While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, whether the exception applies to analytics cookies operated by third parties may depend in part upon the contract in place (or terms and conditions) with the third party.4 Specifically, the service provider exception requires that following three conditions be present:
- The transfer of information to the service provider must be “necessary” for the website’s business purpose.5 It is uncertain whether a court would view analytics cookies (and the information that they provide) as a necessity.
- The transfer of the information to the service provider must be disclosed to consumers. Many websites arguably meet this requirement by disclosing their use of third party cookies or analytics cookies in their privacy policies.
- The agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”6 Whether the contract in place with the provider of an analytics cookie meets these requirements may be a case-by-case inquiry.
In order to mitigate the risk that permitting analytics cookies to deploy on a website will be interpreted as a “sale” of information, a website has at least three options:
- Verify that the contract fits the definition of a “service provider.” If the analytics cookies are necessary for the efficient operation of the website, and if a website verifies that its contract with the analytics cookie provider qualifies as a “service provider,” the cookie can be placed without offering consumers the ability to opt-out or toggle the cookie off.
- Ask for consent. The CCPA excepts from the definition of “sale” the situation where a “consumer uses or directs the business to intentionally disclose personal information.”7 As a result, if a website deploys a cookie banner, and a consumer agrees or “opts-in” to the use of analytics cookies, the website arguably has not “sold” information to the company that provides the analytics cookie. Note that if the consumer agrees to the deployment of the analytics cookie, nothing within the CCPA would require the website to present them with an automatic ability to opt-out (i.e., toggle off) the cookie.
The net result is that while the CCPA does not expressly require that websites offer to consumers the ability to “toggle-off” analytics cookies, some companies may offer such a feature as part of a risk mitigation strategy.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.