The California AG’s comments depart from the position of global regulators on the treatment of session cookies under the CCPA.
In the lead-up to the publication of the Final Regulations, the AG entertained thousands of comments. Many commenters asked whether “session cookies” were personal information.
“Exempt session cookies from CCPA’s definition of ‘unique personal identifier.’ Session cookies are required for many websites to function and, unlike persistent cookies and tracking cookies, are automatically deleted by a browser when the user closes the browser.”
From the AG:
“Civ. Code § 1798.140(x) defines ‘unique identifier’ or ‘unique persistent identifier’ as a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services. If a session cookie cannot be used to recognize a consumer, family, or device that is linked to a consumer or family, over time and across services, it would not fall within this definition. This conclusion, however, is fact-specific and contextual.” Appendix A, Comment 892
“To the extent that the comment asks whether the IP address it collects are “personal information,” and thus subject to the CCPA, that is fact-specific and contextual determination. The commenter should consult with an attorney who is aware of all pertinent information facts and relevant compliance concerns.”
-Appendix A, Comment 401