Updated December 6, 2019.
Cookies are mentioned only once in the California Consumer Privacy Act (CCPA), along with beacons, pixel tags, mobile ad identifiers and similar technology.
But don’t be fooled – cookies are very important for CCPA compliance, since they are one of the most widely used tracking technologies for websites that can make a business liable under the CCPA.
In this blog post, we look at the CCPA and cookies.
What are cookies and how do they work?
What does the CCPA mean for your website and its cookies?
And how can you achieve CCPA website compliance?
The California Consumer Privacy Act (CCPA) is California’s data privacy law that took effect on January 1, 2020.
CCPA empowers California residents with new rights over their personal information and the data they generate every day on websites, through their devices, online as well as offline.
CCPA also forces businesses to comply with new legal requirements for the handling of personal information, e.g. enabling California residents to opt out of having their data sold to third parties, granting them access to the data already collected, and having it deleted.
Cookies are the memory of a website. Or at least that’s what they were invented for back in 1994.
Cookies are small text files placed by a website on an end-user’s browser upon a visit, encapsulating information about the user, their device and other things that make it possible for a website to recognize the user when they return.
Today, cookies serve many different purposes, some of which have less to do with recall and more to do with privacy-invasive surveillance practices.
Some cookies are necessary for the core functions of a website. Most often, these types of cookies only store random identifiers that are deleted when users close their browser. No big deal.
But other cookies are for analytical and marketing purposes, placed by third parties that collect information on users through unique IDs that are sometimes stored for up to a hundred years.
Under the CCPA, cookies and website trackers are a liability for businesses all over the world.
These third-party cookies are a threat to privacy and autonomy, and are found all throughout the Internet.
In fact, one year into the rigorous European privacy regulation of GDPR, European government domains and health sector websites were littered with third-party marketing cookies collecting sensitive data on unwitting users.
Personal information collected through these types of cookies is often used for creating profiles on users that are then traded in exchange for digital ad space through real-time bidding systems, where companies will follow the user cross-site around the web in order to serve eerily targeted advertisements.
Under the European General Data Protection Regulation (GDPR), websites are not allowed to set any cookies apart from those strictly necessary, without the prior consent of end-users.
So, if you have visitors from the EU, you must be GDPR compliant – regardless of where in the world you and your website are located.
However, the relationship between the CCPA and cookies is different.
In the CCPA, cookies and similar tracking technologies are classified as unique identifiers that form part of the law’s definition of personal information (1798.140.x).
Unique identifiers are types of technologies that are able to recognize a consumer, a family, a household, or a device that is linked to a consumer or family or household, over time and across services.
This means that any for-profit company in the world that has cookies and similar tracking technology implemented on their websites could be liable for CCPA cookie compliance, in particular if they sell or make available to third parties (such as Google or Facebook) the personal information of Californian users.
You might think, well that’s not me and my business. But hold on!
The CCPA’s definitions of “personal information”, “business” and “sale” are very broad and will undoubtedly extend to many more companies than it seems at first sight.
Inform yourself on what constitutes personal information under the CCPA.
Since any enforcement of the CCPA is yet to take place, it is difficult to speculate exactly how the law will be interpreted by the Attorney General of California and the courts.
However, the CCPA definition of personal information is very broad and cookies and third-party trackers can be a real liability for businesses and websites all over the world.
Under the CCPA, cookies and website trackers will be under California regulation.
If the information collected on a website through cookies does not in itself constitute personal information under the CCPA (e.g. analytics data about the behavior of users on a website that is initially anonymous), inferences from this data with the purpose of identifying and connecting devices, creating profiles and serving personalized advertisement can be considered personal information under CCPA.
If anonymous data can in any way be re-identified, it can be considered personal information under the CCPA.
Other tracking technologies on websites, such as device and browser fingerprinting, web beacons and tracking pixels, are all ways for third-party ad tech companies to collect and commodify consumers and their personal information for the purpose of serving behavioral advertisements.
Hypothetically (as analyzed by the California Lawyers Association), if your business through its website makes available to third parties (e.g. through cookies and social media plugins) data on Californian residents that is either not anonymized or has the potential to be re-identified, your business might be categorized as a business that is “selling” (i.e. making available, transferring or otherwise communicating, as the CCPA defines sale) personal information of Californian residents.
A business is liable under the CCPA if it sells the PI of more than fifty thousand Californian residents per year.
This is one of three thresholds for CCPA compliance.
If the Attorney General of California enforces the CCPA close to the interpretation by the California Lawyers Association above, simple math will tell you that a business that collects or makes available to third parties (e.g. through cookies, web beacons, pixel tags and so on) the personal information of just 137 California residents per day for a year will meet one of the thresholds for CCPA cookie compliance.
Try Cookiebot for free today and scan your website to know all cookies and similar technologies, both first and third party.
The California Consumer Privacy Act (CCPA) is setting the bar for the rest of the US when it comes to data privacy rights. For now, only California residents will enjoy the newfound empowerment and ownership over their personal information, but the rest of the nation is looking west.
As an example of the country-wide impact of the CCPA, Microsoft announced in November 2019 that it will not only comply with CCPA consumer rights in California but will expand them to all US customers.
The CCPA’s extraterritorial scope means that if a company in New York or Texas collects the personal information of more than fifty thousand California residents annually, they are obligated to comply with the CCPA.
Collecting the PI of fifty thousand individuals per year may sound like a lot of data – but considering that the definition of personal information in the CCPA is so expansive that it includes cookies and IP addresses, a lot of companies might find themselves liable for compliance.
It is likely that a lot of companies all over the world will reach this threshold, have their data practices fall under the definition of sale and be obligated to achieve compliance with the CCPA.
That’s because simply having third party cookies and trackers on your company’s website might make you liable for CCPA compliance.
This is why you should sign up to Cookiebot for free today.
Cookiebot is a global leader when it comes to consent management and cookie compliance for websites.
Our technology is built for the specific purpose of uncovering all cookies and similar trackers on websites, so the end-users can be empowered with a real choice of consent, as required by the European General Data Protection Regulation that came into force in May 2018.
Cookiebot also offers CCPA compliance for businesses and their websites.
With the CCPA, cookies have a new legal reality in the US.
Cookiebot is bringing its area of expertise – automated deep website scans and end-user consent management – to California, so that businesses can be sure to know exactly how their online domains collect personal information from their consumers, what third parties are present on their website, as well as enabling end-users to exercise their right to opt out of having their data sold to third parties.
Using Cookiebot, websites can obtain CCPA compliance with the required Do Not Sell My Personal Information link.
Cookiebot’s geolocation configuration makes it easy for companies to comply with both the CCPA and the EU’s GDPR depending on where in the world their end-users are located.
Sign up to Cookiebot today to try automatic website scans and cookie blocking to protect the privacy and personal information of your end-users.