CCPA cookie banner and consent: Steps for compliance in 2025

Cookie banners are an important element for achieving data privacy compliance. Learn how to use these tools on your website to effectively inform your users about data collection and enable opt-outs that will help you to comply with the CCPA.
Published by Usercentrics
Apr 11, 2025

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the latter of which expanded upon and largely replaced the former, dictate consumer rights around the collection, sharing, and sale of personal data.

Qualifying businesses that process California residents’ personal data need to give users the option to opt out of the sale or sharing of their personal information. 

A CCPA cookie banner is a valuable tool for helping you comply with California data privacy law. It communicates your data privacy and protection practices to your customers while simultaneously giving them more control over how you use their information.

This article explores what the CCPA says about cookie banners and outlines five steps you can take to achieve CCPA/CPRA cookie and consent compliance. 

The CCPA doesn’t explicitly require websites to feature cookie banners. Instead, it stipulates that they must feature a “Do Not Sell Or Share My Personal Information” link that enables visitors to opt out of the business selling, sharing, or using their data for targeted advertising.

Including a cookie banner with direct opt-out controls and a link to your “Do Not Sell Or Share” notice is a great first step towards compliance. However, there are also other requirements that you’ll need to fulfill to achieve compliance with the Act.

How the CCPA and CPRA interpret cookies

Cookies — like other technologies that can be used to recognize website visitors, their families, or their devices — fall under the CCPA’s definition of “unique identifier” or “unique personal identifier”:

“Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to . . . cookies . . . or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

If an ecommerce website uses cookies to remember which items a user has viewed and later serve retargeted ads to them, the website must inform visitors about the information it collects and how it’s used, and give them the option to opt out of it being sold, shared, or used for targeted advertising.

A cookie banner is an effective tool for providing this information and complying with other regulations, such as the data privacy laws of other US states. However, in order to achieve compliance you must pair it with other important documentation, like a detailed privacy notice or cookie policy.

The CCPA and CPRA require businesses to be transparent about their data collection practices, provide mechanisms for website visitors to opt out of their data being sold or shared, and obtain appropriate consent when handling sensitive personal information or the personal information (PI) of minors under age 16.

These laws don’t explicitly require businesses to obtain opt-in consent for cookies in most cases. However, organizations that collect PI — such as users’ IP addresses and browsing history — must disclose the fact that they do so and for what purpose in their privacy policy.

While a cookie banner is useful for informing users that their data is being collected, a cookie popup alone isn’t enough to enable visitors to opt out of the sale or sharing of their PI. According to the California Code of Regulations, Title 11, Section 7026:

A notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information.

As a result, you must include a “Do Not Sell Or Share My Personal Information” link on pages of your website where user data is collected to enable visitors to exercise their opt-out rights. Your website’s footer is a visible and convenient location. 

Usercentrics CMO Adelina Peltea points out that “companies need to take extra precautions if the data is sensitive or belongs to children”. For website visitors under the age of 13, you need to obtain explicit opt-in consent from the visitor’s parent or guardian before selling or sharing their PI. For visitors between the ages of 13 and 16, that individual must opt in to allow the sale or sharing of information.

Prior consent is also required before you can collect or process sensitive personal information of consumers. This includes things like driver’s license and Social Security numbers, precise geolocation data, racial or ethnic origin, genetic data, and debit/credit card information.

You must give users the option to opt out of the use or disclosure of their sensitive personal information for unauthorized purposes through a clear and conspicuous “Limit The Use Of My Sensitive Personal Information” link.

You can also combine this with your “Do Not Sell Or Share My Personal Information” notice, as long as the combined link effectively enables consumers to:

  • opt out of the sale or sharing of their personal information, and its use for targeted advertising or profiling
  • limit the use or disclosure of their sensitive personal information

Penalties for failing to comply with CCPA/CPRA requirements

Failure to comply with the requirements of the CCPA and CPRA can result in significant financial penalties. Unintentional violations can lead to fines of up to USD 2,663 per incident, while intentional violations can result in fines of up to USD 7,988 per incident.

These fines can add up quickly. For instance, the CCPA enforcement authority, the California Privacy Protection Agency, recently found that the car manufacturer Honda violated the privacy rights of California residents in numerous ways. 

Their infringements ranged from requiring users to provide excessive personal information in order to exercise their privacy rights to sharing user PI with ad tech companies without consent or contracts with the necessary terms for privacy protection. As a result, the business was ordered to pay USD 632,500.

There are a number of requirements you need to fulfill when creating a CCPA-compliant website and cookie banner. We’ve broken the process down into five easy-to-follow steps.

1. Determine whether your business needs to comply with the CCPA/CPRA

Not every business with customers in California needs to comply with the CCPA and CPRA. These privacy laws apply to businesses that meet at least one of the following criteria: 

  • generate USD 26,625,000 or more in annual revenue
  • buy, sell, or share the PI of 100,000 or more California residents or households per year
  • earn 50 percent or more of their annual revenue from selling or sharing PI

To see if you meet these criteria, thoroughly review your financial statements to determine your gross annual revenue and what percentage of your income comes from selling or sharing PI.

You should also conduct an audit to determine how many California residents’ PI your business handles annually. 

2. Create a transparent and easily accessible privacy policy

A clear and accessible privacy policy is one of the core requirements of the CCPA. It must tell website visitors what PI you intend to collect, how you plan to use it, and whether you’ll sell it to or share it with other businesses.

You also need to include provisions that inform consumers of their rights, including the right to access their PI, request that it be deleted, and opt out of it being sold, shared, or used for targeted advertising or profiling. Additionally, you must inform customers how they can exercise their rights and include contact information to enable them to do so easily.

You also need to include a “Do Not Sell Or Share My Personal Information” link to an opt-out mechanism. Users will then have easy access to all the information they need about your data collection practices, and the ability to exercise their rights.

3. Provide a notice at collection with a CCPA-compliant cookie banner

Although there aren’t any specific CCPA cookie banner requirements, California’s privacy laws do mandate that you provide users with a notice at the point where you collect their PI, often referred to as a notice at collection.

“Companies need to provide easily accessible privacy notices with all the required information about the data that’s processed, what it’s used for, who can access it, user rights, and other factors,” states Peltea, and this should appear as soon as the first page they visit loads.

A well-designed cookie banner can help you meet this requirement. To comply with the California cookie law, your banner should:

  • be prominently displayed when users first visit your website
  • clearly disclose what types of cookies you use and what PI they collect
  • specify why you collect that data (e.g. for analytics, personalization, or targeted advertising)
  • indicate how long you will keep each category of PI
  • inform users how they can refuse the sale or sharing of their information, or its use for targeted advertising or profiling

With Usercentrics, you can easily set up a fully customized cookie banner that enables users to opt out easily. This not only helps protect your business from fines and other risks but also builds customer trust.

4. Give users the option to opt out of the sale or sharing of their personal data, as well as targeted advertising or profiling

The CCPA requires businesses to provide website visitors with clear options to opt out of the sale or sharing of their PI. 

Include a “Do Not Sell Or Share My Personal Information” link in your cookie banner or elsewhere on web pages where you collect users’ data, such as in the footer of your site.

When users click on this link, they should be directed to an opt-out mechanism like a popup or page where they can refuse the sale or sharing of their personal data, and/or its use for targeted advertising and profiling.

“The most important step for complying with the CCPA/CPRA is to ensure users have clear and accessible opt-out options using the ‘Do Not Sell Or Share My Personal Information’ link and can request that the company stop processing their data for sale, sharing, profiling, or targeted advertising.”
Adelina Peltea, CMO of Usercentrics

5. Handle opt-out requests in a timely manner

The CCPA requires businesses to process users’ opt-out requests within 15 business days. This timeline can be a challenge for organizations that handle large volumes of requests. However, you can streamline the process by automating aspects of your data handling and consent workflow.

A consent management platform (CMP) like Usercentrics CMP accurately records user preferences at collection, as well as future changes, and stores them in an easily accessible database. This helps streamline request management processes and supports timely compliance.

While the 15-day rule applies in most cases, there are some instances where a business may deny an opt-out request. For example, an organization is not required to honor a request if the sale or sharing of PI is necessary for the business to comply with its own legal obligations or to exercise or defend legal claims or rights. 

Consumers may make a different rights request, like a request to know, a request to correct, or a request to delete. In this case, you have 45 days to process this request with the potential to extend that deadline by another 45 days if you notify the user.

While the CCPA and CPRA don’t explicitly require websites to have cookie notices, they do mandate that you provide visitors with clear disclosures about your data collection practices and offer easily accessible opt-out mechanisms for data sharing.

A CCPA-compliant cookie consent banner can help your business to meet those obligations. It’s an efficient way to inform users about the tracking technologies on your website while providing granular controls to opt out of data collection, sales, sharing, and other related practices.

That said, you’ll need more than just a cookie popup to achieve compliance. It’s also essential to create a detailed privacy policy and a “Do Not Sell Or Share My Personal Information” link. In combination, these elements offer your website visitors all the information and consent choices required by the CCPA.

Usercentrics makes it easy to generate CCPA-compliant cookie banners and automate consent management. We’ll help you put your customers in control of their data while helping you to achieve and maintain compliance with evolving privacy laws.