By Aaron Bisla[i]
The California Consumer Privacy Act (CCPA) was enacted to address increasing concerns about the collection and sale of California residents’ personal information as online activities grew more frequent and more detailed.[ii] The CCPA provides data collection rights for California residents as well as regulations for certain businesses that sell personal information. However, the consequences under the CCPA for third-party analytic cookies were left open to interpretation. In response, an amendment addressing these gaps was created in the form of Prop. 24, which passed in November of 2020.[iii] The California Privacy Rights Act (CPRA) augments the CCPA and, as such, calls for a re-examination of the landscape of privacy and, in particular, the management of digital trackers as the law strives to keep pace with technology.
What are digital tracking technologies?
Digital tracking technologies are used to monitor user movements, preferences and activities across web pages to provide a personalized and efficient web browsing experience. Tracking technology records and analyzes a range of activities, from the frequency of web page visits to purchase histories. The two main types of digital tracking technologies are Cookies and Device Fingerprinting. The use of trackers to build user profiles across websites is known as Cross-Context Behavioral Advertising.[iv]
Cookies are small text files stored on devices by a website to enable more complicated functions related to persistent activity.[v] They can be classified as essential or non-essential based on their use. Cookies do not obtain personal information directly from a computer. However, they can be used to track users across different websites, allowing for the creation of detailed profiles based on user history.
Device Fingerprinting operates differently from cookies. Instead of storing information on a user’s browser or hard drive, a combination of computer and browser specifications unique to a user’s device is logged and retained to create a unique profile that may be used to track behavior across different websites. This enables a site to track browsing behavior without the use of persistent identifiers and subverts attempts by browsers to prevent the tracking of their users.[vi]
The use of these technologies is essential for many websites to function effectively, such as persistent cookies that remember items added to the ‘shopping cart’ on an online retailer’s website. However, the collection of information that can be combined and linked to individuals means that some companies will have to comply with notification and consent requirements tied to the collection and retention of personal information.
Treatment of Personal Information by CPRA v CCPA?
The definition of personal information includes any information that “identifies, relates to, describes […] or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[vii] If a business could use data to identify an individual, it is subject to the same restrictions that apply to processing personal information. This does not include publicly available information “that is lawfully made available from federal, state, or local government records.”[viii]
The CPRA enhances the CCPA by adding an enforcement mechanism as well as prescribing requirements for businesses that sell or share data. Additionally, the CPRA distinguishes between cross-context behavioral advertising and non-personalized advertising.
The CPRA’s language broadens from the sale of data to include the sale and sharing of data, which means that companies can no longer argue they do not actually sell data to other companies if any sharing with a third party for cross-context behavioral advertising also takes place, whether or not for monetary or other valuable consideration. Furthermore, the CPRA defines Cross-Context Behavioral Advertising as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”[ix] This means that businesses will have to offer consumers a right to opt out of third-party ads’ cookie collection happening on their website or app.[x]
The CPRA’s specificity in addressing cross-contextual behavioral advertising means that previous loopholes that companies could leverage when sharing data with third party advertisers are essentially closed.
Digital fingerprinting falls squarely under personal information under the CCPA if it is used to associate individuals or households with devices and track behavior across multiple websites. A combination of unique hardware or browser specifications can easily be used to “recognize a […] device that is linked to a consumer or family, over time and across different services.”[xi] Taken separately, a single piece of device data might not reveal much, but when that seemingly innocuous information is stored alongside other data points, it becomes statistically impossible to not link back to a unique device and user. If that information could reasonably link back to a consumer, it counts as personal information and is subject to the disclosure obligations of the CPRA.
Cookies often have more uses outside of device recognition. Analytic cookies in particular should meet at least three conditions to qualify as personal information. First, the cookie must be persistent.[xii] Second, the cookie must be used to track a user across multiple websites or services.[xiii] The third and final condition is whether the cookie can “reasonably be linked” to a consumer or household.[xiv]
The CPRA revised the CCPA’s definition of personal information. One notable exclusion refers to data that is “lawfully obtained, truthful information that is a matter of public concern” and information “made available to the general public by the consumer or from widely distributed media.”[xv] Additionally, there is a new sub-category with new rights attached to sensitive information.[xvi] The CPRA’s new rights for sensitive personal information include the right to limit the use and disclosure of such data, and apply to information such as social security number, government IDs, account log-in information with password, precise geographic location, racial or ethnic origin, religious or union membership, contents of mail, email or text message, genetic information, biometric information, personal health information, and personal information related to sexual orientation or activity.[xvii]
Treatment of Sale or Sharing under CPRA v CCPA?
The CCPA broadly defines sale as either disclosing or otherwise making available personal information “for monetary or other valuable consideration.”[xviii] This definition applies to the exchange for value of all consumer information, including sharing personal data captured by cookies and other tracking technologies with third parties. A business does not sell personal information when the consumer directs the business to “(i) intentionally disclose personal information or (ii) intentionally interact with one or more third parties.”[xix] This applies when businesses share “an identifier for a consumer who has opted out of the sale of […] personal information […] for the purposes of alerting persons.”[xx]
When websites authorize third-party behavioral advertising networks to access information transmitted by users, this counts as making the information available to another party and constitutes a ‘sale.’ In order to minimize risk when permitting other parties to deploy cookies, a website can ask for consent from the user, which would count as directing the “business to intentionally disclose personal information,” an exemption from the definition of sale.[xxi] Alternatively, the website could disclose that information is being sold to third parties and include a Do Not Sell or Share My Personal Information link on its homepage while honoring opt-out requests.
The CPRA seemingly closes the gap left by the CCPA regarding whether websites need to disclose the use of digital trackers if that data may not have constituted a “sale” to third-party advertisers. In considering CPRA compliance readiness, companies that do business with California residents should be prepared to clearly notify users when sharing personal information with third parties and provide an opt-out for the sale or sharing of personal information on their webpage.
While the CPRA’s amendments to the CCPA, in their entirety, do not become fully operative until January 1, 2023,[xxii] businesses should strive to become compliant with the updated law by January 1, 2022, in the context of the CPRA’s 12-month look-back provision. With the exception of the right to access, the CPRA will only apply to personal information collected by businesses on or after January 1, 2022.[xxiii]
The impact of newly enacted legislation cannot be immediately measured, but at the very least the updated definitions clearly indicate an intent to close some gaps and keep up to date with developments in the ad space. In the meantime, businesses that sell or share users’ personal information with third parties should clearly notify users and provide the opportunity to opt out, or risk being made an example of the California Privacy Protection Agency’s new regulatory powers.
[i] Aaron Bisla is a J.D. Candidate, Class of 2021 from the Santa Clara University School of Law and holds a CIPP/US certification from the International Association of Privacy Professionals.
[ii] CALIFORNIA CONSUMER PRIVACY ACT, 2018 Cal. Legis. Serv. Ch. 55 (A.B. 375) (WEST).
[iv] Ryan, Johnny. California Privacy Rights Act to define and limit “cross-context behavioral advertising.” 22 June 2020. https://bestofprivacy.com/privacy/california-privacy-rights-act-to-define-and-limit-cross-context-behavioral-advertising/
[v] Marshall Brain, How Internet Cookies Work. 20 March 2021. https://computer.howstuffworks.com/cookie.htm
[vi] Szymielewicz, Katarzyna and Bill Budington. The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers. 19 June 2018. 13 March 2021.
[vii] CCPA §1798.140(o)(1).
[viii] CCPA §1798.140(o)(1)(K)(2)
[ix] CPRA §1798.140(k)
[x] Engel, Serafin Lion. What Is CPRA (CCPA 2.0) And Its Implications for Ad Tech? 31 July 2020. 22 March 2021. https://www.admonsters.com/what-is-cpra-ccpa/
[xi] CCPA §1798.140(x)
[xii] CCPA §1798.140(o)(1)(A), (F).
[xiii] Bryan Cave Leighton Paisner LLP. Does the CCPA apply to cookies that are used for data analytics? 26 June 2020. 17 March 2021. https://www.bclplaw.com/en-GB/insights/does-the-ccpa-apply-to-cookies-that-are-used-for-data-analytics.html referencing §1798.140(x)
[xv] CPRA §1798.140(v)(2)
[xvi] CPRA §1798.140(v)(1)(L)
[xvii] JDSupra.com. California’s new privacy law, the CPRA, was approved: Now what? 10 November 2020. 21 April 2021. https://www.jdsupra.com/legalnews/california-s-new-privacy-law-the-crpa-93354/
[xviii] CPRA §1798.140(ad)(1).
[xix] CPRA §1798.140(ad)(2)(A).
[xx] CPRA §1798.140(ad)(2)(B).
[xxi] CCPA, §1798.140(t)(2)(A).
[xxii] See CPRA Prop. 24 Section 31. Effective and Operative Dates. https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf
[xxiii] JDSupra.com. Businesses Nationwide Face New Privacy Obligations Thanks To California Vote. 05 November 2020. 21 April 2021. https://www.jdsupra.com/leganews/businesses-nationwide-face-new-privacy-46342/ referencing CPRA Sec. 31.