CCPA Cookie Consent: What Do You Need To Know? | Securiti
Organizations heavily rely on cookies for various ways of online advertising. Cookies collect user’s personal information, share, disclose or sell it to other parties including ad-tech companies for the purposes of marketing. Since cookies are likely to identify website users, build their profiles, and collect and sell their information to other parties, there has been a growing concern for user’s data privacy.
Most global privacy regulations use notices to inform users about cookies. These can be classified as either opt-in or opt-out consent regime.
In an opt-in consent regime, the user’s consent is required before the use of cookies. Such jurisdictions function on explicit consent requirements, i.e. the website users are explicitly asked to provide their consent to collect and process their information. Users on the other hand can grant or deny consent. On the other hand, in the opt-out consent regime, the user’s consent is not required before the use of cookies. However, organizations are still required to provide users an option to object to collect or sell their personal information and inform users about the use of cookies.
CCPA — an opt-out cookie consent regime:
The California Consumer Privacy Act (CCPA) is based on an opt-out cookie consent regime. Website publishers can only load non-essentials cookies once they have displayed the cookie notice consisting of relevant information about the use of cookies.
A CCPA compliant cookie notice must include the following:
— Information about the use of cookies and their purposes:
Under the CCPA, organizations that collect personal information from users must inform users at or before the point of collection, about the categories of personal information collected and the purpose for which the personal information will be used. This can be done by providing conspicuous links at or before the point of collection of personal information.
The California Privacy Rights Act (CPRA), which will replace the CCPA soon, enhances this obligation by requiring organizations to also include in their notices information on whether personal information is sold or shared and the length of time the organization intends to retain each category of personal information, or if not possible, the criteria used to determine such period.
— Notice of the right to opt-out of the sale of personal information:
Under the CCPA, organizations must allow users to opt-out of the sale of their personal information by displaying a clear message and prominent link titled “Do Not Sell My Personal Information” enabling users to opt-out of the sale of their information. This link should be easy to read and understandable for users. The link will provide users a description of the user’s right to opt-out, an interactive form and instructions by which users can submit their request to opt-out of the sale of their personal information.
The CPRA further enhances this requirement by requiring organizations to allow users to not only opt-out of sale of their information but also from sharing of their personal information including opting-out in the context of cross-site behavioral advertising. The CPRA also requires organizations to enable users to limit the use or disclosure of their sensitive personal information.
— A link to organization’s privacy policy
Under the CCPA, organizations must display a link to the organization’s privacy policy, or in the case of offline notices, a link to an online notice at the point of collection of personal information. The privacy policy should be posted online through a prominent link through a conspicuous link using the word “privacy” on the organization’s website homepage or the download or landing page of a mobile application. It should be easy to read and understandable for users.
The privacy policy should contain all the relevant details including the information about a user’s right to know about personal information collected, disclosed, or sold, right to request deletion of personal information, right to opt-out of the sale of personal information, right to non-discrimination, information about authorised agent, contact for more information, the date on which the privacy policy was last updated and the description of the required processes if an organization sells personal information belonging to minors.
— Opt-in consent for the sale of personal information belonging to minors
Where an organization has actual knowledge that the consumer or a website user is less than 16 years of age, it must rely on the explicit opt-in consent for the sale of their personal information. Organizations must obtain consent from users if they are at least 13 years of age and less than 16 years of age and from parents or guardians of users where they are less than 13 years of age.
It is clear that organizations cannot drop any cookies that have not been disclosed to users via notice. If an organization intends to use any additional cookies, it must inform the user.
In addition to the requirements mentioned above, organizations must maintain updated cookie consent records. Such records must include the date of the request of opt-in/opt-out, the nature of such request, the manner in which the request was made, the date of the organization’s response to the request, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part. Such consent records must be maintained for at least 24 months.
How Securiti can help?
With the legal requirements pertaining to cookies and consent becoming stricter with time, organizations need to be mindful and adopt their consent policies accordingly. In particular, organizations must devise ways to ensure that cookies are not dropped without the consent or knowledge of the website user.
Securiti’s Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features.
Securiti’s Universal Consent Management Solution captures consent and automates revocation fulfillment.
Request a DEMO to understand how Securiti can help you comply with the cookie consent requirements of CCPA, GDPR, and other global privacy laws and regulations.