Will the CCPA lead websites to have EU-style cookie banners?


The CCPA defines the phrase “personal information” to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1  The CCPA includes a non-exhaustive list of data types that fall within that definition including “unique personal identifiers,”2 a term that is itself defined to include “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”3  As a result, the CCPA appears to treat persistent tracking cookies – such as those used by behavioral advertising networks – as “personal information” or a method of capturing “personal information.”  If a business collects “personal information” it is required under the CCPA to provide California residents with a privacy disclosure “at or before the point of [information] collection.”4

In situations in which a website operator deploys its own persistent tracking cookie, the website can presumably provide a description of its privacy practices via its own privacy policy linked at the bottom of the website.

In situations in which a website deploys the tracking cookies of a third party (e.g., behavioral advertising network cookies), it is unclear how the business that owns and controls the tracking cookie (i.e., the behavioral advertising network) will be able to provide California consumers with its privacy disclosure “at or before the point” of information collection, unless the cookie-owner requires that any website that deploys its cookie provide a copy of the cookie-owner’s privacy notice.  This might be accomplished, for example, by requiring websites to deploy a cookie banner that contains links to the privacy notice of each cookie that deploys on the website.