Digital technology background showing cookie tracking under GDPR and CCPA

Tracking the Trackers: Cookies Are Subject to Opt-In Under GDPR and a Sale Under the CCPA

Those little automated data tracking mechanisms are subject to special treatment, consent, opt in and opt out requirements under the two most important global consumer privacy regulations in effect today.  Have you properly accounted for cookies in your data privacy compliance?

A 2020 study noted that of the cookies compiled from 10,000 websites, 99% of them were for user tracking or serving targeted advertising and many companies are not fully aware of the risks of using or allowing third parties to use their websites for these ubiquitous tools.

Concerns over the aggressive use of user tracking in the form of “trojan” cookies, privacy implications on the collection of personally-identifiable information like usernames, emails and financial and health information, and the use of personal information in behavioral prediction led to the adoption of enhanced regulation and consent laws for cookies, most notably in the European Union’s General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”).

Legislation relating to the use of cookies applies to all types of cookies regardless of use or type. Companies need to be aware of how these data protection and privacy regulations implicate their business goals, what liability exists for compliance failures, and whether and how any exemptions apply.

What are cookies?

Cookies are small pieces of data that are created when a user visits a website. The website sends the data to the user’s computer, which stores it in the user’s web browser. Cookies consist of information about the user’s interaction with the website, such as pages visited, buttons clicked, website preferences, or other activity.

For example, a cookie might be used to temporarily remember items in the user’s shopping cart in an online store while the user is browsing the website. Or cookies might store information that the user has previously entered into form fields, such as name, address, or password. Or cookies may store information to help the webpage load faster in subsequent navigation. Cookies can also contain personal information, such as an IP address, email address, unique identifier, or a username.

All cookies are associated with a particular website. First-party cookies are created by the website actually visited by the user. Third-party cookies are created by advertisers, data aggregators and other websites and are included in a website structure when the first-party website adds advertising, social media plugins, or web analytics tools to its website.

So-called tracking cookies may be used to store user activity on a website over multiple visits over time, and in the case of third-parties who provide resources to multiple different websites, can be linked to the user who visits multiple websites–each containing a resource from the same third-party.

This is the mechanism by which cookies are used to track users across websites and even devices and allow third-parties to build a user’s browsing history to serve more relevant advertising. Many websites are not even aware of all of the third- or fourth-parties that are given permission to create and store cookies, because third-party resources may themselves contain code to additional parties, creating a chain of user tracking called “trojan” cookies.

GDPR and cookies

Any cookies capable of identifying an individual are personal information under the GDPR.

GDPR requires user permission for collection of personal information and acknowledges that cookies can contain or be combined with unique identifiers. In these situations where cookies can identify an individual, cookies are considered “personal information.”

Cookies, like other personal information, are subject to the GDPR’s standards of consent.

Under Article 4(11), ‘consent’ of the user means any “freely given, specific, informed and unambiguous indication of the user’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Exemptions from consent requirements according to proposed ePrivacy Regulations.

Proposed ePrivacy Regulations have yet to be adopted but are expected by the end of 2020. They contain exemptions to GDPR consent for creation of cookies.

ePrivacy Regulation: communications exemption to the consent requirement.

The creation of cookies does not require consent when the cookies are solely used to facilitate communication over a network. Cookies within the scope of this exemption include those used for identifying communication origins and destinations, for numbering data packets so information is transmitted in the correct order, or for detecting errors in communication.

ePrivacy Regulation: strictly necessary exemption to the consent requirement.

The creation of cookies does not require consent when they are (i) to deliver a service over the internet and (ii) were requested by the user. Examples are cookies to keep track of items in a user’s online shopping cart and cookies that record a user’s language preferences.

How to obtain consent to create and use cookies.

We strongly encourage companies to seek advice when setting up the click-through process for obtaining user consent for cookies.  The rules are intricate and creativity can be punished. At base, a pop-up banner or link should allow users to opt-in (as opposed to opt-out) to consent of non-necessary cookies. Consent must be explicit. Methods of obtaining implied consent or ‘soft opt-in’ are invalid. For example, pre-ticking checkboxes for a user to agree to is not allowed. All cookies besides those strictly necessary for the function of the website must be subject to affirmative opt-in. Creating or modifying user cookies other than those strictly necessary for functionality is not allowed prior to the user affirmatively opting-in to receive those additional cookies.

Users are allowed to change their minds and must be able to alter or revoke their consent at any time. Documentation of this consent must be stored by the website and may be requested by regulators.

CCPA and cookies

Third-party cookies and some first-party cookies are considered personal information under the CCPA.

The CCPA includes a non-exhaustive list of data types that fall within its definition of personal information. That list includes “unique personal identifiers,” a term which itself is defined as including “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”

Third-party cookies are personal information, but it is unclear whether this language includes all first-party cookies, because first-party cookies typically do not track the consumer over time and across websites or devices. However, as a best practice, the use of first-party session cookies should be disclosed in the business’ website privacy policy.

Third-party cookies are treated differently depending on whether they come from service providers or non-service-providers.

Third-party cookies fall into two categories: service provider cookies and non-service provider cookies. Whether a third-party is a service provider depends on the nature of the business relationship with the third-party. A service provider is an entity under contract to perform a service for the company and in order to provide that service also processes personal information on behalf of the company.

This is relevant to cookie use because the CCPA imposes certain restrictions on the “sale” of personal information to third parties (such as through the use of cookies).  “Sale” is broadly defined under the CCPA but contains an exception for situations in which personal information is shared with a “service provider”, subject to certain conditions. Whether the service provider exception applies to third-party cookies depends upon the contract in place (or terms and conditions) with the third party and compliance therewith.

For a third party to be a “service provider,” it must have a contract with the company who collects personal information that, among other things, provides for the processing of personal information “on behalf of a business” and “prohibits the [third party] receiving the personal information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.”   Notably, the CCPA does not restrict either party’s ability to “collect, use, retain, sell, or disclose consumer information “that is “deidentified or in the aggregate consumer information.”

As an example, advertisers and analytics companies operate by aggregating cookie information across all of their affiliated websites and sources and using the aggregated information for better ad targeting / analytics tools. Advertisers and analytics companies must carefully examine their arrangements with first-party websites to ensure a proper business purpose, and any cross-client aggregation and use of personal information in the form of cookies must be done in a deidentified or aggregated manner designed to comply with the CCPA requirements and the individual users’ other rights.

The Proposed Regulations to the CCPA expressly state that cross-client use of personal information disqualifies a third-party from being a service provider. This is unlikely to change, but we will be keeping an eye on this point.

Cookies are subject to users’ rights to opt-out of the sale of their personal information, unless the service provider exception applies.

Given that third-party cookies are squarely in the definition of personal information, third-party non-service provider cookies may fit the definition of “sale” and would be subject to the users’ rights to opt-out.  However, third-party service provider cookies may be excluded from the definition of “sale” as discussed above, and therefore excluded from the users’ sale opt-out rights.

Many companies are still not fully aware of the risks of using cookies or allowing third parties to use their websites for #usertracking or serving #targetedadvertising. #GDPR #CCPA #respectdataClick to Tweet
Browser plug-ins restricting the creation of cookies must be honored under the current proposed regulations to the CCPA.

The proposed regulations to the CCPA state that “[i]f a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted… for that browser or device, or, if known, for the consumer.”

We do not have much clarity on this requirement yet; however, operationally, this will be difficult to implement as there is no standard technology for these plugins, nor a standard procedure for honoring these requests. We will be keeping a close eye on developments in this area as well.


Corporate Special Council at Baker Botts
Corporate Partner at Baker Botts
Intellectual Property Associate at Baker Botts