Piggyback Tags, Part 2: Piggyback Tags and the California Consumer Protection Act

The U.S. Data Privacy Legal Landscape is Highly Fragmented 

The US data privacy legal landscape is a patchwork of federal and state laws. At the federal level, data privacy laws vary by business sector. For example, the federal Gramm-Leach-Bliley Act regulates data collection and use by financial institutions and the Health Insurance Portability and Accountability Act governs collection and disclosure of protected health information. No federal law provides comprehensive protection for our personal information (“PI”).    

Since 2018, when the EU’s General Data Protection Regulation (“GDPR”) took effect, twenty-four states have considered data privacy laws with new laws arising in California, Maine, Vermont, and Nevada. Regardless of where you are physically based, if you “do business” in the EU or any US state that regulates business collection and use of personal information, then you are subject to that jurisdiction’s law. 

Any legal analysis begins with understanding two highly variable terms:   

1. How does a law define PI?
2. What constitutes a “sale” of PI? 

Legal Implications of Piggyback Tags Under the California Consumer Privacy Act 

Given the fragmented legal backdrop, this blog post will focus on California’s Consumer Privacy Act ("CCPA"), which broadly defines PI so that it includes identifiers such as the IP address of the device that a Californian used to access your website. Given the CCPA’s broad definition of PI, Piggyback Tags are almost certainly collecting PI from your site’s visitors.

Similarly, the CCPA’s definition of “sale” is also very broad and includes any form of disclosure in exchange for money or “other valuable consideration.”  So, if a tag discloses PI to a Piggyback Tag, it is almost certainly a sale under the CCPA. However, the CCPA also has something of a “safe harbor” for disclosures of PI if they are consistent with all other provisions of the CCPA and: 

1. a consumer uses or directs the business to disclose PI; or 
2. the consumer uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information; or
3. the business uses or shares PI with a service provider in order to perform a business purpose so long as:
   1. the business notified the consumer of the PI it is using or sharing
   2. the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. 

Before you draw comfort from the safe harbor exceptions, consider other provisions of the CCPA and the unauthorized nature of Piggyback Tags.

Why Safe Harbor Exceptions May Not Apply

The provisions of CCPA's safe harbor exceptions cover topics like intentional interaction of your users, disclosed vendors, prohibition of the sale of data, and data breaches. Here is why Piggyback Tags are likely to violate these exceptions:

1. An “intentional interaction” occurs from the consumer’s deliberate actions and does not include certain specified behaviors.
   A business whose website includes Piggyback Tags that collect PI from Californians who hover over, mute, pause, or close a piece of content is not entitled to the safe harbor.
2. While the safe harbor may protect your company if you disclose vendors with tags on your website, it probably will not help if Piggyback Tags exist because they are, by definition, not authorized by your business and therefore not disclosed to consumers.
   The mere existence of Piggyback Tags on your website will likely prevent your business from successfully using the CCPA’s safe harbor as a liability shield.
3. Remember that the CCPA empowers Californians to prohibit businesses from selling their data.
   If a California resident instructs your company not to sell his or her PI but your site has tags disclosing PI to Piggyback Tags, then your company is probably violating that resident’s express prohibition.
4. Finally, because the CCPA defines a “breach” as “unauthorized access to a consumer’s nonencrypted or nonredacted personal information,” any time a tag discloses PI to a Piggyback Tag, a breach has occurred.
   This precise definition was arguably added to the provision because Piggyback Tags are unauthorized by both the website owner and the PI’s owner. If a Piggyback Tag collects any kind of PI, then your company will be in breach of the provisions of CCPA.
   

Breaches are interesting because there are multiple courses of action that can be taken in the incident of breach. While the California Attorney General enforces the law, individual Californians also have a private right of action for breaches. Piggyback Tags on your website open the door not only to enforcement actions by California’s AG, but also to consumer lawsuits.

What Steps You Can Take

If you are affected by CCPA, you have likely already taken steps to ensure that users have an effective means of opting into or out of the different services provided by vendors on your website, from analytics data collection to cookies and ad targeting. However, opting out of known services does nothing for Piggyback Tags, which is why you should vet your vendorsas well.

Vetting your vendors is essential, and includes obtaining a list of additional services used by that vendor and vetting each code source to ensure compliance with privacy laws. Malicious attacks can still occur, however, and controlling the content that is allowed to load on your site is another step in protecting yourself from violations of privacy and security law.

The final part of this series will cover blocking any unwanted content from loading on your site, including malicious content and Piggyback Tags.

<<< PART 1: Piggyback Tags