Does the CCPA require a cookie banner when a business uses third-party persistent cookies?

Bryan Cave Leighton Paisner


it is not clear whether persistent third party cookies do, or do not, constitute “personal information” under the CCPA.  Among other things, whether the cookie can “reasonably be linked” to a particular consumer or household (as opposed to simply a particular device that may, or may not, be shared among a number of individuals) may be determinative. 

Assuming that a third-party persistent cookie does constitute “personal information” under the Act, the California Attorney General has made clear that the Act’s requirement that consumers be provided with a “notice at collection” does not necessitate that websites that utilize third party cookies deploy a pop-up cookie notice.  Indeed, in response to a request that the Attorney General clarify that a pop-up cookie notice is required by the Act, the Attorney General stated:

A pop-up notice is not required but businesses have discretion to determine how to provide notice in compliance with § 999.305 [Notice at Collection of Personal Information], which requires that the notice be readily available where consumers will encounter it as or before the point of collection.1

The regulations implementing the CCPA further specify that a website can comply with the Act’s notice at collection requirements by “providing a link to the section of the business’s privacy policy that contains the information required.”2  This suggests that a website that contains a link to the privacy notice in its footer may satisfy the CCPA’s notice at collection requirements.

For more information and resources about the CCPA visit

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. FSOR Appendix A at 49 (Response 164) (emphasis added).

2. CCPA Reg. § 999.305(c).

[View source.]

Written by:

Bryan Cave Leighton Paisner

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide