First CCPA Fine Shows Need for Cookie Governance and Vendor Management


Last week the California Attorney General’s office announced a $1.2 million settlement with beauty retailer Sephora, the AG’s first monetary penalty for CCPA violations. Sephora has also agreed to a two-year consent decree with ongoing monitoring and reporting obligations. This enforcement action confirms the AG’s interpretation that: (1) for the personal information a company shares with the cookie, pixel, and tracking technology providers on its website not to be a “sale” under the CCPA, the company must have the specific CCPA-mandated contractual terms in place with each such provider, and (2) companies that engage in “sales” of personal information on their websites must honor the Global Privacy Control (GPC) signal from consumers who choose to use it.

If your company is in-scope for the CCPA and has been delaying digging into which third parties it allows to collect data from website visitors, this action is a reminder that it’s time to do so. If your company has a website and is like most other companies, it is likely using at least a few—if not dozens—of third-party tracking technologies to help with marketing, analytics, personalization, A/B testing, fraud, security, and a number of other legitimate use cases. Here are some steps to help get into compliance:

1. Confirm your company’s position on “sales”. The CCPA requires your company’s privacy policy to indicate whether or not your company sells personal information. If it does, you need a “Do Not Sell My Personal Info” link on every webpage where personal information gathered may be “sold.” Confirm whether your company appropriately discloses that it sells personal information, or has taken a position that it does not.

2. Understand what’s happening on your website. Take a trust-but-verify approach to exploring what types of third-party cookies, pixels, and tracking technologies your website uses. Trust your marketing, technology, and other stakeholder teams to tell you which third parties they use, even if they say that all the data is “anonymous” (when they do, dig deeper to understand whether the data is individual- or device-level; if it is, it’s likely personal information under the CCPA, even if it isn’t PII). Note too that “sharing” under the CCPA (a concept that raises obligations similar to those for “sales”) can include allowing third parties to access data through your website. Verify what your company shares by consulting website scans from the cookie consent solutions your company uses, or by visiting your website’s main pages and subpages with a browser plugin like Ghostery to see for yourself which third-party tracking technologies are collecting data.

3. Validate contract terms. If your company says it doesn’t “sell” personal information, or doesn’t have processes in place to block every third-party cookie, pixel, or tracking technology, make sure you have the CCPA-required contract terms in place to make each third party a service provider. The fact that your company has contracted with a vendor to receive services may not be good enough: the CCPA requires the vendor to commit to specific contractual terms, including terms that require it to use the data it receives solely to provide the services to your company. Many vendors’ online and other standard contract terms do not contain these required provisions, which could indicate that they are monetizing or making independent use of the data they collect from your website visitors. Under the CCPA, data shared with these vendors is likely a “sale.”

4. Validate opt-out protocols and honor GPC signals. If your company does “sell” personal information, make sure the protocols referenced from the “Do Not Sell My Personal Information” link on your website work to terminate data sharing with the third parties to which you “sell” personal data via cookies, pixels, or tracking technologies. Also, make sure that your website responds appropriately to GPC signals that individuals’ browsers send when they come to your site. If your company says it doesn’t “sell” personal information, make sure you stop use of any third-party cookie, pixel, or tracking technology from third parties that don’t agree to the CCPA-required service provider contract terms, or that your company changes its position on CCPA data “sales.”

5. Establish and reinforce responsibility for practices. The steps above are not one-and-done exercises. It’s likely that the third-party cookies, pixels, and tracking technologies used on your website will change as your business, staff, and vendors change. The marketing team may add new trackers from an ad agency or to try a proof of concept, the product or tech teams may add new analytics or A/B testing capabilities, and the security and fraud teams may add new solutions to help protect your site. All of this means that an ongoing cookie, pixel, and tracking technology governance framework is needed. Work to define accountability and responsibility for which teams can add or change these practices; set standards and expectations for the types of third-party data practices that are appropriate; establish and reinforce protocols to ensure that the third parties used align with those standards and expectations; and decide how ongoing compliance will be monitored (and by whom).
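To make steps 3 and 4 concrete, here is an added example (not code from the original post or from any vendor) of a server-side gate that only emits third-party tags from vendors with service-provider terms once a visitor has opted out, treating the browser’s Global Privacy Control header (“Sec-GPC: 1”, per the GPC specification) the same way as a click on the “Do Not Sell” link. The vendor names and the tracker inventory are constructed for illustration.

```python
# Added example, not from the original post: a minimal server-side gate that
# decides which third-party tags a page may load, honouring the GPC signal.
# Assumption (per the GPC specification): browsers send "Sec-GPC: 1" when
# the user has enabled Global Privacy Control. Vendor names are constructed.
import json
from dataclasses import dataclass

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive


@dataclass(frozen=True)
class Tracker:
    name: str                     # constructed vendor name
    purpose: str                  # e.g. "analytics", "advertising"
    service_provider_terms: bool  # CCPA-required contract terms in place?


def is_gpc_opt_out(headers: dict) -> bool:
    """True when the request carries Sec-GPC: 1 (any header-name casing)."""
    normalized = {k.lower(): v for k, v in headers.items()}
    return normalized.get(GPC_HEADER, "").strip() == "1"


def tags_to_emit(trackers, headers: dict, do_not_sell_chosen: bool) -> list:
    """Return the trackers that may load for this request.

    A vendor without service-provider terms is treated as a data "sale", so
    it is dropped once the visitor has opted out, whether via GPC or via the
    "Do Not Sell My Personal Information" link (do_not_sell_chosen)."""
    opted_out = is_gpc_opt_out(headers) or do_not_sell_chosen
    return [t for t in trackers if t.service_provider_terms or not opted_out]


def gpc_well_known(last_update: str) -> str:
    """Body for /.well-known/gpc.json, declaring that the site honours GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed inventory, the kind of list step 2 above would produce.
INVENTORY = [
    Tracker("analytics-vendor", "analytics", service_provider_terms=True),
    Tracker("fraud-vendor", "security", service_provider_terms=True),
    Tracker("ad-network", "advertising", service_provider_terms=False),
]

if __name__ == "__main__":
    request_headers = {"Sec-GPC": "1", "User-Agent": "constructed"}
    print([t.name for t in tags_to_emit(INVENTORY, request_headers, False)])
```

The same inventory, annotated with each vendor’s contract status, is the artifact step 5’s governance process should keep current as teams add or swap trackers.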

Each of the steps above was at issue, directly or indirectly, in the AG’s enforcement action, and along with announcing this settlement, AG Rob Bonta previewed his office’s view on website tracking technologies and data “sales” moving forward:

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.” (emphasis added).

Sam Castic is a partner with Hintze Law with 15 years of global privacy and cybersecurity experience. Sam counsels e-commerce, fintech, technology, telecom, social media, retail, and advertising clients from early-stage startups to the biggest global companies, on privacy and data protection.

Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.