The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
The CCPA defines the phrase “personal information” to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 The CCPA includes a non-exhaustive list of data types that fall within that definition including “unique personal identifiers,”2 a term that is itself defined to include “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”3 As a result, the CCPA appears to treat persistent tracking cookies – such as those used by behavioral advertising networks – as “personal information” or a method of capturing “personal information.” If a business collects “personal information” it is required under the CCPA to provide California residents with a privacy disclosure “at or before the point of [information] collection.”4
In situations in which a website deploys the tracking cookies of a third party (e.g., behavioral advertising network cookies), it is unclear how the business that owns and controls the tracking cookie (i.e., the behavioral advertising network) will be able to provide California consumers with its privacy disclosure “at or before the point” of information collection, unless the cookie-owner requires that any website that deploys its cookie provide a copy of the cookie-owner’s privacy notice. This might be accomplished, for example, by requiring websites to deploy a cookie banner that contains links to the privacy notice of each cookie that deploys on the website.
1. CCPA, Section 1798.140(o)(1).
2. CCPA, Section 1798.140(o)(1)(A).
3. CCPA, Section 1798.140(x).
4. CCPA, Section 1798.100(b).