CPRA Cookie Consent — All You Need To Know [2022 Guide]

Does the CPRA Require Consent for the use of Cookies?

No, the CPRA does not require consent for the use of cookies unless those cookies relate to personal information belonging to minors.

  • Businesses can have a single, clearly-labeled link if such a link allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.
  • To comply with the above obligations, businesses can also rely on preference signals. In such a case, businesses must allow consumers to opt-out through an opt-out preference signal sent with the consumer’s consent. Businesses can respect consumers’ preferences communicated through a cross-platform global privacy control that meets technical specifications established by the Office of the Attorney General. This is an alternate mechanism for compliance. Where a business relies on preference signals, it must state that the business responds to and abides by opt-out preference signals in its privacy policy.

Does the CPRA require opt-in consent for the use of cookies?

Yes, the CPRA requires opt-in consent for the use of cookies if they relate to the sale and sharing of personal information of minors. A minor is someone who is less than 16 years of age. Where a business has actual knowledge that the consumer is less than 16 years of age, it must not sell or share the consumer’s personal information without obtaining explicit opt-in consent. This means businesses must obtain opt-in consent from consumers where the consumer is at least 13 years of age and less than 16 years of age. Businesses must obtain consent from parents or guardians of consumers where the consumer is less than 13 years of age.

What is Consent Under the CPRA?

The CPRA clearly explains what constitutes consent and what doesn’t constitute consent. As mentioned earlier, consent means any freely given, specific, informed, and unambiguous indication of a consumer’s wishes.

  • Hovering over, muting, pausing, or closing a given piece of content; or
  • The use of dark patterns to manipulate or mislead consumers into providing consent.

How Is The CPRA Different From The CCPA?

The CPRA is an improvement on the existing CCPA. With several additions, such as the definitions of consent and sensitive personal information, consent for minors, and multiple other obligations for businesses, the CPRA takes the privacy of Californians to another level. Learn more about CPRA vs. CCPA.

Cookie Policy under the CPRA

In light of the above, we recommend including the following details in a CPRA-compliant cookie policy:

  • Information on essential cookies, their purposes, and that they will always be activated,
  • Categories of any sensitive personal information collected via cookies and their purposes,
  • Cookie expiration dates,
  • Categories of third parties to whom personal data collected via cookies is sold and disclosed, along with the purposes of such sale and disclosure/list of data processors,
  • Information on consumers’ right to opt-out, and
  • Information on minor consumers’ right to opt-in and the right to opt-out after they have opted-in.

How Can Securiti Help?

Securiti ensures CPRA compliance with a modern PrivacyOps platform powered by AI Automation. The world-class tools support enterprises in their journey toward compliance with the CPRA through automation, enhanced data visibility, and identity linking. Get in touch to learn more.


