“Why should I care about cookies?”
That was the question privacy attorney Odia Kagan heard from a client prior to January 2020, when California’s privacy law went into effect and companies involved in cookie tracking thought there could be more leeway with the law. At the time, said Kagan, chairman of the GDPR Compliance and International Privacy Practice Group at Fox Rothschild, it wasn’t clear whether cookies or trackers would be an enforcement priority in California.
Now that enforcement letters are pouring out of the California Attorney General’s office to advertisers, social media sites, data brokers, and ad tech firms, it’s clear that enforcement of the California Consumer Privacy Act isn’t all about privacy breaches. It’s about cookies and tracking technologies – including analytics trackers. And the penalties for violations could be steep.
These latest signals from the AG “sort of narrow down the gray area some people assumed,” Kagan said.
In addition to the indicators from certain enforcement letters, attorneys are reading the tea leaves in a number of general CCPA case studies the agency released on July 19, which show evidence of enforcement around tracking for analytical purposes and opt-out notifications.
Analytics trackers are “definitely something to watch out for”
That sign that sharing data through analytics trackers could be a data sale “is definitely something to look out for [because] that’s something the AG has in mind,” said Kagan.
Lee said there are a variety of factors the AG could consider when assessing compliance with regard to analytics trackers, e.g. which entities are involved in data flows, what analytics trackers are used for and whether they track people across multiple websites or offline. “The way these tools work is very nuanced, so it’s difficult to get a straight line,” she said.
A separate violation for each cookie could add up
A large part of the enforcement activity to date revolves around so-called “notice-to-cure letters”, which serve as information and warning letters for companies, requesting information and giving them a 30-day period in which they can work directly with the authorities to make corrections that bring them in line with the law. But if companies using cookies and other trackers for ads or analytics fail to make the necessary changes and a breach is discovered, the penalties could be costly for companies using dozens of trackers, said a privacy attorney who declined to be named.
The state could charge companies for each individual cookie-related breach; for example, it could charge for every time a California resident interacts with a website without proper notice or opt-out, the attorney said, adding, “In cases like these, the number of violations can be large.” A large number of violations can lead to severe civil penalties. If violations are found to be unintentional, each one could result in a fine of $2,500. If found to be deliberate, the fine increases to $7,500 for each violation.
“The law allows for this interpretation, but I don’t know how the working group will calculate a ‘breach’,” said Jessica Lee, partner and co-chair of the data protection, security and data innovation practice group at Loeb and Loeb.
Threatening to count each use of a cookie as a separate violation is likely more of a tactical tool to incentivize compliance than an actual plan to calculate penalties, said Alysa Hutnik, partner and chairwoman of the privacy and security practice with the law firm Kelley Drye and Warren.
She said it was “unlikely” that penalties would be assessed that way. However, she said the California Department of Justice had “quite a bit of flexibility” in setting penalties; for example, they could be based on the number of days a company is non-compliant or the number of records affected, she said.