Here’s why a cookie consent manager won’t get you CCPA-compliant.

Here’s why a cookie consent manager won’t get you CCPA-compliant.

It’s a wild time in the world of data privacy. With the California Consumer Privacy Act becoming eligible for legal enforcement on July 1, companies all over the US are rushing to get compliant with the country’s first truly far-reaching privacy law. When a marketplace is full of urgency, it can be hard to separate truth from fiction.

I’m writing to put paid to one of the more pervasive myths I’ve seen out on the front lines of CCPA compliance: the idea that you can adhere to the CCPA’s “Do Not Sell My Personal Information” requirement using just a cookie consent tool. You can’t. If you could, it wouldn’t be called a cookie consent tool. Here’s what I mean:

Data sales under CCPA

The CCPA is an unclear law in lots of different ways. But most everyone understands that “data sales” under CCPA is an umbrella term corresponding to an area far beyond the direct exchange of money for data. It’s right there in text. The CCPA defines “data sales” as:

selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

The only way to test the exact boundaries of this definition will be in a court of law, but let’s take a look at how some of these verbs and nouns stack up, for example:

transferring…a consumer’s personal information…to a third party…for valuable consideration.

Today this exact sort of data “transfer” is a foundational part of the flywheel for any B2C company. It has been for a decade. In addition to the surface-level webpage data exchange, an ocean of data is captured in the form of ongoing activity tracking, backend monitoring, and backend conversion into your application. In other words, a huge amount of the data you produce that is included in “value exchanges” is totally removed from any pure cookie tool’s visibility. As just one example, think of the booming enrichment and intent data tools that have become stock-in-trade for marketers over the last five years. The data exchanges that allow these tools to function occur between backend systems via API calls, far from the surface level of the browser window.

Cookies can’t cover deep data flows

To emphasize: the data that these tools use to do their work often isn’t related to a cookie. It could be purchase data, account data, engagement data – there are lots of different actions you can take a website that circumvent cookie tracking because in order for the action to be processed, data flow must occur. An ecommerce purchase is a perfect example.

An even more obvious example to drive the point home? An offline purchase! The data that’s created when you walk into a store and purchase a pair of jeans is winding its way through a maze of backend business systems. Do you think, if you said “Do Not Sell My Personal Information”, that a tool reliant on browser cookies could link your request to offline conversion data?

You should see where this is going. If a loyal customer says “Do Not Sell My Personal Information”, a modern business needs to be able to enact a cascading flow of data suppression that goes into the very guts of multiple business systems. It should be able to go into databases containing account info, purchase history, and similar, and suppress that data from flowing into all the backend platforms the business is using for things like segmentation, enrichment, and audience modeling.

The idea that this could be accomplished by an accept/deny cookies box on a homepage is fantasy. If such a tool existed, as I said earlier, it wouldn’t be called a cookie consent manager. It would be called, I don’t know, “Ethyca” or similar.

In all seriousness, this isn’t a plug for our product. It’s a caution to businesses that believe, or have been led to believe, that putting a checkbox on their homepage will bring them into CCPA compliance. Going by the text of the law, it’s clear this isn’t achievable. Perhaps there is a future where this law is challenged in court and a judge will interpret the definition of “data sale” to make requirements less onerous on businesses. But I’m confident that no one wants their business to be the guinea pig in this scenario.

If you’d like to speak more about this, or any pressing privacy topic, book a free consult with one of Ethyca’s Privacy Pros.