Tag Governance

Part 2: Piggyback Tags and the California Consumer Protection Act

By Tricia Dunlap on May 1, 2020
Tricia Dunlap

Tricia Dunlap is the Founding Principal of Dunlap Law PLC, a boutique law firm on a mission to help business leaders thrive. A member of the Virginia State Bar and the D.C. Bar, Tricia is a Certified Information Privacy Professional (CIPP/US) and the co-chair of the International Association of Privacy Professionals ( IAPP) KnowledgeNet chapter in Richmond, Virginia.

The U.S. Data Privacy Legal Landscape is Highly Fragmented 

The US data privacy legal landscape is a patchwork of federal and state laws. At the federal level, data privacy laws vary by business sector. For example, the federal Gramm-Leach-Bliley Act regulates data collection and use by financial institutions and the Health Insurance Portability and Accountability Act governs collection and disclosure of protected health information. No federal law provides comprehensive protection for our personal information (PI).    

Since 2018, when the EU’s General Data Protection Regulation (GDPR) took effect, twenty-four states have considered data privacy laws with new laws arising in California, Maine, Vermont, and Nevada. Regardless of where you are physically based, if you “do business” in the EU or any US state that regulates business collection and use of personal information, then you are subject to that jurisdiction’s law. 

Any legal analysis begins with understanding two highly variable terms:   

  1. How does a law define PI?
  2. What constitutes a “sale” of PI? 

Legal Implications of Piggyback Tags Under the California Consumer Privacy Act 

Given the fragmented legal backdrop, this blog post will focus on California’s Consumer Privacy Act ("CCPA"), which broadly defines PI so that it includes identifiers such as the IP address of the device that a Californian used to access your website. Given the CCPA’s broad definition of PI, piggyback tags are almost certainly collecting PI from your site’s visitors.

Similarly, the CCPA’s definition of “sale” is also very broad and includes any form of disclosure in exchange for money or “other valuable consideration.”  So, if a tag discloses PI to a piggyback tag, it is almost certainly a sale under the CCPA. However, the CCPA also has something of a “safe harbor” for disclosures of PI if they are consistent with all other provisions of the CCPA and: 

  1. a consumer uses or directs the business to disclose PI; or 
  2. the consumer uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information; or
  3. the business uses or shares PI with a service provider in order to perform a business purpose so long as:
    1. the business notified the consumer of the PI it is using or sharing
    2. the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. 

Before you draw comfort from the safe harbor exceptions, consider other provisions of the CCPA and the unauthorized nature of piggyback tags.

First, an “intentional interaction” occurs from the consumer’s deliberate actions and does not include certain specified behaviors. A business whose website includes piggyback tags that collect PI from Californians who hover over, mute, pause, or close a piece of content is not entitled to the safe harbor.  

Second, while the safe harbor may protect your company if you disclose vendors with tags on your website, it probably will not help if piggyback tags exist because piggyback tags are, by definition, not authorized by your business and therefore not disclosed to consumers. The mere existence of piggyback tags on your website will likely prevent your business from successfully using the CCPA’s safe harbor as a liability shield.

Third, remember that the CCPA empowers Californians to prohibit businesses from selling their data.   If a California resident instructs your company not to sell his or her PI but your site has tags disclosing PI to piggyback tags, then your company is probably violating that resident’s express prohibition.

Finally, because the CCPA defines a “breach” as “unauthorized access to a consumer’s nonencrypted or nonredacted personal information” (arguably added to the provision because piggyback tags are unauthorized by both the website owner and the PI’s owner), any time a tag discloses PI to a piggyback tag, a breach has occurred.  While the California Attorney General enforces the law, individual Californians also have a private right of action for breaches. Piggyback tags on your website open the door not only to enforcement actions by California’s AG, but also to consumer lawsuits.  


Stay up to date