CCPA Privacy FAQs: If a company collects personal information through a cookie, is it required to provide a consumer with a privacy policy?


Section 1798.100(b) of the CCPA states that a “business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”  Plaintiffs and consumer advocates are likely to argue that this requirement applies to information collected through “cookies” based upon the following:

  • The CCPA defines the term “collects” as including situations in which a business “buy[s], rent[s], gather[s], obtain[s], receiv[es], or access[es]” personal information by “any means.”1
  • The CCPA defines “personal information” to include “unique identifiers” which includes “persistent identifier[s] that can be used to recognize a . . . device that is linked to a consumer . . . over time and across different services, including, but not limited to . . . cookies.”2

It is worth noting, however, that notifying a consumer about the type of information collected and the purpose of the collection does not necessarily mean distributing to the consumer a full privacy policy.  The statute does not require, for example, that the notification must be in writing or that the notification must include other types of information that are typically present in a privacy notice (e.g., information on the company’s practices with regard to sharing, etc.).  As a result, it is possible that a company that collects information across websites through the use of cookies is able to fulfill its obligation to inform consumers of the data that it collects and its use for that data orally, contextually, or via a third party (e.g., via the privacy policy of company A that might intend to transmit the information to company B).

Some companies that collect information across websites through the use of cookies (i.e., third party behavioral advertisers) may also take the position that their cookies do not fall within the definition of “unique identifier” (and, through that, the definition of “personal information”) because their cookies are not “persistent.”  For example, they may argue that if their cookie is set to expire in 90 days or 60 days it should be considered transient in nature.  California’s courts and the California Office of the Attorney General have not interpreted whether cookies with set expiration dates should be considered “persistent” for the purposes of the CCPA.