How The CCPA Affects The Cookie Policy

The California Consumer Privacy Act (“CCPA”) introduces a number of provisions for companies processing the personal data of individuals. Website cookies and tracking scripts collect IP address information, which is considered personal data for purposes of the CCPA, so companies need to be aware of their responsibilities related to cookie consent management under the CCPA.

Cookie Consent Banner Requirements

Before we go in-depth on cookies, we should note that the CCPA doesn’t require websites to include a cookie banner; however (and keep reading, because this is a massive HOWEVER), your website needs to provide a mechanism for consumers to “opt out” of cookie collection. That’s one reason Clym provides a flexible solution with multiple user interfaces: you can show a cookie banner on your site to European visitors (as required by GDPR), while California residents (and visitors from other states where one isn’t required) won’t see one when visiting your website. Instead, you can provide them a link in the footer of your website to comply with the CCPA’s opt-out requirements.


Why Are Cookies Subject to CCPA?

Website operators use cookies (and beacons, pixel tags, etc.) to obtain a “Unique identifier” or “Unique personal identifier”, meaning they can recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services. Personally identifiable information, which can be obtained by using cookies, is covered by CCPA.

Do I Need a Cookie Policy?

CCPA requires companies to have policies which disclose information about their use of cookies and data collection practices. In order for businesses to have a truly CCPA-compliant cookie policy, it should include information regarding:

  • The third parties that provide the scripts behind each cookie;
  • The types of cookies used within the website;
  • The categories of personal data that these cookies collect;
  • The purpose for collecting that data; and
  • The retention period.

Pro Tip: Clym customers get the benefit of compliant cookie policy templates that they can use on their website!

How Can I Get My Website Compliant with CCPA?

Every data privacy law has its own consent rules, generally either “opt-in” (meaning that you need to obtain explicit consent prior to collecting information) or “opt-out” (meaning that you can collect information until a consumer requests that you stop). GDPR is an opt-in jurisdiction, but the CCPA is an opt-out jurisdiction. Thus, websites can load cookies, but are obliged to provide users with an easy way of opting out of them at any moment (as mentioned above regarding not needing a cookie banner). The CCPA requires businesses to inform consumers before or at the point of collection of their personal data, but does not require prior, explicit cookie consent. Similarly to the GDPR, the CCPA prohibits the collection of consumers’ personal information for any purposes or categories other than the ones presented to the customer.

CCPA Cookie Disclosure Requirements

Strictly necessary cookies (the ones required to make websites function) do not require consent, and though it is advisable to disclose their use to website visitors, these visitors generally can’t deactivate these cookies because without them the website would not function properly. Other types of cookies, such as functionality, performance, or analytics cookies, are not strictly necessary, and you should both disclose these cookies to visitors and provide a mechanism for visitors to opt out of their collection. Just like with the GDPR, if you’re using a cookie wall with language like “by continuing to use this website you agree with our use of cookies”, you’re not in compliance. Instead, you should provide a clear description of each type of cookie used, how many cookies are used for each type, and the option to opt out of anything that isn’t mandatory for the website to function. The CCPA’s major provisions, such as transparency, data subjects’ right to access and to be informed, data minimization, and others, should be reflected in the cookie policy of each company.

What are GDPR and CCPA Cookie Consent Requirements?

GDPR requires websites to collect explicit consent to utilize all cookies other than those absolutely necessary to the running of the site. GDPR has strict requirements for what counts as consent, requiring a “clear affirmative act” that users are opting-in to having their data collected. It’s no longer good enough to use a pre-checked box or a banner that tells the user that by continuing to use the website they agree to cookies. Additionally, when companies request consent, they must do so in a way that is “clear, concise, and not unnecessarily disruptive”, meaning that your site can’t bury a consent mechanism in the middle of a lot of legal jargon.

Finally, under GDPR, websites must provide a way for users to withdraw their decision to grant data collection consent, aka the “right to be forgotten”. Under the CCPA, data collected by cookies counts as personal information. While the CCPA doesn’t require businesses to gain opt-in consent for cookies, it does require them to disclose what data is being collected by cookies and what is done with the data. Additionally, businesses need to take steps to comply with the right to opt out of the sale of personal information collected by cookies.
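To make the opt-in versus opt-out distinction concrete, here is an added example (not code from the original article or from Clym) of a small consent gate: strictly necessary cookies are always allowed, and every other category is blocked by default under an opt-in regime (GDPR) but allowed by default under an opt-out regime (CCPA) until the visitor changes it. The category names, regime strings and sample script catalogue are assumptions made for this example.

```javascript
// Added example, not from the original article. Models the two consent regimes
// the article contrasts. "strictly-necessary" is never gated; other categories
// are gated according to the regime and any explicit choice the visitor made.
const NECESSARY = "strictly-necessary";
const REGIMES = { GDPR: "opt-in", CCPA: "opt-out" }; // assumed labels

function createConsentGate(regime, stored = {}) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error("unknown consent regime: " + regime);
  }
  // prefs: category -> true/false, only for choices the visitor made explicitly.
  // A pre-checked box or "continue to use the site" is NOT recorded as consent.
  const prefs = { ...stored };
  return {
    isAllowed(category) {
      if (category === NECESSARY) return true;            // never gated
      if (category in prefs) return prefs[category] === true;
      return regime === "opt-out";                        // default depends on regime
    },
    set(category, allowed) {
      if (category === NECESSARY) return false;           // cannot be switched off
      prefs[category] = allowed === true;                 // only a clear affirmative act counts
      return true;
    },
    snapshot() { return { ...prefs }; }                   // what to store / show in the policy UI
  };
}

// Decide which tracking scripts may load. Each script declares the cookie
// category it belongs to, matching what the cookie policy discloses.
function scriptsToLoad(gate, catalogue) {
  return catalogue.filter(s => gate.isAllowed(s.category)).map(s => s.src);
}

// Constructed sample catalogue (hypothetical hosts).
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: NECESSARY },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" }
];

// Usage: a California visitor who clicked the footer "Do Not Sell" link.
const ccpaGate = createConsentGate(REGIMES.CCPA);
ccpaGate.set("advertising", false);
console.log(scriptsToLoad(ccpaGate, SAMPLE_SCRIPTS)); // session + analytics only
```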

What is a cookie policy?

A cookie policy is a statement that you provide to your website users regarding what cookies are active on your website, what user data they track, for what purpose, and where in the world this data is sent. A cookie policy should also contain information regarding how your users may opt out of the cookies or change their settings relating to the cookies on your website.

Is a cookie policy a legal requirement?

Yes, cookie policies are required to maintain compliance with both GDPR and CCPA.

What information should a compliant cookie policy contain?

To be compliant with privacy and cookie laws, your Cookie Policy or cookies clause should:

  1. state that you use cookies on your website and explain briefly what cookies are,
  2. disclose what types of cookies you (or any third parties) are using,
  3. inform users why you use cookies, and
  4. let users know how they can opt out of having cookies placed on their devices.

Pro Tip: Clym offers its clients compliant cookie policy templates as part of the subscription which are kept up to date with GDPR and CCPA.

Learn how to be Compliant with CCPA or Schedule a Demo and let our experts show you how to make your website CCPA compliant in a 1:1 demo.

If you’re compliant with GDPR, we can help you become compliant with the CCPA with a few modifications. Even if you’re compliant with neither, Clym can help!

Become CCPA compliant with Clym and manage consent, cookies, policies, procedures, terms & data subject requests while automatically building evidence through consent receipts.

Get Compliant Today!