This requires a detailed understanding of cookie functionalities and a proper system for managing user preferences, adding complexity to website management under CCPA regulations.
What is the CCPA/CPRA?
The California Consumer Privacy Act (CCPA) is a groundbreaking data privacy law in the United States, which stood as a game-changer for global companies. In effect since January 1, 2020, and enforceable since July 1, 2020, the CCPA enforces privacy rights and consumer safeguards for California residents. Regardless of a company's location, if it collects personal information from California residents, compliance with CCPA protocols and procedures is mandatory.
The California Consumer Privacy Act, or CCPA, went through an update in 2022 with the introduction of the California Privacy Rights Act (CPRA), also known as CCPA 2.0. The new comprehensive set of measures, effective from January 1, 2023, brought forth profound changes to the data privacy and security landscape. A common misconception when the CPRA came was that it was a new data privacy law, however it’s essential to understand that the CPRA didn’t create a new law but amended the CCPA.
Another noteworthy update marked the enforcement of the long-awaited CCPA Regulations on March 23, 2023. These regulations, among various clarifications, eliminated the exemption of employment-related information from privacy laws. Now, the scope extends to cover California employees, job applicants, and independent contractors—collectively termed HR Data Subjects—similarly to California consumers.
What is the difference between consent and cookie consent?
Privacy laws such as the CCPA require organizations to get permission (consent) from users before using their personal information. For that permission to be valid, it must be freely given, specific, informed, and unambiguous. Users need to take a positive action, like clicking a button or ticking a box.
When referring to cookie consent, which is stricter than general consent, we understand this to mean that organizations must get clear permission before using non-essential cookies. Essential cookies, necessary for a website to work properly, can be used without explicit permission.
Cookies under the CCPA/CPRA
The California Consumer Privacy Act (CCPA) introduced a number of provisions for companies processing the personal data of individuals. Website cookies and tracking scripts collect IP address information, which is considered to be personal data for purposes of CCPA, so it's crucial for companies to understand and fulfil their obligations regarding the management of cookie consent in accordance with CCPA guidelines.
Cookie consent requirements under the CCPA/CPRA
The CCPA doesn’t require websites to include a cookie banner; however (and this is an important however), your website needs to provide a mechanism for consumers to “opt out” of cookie collection. Under the CCPA, data collected by cookies is considered personal information. While the CCPA doesn’t require businesses to obtain opt-in consent for cookies, it does require them to disclose what data is being collected by cookies and what is done with that data, in a transparent and easily accessible way. Additionally, businesses need to take steps to comply with the right to opt out of the sale of personal information collected by cookies, using a consent manager such as Clym.
What this means for your organization is that you need a flexible compliance solution that displays a cookie banner on your website for visitors located in the European Union (and therefore covered by the GDPR), while hiding the cookie banner for residents of California and of other states where a cookie banner isn’t required. For those users, your compliance solution instead has to provide a link, located in the footer of your website, through which they can exercise the CCPA’s opt-out rights.
Clym's compliance solution is not only user-friendly and ready to use right out of the box, but it also offers extensive adaptability with over 25 different configurations tailored to meet various regulations around the world. This means that without needing any initial setup, you get a comprehensive, plug-and-play solution that effortlessly aligns with a wide range of international compliance standards. Despite its ease of use, Clym provides you the option to customize these settings, particularly the geographic settings, allowing you to fine-tune the solution according to different regional laws and regulations. This level of customization ensures that while the solution is immediately operational, it also offers the versatility to conform to specific legal requirements across different countries, making it an ideal choice for organizations operating on a global scale.
Your cookie policy should disclose:
- The third parties that provide the scripts behind each cookie;
- The types of cookies used within the website;
- The categories of personal data that these cookies collect;
- The purpose for collecting that data; and
- The retention period.
There are some cases where cookies or scripts can be placed without the user's consent, and in such cases the website may rely on legitimate interest instead. This applies when a cookie or script falls under the exemption for cookie consent because it is essential for website performance or security, or is required to deliver a service the user has requested. The same rules apply to any other technology that works by storing information on a user's device or gaining access to information on a user's device, such as pixels, flash cookies, and all kinds of devices.
Strictly necessary cookies (the ones required to make websites function) do not require consent. It is still advisable to disclose their use to website visitors, but visitors generally can’t deactivate these cookies, because without them the website would not function properly. Other types of cookies, such as functionality, performance, or analytics cookies, are not strictly necessary, so you should both disclose these cookies to visitors and provide a mechanism for visitors to opt out of their collection.
Is a cookie policy required under the CCPA?
The answer is yes: cookie policies are required to maintain compliance with the CCPA and other data privacy regulations.
What are cookies and other tracking technologies?
Cookies are small files of information that are generated by a web server and sent to the user's device (web browser, phone, etc.). Once there, they are stored either for a predetermined amount of time or for the duration of a browsing session. Cookies are used to track a user’s behavior on a website, analyze their activity, deliver targeted content, ensure security, and for many other purposes that keep a website running properly.
Cookies can be classified as first-party, third-party, essential, non-essential, and so on; we have made it easy for you to understand the differences between these in our two-part guide on cookies.
Under the CCPA, your website needs to:
- disclose what types of cookies you (or any third parties) are using,
- let users know how they can opt out of having cookies placed on their devices.
What are other steps and best practices for CCPA cookie compliance?
Every data privacy law has its own consent rules, generally either “opt-in” (meaning that you need to obtain explicit consent prior to collecting information) or “opt-out” (meaning that you can collect information until a consumer requests that you stop). The CCPA nevertheless stands out as one of the strictest data privacy laws out there.
Compared to the GDPR, which is an opt-in jurisdiction, the CCPA is an opt-out jurisdiction. This means that your website can load cookies, but you have an obligation to provide users with an easy way of opting out of them at any moment. In other words, you don’t have an obligation to show a cookie banner, but you do have an obligation to offer an opt-out method that is easily available.
The text of the CCPA requires businesses to inform consumers before or at the point of collection of their personal data, but does not require prior, explicit cookie consent. Similarly to the GDPR, the CCPA prohibits the collection of consumers’ personal information for any purposes or categories other than those presented to the consumer.
In order to ensure CCPA-compliant cookie management, you should consider the following best practices:
- Check your site's cookies and classify them correctly: a website admin might not know all the cookies on the website, but a web developer can use tools to find out which cookies your website uses. One such tool is a compliance tool that automatically detects and classifies your website’s cookies, such as Clym’s compliance solution.
- Let users choose the types of cookies they want to opt in to: if your site uses different types of cookies, let your users decide which ones they want to opt in to. Correctly classifying the cookies on your website will go a long way towards making this happen.
- Make the cookie notification accessible: whether you use a banner or a popup, you should ensure that it is accessible to users with disabilities, for example those with low vision or those who use screen readers. Although the CCPA doesn't specifically require this, the web accessibility regulations currently in force, such as Title III of the ADA, do, and California is considering a new web accessibility bill.
- Get expert advice: If your business lacks the know-how, consulting with Clym’s compliance experts is a good start towards facilitating compliance both with the CCPA and web accessibility for your website.
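The best practices above, together with the earlier points about region-dependent banners (EU opt-in vs. California opt-out with a footer link) and the distinction between strictly necessary and other cookies, can be expressed as a small consent gate. The following is an added example written for this page in plain JavaScript; it is not Clym's code or any part of its product. The cookie registry, the category names, the region codes and the region-to-model mapping are all constructed assumptions for illustration. The one design choice worth noting is that a cookie missing from the registry is treated as non-essential and blocked (fail closed), because an unclassified tracker is exactly the kind of cookie an audit tends to miss.

```javascript
// Added example (not Clym's code): a minimal cookie consent gate.
// Runs under Node without a browser; the same functions could back a banner or a footer link.

const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];

// Constructed cookie inventory, as a site audit would produce it.
// Cookie names, providers, purposes and retention periods are made up for this example.
const COOKIE_REGISTRY = {
  session_id: { category: "necessary",   provider: "first-party",             purpose: "login session",       retention: "session" },
  ui_lang:    { category: "functional",  provider: "first-party",             purpose: "language preference", retention: "1 year" },
  _stats:     { category: "analytics",   provider: "example-analytics.test",  purpose: "usage statistics",    retention: "2 years" },
  _ads:       { category: "advertising", provider: "example-ads.test",        purpose: "ad targeting",        retention: "13 months" },
};

// Assumed consent model per region: "opt-in" regions load nothing non-essential until the
// user agrees; "opt-out" regions may load non-essential cookies but must always offer an opt-out.
const REGION_MODEL = { EU: "opt-in", US_CA: "opt-out", OTHER: "opt-out" };

function consentModel(region) {
  return REGION_MODEL[region] || "opt-out";
}

// Opt-in regions get a banner; opt-out regions get a footer link instead.
function bannerRequired(region) {
  return consentModel(region) === "opt-in";
}

// Starting preferences before the user has made any choice.
// "necessary" is always on; other categories default to on only under an opt-out model.
function defaultPreferences(region) {
  const optOut = consentModel(region) === "opt-out";
  const prefs = {};
  for (const c of CATEGORIES) prefs[c] = c === "necessary" ? true : optOut;
  return prefs;
}

function classifyCookie(name) {
  const entry = COOKIE_REGISTRY[name];
  return entry ? entry.category : "unclassified";
}

// May this cookie be set under the given preferences?
// Unclassified cookies are treated as non-essential and blocked (fail closed).
function isAllowed(name, prefs) {
  const cat = classifyCookie(name);
  if (cat === "necessary") return true;
  if (cat === "unclassified") return false;
  return prefs[cat] === true;
}

// Apply a choice from the preference UI. "necessary" cannot be switched off and
// unknown category names are ignored, so a tampered request cannot widen or break the gate.
function applyChoice(prefs, changes) {
  const next = { ...prefs };
  for (const [cat, value] of Object.entries(changes)) {
    if (!CATEGORIES.includes(cat) || cat === "necessary") continue;
    next[cat] = value === true;
  }
  return next;
}

// The footer "opt out" link: switch off every non-essential category in one step.
function optOutAll(prefs) {
  const changes = {};
  for (const c of CATEGORIES) if (c !== "necessary") changes[c] = false;
  return applyChoice(prefs, changes);
}

// Reduce the cookies a page wants to set to those the preferences permit.
function filterCookies(names, prefs) {
  return names.filter((n) => isAllowed(n, prefs));
}

// The disclosure table for the cookie policy, built from the same registry the gate
// enforces, so the policy text and the enforcement cannot drift apart.
function disclosureRows() {
  return Object.entries(COOKIE_REGISTRY).map(([name, e]) => ({ name, ...e }));
}

// Stand-alone demo (guarded so the file also loads as a module).
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const wanted = Object.keys(COOKIE_REGISTRY).concat(["mystery_tracker"]);
  for (const region of ["EU", "US_CA"]) {
    const prefs = defaultPreferences(region);
    console.log(region, "banner:", bannerRequired(region), "loads:", filterCookies(wanted, prefs));
    console.log(region, "after opt-out:", filterCookies(wanted, optOutAll(prefs)));
  }
  console.table(disclosureRows());
}
```

A real deployment would persist the preference object (for example in a first-party cookie or local storage) and re-run `filterCookies` before any script tag is injected; the point of the example is that classification, the region rule, and the opt-out link all read from one registry.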
How can Clym help me with my CCPA/CPRA compliance?
At Clym, we believe in harmonizing digital compliance with your business needs, offering a suite of benefits, including an all-in-one platform that combines Privacy and Accessibility compliance with global regulations at an affordable price. Experience seamless integration into your website, adaptability to users' locations and applicable regulations, customizable branding, ready compliance covering CCPA plus more than 40 other data privacy regulations, and accessibility options, which include six preconfigured accessibility profiles and more than 25 display adjustments for visitors to tailor their individual experiences. Clym is not just a solution; it's a commitment to simplifying and enhancing your digital compliance journey.
What is the difference between consent and cookie consent?
Consent involves getting permission from users before collecting their personal information. Cookie consent is more specific and requires clear permission from users before setting non-essential cookies on their devices. Essential cookies do not require explicit consent but must still be disclosed.
Are there specific requirements for cookie consent under the CCPA?
While the CCPA does not mandate a cookie banner, it requires websites to provide a clear opt-out mechanism through which users can refuse the collection of their personal information via cookies. This means disclosing how cookies collect data and providing an accessible way for users to opt out.
What types of cookies are covered under the CCPA?
All types of cookies that collect personal information are covered under the CCPA. This includes both first-party and third-party cookies, regardless of whether they are considered essential or non-essential.
How often should I update my cookie policy?
The CCPA requires businesses to review and update their privacy policies, including cookie policies, at least once a year. This ensures that your policies reflect current practices and regulatory requirements.
How can Clym help my business comply with data privacy regulations beyond the CCPA?
Clym's compliance solution is designed to facilitate compliance with a wide range of data privacy regulations, making it suitable for businesses operating globally. Clym provides a comprehensive compliance solution in the form of a customizable, easy-to-implement CMP that helps businesses manage cookie consent and document user preferences in line with CCPA requirements and various other international regulations.