Does the CCPA apply to cookies that are used for data analytics?

It is not clear.

The California Attorney General was asked to clarify whether the CCPA applies to a website that utilizes “cookies to track traffic” assuming that such cookies were not utilized to sell data or to market products.1  The Attorney General refused to provide guidance stating only that the determination as to whether cookies that track website traffic (e.g., analytics cookies) are governed by the Act “raises specific legal questions that may require a fact-specific determination.”2  The Attorney General further advised a business that utilizes such cookies to “consult with an attorney who is aware of all pertinent facts and relevant compliance concerns.”3

Although the California Attorney General did not specify what “facts” and “concerns” he believes are relevant to the analysis, whether an analytics cookie is governed by the CCPA arguably turns on the Act’s definition of “personal information.”

The phrase “personal information” is defined within the CCPA to mean any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”4 The CCPA includes a non-exhaustive list of data types that might fall within that definition.  That list includes “unique personal identifiers,”5 a term which itself is defined as including “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”6  When the qualifiers found within the definition of “personal information” are combined the CCPA suggests that an analytics cookies should not be considered personal information regulated by the statute unless, at a minimum, the following three conditions are met:

  • The analytics cookie is persistent (i.e., tracks “over time”),
  • The analytics cookie is used to track across multiple websites (i.e., “across different services”), and
  • The analytics cookie can “reasonably be linked” to a particular consumer or household (as opposed to a particular device that may, or may not, be shared among a number of individuals).