it is not clear whether persistent third party cookies do, or do not, constitute “personal information” under the CCPA. Among other things, whether the cookie can “reasonably be linked” to a particular consumer or household (as opposed to simply a particular device that may, or may not, be shared among a number of individuals) may be determinative.
Assuming that a third-party persistent cookie does constitute “personal information” under the Act, the California Attorney General has made clear that the Act’s requirement that consumers be provided with a “notice at collection” does not necessitate that websites that utilize third party cookies deploy a pop-up cookie notice. Indeed, in response to a request that the Attorney General clarify that a pop-up cookie notice is required by the Act, the Attorney General stated:
A pop-up notice is not required but businesses have discretion to determine how to provide notice in compliance with § 999.305 [Notice at Collection of Personal Information], which requires that the notice be readily available where consumers will encounter it as or before the point of collection.1
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. FSOR Appendix A at 49 (Response 164) (emphasis added).
2. CCPA Reg. § 999.305(c).