The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Is a cookie considered “personal data?”
The terms “personal data,” “personal information,” or “personally identifiable information” are used in various statutes and regulations in different contexts and are assigned different meanings. For example, the term “personal information” is defined under most state data breach notification statutes as referring only to name in combination with a small sub-set of data fields viewed by legislators as being particularly sensitive, such as Social Security Number.
For the purpose of California’s CCPA the phrase “personal information” refers to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 The CCPA includes a non-exhaustive list of data types that fall within that definition. That list includes “unique personal identifiers,”2 a term which itself is defined as including “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”3 As a result, the CCPA appears to treat persistent cookies – such as those used by behavioral advertising networks – as “personal information,” but session cookies may fall outside of the definition.
Personal data is similarly defined by the European GDPR as “any information relating to an identified or identifiable natural person.”4 The Article 29 Working Party has taken the position that when a cookie “[i]s not linked to identifiable data of a specific person” it can be considered “anonymous.”5
Conversely, if a company links a cookie to an identifiable person the cookie becomes part of the set of “personal data.” For example, the Working Party has opined that if a “customer fills an order form on the web site where the advertiser has placed the banner ad” then “identifiable data could be linked or merged with existing data already placed on a cookie, and provide for an identifiable profile of the person concerned.”6
1. CCPA, Section 1798.140(o)(1).
2. CCPA, Section 1798.140(o)(1)(A).
3. CCPA, Section 1798.140(x).
4. GDPR, Article 4(1).
5. Article 29 Working Party, WP 37: Privacy on the Internet – An Integrated EU Approach to On-line Data Protection, at 74, adopted on Nov. 21, 2000.
6. Article 29 Working Party, WP 37: Privacy on the Internet – An Integrated EU Approach to On-line Data Protection, at 74, adopted on Nov. 21, 2000.
[View source.]
