CCPA Privacy FAQs: Does the CCPA require that a company allow consumers to opt-out (e.g., toggle off) analytics cookies?

It depends.

The CCPA requires that a business that “sells” personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”1  The CCPA broadly defines the term “sell” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration.”2  “Personal information” is also defined broadly as including any information that “could reasonably be linked, directly or indirectly, with a particular consumer or household” such as, in certain instances, IP addresses, unique online identifiers, browsing history, search history and “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”3

While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, whether the exception applies to analytics cookies operated by third parties may depend in part upon the contract in place (or terms and conditions) with the third party.4  Specifically, the service provider exception requires that the following three conditions be present:

  1. The transfer of information to the service provider must be “necessary” for the website’s business purpose.5 It is uncertain whether a court would view analytics cookies (and the information that they provide) as a necessity.
  2. The transfer of the information to the service provider must be disclosed to consumers.  Many websites arguably meet this requirement by disclosing their use of third-party cookies or analytics cookies in their privacy policies.
  3. The agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”6 Whether the contract in place with the provider of an analytics cookie meets these requirements may be a case-by-case inquiry.

In order to mitigate the risk that permitting analytics cookies to deploy on a website will be interpreted as a “sale” of information, a website has at least three options:

  1. Verify that the contract fits the definition of a “service provider.” If the analytics cookies are necessary for the efficient operation of the website, and if a website verifies that its contract with the analytics cookie provider qualifies as a “service provider,” the cookie can be placed without offering consumers the ability to opt out or toggle the cookie off.
  2. Ask for consent. The CCPA excepts from the definition of “sale” the situation where a “consumer uses or directs the business to intentionally disclose personal information.”7 As a result, if a website deploys a cookie banner, and a consumer agrees or “opts-in” to the use of analytics cookies, the website arguably has not “sold” information to the company that provides the analytics cookie.  Note that if the consumer agrees to the deployment of the analytics cookie, nothing within the CCPA would require the website to present them with an automatic ability to opt out of (i.e., toggle off) the cookie.
  3. Disclose the sale of information and offer opt-out. If an analytics vendor does not fit the definition of a “service provider,” and opt-in consent is not obtained, a website could disclose within its privacy policy that it is “selling” information (as that term is defined within the CCPA) to an analytics cookie provider.  Note, however, that if a company sells personal information, the CCPA requires that the company provide a “Do Not Sell My Personal Information” link on its homepage, and honor requests to opt out from such sales.8 Assuming that a business provides such a link, it is not clear that a mechanism currently exists for the business to communicate to analytics cookie providers that a particular consumer’s information cannot be collected.  One possible alternative might be to adopt a cookie management tool that provides consumers with the ability to “toggle off” the analytics cookie.  A cookie management tool solution, however, has not been validated by the Office of the Attorney General or California courts and may raise conceptual questions concerning whether the “toggle-off” feature is sufficient given that the consumer may be re-presented with a request to accept the analytics cookie the next time that the consumer clears their cache, or visits the website from a different browser.

The net result is that while the CCPA does not expressly require that websites offer to consumers the ability to “toggle-off” analytics cookies, some companies may offer such a feature as part of a risk mitigation strategy.