In some California privacy cases, analytics trackers are in the crosshairs — and violators could be charged by the cookie
“Why would I care about cookies?”
The question was one privacy lawyer Odia Kagan heard from a client back before January 2020 when California’s privacy law went into effect, and companies engaged in cookie tracking thought there might be more wiggle room with the law. Back then, said Kagan, who serves as chair of the GDPR compliance and international privacy practice group at Fox Rothschild, it wasn’t clear whether or not cookies or trackers were going to be an enforcement priority in California.
Now, as enforcement letters stream out to advertisers, social media sites, data brokers and ad tech firms from the California Attorney General’s office, it is clear that California Consumer Privacy Act enforcement is not just about data breaches. It’s about cookies and tracking technologies — including analytics trackers. And the penalties for violations could be steep.
These recent signals from the AG are “kind of narrowing down the gray area that some people were assuming,” said Kagan.
In addition to indicators from specific enforcement letters, lawyers are reading the tea leaves left in a series of generic CCPA case examples the agency published on July 19 which show evidence of enforcement around tracking for analytics purposes and opt-out notices.
Analytics trackers are “definitely something to pay attention to”
This sign that data sharing via analytics trackers could constitute a data sale “is definitely something to pay attention to [because] this is something that the AG is looking at,” said Kagan.
Lee said there are a variety of factors the AG might take into consideration when assessing compliance when it comes to analytics trackers — such as which entities are involved in data flows, what analytics trackers are used for and whether they are tracking people across multiple sites or offline. “There is a lot of nuance in how these tools work, so it’s hard to create a bright line rule,” she said.
A separate violation for each cookie could add up
Much of the enforcement activity thus far revolves around so-called notice-to-cure letters which serve as fact-finders and warning notices to companies, asking for information and giving them a 30-day period during which they can work directly with the agency to make fixes that bring them into compliance with the law. But if companies using cookies and other trackers for ads or analytics fail to make necessary changes and are found in violation, the penalties could cost companies using tens of trackers a great deal, said one privacy lawyer who asked not to be named.
The state could charge companies for each individual instance of a cookie-related violation; for instance, it could charge for each time a California resident interacts with a website without proper notice or opt-out capabilities, said the lawyer, adding, “In cases like these, the number of violations may be large.” A big tally of violations can add up to high civil penalties. When violations are found to be unintentional, each one could result in a $2,500 fine. If found to be intentional, that fine soars to $7,500 for each violation.
“There is room for that interpretation in the statute, but I don’t know how the AG plans to calculate a ‘violation,'” said Jessica Lee, partner and co-chair of the privacy, security and data innovation practice group at law firm Loeb and Loeb.
The threat of counting each time a cookie is used as its own separate violation is probably more of a tactical means of incentivizing compliance than an actual plan for calculating penalties, said Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren.
She said it is “unlikely” that penalties would be assessed that way. However, she said California’s Department of Justice has “a fair amount of flexibility” in how it might tabulate penalties; for instance, it could base them on the number of days a company is non-compliant, or according to an amount of data records affected, she said.
‘Catalyst for growth’: GroupM’s Brian Wieser bumps up his 2021 and 2022 global and U.S. ad forecasts
The latest global ad revenue forecast from WPP’s GroupM is out — and if it’s accurate, media is going to have a pretty great 2022 with almost 10 percent growth.
Member ExclusiveMedia Buying Briefing: ‘There’s a real strain’ on media agencies as they try to staff up after mediapalooza gains
How will media agencies staff up when employees are leaving in droves, either from burnout or more lucrative offers from brands and tech firms?
How Reuters Events maintains a role for virtual as it returns to in-person events
After a successful two years running mostly virtual conferences, Reuters Events is exploring more hybrid and in-person components to its events for next year.
SponsoredMarketer’s playbook: Delivering performance alongside privacy
Jonathan Meltzer, director of marketing, ads privacy, platforms and measurement, Google One way to prepare any business for what’s next in 2021 and 2022 is to invest in data and insights. However, shifts in consumer expectations challenge even the most experienced marketing team to find safer ways to show people ads and measure campaigns. To […]
‘Lens of the West Coast’: Inside the L.A. Times’ new head of audio’s plan to focus the publisher’s podcasts
Aguilera wants people to one day associate the newspaper publisher with its podcasts and their West Coast "vibe and tone." But first, she is tasked with growing the L.A. Times' daily news show "The Times."
Member ExclusiveMedia Briefing: What publishers should watch for when meeting with blockchain vendors
In this week's Media Briefing, media editor Kayleigh Barber explores the primary questions publishers should be asking when evaluating potential blockchain partners.