In some California privacy cases, analytics trackers are in the crosshairs — and violators could be charged by the cookie | International Association of Digital Marketing Professionals (IADMP)

“Why would I care about cookies?”

The question was one privacy lawyer Odia Kagan heard from a client back before January 2020 when California’s privacy law went into effect, and companies engaged in cookie tracking thought there might be more wiggle room with the law. Back then, said Kagan, who serves as chair of the GDPR compliance and international privacy practice group at Fox Rothschild, it wasn’t clear whether or not cookies or trackers were going to be an enforcement priority in California.

Now, as enforcement letters stream out to advertisers, social media sites, data brokers and ad tech firms from the California Attorney General’s office, it is clear that California Consumer Privacy Act enforcement is not just about data breaches. It’s about cookies and tracking technologies — including analytics trackers. And the penalties for violations could be steep.

CCPA-related enforcement letters sent to companies recently by Rob Bonta, the state’s AG, make clear his position that data tracking for advertising and analytics purposes, including cookie-based tracking, fits within the CCPA’s definition of a data “sale.” Multiple lawyers Digiday spoke to say letters companies have received, ask them to provide details about data sharing specifically in relation to their use of cookies and other tracking technologies for ads and analytics.

These recent signals from the AG are “kind of narrowing down the gray area that some people were assuming,” said Kagan.

In addition to indicators from specific enforcement letters, lawyers are reading the tea leaves left in a series of generic CCPA case examples the agency published on July 19 which show evidence of enforcement around tracking for analytics purposes and opt-out notices.

Analytics trackers are “definitely something to pay attention to”

In one case example published by the AG’s office, an unnamed social media firm was accused of non-compliance after sharing personal information about people’s website activities with third-party analytics providers without providing appropriate notice or opt-out capabilities. “After being notified of alleged noncompliance, the company updated its privacy policy and removed all third-party trackers from its app and website,” stated the case description.

This sign that data sharing via analytics trackers could constitute a data sale “is definitely something to pay attention to [because] this is something that the AG is looking at,” said Kagan.

Lee said there are a variety of factors the AG might take into consideration when assessing compliance when it comes to analytics trackers — such as which entities are involved in data flows, what analytics trackers are used for and whether they are tracking people across multiple sites or offline. “There is a lot of nuance in how these tools work, so it’s hard to create a bright line rule,” she said.

A separate violation for each cookie could add up

Much of the enforcement activity thus far revolves around so-called notice-to-cure letters which serve as fact-finders and warning notices to companies, asking for information and giving them a 30-day period during which they can work directly with the agency to make fixes that …read more

Source:: Digiday