When California's Office of the Attorney General submitted the final California Consumer Privacy Act regulations package to the Office of Administrative Law, it also included a "Final Statement of Reasons" with six appendices comprised of more than 500 pages of comments and responses. One of the many topics that the attorney general’s office was confronted with concerns the CCPA’s treatment of cookies and other tracking technologies. As discussed below, while the office provided some clarity, many questions remain unanswered.

Does the definition of 'personal information' cover all cookies?

The CCPA’s definition of “personal information” includes “unique personal identifier,” which is defined as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology ... .” Commentators have queried whether the phrase “persistent identifier” modifies the subsequent list of examples, suggesting that, if yes, then perhaps session cookies would be excluded.

In Response #892 in Appendix A, the office confirmed as such, citing the definition of unique personal identifier and stating, “If a session cookie cannot be used to recognize a consumer, family, or device that is linked to a consumer or family, over time and across services, it would not fall within this definition.” The office, however, qualified its position by saying, “[t]his conclusion, however, is fact-specific and contextual.”

Despite the disclaimer, this response suggests that the office does not view session cookies as personal information.

Are third-party advertising cookies and similar tracking technologies 'sales'?

Privacy advocates have taken the position that third-party advertising cookies and similar tracking technologies constitute "sales" triggering the CCPA’s right to opt out. Consistent with that position, last year, the California state Senate considered a bill that would have amended the definition of “sale” to exclude instances in which, “pursuant to a written contract, the business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer” provided that the contract prohibits the other business or third party from using such information outside of that limited purpose. That bill was withdrawn in April 2019 after privacy advocates argued that it would exclude some of the very transfers that the CCPA was intended to allow consumers to opt out of.

Conversely, some businesses — most notably, Facebook — have taken the position that the use of tracking technologies are not sales.

The attorney general’s comments in the "Final Statement of Reasons" confirm that the office considers this determination to be highly fact-specific.

When asked to “clarify the definition of ‘sale,’ including whether [the] use of website cookies shared with third parties are a sale,” the office refused to take a definitive position, stating that whether “the particular situations ... constitute a ‘sale’ raises specific legal questions that would require a fact-specific determination, including whether or not there was monetary or other valuable consideration involved, the consumer directed the business to intentionally disclose the information, and whether the parties involved were service providers.” (See Appendix A, Response #47.)

The attorney general gave a similar response when asked to state whether the use of Google and Adobe Analytics constitute sales, stating it “require[s] a fact-specific determination.” (See Appendix A, Response #533.)

Further, the office’s comments with respect to the use of advertising on other websites suggest that it may accept, under limited circumstances, that tracking is not a sale. (See Appendix A, Response #519.) There, the commentator posited that service providers should not “add data about the consumer to any profile that may be used to tailor advertising to that consumer on a different, unrelated website.” The office accepted the comment in part, but made the following clarifying statement:

“The comment, however, mentions that ads should not be shown on other websites, but such a limitation would violate the CCPA and/or is unnecessary.  The CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website. See Civ. Code § 1798.140(d)(5). Prohibiting a service provider from placing such ads is also unnecessary because the CCPA would not prohibit the business’s own marketing department from placing the same ads itself. This provision of advertising services, however, does not relieve the service provider from its obligations to not share the personal information of the consumer with third parties and does not allow the service provider to use the personal information to provide advertising services to other businesses.”

This response could be interpreted to remove the use of tracking technologies from “sales” under certain limited circumstances, i.e., if the other entity agrees to the CCPA’s “service provider” limitations, including, among other things, only using the personal information for the business’s purposes.

That said, Section 999.315(d) of the final regulations requires businesses to “treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request” to opt out. This suggests that the office views a business’s tracking of users across websites and devices as potential sales; otherwise, there would no need for this requirement.

Ultimately, the conclusion is that the office is unwilling to take a firm position on this issue because it considers the question of whether cookies and other tracking technologies are sales to be nuanced and fact-specific.

Does the use of a cookie banner or cookie manager tool qualify as an exception to the definition of 'sale'?

Assuming third-party advertising cookies and tracking technologies qualify as sales, commentators have questioned whether the use of cookie consent banners or cookie manager tools would exempt websites from having to provide the right to opt out of sales.

By way of explanation, the CCPA’s definition of sale excludes instances in which a “consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title.” The CCPA clarifies that “[a]n intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.”

In light of that definition, commentators have queried whether the act of a consumer “accepting” cookies or toggling cookies on in a cookie manager tool would qualify as an “intentional interaction,” assuming that there is not a further “sale” of personal information by the other entity. 

Unfortunately, the office did not squarely address this issue. However, it did note in Response #227 to Appendix C that “Civil Code § 1798.140(t)(2)(A)’s exception to the definition of 'sale' is very narrow. It requires the consumer’s intentional disclosure or interaction with the third party and only applies when the third party does not also sell the personal information.” Yet, the fact that the exception may be “narrow” does not necessarily mean that the use of cookie consent banners or cookie manager tools does not fall within the exception.

Conclusion

In the end, those who were looking for the final regulations to bring clarity to this topic will be disappointed. Although the office’s responses provide some helpful insights, the attorney general’s comments leave many unanswered questions. Until more clarity is provided from the office or through enforcement actions, businesses are left to conduct their own analysis.

Photo by Joseph Barrientos on Unsplash