Click here to listen to the audio.

California’s Consumer Privacy Act goes live on January 1, 2020. It forces businesses beyond California to review their data streams and digital operations to determine if they must comply, and if they do, how to comply. One sleeper here is the issue of cookies.

Cookies in the internet sense are packets of data that a persons’ computer receives when visiting a website. These packets are sent back to the cookie sender without change. The delivered cookie gets stored in the computer of the browser (literally inside the web browser). Cookies help a website a person is visiting to track visits and activity on the website. Without a cookie sent by an online retailer, for example, every time one moves to a different page on a site, the visitor would need once again to supply account and other information – a terrible burden! But cookies also represent a potential threat, as disguised cookies can install viruses or malware on our computers, and supercookies and zombie cookies pose other threats to personal privacy.

Because a cookie can represent a third party that is accessing personal information of someone visiting a website, website owners and operators must consider whether the data streams arising from this use and the sharing with cookie senders amount to activity governed by the CCPA (or other states with similar or evolving data protection laws). Compliance may require changing a website operator’s notice to web visitors about how their personal data may be shared with such third parties or require other actions. This point is not limited to cookies but extends to pixels and API calls to third-party servers – any access that a site provides to third parties whose cookies are part of the activity when someone visits a site.