Into month two of my software engineering program, our cohort has been given the task to build a website application using Ruby on Rails, HTML and CSS. Beyond the user experience/interface aspects of styling, and the functionality of built-in models and classes, we were also exposed to the idea of cookies.

Having some experience in the advertising technology world, this was not my first time exploring this topic. Reflecting back, my time in this industry was the driving factor that led me to the Flatiron School. It was there that I first learned of the difference between first and third-party cookies, as well as the implication, functionality and commercialization of users. Heck, I’ll even venture to say that my preceding knowledge simply included the button-clicks involved in clearing my cache and cookies when troubleshooting some software problem.

Although my role was sales development, I was encouraged to meet with members across the organization. I found a home in weekly meetings with one of the lead software engineers, a true badass. Add-in a quick phone call with a representative at Flatiron and my fate was sealed. Eighteen months later, I find myself learning the topic that first peaked my interest in web development from the ground up.

In this article, I am going to cover one of the hottest topics today in the cookie-realm

The California Consumer Privacy Act (CCPA)

While the act was passed over two years ago, CCPA did not go into effect until the start of this year AND enforcement began just eight days ago (July 1st).

It has been in the works for a while as the United States first response to the General Data Protection Regulation enacted in the EU, which you can find more information on here and here.


The purpose of these regulations are to protect user data. Personal Identifiable Information (PII) in the traditional sense is any singular piece of data that can identify a user as an actual person. (ex: name, address, street address, SSN). However, the CCPA goes a little further in this regard.

The act categories a number of categories it will protect: direct and unique identifiers, biometrics (face recording), internet/browsing activity, geolocation data and any other sensitive information (like medical data). Therefore, to understand the legislation, there are a few things to note:

Cookies: are classified as unique identifiers

  • First-Party: alone only collect anonymous data for websites functionality

However, first party cookies are oftentimes combined with other pieces of data to connect users across devices.

Who does it impact?

For profit-businesses

  • Data-Reliant: posses data on 50,000 residents or have half their revenue generated from selling data

Impact on Businesses

Operationally, they have to conform to specific proactive rights for users.

  1. A user must be notified of tracking and

Therefore, companies need to reconfigure their sites to a) have the opt out message apparent and b) functional. Based on the user choice, their tracking systems need to be altered. Interestingly enough, companies are allowed to provide financial incentives for sharing data, so the choice may affect the site’s pricing as well. This is what relates mostly to the learning in our module today. Engineers will be at the forefront of compliance.

3. A user has the right to request the data a company has on them and

4. A user can request the deletion of said data.

These companies have a specific timeframe in which they need to respond to these requests which ties into the financial aspect.

Pulling these data records for companies that are not properly prepared could be a huge holdup. However, larger companies like Facebook are already prepared. They’ve created self-service tools for users to see, access and request deletion of this data.

Financially, there are a number of implications.

The law indicates that penalties can be up to $750 per incident. Individuals will have a right to sue and class action is also allowed. While there is a 30-day window notice for violations, this can still add up massively. For request of data disclosure and deletion, companies will have 45 days to respond.

And so goes the history of the internet — it is a living thing that is created, regulated and created again. Online advertising may be at the forefront of change, but there are implications across all organizations.