Have you ever looked at a product online and realized it was following you around the internet? Have you ever visited a different website and seen the item you were just thinking about purchasing? These friendly reminders are due to cookies–small text files stored on your browser when you visit or interact with a website or advertisement.
In order to deliver ad content, cookies assign website visitors “unique identifiers”, which are used to track people on an individual level across the internet. These unique identifiers are considered by the CCPA (and the GDPR) to be “personal information.” Because targeted advertising generates significant revenue to companies within the ad tech ecosystem, and relies on unique identifiers to identify an individual to whom an advertisement will be shown, privacy advocates have argued that website publishers will need to provide an opt-out to consumers once the CCPA becomes effective in January 2020.
The argument works like this. The CCPA requires that businesses provided an opt-out where they sell the personal information of Californians. The definition of “sale” includes “making available” personal information in exchange for money or other “valuable consideration.” Neither the CCPA, nor the proposed Regulations, define what “valuable consideration” means. Privacy advocates argue that by allowing third parties, such as Google, to place tracking cookies on the browsers of website visitors, the website has “made available” the personal information of Californians. And what is the valuable consideration? Participation in the targeted advertising ecosystem, which in its current form relies on tracking cookies to optimize ad placement.
This argument is not universally accepted, and the adtech community has raised some good arguments against such a reading of the CCPA. For one, many websites don’t allow targeted advertising on their sites, in which case it is difficult to see what valuable consideration the website is receiving in return for allowing tracking cookies on its website. The actual sale of personal information arguably occurs between adtech companies—data aggregators, ad brokers—and not by the website publisher or advertiser. But these are only theoretical arguments at this stage. There is no clear consensus. The California Attorney General, notably, has remained silent on the issue.
In the meantime, for online retailers, media, and tech companies with sophisticated digital advertising, it is worth considering the alternatives if tracking cookies eventually require an opt-out. One idea is to broaden the scope of advertising so it is not performed on an individual level, but rather on a group level. Before the advertising industry was able to target individuals, they targeted groups of individuals whom they believed to have similar interests based on a variety of factors. Contextual advertising – in which advertising is placed by evaluating the content of a website — may also be explored as an alternative to individual targeted advertising. Both methods are a less precise way of targeting ads, but adopting these advertising models would arguably preclude a business from being categorized as “selling” personal information.
Neither the CCPA nor the proposed CCPA Regulations directly address whether use of tracking cookies requires an opt-out. But even if the final Regulations come down on the side of narrowly defining sale in a way that excludes tracking cookies, online retailers and other businesses may need to prepare for a world where tracking cookies are used less freely. This is particularly true for global companies subject to the GDPR, where the currents are clearly moving toward more robust disclosure requirements and an opt-in model for tracking cookies. As more and more states consider CCPA-like privacy laws, it may only be a matter of time before U.S. states adopt a European view of tracking cookies. Businesses will need to consider the privacy implications of their digital advertising practices and adjust their practices accordingly.