It's a question hotly debated by legal and privacy experts, and repeatedly asked by concerned businesses: Does using third-party cookies count as "selling" personal information under the California Consumer Privacy Act (CCPA)?
In this article, we'll be providing a strong case for why we think the answer is "yes."
We'll also discuss why this has enormous implications, and what your business needs to do about it.
Below, we're going to explain why it appears that using third-party cookies is now considered to be "selling" personal information in California. Before we proceed, it's important to spell out why this is such a huge development.
If using third-party cookies does indeed qualify as selling personal information, this has significant implications for the jurisdiction of the CCPA.
One of the criteria for determining whether a business is covered by the CCPA is as follows:
"It, alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more [California] consumers, households, or devices."
Under this criterion, assuming that using third-party cookies can constitute "selling" personal information, the CCPA would apply to anyone operating a website or app that:
This could bring thousands of small and medium-sized businesses under the scope of the CCPA.
Among legal and privacy experts, the jury has been out on the CCPA's position on cookies. However, the evidence is now mounting, pretty overwhelmingly, on one side of the debate.
First of all, the CCPA explicitly brings cookies and similar technologies under the definition of "personal information."
Here's the definition of "personal information" at Section 1798.140 (o) (1) of the CCPA:
Certain cookies fit category (F), above, as they can contain information about internet activity, including a person's browsing history and interactions with websites, etc.
It is also possible, particularly using advertising cookies, to draw inferences about a person's preferences and characteristics, per category (K).
Here's the definition of "sale," at Section 1798.140 (t) (1) of the CCPA:
There are three key elements to this definition:
A "third party" can be anyone other than your business, except for the type of person described at Section 1798.140 (w) (2) of the CCPA. There is also an exception for service providers, as we'll see below.
"Valuable consideration" can mean anything that brings a benefit to your business. We'll look at this concept in detail below.
The CCPA Proposed Regulations (available here) provide general guidance to businesses about how to comply with the CCPA.
The Proposed Regulations also provide some insight into how the California Attorney-General, who will be bringing civil cases against businesses that violate the CCPA, interprets the statute.
There's a tell-tale sign at Section 999.315 (a) of the Proposed Regulations suggesting that the Attorney-General does consider third-party cookies capable of facilitating a sale of personal information (at page 18 of the linked PDF):
The above section suggests a number of ways by which a consumer can submit a request to opt out of the sale of their personal information. Among these methods are "user-enabled global privacy controls, such as a browser plugin or privacy setting, [or] device setting..."
These consent methods are associated with opting in or out of cookies. They are commonly used in the EU under the General Data Protection Regulation (GDPR).
The appendices to the CCPA Final Statement of Reasons (FSOR, available here) provide some further insight into this topic.
The appendices to the FSOR contain comments, submitted by various stakeholders, requesting modifications to the CCPA Proposed Regulations. The California Attorney-General responds to some of these requests, and declines to answer others.
Despite many requests for clarity on the issue, the California Attorney-General has not provided a definitive statement about whether sharing cookies with third parties could qualify as selling personal information. However, he does strongly imply it.
Comment 47 of the FSOR requests that the Attorney-General "clarify the definition of 'sale,' including whether use of website cookies shared with third parties are a sale..."
The Attorney-General suggests the answer is "fact-specific" and refuses to provide a definitive answer. However, he also indicates that there are three factors that may determine whether sharing cookies with third parties constitutes a "sale":
"...whether or not there was monetary or other valuable consideration involved, the consumer directed the business to intentionally disclose the personal information, and whether the parties involved were service providers."
We'll look at these three factors in detail below.
In light of the CCPA, advertising networks such as Google and Facebook are making changes to their processes that will enable businesses to allow consumers to opt out of cookies.
This is another indication that the CCPA deems using third-party cookies to be "selling" personal information, or at least that the legal teams of some of the world's largest corporations interpret the law that way.
To provide further insight into the CCPA's implications, let's briefly examine how Google and Facebook are changing their practices.
Google maintains that it "never sells personal information"; however, this interpretation of its business activities may not be consistent with the tech firm's reading of the CCPA.
In response to the CCPA, Google is introducing a new "restricted processing" function to its advertising products in order "to help advertisers, publishers and partners meet their CCPA compliance needs."
"Restricted processing" is an alternative means of processing the personal information of consumers collected via Google's advertising products.
When restricted processing is enabled, Google and the advertiser/business will enter into a "service provider" relationship. Google will perform a narrower range of functions with personal information than it would otherwise perform. According to Google, these functions include:
These activities fall within the categories of "business purposes" that may be performed by a service provider.
Businesses can set restricted processing to trigger in response to a consumer's request to exercise their right to opt out, or enable it by default for all California consumers.
Facebook has implemented a new policy known as "Limited Data Use (LDU)," which allows businesses to restrict processing for opted-out California consumers.
Facebook's LDU process works in a similar way to Google's "restricted processing," with Facebook entering into a service provider relationship with the business, and processing the consumer's personal information for a narrower range of purposes.
Let's look at each of these in turn, so you can examine whether your cookies program meets the criteria.
"Monetary consideration" means, simply, money. Most businesses do not receive money as a direct result of collecting personal information via cookies. "Other valuable consideration" is more relevant to most businesses.
"Consideration" is a very broad concept. In the FSOR, the Attorney-General declined to elaborate on the definition of "consideration" in the context of the CCPA, claiming that it is well-established in California law.
California law defines "consideration" at Section 1605 of the California Civil Code (available here):
According to the Attorney-General, we must interpret "consideration" in light of the definition above. This implies that any benefit your business receives when it discloses a consumer's personal information via cookies constitutes "consideration."
There are many benefits to using third-party cookies, including:
The definition of "consideration," and thus "sale," would appear to apply to third-party advertising and analytics (including crash-reporting) cookies.
This might sound far-fetched, but EU privacy law (upon which the CCPA is based) explicitly applies to these types of "non-essential" cookies.
The Attorney-General states that using third-party cookies may not count as a sale if "the consumer directed the business to intentionally disclose the personal information."
This refers to a carve-out in the definition of "selling," located at Section 1798.135 (t) (2) (A) of the CCPA:
In the context of cookies, this refers to a form of opt-in consent. This sort of cookie consent mechanism is mandatory (but often neglected) among businesses subject to the GDPR.
This exemption doesn't mean third-party cookies require opt-in consent in order to avoid being part of a "sale." However, this does reiterate that, if you obtain opt-in consent from a consumer before enabling cookies, you will not be deemed to be selling that consumer's personal information.
Finally, the Attorney-General indicates that a business using third-party cookies may be able to avoid being deemed to have "sold" a consumer's personal information if the disclosure of the cookie data was made to a "service provider."
A service provider is a legal entity that processes personal information on behalf of a business. The service provider must be bound by a contract with the business.
The service provider exemption is another exception to the definition of selling, located at Section 1798.135 (t) (2) (C) of the CCPA:
This is among the worst-drafted of the CCPA's many poorly-drafted provisions. However, there are a few insights we can glean from this section:
The CCPA's business purposes include "providing advertising or marketing services" and "providing analytic services." As such, it may be possible to disclose cookie data to a service provider in a way that does not constitute a sale.
Note that this is the approach taken by Google and Facebook.
The CCPA imposes several requirements on businesses that sell personal information. If you believe that your cookies program puts you into this category, there are several things you must do.
All businesses selling personal information must post a link on their website and/or app reading "Do Not Sell My Personal Information." This link must lead to a page where consumers can exercise their right to opt out.
In addition to your "Do Not Sell" page, you'll need at least one additional designated means by which a consumer can submit an opt-out request.
The California Attorney-General has suggested that using a cookie banner could be an appropriate means of offering consumers the right to opt out.
So what could a CCPA cookie banner look like? The below example from Costa Coffee represents one possible approach:
This cookie banner has two options: decline or accept non-essential cookies. This is a low-risk solution that presumes cookies are disabled for California users by default.
Another approach might be to enable cookies by default and omit the "I accept" button. Since this only provides an option to "opt out," you would be selling the personal information of all consumers who do not exercise this right.
Whatever approach you take, it's important that:
Section 999.305 (b) of the Proposed Regulations states:
This refers to a "notice at collection," one of the CCPA's four notices that businesses must present whenever collecting personal information from consumers.
Your notice at collection:
Does using third-party cookies count as selling personal information under the CCPA? Most signs point to "yes":
This is a very big deal. If you believe that your cookie program brings you under the scope of the CCPA, make sure you take all necessary steps to comply with the law.