The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (You can find a timeline that illustrates the history and development of the CCPA in BCLP’s Practical Guide to the CCPA). Given its hasty drafting there are a number of areas in which the act intentionally, or unintentionally, is ambiguous. One of those areas involves cookies.
The CCPA defines “personal information” to include (among other things) a “unique identifier.”1 The phrase “unique identifier” is, in turn, defined as follows:
“Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.2
The first part of the above definition refers only to identifiers that can recognize a device “over time and across different services.” This would not include session cookies which are designed to contain information only during a single online session (i.e., not over any significant length of time) and typically on a single website or domain (i.e., not across services). The second part of the definition, however, refers to cookies, and does so in a manner in which it is not clear whether cookies are included as a stand-alone category of “unique identifiers” or as an example of a type of identifier that may be able to recognize a device “over time and across different services.” The first interpretation would mean that first-party session cookies are “personal information” governed by the CCPA; the second interpretation would mean that first-party session cookies are typically not “personal information” governed by the CCPA. The net result is that there is ambiguity as to whether the CCPA governs first-party session cookies at all.
1. CCPA, Section 1798.140(o)(1).
2. CCPA, Section 1798.140(x).
3. CCPA, Section 1798.130(a)(5)(B).