Practitioner's Corner is a monthly focus on topics of interest to in-house counsel in the implementation of their privacy programs.
To advertisers, publishers, and AdTech companies alike, it is not news that third-party cookies—which are used to support all kinds of online activity, but primarily known for their role in serving personalized ads—are facing particular scrutiny under the growing pro-consumer privacy wave in the United States. There is no better evidence of this trend than the CCPA, which specifically calls out unique, persistent identifiers such as those contained in cookies as a type of "personal information" for which businesses must provide transparency and consumer rights.
Google's recent announcement that it will phase out support for third-party cookies in its Chrome browser by 2022 (as part of its "Privacy Sandbox" initiative to build a more private online ecosystem) is causing businesses to reevaluate whether and how to use third-party cookies. At its most recent Annual Leadership Meeting, the IAB called upon its membership base to collaborate in developing a new digital advertising framework that relies on a new type of identifier in lieu of third-party cookies.
For consumer-facing businesses, the immediate issue is understanding to what extent they should change their third-party cookie practices today. We examine potential paths forward below.
Using Cookies Under the CCPA
At first glance, the statutory requirements appear straightforward: Prior to or at the point it collects personal information about a consumer, a business must notify the consumer about how it collects, uses, and discloses such information; and if the business sells such information, it must also disclose that fact and provide the consumer with an opportunity to opt-out (or opt-in, if the business knows that the consumer is 15 years old or younger). Third-party cookies, which can be used to persistently identify a consumer, family, household, or a device linked to them, are "unique personal identifiers" and therefore "personal information."
But as many businesses have discovered, operationalizing these requirements can present a number of challenges. The CCPA leaves open a critical question: Is deploying a third party cookie on a business's website a "sale"?
Sale means "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration." This covers a broad range of activities that businesses might not consider to be "sales" in the more traditional sense of the word. In particular, a sale occurs if a business "mak[es] available" personal information to a third party, which suggests that actively or passively enabling a third party to collect personal information is a sale (assuming there is consideration). If that's the case, the fact that a business places third-party cookies on its website suggests that there is a sale of personal data from the business to the third party. On the other hand, viewed from a more technical standpoint, the analysis might change. A business might argue that there is no sale because third-party cookies collect information for the third party directly (i.e., without the involvement of the business), which suggests that the business itself is not selling anything.
Looking Forward: Revival of "Do Not Track"?
The CA Attorney General's draft regulations under the CCPA further complicate the issue. As written, the draft regulations require that businesses honor user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism that communicates or signals the consumer’s choice to opt-out of the sale of their personal information. The February updates to the draft regulations add detail to the original proposal, stating that: (1) the global setting must be an affirmative opt-in (i.e., browsers cannot make the global setting "default on") and (2) if there is a conflict between the global privacy control and the user's choice, the business must respect the global privacy control but can inform the consumer of the conflict. If promulgated as currently written, the proposed CCPA regulations will effectively revive browser "do not track" signals and force businesses that sell personal information to honor them—despite a lack of standards around how to do so.
How Can Businesses React to This Uncertainty?
There is a clear trend in privacy law toward giving consumers more transparency and the ability to control disclosures of their personal information to third parties. Businesses may be well-served to look beyond the CCPA.
Understand your cookie practices: Businesses can proactively analyze how the third party services they use are collecting their users' personal information and identify the business purposes served by such collections. Businesses may be able to create "service provider" relationships with the third parties collecting such information. Businesses might also consider internal controls prior to the implementation of cookies to ensure risks are analyzed in advance.
Prepare to offer more comprehensive choices to consumers: Businesses can acknowledge the trend toward greater consumer choice by proactively offering consumers both global and granular choices with respect to personal information the business and third parties collect.
The CCPA introduced a lot of uncertainty into the online advertising ecosystem. The unresolved questions about the CCPA's application to cookies will continue to cause businesses, and particularly AdTech providers, to ask hard questions about their legal obligations and whether the changing AdTech landscape warrants a complete reevaluation of third party cookie use. Right now, the prudent course seems to be to start exploring technology options and tools that are less reliant on personal information collected by third-party cookies for personalized advertising.