
CCPA and Cookies

The California Consumer Privacy Act (CCPA) may affect how your website is allowed to handle the personal information of Californians.

Updated August 31, 2020.

Cookies are mentioned only once in the California Consumer Privacy Act (CCPA), along with beacons, pixel tags, mobile ad identifiers and similar technology.

But cookies are very important for CCPA compliance, since they are one of the most widely used tracking technologies for websites that can make a business liable under the CCPA.

In this blog post, we look at the CCPA and cookies.

What are cookies and how do they work?

What does the CCPA mean for your website and its cookies?

And how can you achieve CCPA website compliance?

Become compliant with Cookiebot consent management platform (CMP).

What’s the CCPA, and cookies?

The California Consumer Privacy Act (CCPA) is California’s data privacy law that took effect on January 1, 2020.

The CCPA empowers California residents with enforceable rights over the personal information they generate every day online.

Take a look at the new CCPA consumer rights here.

The CCPA forces businesses to comply with certain legal requirements for the collection, use, sharing and selling of personal information, e.g. enabling California residents to opt out of having their data sold to third parties, granting them access to the data already collected, and having it deleted.

Take an in-depth look at the business requirements for CCPA compliance here.

What are cookies?

Cookies are the memory of a website. Or at least that’s what they were invented for back in 1994.

Cookies are small text files that a website places in an end-user’s browser during a visit. They contain information about the user, their device and other details that make it possible for the website to recognize the user when they return.

Today, cookies serve many different purposes, some of which have less to do with recall and more to do with privacy-invasive surveillance practices.

Some cookies are necessary for the core functions of a website. Most often, these types of cookies only store random identifiers that are deleted when users close their browser. No big deal.

But other cookies are for analytical and marketing purposes, placed by third parties that collect information on users through unique IDs that are sometimes stored for up to a hundred years.

Under the CCPA, cookies and website trackers are a liability for businesses all over the world.

These third-party cookies can infringe on user privacy.

Personal information collected through these types of cookies is often used to create profiles of users that are then traded in exchange for digital ad space through real-time bidding systems, where companies follow the user across sites around the web in order to serve eerily targeted advertisements.

Under the European General Data Protection Regulation (GDPR), websites are not allowed to set any cookies apart from those strictly necessary, without the prior consent of end-users.

So, if you have visitors from the EU, you must be GDPR-compliant – regardless of where in the world you and your website are located.

However, the relationship between the CCPA and cookies is different.

Check out how to achieve CCPA website compliance here.

CCPA, cookies and personal information

In the CCPA, cookies and similar tracking technologies are classified as unique identifiers that form part of the law’s definition of personal information (1798.140.x).

Unique identifiers are types of technologies that are able to recognize a consumer, a family, a household, or a device that is linked to a consumer or family or household, over time and across services.

This means that any for-profit company in the world that has cookies and similar tracking technology implemented on their websites could be liable for CCPA cookie compliance, in particular if they sell or make available to third parties (such as Google or Facebook) the personal information of Californian users.

You might think, well that’s not me and my business. But hold on!

The CCPA’s definitions of “personal information”, “business” and “sale” are very broad and will undoubtedly extend to many more companies than it seems at first sight.

Learn more about the CCPA and personal information

CCPA enforcement has begun

On August 14, 2020 the final CCPA regulations took effect and enforcement by the Attorney General began.

Enforcement precedents are important in order to know for certain how the CCPA’s treatment of cookies and tracking technologies will be interpreted.

Learn more about the final CCPA regulations and enforcement

CCPA cookies example

California Attorney General on cookies, third-party advertising and consent management

However, the CCPA definition of personal information is very broad and cookies and third-party trackers can be a real liability for businesses and websites all over the world.

Under the CCPA, cookies and website trackers will be under California regulation.

If the information collected on a website through cookies does not in itself constitute personal information under the CCPA (e.g. analytics data about the behavior of users on a website that is initially anonymous), inferences from this data with the purpose of identifying and connecting devices, creating profiles and serving personalized advertisement can be considered personal information under CCPA.

Learn more about the details, definition and scope of personal information under the CCPA.

If anonymous data can in any way be re-identified, it can be considered personal information under the CCPA.

Other tracking technologies on websites, such as device and browser fingerprinting, web beacons and tracking pixels, are all ways for third party ad tech companies to collect and commodify consumers and their personal information for the purpose of serving behavioral advertisement.

Hypothetically (as analyzed by the California Lawyers Association), if your business through its website makes available to third parties (e.g. through cookies and social media plugins) data on Californian residents that is either not anonymized or has the potential to be re-identified, your business might be categorized as a business that is “selling” (i.e. making available, transferring or otherwise communicating, as the CCPA defines sale) personal information of Californian residents.

A business is liable under the CCPA if it sells the personal information of more than 50,000 Californian residents per year.

This is one of three thresholds for CCPA compliance.

If the Attorney General of California enforces the CCPA close to the interpretation by the California Lawyers Association above, simple math will tell you that a business that collects or makes available to third parties (e.g. through cookies, web beacons, pixel tags and so on) the personal information of just 137 California residents per day for a year will meet one of the thresholds for CCPA cookie compliance.

Check out more possible CCPA interpretations by the California Lawyers Association here.

Try Cookiebot CMP free for 14 days and scan your website to know all cookies and similar technologies, both first and third party.

Cookiebot CMP, CCPA and cookies

The California Consumer Privacy Act (CCPA) is setting the bar for the rest of the US when it comes to data privacy rights. For now, only California residents will enjoy the newfound empowerment and ownership over their personal information, but the rest of the nation is looking west.

As an example of the country-wide impact of the CCPA, Microsoft announced in November 2019 that it will not only comply with CCPA consumer rights in California but will expand them to all US customers.

The CCPA’s extraterritorial scope means that if a company in New York or Texas collects the personal information of more than fifty thousand California residents annually, they are obligated to comply with the CCPA.

Collecting the personal information of 50,000 California residents per year may sound like a lot of data – but considering that the definition of personal information in the CCPA is so expansive that it includes cookies and IP addresses, a lot of companies might find themselves liable for compliance.

It is likely that a lot of companies all over the world will reach this threshold, have their data practices fall under the definition of sale and be obligated to achieve compliance with the CCPA.

That’s because simply having third party cookies and trackers on your company’s website might make you liable for CCPA compliance.

Sign up to Cookiebot CMP to control your website’s cookies

Cookiebot CMP and CCPA cookies

Cookiebot CMP is the world’s leading consent management platform enabling compliance with the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR) as well as other data privacy laws around the world.

The Cookiebot CMP technology is built for the specific purpose of uncovering all cookies and similar trackers on websites, so the end-users can be empowered with a real choice of consent, as required by the GDPR.

With the CCPA, cookies have a new legal reality in the US.

Cookiebot CMP is bringing its area of expertise – automated deep website scans and end-user consent management – to California, so that businesses can be sure to know exactly how their online domains collect personal information from their consumers, what third parties are present on their website, as well as enabling end-users to exercise their right to opt out of having their data sold to third parties.

Cookiebot CMP is a software-as-a-service product that is highly customizable to the needs of every business. Simply sign up and integrate Cookiebot CMP on your website with a few strings of JavaScript.

Using Cookiebot CMP, websites can obtain CCPA compliance with the required Do Not Sell My Personal Information link.

The Cookiebot CMP geolocation configuration makes it easy for companies to comply with both the CCPA and the EU’s GDPR depending on where in the world their end-users are located.

See all Cookiebot CMP features

See all Cookiebot CMP plans and pricing models

Try Cookiebot CMP free for 14 days… or forever if you have a small website

FAQ

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide law that regulates how businesses are allowed to collect, share and sell the personal information of California residents. The CCPA empowers California residents with the right to opt out of third-party sales, the right to access already collected personal information and the right to have it deleted. Businesses must comply with the CCPA if they have an annual gross revenue exceeding $25 million, derive more than 50% of annual revenues from personal information sales or buy, receive, sell or share the personal information of more than 50,000 California residents.

Learn more about CCPA compliance

What does the CCPA say about cookies and website tracking?

Cookies, web beacons, pixel tags, ultrasound beacons and many more tracking technologies that process unique identifiers such as IP addresses, search and browser history fall under the CCPA’s definition of personal information. If your website uses third-party cookies through analytics tools, video plugins or social media, it will have cookies and other tracking technologies that collect and share personal information from your users.

Learn more about cookies and website tracking

What are the CCPA requirements for website privacy policies?

The CCPA requires businesses to inform their websites’ users about their rights under the CCPA, and how they can exercise these rights. This can be done in your website’s privacy policy. Your website’s privacy policy should also include lists of all categories of personal information collected in the past 12 months, of the personal information that your business has sold to third parties in the past 12 months and the personal information that your business has disclosed for business purposes in the last 12 months. Your privacy policy must be updated every 12 months and be easily accessible from your website’s front page.

Learn more about CCPA compliant privacy policy for websites

What are the rights for consumers under the CCPA?

Under the CCPA, consumers (or California residents) have five enforceable rights over their own personal information. These are the right to opt out of third-party data sales, the right to be informed of personal data collection and sales, the right to access already collected personal information, the right to have collected personal information deleted and the right to receive equal services and prices.

Learn more about the CCPA consumer rights

Resources

What is the CCPA?

How do I achieve CCPA compliance?

What is CCPA personal information?

What are the new CCPA rights?

What is the GDPR?

How can I sign up to Cookiebot CMP?

Report by Cookiebot CMP on third party tracking on EU government websites.

California Lawyers Association on possible CCPA enforcement and interpretation

Microsoft on expanding the CCPA to rest of the US

Real Time Bidding, Brave and the British data protection authority (ICO)
