CCPA and Session Cookies

The California AG’s comments are a departure from Global Regulators on the treatment of Session Cookies under the CCPA.

CCPA and Session Cookies – In the lead-up to the publication of the Final Regulations, the AG entertained thousands of comments. Many commenters asked about whether “session cookies” were personal information.

“Exempt session cookies from CCPA’s definition of ‘unique personal identifier.’ Session cookies are required for many websites to function and, unlike persistent cookies and tracking cookies, are automatically deleted by a browser when the user closes the browser.”

From the AG:

“Civ. Code § 1798.140(x) defines ‘unique identifier’ or ‘unique persistent identifier’ as a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family over time and across different services. If a session cookie cannot be used to recognize a consumer, family, or device that is linked to a consumer or family over time and across services, it would not fall within this definition. This conclusion, however, is fact-specific and contextual.”

-Appendix A, Comment 892

the extent that the comment asks whether the IP address it collects is “personal information” and thus subject to the CCPA that is fact-specific and contextual determination. The commenter should consult with an attorney who is aware of all pertinent information, facts, and relevant compliance concerns.”

-Appendix A, Comment 401

Follow us on LinkedIn:

Elevate your compliance efforts with BlueSky Privacy’s guidance and experience. Let us help you get it done. Schedule a call.