CCPA Cookies

It's a question hotly debated by legal and privacy experts, and repeatedly asked by concerned businesses: Does using third-party cookies count as "selling" personal information under the California Consumer Privacy Act (CCPA)?

In this article, we'll be providing a strong case for why we think the answer is "yes."

We'll also discuss why this has enormous implications, and what your business needs to do about it.

Important Note About the Scope of the CCPA

Below, we're going to explain why it appears that using third-party cookies is now considered to be "selling" personal information in California. Before we proceed, it's important to spell out why this is such a huge development.

If using third-party cookies does indeed qualify as selling personal information, this has significant implications for the jurisdiction of the CCPA.

One of the criteria for determining whether a business is covered by the CCPA is as follows:

"It, alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more [California] consumers, households, or devices."

Under this criterion, assuming that using third-party cookies can constitute "selling" personal information, the CCPA would apply to anyone operating a website or app that:

  • Uses third-party cookies, and
  • Has 50,000 unique visitors or users originating in California per year

This could bring thousands of small and medium-sized businesses under the scope of the CCPA.

What We Know About the CCPA and Cookies

Among legal and privacy experts, the jury has been out on the CCPA's position on cookies. However, the evidence is now mounting, pretty overwhelmingly, on one side of the debate.

Definition of "Personal Information"

First of all, the CCPA explicitly brings cookies and similar technologies under the definition of "personal information."

Here's the definition of "personal information" at Section 1798.140 (o) (1) of the CCPA:

California Legislative Information: CCPA - Definition of Personal Information

Certain cookies fit category (F), above, as they can contain information about internet activity, including a person's browsing history and interactions with websites, etc.

It is also possible, particularly using advertising cookies, to draw inferences about a person's preferences and characteristics, per category (K).

Definition of "Sale"

Here's the definition of "sale," at Section 1798.140 (t) (1) of the CCPA:

California Legislative Information: CCPA - Definition of Sale

There are three key elements to this definition:

  • Communication of a consumer's personal information
  • To a third party
  • For valuable consideration

A "third party" can be anyone other than your business, except for the type of person described at Section 1798.140 (w) (2) of the CCPA. There is also an exception for service providers, as we'll see below.

"Valuable consideration" can mean anything that brings a benefit to your business. We'll look at this concept in detail below.

CCPA Proposed Regulations

The CCPA Proposed Regulations (available here) provide general guidance to businesses about how to comply with the CCPA.

The Proposed Regulations also provide some insight into how the California Attorney-General, who will be bringing civil cases against businesses that violate the CCPA, interprets the statute.

There's a tell-tale sign at Section 999.315 (a) of the Proposed Regulations suggesting that the Attorney-General does consider third-party cookies capable of facilitating a sale of personal information (at page 18 of the linked PDF):

Final Text of Regulations: CCPA - Section 999 315 - Requests to Opt-Out

The above section suggests a number of ways by which a consumer can submit a request to opt out of the sale of their personal information. Among these methods are "user-enabled global privacy controls, such as a browser plugin or privacy setting, [or] device setting..."

These consent methods are associated with opting in or out of cookies. They are commonly used in the EU under the General Data Protection Regulation (GDPR).

CCPA Final Statement of Reasons

The appendices to the CCPA Final Statement of Reasons (FSOR, available here) provide some further insight into this topic.

The appendices to the FSOR contain comments, submitted by various stakeholders, requesting modifications to the CCPA Proposed Regulations. The California Attorney-General responds to some of these requests, and declines to answer others.

Despite many requests for clarity on the issue, the California Attorney-General has not provided a definitive statement about whether sharing cookies with third parties could qualify as selling personal information. However, he does strongly imply it.

Comment 47 of the FSOR requests that the Attorney-General "clarify the definition of "sale," including whether use of website cookies shared with third parties are a sale..."

The Attorney-General suggests the answer is "fact-specific" and refuses to provide a definitive answer. However, he also indicates that there are three factors that may determine whether sharing cookies with third parties constitutes a "sale":

"...whether or not there was monetary or other valuable consideration involved, the consumer directed the business to intentionally disclose the personal information, and whether the parties involved were service providers."

We'll look at these three factors in detail below.

How are Advertising Networks Responding?

In light of the CCPA, advertising networks such as Google and Facebook are making changes to their processes that will enable businesses to allow consumers to opt out of cookies.

This is another indication that the CCPA deems using third-party cookies to be "selling" personal information, or at least that the legal teams of some of the world's largest corporations interpret the law that way.

To provide further insight into the CCPA's implications, let's briefly examine how Google and Facebook are changing their practices.

Google

Google maintains that it "never sells personal information." However, this interpretation of its business activities may not be consistent with the tech firm's reading of the CCPA.

In response to the CCPA, Google is introducing a new "restricted processing" function to its advertising products in order "to help advertisers, publishers and partners meet their CCPA compliance needs."

"Restricted processing" is an alternative means of processing the personal information of consumers collected via Google's advertising products.

When restricted processing is enabled, Google and the advertiser/business will enter into a "service provider" relationship. Google will perform a narrower range of functions with personal information than it would otherwise perform. According to Google, these functions include:

  • Ad delivery
  • Reporting and measurement
  • Security and fraud detection
  • Debugging
  • Improving and developing features

These activities fall within the categories of "business purposes" that may be performed by a service provider.

Businesses can enable restricted processing to trigger in response to a consumer's request to exercise their right to opt out, or across all California consumers by default.

Facebook

Facebook has implemented a new policy known as "Limited Data Use (LDU)," which allows businesses to restrict processing for opted-out California consumers.

Facebook's LDU process works in a similar way to Google's "restricted processing," with Facebook entering into a service provider relationship with the business, and processing the consumer's personal information for a narrower range of purposes.

Are You "Selling" Personal Information via Cookies?

The California Attorney-General sets out three factors that can determine whether a company's use of cookies constitutes "selling" personal information.

Let's look at each of these in turn, so you can examine whether your cookies program meets the criteria.

Valuable Consideration

In the Attorney-General's view, the use of cookies may constitute a "sale" if there is "monetary or other valuable consideration involved."

"Monetary consideration" means, simply, money. Most businesses do not receive money as a direct result of collecting personal information via cookies. "Other valuable consideration" is more relevant to most businesses.

"Consideration" is a very broad concept. In the FSOR, the Attorney-General declined to elaborate on the definition of "consideration" in the context of the CCPA, claiming that it is well-established in California law.

California law defines "consideration" at Section 1605 of the California Civil Code (available here):

California Legislative Information: California Civil Code Section 1605 - Definition of Consideration

According to the Attorney-General, we must interpret "consideration" in the light of the definition above. This implies that any benefit your business receives when it discloses a consumer's personal information via cookies constitutes "consideration."

There are many benefits to using third-party cookies, including:

  • Targeting advertising at individual consumers, and thus increasing your sales, for example by using a digital marketing product such as the Facebook Pixel
  • Understanding whether your website or app functions as intended, for example by using a tool such as Crashlytics
  • Understanding the effectiveness of your marketing campaigns, for example by using Google Analytics

The definition of "consideration," and thus "sale," would appear to apply to third-party advertising and analytics (including crash-reporting) cookies.

This might sound far-fetched, but EU privacy law (upon which the CCPA is based) explicitly applies to these types of "non-essential" cookies.

Consumer Direction

The Attorney-General states that using third-party cookies may not count as a sale if "the consumer directed the business to intentionally disclose the personal information."

This refers to a carve-out in the definition of "selling," located at Section 1798.135 (t) (2) (A) of the CCPA:

California Legislative Information: CCPA - Definition of Selling

In the context of cookies, this refers to a form of opt-in consent. This sort of cookie consent mechanism is mandatory (but often neglected) among businesses subject to the GDPR.

This exemption doesn't mean third-party cookies require opt-in consent in order to avoid being part of a "sale." However, this does reiterate that, if you obtain opt-in consent from a consumer before enabling cookies, you will not be deemed to be selling that consumer's personal information.

Service Providers

Finally, the Attorney-General indicates that a business using third-party cookies may be able to avoid being deemed to have "sold" a consumer's personal information if the disclosure of the cookie data was made to a "service provider."

A service provider is a legal entity that processes personal information on behalf of a business. The service provider must be bound by a contract with the business.

The service provider exemption is another exception to the definition of selling, located at Section 1798.135 (t) (2) (C) of the CCPA:

California Legislative Information: CCPA - Service Provider exemption to the definition of selling

This is among the worst-drafted of the CCPA's many poorly-drafted provisions. However, there are a few insights we can glean from this section:

  • The sharing of personal information with a service provider must be necessary to perform a business purpose.
  • The business must provide consumers with information about how to opt out of the sale of their personal information, including via its "Terms and Conditions." Presumably this actually refers to a Privacy Policy, where it is mandatory to display such information, and its "Do Not Sell My Personal Information" page, where appropriate.
  • The service provider must not further process the personal information except as necessary to perform the business purpose.

The CCPA's business purposes include "providing advertising or marketing services" and "providing analytic services." As such, it may be possible to disclose cookie data to a service provider in a way that does not constitute a sale.

Note that this is the approach taken by Google and Facebook.

CCPA Requirements for Businesses That Sell Personal Information

The CCPA imposes several requirements on businesses that sell personal information. If you believe that your cookies program puts you into this category, there are several things you must do.

"Do Not Sell My Personal Information" Page

All businesses selling personal information must post a link on their website and/or app reading "Do Not Sell My Personal Information." This link must lead to a page where consumers can exercise their right to opt out.

Cookie Banner

In addition to your "Do Not Sell" page, you'll need at least one additional designated means by which a consumer can submit an opt-out request.

The California Attorney-General has suggested that using a cookie banner could be an appropriate means of offering consumers the right to opt out.

So what could a CCPA cookie banner look like? The example below, from Costa Coffee, represents one possible approach:

Costa Coffee Cookie Banner

This cookie banner has two options: decline or accept non-essential cookies. This is a low-risk solution that presumes cookies are disabled for California users by default.

  • If the user clicks "I decline," they are exercising their right to opt out. In this case, you simply don't enable cookies for that user.
  • If the user clicks "I accept," they are, arguably, directing your business to disclose their personal information, which could bring them under the "consumer direction" exemption. You could then enable cookies for that user without engaging in the "sale" of their personal information.

Another approach might be to enable cookies by default and omit the "I accept" button. Since this only provides an option to "opt out," you would be selling the personal information of all consumers who do not exercise this right.

Whatever approach you take, it's important that:

  • Your cookie banner appears when any California user visits your website or uses your mobile app
  • Your cookie banner appears on every page of your website on which you set non-essential cookies
  • You do not enable cookies for any user who has opted out, unless you are able to enter into a service provider relationship with the relevant cookies provider
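The default-off behaviour described above can be enforced in code before any third-party tag is emitted. The following is an added example, not code from this article or from any vendor: the vendor list, the `cookie_consent` cookie name and the `serviceProviderMode` flag are hypothetical, and treating a `Sec-GPC: 1` request header as an opt-out request is an assumption about how the site chooses to honour browser privacy settings.

```javascript
// Constructed vendor list; names and the serviceProviderMode flag are hypothetical.
const VENDORS = [
  { name: "session", essential: true },
  { name: "ads-pixel", essential: false, serviceProviderMode: true },
  { name: "analytics", essential: false, serviceProviderMode: false },
];

// Parse a Cookie header ("a=1; b=2") into a prototype-less object.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns "accept", "decline" or "unset" from lowercased request headers.
function consentState(headers) {
  // Assumption: a browser-level privacy signal (Sec-GPC: 1) is honoured as an
  // opt-out request and overrides a previously stored "accept".
  if (headers["sec-gpc"] === "1") return "decline";
  const choice = parseCookies(headers["cookie"])["cookie_consent"]; // hypothetical name
  return choice === "accept" || choice === "decline" ? choice : "unset";
}

// Decide, per vendor, whether its tag may be emitted and in which mode.
function tagPlan(headers, vendors = VENDORS) {
  const state = consentState(headers);
  return vendors.map((v) => {
    if (v.essential) return { name: v.name, load: true, mode: "full" };
    if (state === "accept") return { name: v.name, load: true, mode: "full" };
    // Declined or no choice yet: non-essential tags stay off unless the vendor
    // runs under a service-provider arrangement with narrowed processing.
    if (v.serviceProviderMode) return { name: v.name, load: true, mode: "restricted" };
    return { name: v.name, load: false, mode: "none" };
  });
}

// Constructed sample requests (header names lowercased, as Node.js delivers them).
const samples = [
  { cookie: "sid=abc; cookie_consent=accept" },
  { cookie: "sid=abc; cookie_consent=accept", "sec-gpc": "1" },
  { cookie: "sid=abc" },
];
for (const h of samples) console.log(consentState(h), JSON.stringify(tagPlan(h)));
```

Any consent value other than the two expected strings is treated as "unset", so a tampered or malformed cookie cannot switch non-essential tags on.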

Notice at Collection

Section 999.305 (b) of the Proposed Regulations states:

Final Text of Regulations: CCPA - Section 999 305 - Notice at Collection of Personal Information - Shall be readily available

This refers to a "notice at collection," one of the CCPA's four notices that businesses must present whenever collecting personal information from consumers.

Your notice at collection:

  • Must appear on every page of your website that sets cookies on consumers' devices
  • Must appear in the "Settings" menu of your mobile app (if applicable)
  • Can consist of a link to a section in your Privacy Policy which informs consumers:

    • What types of personal information you collect
    • Your business or commercial purposes for collecting it
    • A link to your "Do Not Sell My Personal Information" page

In the context of cookies, a notice at collection could conceivably consist of a link, displayed as part of your cookie banner, to the relevant section of your Privacy Policy.

Summary

Does using third-party cookies count as selling personal information under the CCPA? Most signs point to "yes":

  • The definition of "personal information" includes data collected by cookies
  • The definition of "sale" is very broad
  • The CCPA Proposed Regulations advocate "privacy controls" and "browser settings" as ways to allow consumers to opt out of the sale of their personal information
  • In the CCPA Final Statement of Reasons, the California Attorney-General suggests that third-party cookies may facilitate a sale of personal information under certain conditions

This is a very big deal. If you believe that your cookie program brings you under the scope of the CCPA, make sure you take all necessary steps to comply with the law.