Updated June 22, 2020.
Cookies are mentioned only once in the California Consumer Privacy Act (CCPA), along with beacons, pixel tags, mobile ad identifiers and similar technology.
But cookies are very important for CCPA compliance, since they are one of the most widely used tracking technologies for websites that can make a business liable under the CCPA.
In this blogpost, we look at the CCPA and cookies.
What are cookies and how do they work?
What does the CCPA mean for your website and its cookies?
And how can you achieve CCPA website compliance?
The California Consumer Privacy Act (CCPA) is California’s data privacy law that took effect on January 1, 2020.
The CCPA empowers California residents with enforceable rights over the personal information they generate every day online.
The CCPA forces businesses to comply with certain legal requirements for the collection, use, sharing and selling of personal information, e.g. enabling California residents to opt out of having their data sold to third parties, granting them access to the data already collected, and having it deleted.
Cookies are the memory of a website. Or at least that’s what they were invented for back in 1994.
Cookies are small text files placed by a website on an end-user’s browser upon a visit, incapsulated with information about the user, their device and other things that make it possible for a website to recognize the user, when they return.
Today, cookies serve many different purposes, some of which have less to do with recall and more to do with privacy-invasive surveillance practices.
Some cookies are necessary for the core functions of a website. Most often, these types of cookies only store random identifiers that are deleted when users close their browser. No big deal.
But other cookies are for analytical and marketing purposes, placed by third parties that collect information on users through unique IDs that are sometimes stored for up to a hundred years.
Under the CCPA, cookies and website trackers are a liability for businesses all over the world.
Personal information collected through these types of cookies is often used for creating profiles on users that are then traded in exchange for digital ad space through real time bidding systems, where companies will follow the user cross-site, around the web in order to serve eerily targeted advertisement.
So, if you have visitors from the EU, you must be GDPR compliant – regardless of where in the world you and your website is located.
However, the relationship between the CCPA and cookies are different.
In the CCPA, cookies and similar tracking technologies are classified as unique identifiers that form part the law’s definition of personal information (1798.140.x).
Unique identifiers are types of technologies that are able to recognize a consumer, a family, a household, or a device that is linked to a consumer or family or household, over time and across services.
This means that any for-profit company in the world that has cookies and similar tracking technology implemented on their websites could be liable for CCPA cookie compliance, in particular if they sell or make available to third parties (such as Google or Facebook) the personal information of Californian users.
You might think, well that’s not me and my business. But hold on!
The CCPA’s definition of “personal information”, “business” and “sale” is very broad and will undoubtably extent to many more companies than it seems at first sight.
CCPA enforcement hasn’t begun yet, but the California Attorney General is still committed to start enforcing the CCPA on July 1, 2020. Until enforcement begin, it is difficult to speculate on exactly how the CCPA treatment of cookies and tracking technologies will be interpreted.
However, the CCPA definition of personal information is very broad and cookies and third-party trackers can be a real liability for businesses and websites all over the world.
Under the CCPA, cookies and website trackers will be under California regulation.
If the information collected on a website through cookies does not in itself constitute personal information under the CCPA (e.g. analytics data about the behavior of users on a website that is initially anonymous), inferences from this data with the purpose of identifying and connecting devices, creating profiles and serving personalized advertisement can be considered personal information under CCPA.
If anonymous data can in any way be re-identified, it can be considered personal information under the CCPA.
Other tracking technologies on websites, such as device and browser fingerprinting, web beacons and tracking pixels, are all ways for third party ad tech companies to collect and commodify consumers and their personal information for the purpose of serving behavioral advertisement.
Hypothetically (as analyzed by the California Lawyers Association), if your business through its website makes available to third parties (e.g. through cookies and social media plugins) data on Californian residents that is either not anonymized or has the potential to be re-identified, your business might be categorized as a business that is “selling” (i.e. making available, transferring or otherwise communicating, as the CCPA defines sale) personal information of Californian residents.
A business is liable under the CCPA, if it sells the personal information of more than 50.000 Californian residents per year.
This is one of three thresholds for CCPA compliance.
If the Attorney General of California enforces the CCPA close to the interpretation by the California Lawyers Association above, simple math will tell you that a business that collects or makes available to third parties (e.g. through cookies, web beacons, pixel tags and so on) the personal information of just 137 California residents per day for a year, that business will meet one of the thresholds for CCPA cookie compliance.
Try Cookiebot free for 30 days and scan your website to know all cookies and similar technologies, both first and third party.
The California Consumer Privacy Act (CCPA) is setting the bar for the rest of the US when it comes to data privacy rights. For now, only California residents will enjoy the newfound empowerment and ownership over their personal information, but the rest of the nation is looking west.
As an example of the country-wide impact of the CCPA, Microsoft announced in November 2019 that it will not only comply with CCPA consumer rights in California but will expand them to all US customers.
The CCPA’s extraterritorial scope means that if a company in New York or Texas collects the personal information of more than fifty thousand California residents annually, they are obligated to comply with the CCPA.
Collecting the personal information of 50.000 California residents per year may sound like a lot of data – but considering that the definition of personal information in the CCPA is so expansive that it includes cookies and IP addresses, a lot of companies might find themselves liable for compliance.
It is likely that a lot of companies all over the world will reach this threshold, have their data practices fall under the definition of sale and be obligated to achieve compliance with the CCPA.
That’s because simply having third party cookies and trackers on your company’s website might make you liable for CCPA compliance.
Cookiebot is the world’s leading consent manage platform enabling compliance with the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR) as well as other data privacy laws around the world.
Cookiebot’s technology is built for the specific purpose of uncovering all cookies and similar trackers on websites, so the end-users can be empowered with a real choice of consent, as required by the GDPR.
With the CCPA, cookies have a new legal reality in the US.
Cookiebot is bringing its area of expertise – automated deep website scans and end-user consent management - to California, so that businesses can be sure to know exactly how their online domains collect personal information from their consumers, what third parties are present on their website, as well as enabling end-users to exercise their right to opt out of having their data sold to third parties.
Using Cookiebot, websites can obtain CCPA compliance with the required Do Not Sell My Personal Information link.
Cookiebot’s geolocation configuration makes it easy for companies to comply with both the CCPA and the EU’s GDPR depending on where in the world their end-users are located.
The California Consumer Privacy Act (CCPA) is a state-wide law that regulates how businesses are allowed to collect, share and sell the personal information of California residents. The CCPA empowers California residents with the right to opt out of third-party sales, the right to access already collected personal information and the right to have it deleted. Businesses must comply with the CCPA if they have an annual gross revenue exceeding $25 million, derive more than 50% of annual revenues from persona information sales or buy, receive, sell or share the personal information of more than 50.000 California residents.
Cookies, web beacons, pixel tags, ultrasound beacons and many more tracking technologies that process unique identifiers such as IP addresses, search and browser history fall under the CCPA’s definition of personal information. If your website uses third-party cookies through analytics tools, video plugins or social media, it will have cookies and other tracking technologies that collect and share personal information from your users.
Under the CCPA, consumers (or California residents) have five enforceable rights over their own personal information. These are the right to opt out of third-party data sales, the right to be informed of personal data collection and sales, the right to access of already collected personal information, the right to have collected personal information deleted and the right to receive equal services and prices.