A common and misunderstood aspect of CCPA concerns website cookies. CCPA requires you to manage the data collected using website cookies, and that data is to be considered personal information. As such, your company must be able to link this data to the visitor and respond to privacy requests from the consumer. Nearly all such requests involve access to the data, and your third-party cookie vendor should provide that ability. Engage your vendor on CCPA compliance.
Cookies and consumers
Technically there are only two types of cookies. The first is the session cookie. Session cookies live a short life and die when you close the browser; when a website uses only session cookies, each visit is treated as a new visit. The second is the persistent cookie. Persistent cookies are stored on your computer and their lifetime is set by the website. Websites use persistent cookies for different purposes:
- Essential cookies – these cookies are used for basic features of the website to work. Examples of basic features include sign-in, sign-up, loading images, enabling selection of preferences, and so on.
- Functional cookies – these cookies are used so the website can analyze website usage. Examples of functional use include performance improvements, better user experience, optimizing image load or video performance, and so on.
- Advertising cookies – these cookies are used mainly for advertising purposes. They enable the website to display ads that are relevant to the specific visitor. Examples of advertising functions include data sharing with advertisers, social sharing, return-visit tracking, and so on.
In this article:
- Personal information & cookie profiling under CCPA
- State of cookies before CCPA
- State of cookies after CCPA
Personal information tracked with cookies
Cookies are simply identifiers with an expiration date. A cookie does not contain any personal information when created. It does not hold any personally identifiable data, and it does not scan your computer, browser data, or browser history. Most websites collect personal information only when you provide it on a form. Any information a cookie stores is usually encrypted. The website server knows what information is coded in the cookie, and it knows any information you provide. Because of how the internet works, the server is also aware of your likely location, time of visit, IP address, service provider, length of visit, web pages visited, clicks, frequency of clicks, search terms, and so on. Not all of this information is considered personally identifiable information, but it is personal information under CCPA (California Consumer Privacy Act).
Web servers can use third-party tools to profile you. Marketers can collate data from multiple websites and create a unique profile of you. This is often called web profiling, and it helps marketers target specific ads. For example, when you search for running shoes on one website and moments later visit an e-commerce site, you will likely be served an advertisement for running shoes. Another example: after you visit a website called xyz.com and start browsing other sites, you may be served ads for xyz.com.
Profiling with cookies and consumer privacy
Profiling using cookies is an essential tool for marketers. It is powerful and helps them spend advertising dollars effectively. Marketers can specifically target users based on the products they are likely to purchase. However, profiling can also be used maliciously, for example by trolls. Cookies can help in many other ways.
As a consumer you cannot prevent profiling entirely, but you can take precautions to protect your privacy. For example, you may use free browser extensions or third-party applications such as Ghostery to identify companies using cookies, and you may install CCleaner, which helps with session and cookie cleaning. A simpler approach is to configure your browser to prevent cookies from untrusted sites. The Chrome browser provides several advanced privacy settings, and we recommend that you explore them.
Chrome has several options that you can explore in its site settings. These allow you to set permissions for specific sites without changing the default settings, so you can treat trusted sites and untrusted sites differently.
You may also explore the cookie settings in Chrome or other browsers; this may help you prevent profiling. Additionally, most browsers provide a list of cookies by website and the estimated amount of data stored for each cookie.
State of cookies prior to CCPA
A study by advertising firms in 2018 examined 5 billion page impressions. The study states that users on web browsers block over 60% of cookies, and users on mobile devices reject over 70% of cookies, using tools and built-in browser settings to actively block them. Consumer awareness of the privacy risks of cookie tracking is at an all-time high, a substantial improvement over the past two decades.
The General Data Protection Regulation (GDPR) came into effect in 2018. This meant that websites had to change their privacy policies, cookie management policies, and more. GDPR and the EU ePrivacy Directive require that website visitors provide consent before the website deploys tracking cookies, and this consent must be saved. As a result, many websites deployed cookie consent management on their sites, and today a website visitor expects to see a familiar cookie consent banner. GDPR regulation of cookies implies:
- Personally identifiable information – A visitor may or may not provide directly identifiable information. However, an individual may be singled out by a combination of the data collected, which is enough for the regulation to apply.
- Accountability for cookies on the site – A website is accountable for all the data collected. The company is accountable for the safety, processing, and storage of collected data. This is more difficult to manage: websites often use third-party cookies, and data processing by third parties must be managed more carefully.
- Opt-in cookie consent – A visitor must be given a clear choice to opt in to or reject tracking using cookies. This choice must be obtained before any cookies can start collecting data.
- Manage consent – A visitor must have the ability to change (reject or accept) their consent. Additionally, a website must ask the visitor to update consent every 12 months, and each such consent must be recorded for future reference.
GDPR set the stage for how cookies should be managed on websites. Several large companies that operate in the EU have taken steps to apply these cookie management settings globally. GDPR did not apply to millions of California websites, and the EU barely has the resources to regulate within its own jurisdiction. Awareness had built up for change in California. The result: CCPA (California Consumer Privacy Act).
Right to privacy in California
The California State Constitution gives each citizen the right to pursue and obtain privacy (Article 1, Section 1). Several other state and federal laws protect the privacy of individuals. You may review a list of privacy laws that apply in California here.
Why the CCPA – California Consumer Privacy Act?
Officially AB-375, the California Consumer Privacy Act is intended to hold companies accountable for the use of consumer data. Beyond privacy, consumers have the right to control their data and its use. CCPA (California Consumer Privacy Act) is intended to give the consumer the right to control what happens to their personal information. Consumers now have certain enforceable rights regarding their personal information:
- Right to know what information is collected
- Right to know if their data is sold or shared
- Right to know 3rd parties that have access to their data
- Right to say no to the sale of their data
- Right to be forgotten
- Right to have access to data
- No discrimination upon exercise of rights
- and more…
State of cookies after CCPA
- Personal information – A visitor may not provide directly identifiable information. However, any information collected using cookies shall be considered personal information under CCPA (California Consumer Privacy Act).
- Cookies on the site – A website is accountable for all the data collected. The company is accountable for the safety, management, and storage of collected data. Websites that use third-party cookies must be able to manage the data collected.
- Know your third-party vendors – Cookies on websites are mostly from third-party vendors. It is critical to ensure that your vendor agreement clearly includes data protection and CCPA compliance clauses.
- Opt-out of sale of personal information – A visitor must be given a clear choice to opt out of the sale of personal information. The opt-out choice should be clear and easy to find. This opt-out of sale refers to all data.
- Manage opt-out and opt-in of sale of personal information – A visitor must have the ability to change (reject or accept) their consent, and each such consent must be recorded for reference.
Under CCPA (California Consumer Privacy Act) different types of cookies have separate treatment. Essential cookies are required for the proper operation of the website. Websites are not required to provide the ability to opt out of essential cookies. It is advisable to disclose their use, but websites are not required to allow visitors or users to disable essential cookies.
Functional cookies are used for multiple functions and potentially for web tracking. Some of these cookies may be required for the performance of the website, while other functional cookies may be optional. Under CCPA (California Consumer Privacy Act), websites are required to provide the visitor the ability to opt out of some functional cookies. Websites should place a clear description of each type of cookie used, how many cookies are used for each type, and the option to opt out of anything that is not mandatory for the website to function. These cookies may be first-party or third-party cookies. While the letter of the CCPA is not specific, the provisions of the act imply clear disclosure. Disclosure must include how cookies collect and use data, and the ability to opt out of non-essential cookies.
Clearly, advertising cookies fall under the purview of non-essential cookies. These may be first-party or third-party cookies. Under CCPA, data collected must be protected and you must be able to provide access to this data to consumers upon request.
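The two ideas above (session versus persistent cookies, and opt-out applying only to non-essential cookie categories) in working form, as an added example that is not part of the original article or any vendor's product. The cookie names, the category registry and the sample response headers are constructed for illustration; a real site would populate the registry from its own cookie inventory.

```javascript
// Added example, not the article's own code; cookie names and categories are constructed.
const COOKIE_REGISTRY = { sessionid: "essential", perf_sample: "functional", ad_id: "advertising" };

// Parse one Set-Cookie header value: name, value, attributes, lifetime class and category.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  // Without Expires or Max-Age the cookie is a session cookie and dies with the browser.
  cookie.persistent = "expires" in cookie.attrs || "max-age" in cookie.attrs;
  // Unregistered cookies cannot be disclosed as essential, so they count as non-essential.
  cookie.category = COOKIE_REGISTRY[cookie.name] || "unknown";
  return cookie;
}

// Count cookies per category, which is what a cookie disclosure page lists.
function countByCategory(headers) {
  const counts = {};
  for (const c of headers.map(parseSetCookie)) counts[c.category] = (counts[c.category] || 0) + 1;
  return counts;
}

// Apply the visitor's choice: essential cookies always pass; everything else
// passes only while the visitor has not opted out of sale of personal information.
function filterByConsent(headers, optedOut) {
  const kept = [], dropped = [];
  for (const c of headers.map(parseSetCookie)) {
    (c.category === "essential" || !optedOut ? kept : dropped).push(c);
  }
  return { kept, dropped };
}

// Constructed sample response headers.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure",
  "perf_sample=1; Max-Age=2592000; Path=/",
  "ad_id=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.example.com",
  "tracker=1; Max-Age=31536000",
];
console.log(countByCategory(SAMPLE_HEADERS), filterByConsent(SAMPLE_HEADERS, true).kept.map((c) => c.name));
```

With the opt-out set, only the essential session cookie survives; the unregistered `tracker` cookie is treated as non-essential because nothing on the disclosure page can vouch for it.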
Consent management (A good practice and not necessary under CCPA)
Websites must start to implement clear consent management. We recommend consent management for all websites, and it should include the ability to opt out. Opt-out consent management does not adversely affect the way websites do business today. Most companies that use email marketing have already incorporated consent management; websites need to extend this to their website visitors.
Companies now need to manage consent across all functions, and websites need to track visitor cookie preferences. CCPA is clear about opt-out consent for adults. It is also clear about opt-in consent for children and young adults. However, it is still unclear how to implement both types of consent for different types of visitors. We expect to provide an update when this clarity emerges. Finally, websites need an integrated consent management system that also includes the ability to share consent with third-party partners.
Consent management systems must also have one additional capability: they should be able to recognize the visitor across the multiple devices the visitor uses and track consent across those devices. This implies deploying advanced cookie tracking capabilities across multiple devices, including mobile phones, tablets, and computers.
CCPA does not have a requirement on cookie banners and their usage. However, it does have a clear requirement for a 'Do not sell my personal information' link on the home page. There is a need to provide clear consent management. We recommend that websites do not use a cookie banner, and that they instead place a clear link on their home pages to manage cookie preferences. This differs from how GDPR compliance uses a cookie banner. For technical reasons or reasons of consistency, you may use a cookie banner for both.
In conclusion, CCPA has several requirements about cookies and consent management:
- Detail of each cookie used and its purpose
- Collect, manage, store, and secure personal information collected using cookies
- Manage 3rd party vendors for CCPA compliance and data protection
- Track consent across multiple devices (see household requirement under CCPA)
- No requirement for cookie banner
- Recommend placing a link on home page for consent management (a good practice, not a CCPA requirement)