Understanding the Impact of CCPA and CPRA on Your Website's Cookie Policy: Steps for CCPA Compliance in 2024

It can be quite challenging to align your business’ cookie policy with the requirements of the text of the California Consumer Privacy Act (CCPA) law, particularly in managing user consents and preferences. 

This article will make it easy for you to understand the implications that California’s data privacy law can have over your cookie policy. At the end of it, you will understand that you must ensure that your websites' cookie policies are compliant with CCPA, which involves informing users about the types of cookies used and their purposes, and providing clear options for users to opt-out of non-essential cookies. 

This requires a detailed understanding of cookie functionalities and a proper system for managing user preferences, adding complexity to website management under CCPA regulations. 

Clym’s compliance solution (CMP) provides businesses with a way to streamline this process, offering easy-to-implement solutions for obtaining and documenting user consents and preferences in accordance with CCPA. This helps businesses efficiently manage their cookie policy compliance, reducing the complexity and resource burden associated with these regulations.

What is the CCPA/CPRA?

The California Consumer Privacy Act (CCPA) is a groundbreaking data privacy law in the United States, which stood as a game-changer for global companies. In effect since January 1, 2020, and enforceable since July 1, 2020, the CCPA enforces privacy rights and consumer safeguards for California residents. Regardless of a company's location, if it collects personal information from California residents, compliance with CCPA protocols and procedures is mandatory.

The California Consumer Privacy Act, or CCPA, went through an update in 2022 with the introduction of the California Privacy Rights Act (CPRA),  also known as CCPA 2.0. The new comprehensive set of measures, effective from January 1, 2023, brought forth profound changes to the data privacy and security landscape. A common misconception when the CPRA came was that it was a new data privacy law, however it’s essential to understand that the CPRA didn’t create a new law but amended the CCPA.

The CPRA (California Privacy Rights Act) law and the CCPA text of the law function together as a unified legal framework referred to as CPRA.

Another noteworthy update marked the enforcement of the long-awaited CCPA Regulations on March 23, 2023. These regulations, among various clarifications, eliminated the exemption of employment-related information from privacy laws. Now, the scope extends to cover California employees, job applicants, and independent contractors—collectively termed HR Data Subjects—similarly to California consumers. 

What is a Cookie Policy? 

A cookie policy is a statement that you provide to your website users regarding what cookies are active on your website, what user data they track, for what purpose, and where in the world this data is sent. A CCPA cookie policy should also contain information regarding how your users may opt out of the cookies or change their settings relating to the cookies on your website. Additionally, in compliance with the California Consumer Privacy Act, the CCPA policy should include guidance on how visitors can opt-out (refuse) or adjust their cookie preferences on your website.

What is the difference between consent and cookie consent? 

Consent rules dictate how organizations handle personal data collection and processing. They are like the basic guidelines for organizations when they collect and use people's personal information. Cookie consent, on the other hand, is more specialized; it is a specific type of consent related to the use of cookies and similar tracking tech.

Privacy laws such as the CCPA, require organizations to get permission (consent) from users before using their personal information. For that permission to be valid, it must be freely given, specific, informed, and clear. Users need to take a positive action, like clicking a button or ticking a box.

When referring to cookie consent, which is stricter than general consent, we understand this to mean that organizations must get clear permission before using non-essential cookies. Essential cookies, necessary for a website to work properly, can be used without explicit permission.

The main difference between consent and cookie consent is that cookie consent rules are more specific and strict because cookies can track online behaviours and collect various personal data. Consent rules apply to all personal data, while cookie consent rules only apply to data collected through cookies and similar tech.

Cookies under the CCPA/CPRA

The California Consumer Privacy Act (CCPA) introduced a number of provisions for companies processing the personal data of individuals. Website cookies and tracking scripts collect IP address information, which is considered to be personal data for purposes of CCPA, so it's crucial for companies to understand and fulfil their obligations regarding the management of cookie consent in accordance with CCPA guidelines. 

Cookie consent requirements under the CCPA/CPRA

The CCPA doesn’t require websites to include a cookie banner, however - and this is an important however - your website needs to provide a mechanism for consumers to “opt-out” of cookie collection. Under CCPA, data collected by cookies is considered personal information. While CCPA doesn’t require businesses to gain opt-in consent for cookies, it does require them to disclose what data is being collected by cookies and what is done with the data in a transparent and easily accessed way.  Additionally, businesses need to take steps to comply with the right to opt-out of the sale of personal information collected by cookies using a consent manager, like Clym.

What this means for your organization is that you need a flexible compliance solution which helps you display a cookie banner on your website for those visitors located in the European Union, and as such covered by the GDPR, while also allowing you to hide the cookie banner for residents of the states of California, and other states where a cookie banner isn’t required. Instead, your compliance solution has to give you a way to provide these users with a link located in the footer of your website, facilitating compliance with the CCPA’s opt-out requirements. 

Clym's compliance solution is not only user-friendly and ready to use right out of the box, but it also offers extensive adaptability with over 25 different configurations tailored to meet various regulations around the world. This means that without needing any initial setup, you get a comprehensive, plug-and-play solution that effortlessly aligns with a wide range of international compliance standards. Despite its ease of use, Clym provides you the option to customize these settings, particularly the geographic settings, allowing you to fine-tune the solution according to different regional laws and regulations. This level of customization ensures that while the solution is immediately operational, it also offers the versatility to conform to specific legal requirements across different countries, making it an ideal choice for organizations operating on a global scale.

Website operators use cookies and other tracking technologies to obtain a “Unique identifier” or “Unique personal identifier,” in effect collecting certain data about the visitors of the website. Over time this means they are able to recognize a consumer, a family, or a device that is linked to a consumer or family, across different services. Personally identifiable information, which can be obtained by using cookies, is covered by the CCPA. In order to be in compliance with the CCPA, your organization needs to clearly show on your website the policies that explain how you use cookies and what data you collect from visitors. In addition to this, in order for your business to have a CCPA cookie policy, it should include information regarding:

• The third parties that provide the scripts behind each cookie;
• The types of cookies used within the website;
• The categories of personal data that these cookies collect;
• The purpose for collecting that data; and
• The retention period.

There are some cases where cookies or scripts can be placed without the user's consent, and in such cases, the website may rely on legitimate interest instead. This can happen when a cookie or script falls under the exemption for cookie consent and is considered essential for website performance, security, or required to deliver services that users have requested. The same will apply to any other technology that works through the storing of information on a user's device or gaining access to information on a user's device, such as pixels, flash cookies, and all kinds of devices.

Strictly necessary cookies (the ones required to make websites function) do not require consent, and though it is advisable to disclose their use to the website visitors, these visitors generally can’t deactivate these cookies because without them the website would not function properly.  Other types of cookies, such as functionality, performance, or analytics cookies are not strictly necessary, and you should both disclose these cookies to visitors and provide a mechanism for visitors to opt-out of their collection. 

Just like with the GDPR, if you’re  using a cookie wall with language like “by continuing to use this website you agree with our use of cookies,” you’re not in compliance with the CCPA. Instead, you should ensure that you respect the CCPA privacy policy requirements and provide a clear description of each type of cookie used, how many cookies are used for each category, and the option to opt-out of anything that isn’t mandatory for the website to function.  CCPA’s major provisions, such as transparency, data subjects’ right to access and to be informed, data minimization, and others should be reflected in your company's privacy policy.

So the question arises: Is the cookie policy a legal requirement?

The answer is Yes; cookie policies are required to maintain compliance with the CCPA and other data privacy regulations.

What are cookies and other tracking technologies? 

Cookies are small files of information that are generated by a web server and sent to the user's device (web browser, phone, etc.). Once there, they are stored either for a predetermined amount of time or for the duration of a browsing session. Cookies are used to track a user’s behavior on a website, analyze his/her activity, to help deliver users with targeted content, to ensure security, and many other useful things to keep a website running properly. 

Cookies can be classified as first party, third party, essential, non-essential, and so on, and we have made it easy for you to understand the differences between these in our two part guide on cookies, which you can find here and here. 

When we speak of cookies in the context of data privacy, data protection laws, such as the the California Consumer Privacy Act law, require that users be asked for their freely given, specific, informed, and unambiguous consent for the use of cookies in their browsing session. Users will then have to be given the option to accept all cookies, both essential and non-essential, or to accept only the essential cookies plus any other types of non-essential ones they agree to, if any at all. 

Other tracking technologies commonly found on websites are scripts, which are pieces of code (JavaScript) that come from another location to the website that a user is visiting. When loaded, these scripts enable cookies that are stored on the user’s device from the other location and which are later on used for tracking or for profiling for the purpose of behavioral advertising. Examples of these include social media sharing buttons (i.e. Facebook, Instagram, Twitter, etc.), advertisements, or videos embedded from Youtube. 

What information does my cookie policy need to contain to be compliant? 

To be compliant with privacy and cookies laws, especially with a focus on the CCPA's privacy policy requirements, your Cookie Policy should:

1. state that you use cookies on your website and explain briefly what cookies are,
2. disclose what types of cookies you (or any third parties) are using,
3. inform users why you use cookies, and 
4. let users know how they can opt out of having cookies placed on their devices.

What are other steps and best practices for CCPA cookie compliance?

Not following CCPA rules can lead to hefty fines—$2,500 to $7,500 per violation for each person affected. For instance, a company with 50,000 customers could face a minimum fine of $125 million for not sharing its cookie policy.

Every data privacy law has its own consent rules, generally either “opt-in” - meaning that you need to obtain explicit consent prior to collecting information - or “opt-out” - meaning that you can collect information until a consumer requests that you stop. However, the CCPA stands out as one of the most strict data privacy laws out there. 

Compared to the GDPR, which is an opt-in jurisdiction, the CCPA is an opt-out jurisdiction. This means that your  website can load cookies, but you have an obligation to provide users with an easy way of opting out of them at any moment; so you don’t have an obligation to have a cookie banner, but you do have an obligation to have an opt-out method that is easily available. 

The CCPA text of the law requires businesses to inform consumers before or at the point of collection of their personal data, but does not require prior, explicit cookie consent. Similarly to the GDPR, the CCPA prohibits the collection of consumers’ personal information for any other purposes or any other categories that the ones presented to the customer. 

In order to ensure a CCPA-compliant cookie management, you should consider the following best practices: 

• Check your site's cookies and correctly classify them: a website admin might not know all the cookies on the website, but a web developer can use tools to find out which cookies your website uses. One such tool is a compliance tool that can automatically detect and classify your website’s cookies, such as Clym’s compliance solution. 
• Explain what cookies are: In your website's cookie policy, briefly describe what cookies are and how they collect data.
• Explain how you use cookies: This is a vital practice because it helps you obtain freely given, specific, informed, and clear consent, while also helping you show transparency. You don't have to put this explanation directly on your homepage, instead you can include a button or link in a banner for users to access and get more information.
• Let users choose the types of cookies they want to opt-in to: If your site has different types of cookies, let your users decide which ones they want to opt-in to. Correctly classifying the cookies on your website will go a long way to help make this happen.
• Make the cookie notification accessible: Whether you use a banner or a popup, you should ensure that this is accessible to users with disabilities, such as, for example,  those with low vision or those who use screen readers. Although the CCPA doesn't specifically ask this, the web accessibility regulations currently in force, such as the ADA’s Title III, do so, and California is considering a new web accessibility bill.
• Update your privacy policy yearly: CCPA requires businesses to review and update their privacy policy at least once a year. 
• Get expert advice: If your business lacks the know-how, consulting with Clym’s compliance experts is a good start towards facilitating compliance both with the CCPA and web accessibility for your website. 

CCPA Compliance Checklist

Here is a checklist to facilitate compliance for your business with the California Consumer Privacy Act: 

How can Clym help me with my CCPA/CPRA compliance?

At Clym, we believe in harmonizing digital compliance with your business needs, offering a suite of benefits, including an all-in-one platform that combines Privacy and Accessibility compliance with global regulations at an affordable price. Experience seamless integration into your website, adaptability to users' locations and applicable regulations, customizable branding, ReadyCompliance™ covering CCPA plus more than 40 other data privacy regulations, and accessibility options, which include six preconfigured accessibility profiles and more than 25 display adjustments for visitors to tailor their individual experiences. Clym is not just a solution; it's a commitment to simplifying and enhancing your digital compliance journey.

With our help, you can learn how to make your website CCPA compliant and can even schedule a personalized demo with our experts for step-by-step guidance. Whether you're already compliant with other data privacy laws, such as the GDPR, or starting from scratch, Clym can help you seamlessly adapt to the CCPA’s requirements. With Clym's user-friendly platform, you can manage consent, cookies, policies, web accessibility, and more. Our  customers enjoy access to compliant cookie policy templates for easy website implementation and our flexible solution lets you display a GDPR-compliant cookie banner for European visitors, while for California residents and other US states without such requirements, you can provide them with a link in the footer of your website to comply with CCPA’s opt-out requirements.

Let Clym simplify the journey to compliance for you. You can convince yourself and see Clym in action by booking a demo or contacting us to discuss your specific needs today.