Generally speaking, cookies simply are data files saved to a user’s computer. Certain cookies may qualify as “personal information” under the CCPA, since the CCPA defines “unique personal identifiers,”1 to include “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”2
Some cookies allow websites to perform essential functions, like remembering which products you selected for purchase and placed into your shopping cart. These cookies are often referred to as “essential” cookies. Other cookies feed information to retailers, site operators or others who have an interest in which sites a browser visited or other activity on the web browser these are often referred to as “analytics” cookies. A third category of cookies are designed to facilitate targeted advertising to a consumer by tracking a web browser’s viewing behavior and/or correlating that viewing behavior with other information known about the browser or the consumer that likely controls the browser. These are often referred to as “advertising” cookies or “behavioral advertising” cookies. In each case, cookies are simply data files stored on a computer.
What distinguishes a “first party” cookie from a “third party” cookie is the identity of the entity or website storing the cookie on the computer. In the case of “first party” cookies, this is the entity or site that is being visited. For example, a cookie that remembers the previous high score in a game may be installed by site on which the game is played.
“Third party” cookies, by contrast, are data files installed by another program (typically an advertisement of other code that is present on the site but not owned or controlled by the site owner) or that is separate and distinct from the site that is being visited. Third party cookies are frequently used by advertising agencies and other entities to track users’ activity across sites and over a longer period of time.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, Section 1798.140(o)(1)(A).
2. CCPA, Section 1798.140(x).