My Personal Information" page (if applicable)
  • A link to your Privacy Policy

Set Up a CCPA/CPRA-Compliant Cookie Consent Banner

A cookie consent banner is commonly used as an additional medium to help consumers submit opt-out requests specifically regarding cookies.

To use this medium appropriately, businesses must provide "a single, clearly-labeled link" on their website or app. Moreover, this link must allow consumers to simultaneously opt out of selling or sharing their personal information and limit the use or disclosure of their sensitive personal information.

Here's how the CPRA discloses this requirement in Section 1798.135 (a) (3):

California Legislative Information: CPRA Section 1798 135 a 3 - Opt-out methods

Since the CPRA adopts the opt-out model, you may store cookies on consumers' devices without explicit consent; the banner and the preference center it links to are where consumers record their opt-out.

However, your cookie consent banner must reveal this practice to consumers and provide an "I decline" button or a link to your settings/preference center for consumers to submit opt-out requests. You must also include a link to your Privacy/Cookies Policy for a more detailed explanation of your practices.

Here's an example from Upwork:

Upwork Cookie Consent Banner with Cookie Policy and Cookie Settings links highlighted

Remember to obtain opt-in consent before selling or sharing the personal information of consumers you know to be under 16 through third-party cookies. They (or, for children under 13, a parent or guardian) must click an "I accept" button or tick an empty checkbox before you place those cookies on their devices.

In light of this, you may consider implementing the opt-in consent system for all consumers, as it also helps protect you from accidentally selling or sharing personal information through third-party cookies.
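One way to wire the opt-out and opt-in rules above into banner logic, as an added example that is not part of the article or of any consent-management product: it detects a Global Privacy Control signal (navigator.globalPrivacyControl in the browser, the Sec-GPC request header on the server, both defined by the GPC specification), applies the opt-out model for adults and the opt-in model for consumers the business knows to be under 16, and returns the list of tags that may fire. The tag list, the category names, the state fields and the preference cookie's name are assumptions made for the example.

```javascript
// Added example: decision logic for a CPRA-style cookie banner / preference center.
// The TAGS list, category names, state fields and cookie name are assumptions.

// Tags the site wants to load, grouped by the categories the Cookies Policy describes.
// Constructed list; vendor names are placeholders.
const TAGS = [
  { id: "session-auth", category: "essential" },       // first-party, strictly necessary
  { id: "ads-pixel", category: "cross-context-ads" },  // third-party: a "share" under the CPRA
  { id: "analytics", category: "analytics" },          // third-party: treated as sell/share here
];

// Detect an opt-out preference signal. In the browser the GPC spec exposes
// navigator.globalPrivacyControl; on the server the same signal arrives as "Sec-GPC: 1".
function gpcSignalled({ navigatorLike, headers } = {}) {
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return true;
  if (headers && String(headers["sec-gpc"] || "").trim() === "1") return true;
  return false;
}

// state.choice: "none" (no interaction yet), "opt-out" or "opt-in"
// state.under16: true when the business has actual knowledge the consumer is under 16
// state.gpc: result of gpcSignalled()
function resolveConsent({ choice = "none", under16 = false, gpc = false } = {}) {
  if (gpc) {
    // Treat the signal as a valid opt-out request, whatever the banner state.
    return { sellOrShare: false, reason: "opt-out preference signal" };
  }
  if (under16) {
    // Opt-in model: no sale or sharing until affirmative authorization is recorded.
    return { sellOrShare: choice === "opt-in", reason: "under 16: opt-in required" };
  }
  // Opt-out model for everyone else: permitted until the consumer opts out.
  if (choice === "opt-out") return { sellOrShare: false, reason: "consumer opted out" };
  return { sellOrShare: true, reason: "opt-out model, no opt-out recorded" };
}

// Which tags may fire for this consumer. Essential tags never depend on the choice.
function tagsToFire(state, tags = TAGS) {
  const { sellOrShare } = resolveConsent(state);
  return tags.filter(t => t.category === "essential" || sellOrShare).map(t => t.id);
}

// The recorded choice is itself stored in a first-party, strictly necessary cookie
// (name and lifetime are assumptions). It is left readable by client JS on purpose,
// because the banner script needs it; it carries no secret.
function preferenceCookie(choice, maxAgeDays = 365) {
  if (!["opt-out", "opt-in"].includes(choice)) throw new Error("invalid choice: " + choice);
  return `cpra_pref=${choice}; Path=/; Max-Age=${maxAgeDays * 86400}; Secure; SameSite=Lax`;
}

// Read the stored choice back from a Cookie request header (or document.cookie).
function readPreference(cookieHeader) {
  const m = /(?:^|;\s*)cpra_pref=(opt-out|opt-in)(?:;|$)/.exec(cookieHeader || "");
  return m ? m[1] : "none";
}

// Stand-alone run: a server-side request carrying a GPC header and no stored preference.
const demoState = { choice: readPreference(""), gpc: gpcSignalled({ headers: { "sec-gpc": "1" } }) };
console.log(resolveConsent(demoState), tagsToFire(demoState));
```

The design point is that the GPC check runs before anything else: a consumer who never touches the banner but whose browser sends the signal must still end up in the opt-out branch, and the tags that sell or share must not fire on that first page load while the banner is waiting for a click.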

Summary

Cookies are a core component of modern web technology. While most cookies are harmless, others are quite invasive of user privacy and have stirred up a lot of controversies.

For this reason, privacy laws like the CCPA have been enacted to regulate how companies collect and manage consumers' personal information, including information collected through cookies. The CPRA's amendment of the CCPA adds further privacy protection for consumers.

To strengthen digital privacy in California, the CPRA introduces several new defined terms, such as consent, profiling, cross-context behavioral advertising, sensitive personal information, and sharing.

The CPRA also clarifies several vague provisions in the CCPA, including the complicated relationship between third-party cookies and the sale of personal information.

To recap, if you use cookies and are subject to the CCPA/CPRA, here's a quick rundown of your cookie compliance responsibilities:

  • Provide cookie information in your Privacy Policy and/or Cookies Policy
  • Observe the CPRA's method of limiting the sale, sharing, and use of personal and sensitive information
  • Update your CCPA "Notice at Collection" to accommodate the CPRA's additional provisions
  • Set up a CCPA/CPRA-compliant Cookie Consent Banner