The California Attorney General was asked to clarify whether the use of “website cookies shared with third parties” constituted the sale of personal information. The Attorney General declined to answer, stating only that whether a particular situation constitutes the sale of information “raises specific legal questions that would require a fact-specific determination, including whether or not there was monetary or other valuable considerations involved, the consumer directed the business to intentionally disclose the personal information, and whether the parties involved were service providers.”¹ The Attorney General advised businesses that were unclear as to whether the use of a particular cookie constituted the sale of personal information to “consult with an attorney who is aware of all pertinent facts and relevant compliance concerns.”²

As discussed below, the three factors identified by the Attorney General may lead to different conclusions based upon how a company intends to use the behavioral advertising cookies and the terms of the behavioral advertising company’s contract.

First, a transfer of personal information is only considered a sale under the CCPA if the party that transfers such information receives “monetary or other valuable consideration.”³ Most websites do not receive money from behavioral advertising companies in return for the placement of behavioral advertising cookies on their website. Ambiguity exists, however, as to whether participation in certain forms of behavioral advertising campaigns may, in of itself, constitute sufficient “valuable consideration” to the extent that such participation is conditioned on a website utilizing a behavioral advertising cookie. So, for example, some privacy advocates might argue that if a website utilizes a behavioral advertising network to post their own advertisements, perhaps they have received sufficient consideration (i.e., the ability to post their advertisements) in exchange for allowing the ad network to place cookies on their website.

Second, the definition of “sale” under the CCPA contains an exception for situations in which a consumer “directs” the business to disclose personal information to a third party.⁴ To the extent that a website obtains the direction of a consumer to share personal information through the use of a notice and opt-in consent banner, there may be a strong argument that the use of behavioral advertising cookies does not constitute the sale of personal information. It is worth noting that the CCPA conditions this exception, however, on the recipient of the personal information (i.e., the adtech provider) not selling “the personal information, unless that disclosure [i.e., the recipient’s salewould be consistent with the provisions of this title.” ⁵ The CPRA amended this exception, such that, as of January 1, 2023, there are no conditions upon the actions of the recipient.⁶

Third, the definition of “sale” under the CCPA contains an exception for situations in which personal information is shared with a service provider.⁷ Whether a particular company qualifies as a service provider under the CCPA depends, in part, on whether the contract between the companies prohibits the behavioral advertising company from “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”⁸

¹ FSOR Appendix A at 13 (Response 47).

² FSOR Appendix A at 13 (Response 47).

³ Cal. Civ. Code 1798.140(ad)(1).

⁴ Cal. Civ. Code 1798.140(t)(2)(A) (Oct. 2020).

⁵ Cal. Civ. Code 1798.140(t)(2)(A) (Oct. 2020).

⁶ Cal. Civ. Code 1798.140(ad)(2)(A)(i).

⁷ Cal. Civ. Code 1798.140(t)(2)(C) (Oct. 2020).  Note that the service provider exception was deleted by the CPRA, however, the CPRA redefined a sale as only applying to transfers of personal information to “third parties” where the term “third party” is defined as not including a service provider.  Cal. Civ. Code 1798.140(ad)(1), (ai)(2).

⁸ Cal. Civ. Code 1798.140(t)(2)(C)(ii), (v) (Oct. 2020).