As businesses prepare for the effective date of the California Consumer Privacy Act, many are conducting data mapping to identify the personal information they collect, who it belongs to, how they use it, with whom they share it and whether they sell or disclose it. The information a business collects from this exercise will set the groundwork for understanding compliance obligations. Given the CCPA’s expansive definition of personal information, it is easy to overlook elements of personal information during this exercise, including website cookies. These FAQs provide a high-level look at how the CCPA may apply to website cookies.
Does the CCPA apply to website cookies?
A cookie is a small text file that a website places on a user’s computer (including smartphones, tablets or other connected devices) to store information about the user’s activity. Cookies have a variety of uses ranging from recognizing you when you return to the website to providing you with advertising targeted to your interests. Depending on their purpose, the website publisher or a third party may set the cookies and collect the information.
The CCPA defines personal information to include a “unique identifier.” This means “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology… or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.” As a result, personal information collected by website cookies that identifies or could reasonably be linked to a particular consumer, family or device may be subject to the same disclosure notices and consumer rights, including the right to delete or opt out of the sale of information to a third party, as other personal information collected through the website.
Does the CCPA require that we have a cookie policy on our website?
The CCPA does not require websites of covered businesses to have a separate cookie policy to address the collection and use of personal information through cookies, or to permit consumers to exercise their rights. This information can be included in the website’s privacy policy.
Does our website need a cookie banner?
The website does not need a separate cookie banner if the information relating to the collection and use of personal information through cookies, and the means for consumers to exercise their rights, are included in the website privacy policy and provided at or before the point of collection.
Do cookies create special challenges to CCPA compliance?
Covered businesses may not have a full understanding of what cookies are present on their websites or their functionality. These businesses should inventory and audit their cookies to identify at a minimum:
- the types of cookies set on their sites
- their purpose and functionality
- the personal information they collect and how it is used
- whether the personal information is shared and, if so, with whom
- if applicable, the purpose(s) for selling the personal information and to whom it is sold, and
- whether the cookies are first party or third party cookies.
This may require consulting with your IT provider, website designer, marketing department, and particularly advertising partners.
In certain cases, third parties may place cookies on the website that collect personal information as part of services necessary for the site’s business purpose. The services agreement with this third party should contain specific provisions identifying it as a service provider, stating the business purpose for collecting the personal data, and prohibiting the further use or sale of any personal information collected by the cookies. These provisions are necessary to demonstrate that any disclosure of personal information to a third party, or collection by a third party, is in the context of providing services and not a sale or disclosure to which the consumer’s right to opt out applies.
In other cases, it may be unclear if a third party cookie’s collection of personal information is strictly for the website’s business purpose or a sale subject to the right to opt out. This may apply in cases where cookies are placed by embedded content (e.g. video), a social media widget, or a vendor that provides targeted or behavioral advertising. While the website publisher should disclose all collection activity and use, it will need to review these activities to determine how to effectuate meaningful notice and the right to opt out.
It is not yet clear how the CCPA will apply to third party cookies used specifically for targeted and behavioral advertising. This creates significant uncertainty for website publishers who engage vendors to assist with advertising. The Adtech industry, legislators, and various stakeholders are currently reviewing how the CCPA may apply to third party cookies that track site users for targeting and behavioral advertising, and clarification may be forthcoming.
Cookies and other website tracking technologies pose a unique challenge to businesses as they work to identify the personal information they collect and process. Identifying the presence of these technologies, their function, and the relationship with any third party that places them on the website is an essential part of data mapping. This process will require a greater understanding of the website’s functionality as well as a deeper dive into the business’ analytics, marketing, and advertising practices.