As cookie usage becomes more widespread, its associated privacy risks become more evident. To help businesses observe open and ethical cookie practices, privacy regulations worldwide, including the comprehensive California Privacy Rights Act (CCPA/CPRA), have provided specific guidance.
In this article, we'll discuss cookies and their privacy implications, the CCPA/CPRA's position on cookies, and the steps businesses must take to stay on the right side of the law when it comes to cookie compliance.
Cookies are tiny data files stored in the browser on a user's computer or mobile device when they visit a website. These files typically contain basic information about user browsing patterns and activities, but they can also store a wide range of personal information.
The CCPA/CPRA is an amendment to the CCPA. Approved on November 3, 2020, the CCPA/CPRA substantially modifies and improves upon the CCPA's provisions, bringing it a few steps closer to the GDPR.
The CCPA/CPRA also addresses key areas of digital privacy unexplored by the CCPA, including dark patterns, behavioral advertising, and profiling. As a result, the CCPA/CPRA is informally referred to as "CCPA 2.0."
The amendments became fully operative on January 1, 2023.
The CCPA/CPRA expands several privacy rights already established in the CCPA and grants California residents additional rights over their personal information.
These rights are as follows:
What's more, the CCPA/CPRA establishes the California Privacy Protection Agency (CPPA) to oversee data protection standards and enforce California's consumer privacy laws.
Finally, the CCPA/CPRA updates the CCPA's definition of a business, thereby amending its scope of coverage. Let's take a look.
According to the CCPA/CPRA, a "business" refers to any profit-driven organization that:
Operates in California
Decides the purposes and means of processing consumers' personal information, and
Meets one or more of the following criteria:
Now that we have a basic understanding of cookies and the CCPA/CPRA, let's answer a few common questions about the CCPA/CPRA's treatment of cookies.
To clear up confusion about the privacy implications of using cookies under the CCPA/CPRA's jurisdiction, consider the following questions.
The CCPA/CPRA amendments treat cookies and similar technologies as personal information.
The CCPA/CPRA brings an end to a long-standing debate about whether using third-party cookies constitutes a "sale" of personal information.
A sale occurs when you disclose a consumer's personal information to a third party for money or other valuable consideration.
Given the CCPA's ambiguous term, "valuable consideration," it's no surprise that businesses have struggled to determine if their use of third-party cookies can be flagged as a "sale."
The CCPA/CPRA resolves this issue by simply introducing the term "sharing."
Sharing occurs when you disclose a consumer's personal information to a third party, whether or not for money or other valuable consideration.
Note that the standard CCPA exceptions apply to the definition of "sharing" under Section 1798.40 (ah) (2):
Now, while the CCPA grants consumers the right to opt out of the "sale" of their personal information, the CCPA/CPRA extends this right to include the "sharing" of personal information and sensitive personal information.
In other words, as long as you disclose a consumer's personal or sensitive information to a third party, you must provide a way for the consumer to opt out.
Notably, the CCPA/CPRA's definition of "sharing" covers any disclosure of personal information for cross-context behavioral advertising. This means you are either selling or sharing data once you use third-party cookies (unless one of the above exceptions applies).
In any case, you must observe the CCPA/CPRA's additional obligations for businesses that sell or share personal information (which we'll cover in the next section).
Now, let's go over what the CCPA/CPRA requires if you use cookies, including if you sell or share personal information through third-party cookies.
Businesses that use cookies on their websites or apps are subject to a number of requirements under the CCPA/CPRA amendments. The regulation also outlines additional obligations for companies that sell or share personal information, including through third-party cookies.
Here are some significant steps to take if you fall under either or both of these categories.
The CCPA/CPRA is a strong advocate of transparency. Accordingly, the law requires you (as a website owner) to provide consumers with a detailed account of your cookie practices.
As with the CCPA, you can address cookie information either in a section of your Privacy Policy or on a separate webpage in your Cookies Policy. It's simply a matter of preference.
Importantly, you must perform periodic cookie audits to identify relevant web domains and categorize cookies appropriately.
Your compliant Cookies Policy must address the following:
For example, Nike presents information about cookies and similar technologies within a section in its Privacy Policy:
Notably, Nike doesn't cover all of the essential details listed above. However, the CCPA/CPRA's criteria can be met by merely updating this clause to reflect the necessary information.
As previously mentioned, the CCPA/CPRA broadens the scope of the CCPA's opt-out provision by adding the word "sharing."
Effectively, if you either sell or share personal information (including through third-party cookies), you must set up a page explaining how consumers can exercise their right to opt out.
In addition, you must provide a link to this page titled, "Do Not Sell or Share My Personal Information," and place this link in conspicuous locations around your website (such as your footer section and Privacy Policy).
The CCPA/CPRA expands the required information businesses must address in their CCPA "Notice at Collection." If your business collects consumers' personal information, including through cookies, you must present this notice at or before the data collection point.
As with the CCPA, the CCPA/CPRA allows you to insert this notice as a section within your Privacy Policy.
Briefly, your "Notice at Collection" must provide the following details:
A cookie consent banner is commonly used as an alternative medium to help consumers submit opt-out requests specifically regarding cookies.
To use this medium appropriately, businesses must provide "a single, clearly-labeled link" on their website or app. Moreover, this link must allow consumers to simultaneously opt out of selling or sharing their personal information and limit the use or disclosure of their sensitive personal information.
Here's how the CCPA/CPRA states this requirement in Section 1798.135 (a) (3):
Since the CCPA/CPRA adopts the opt-out consent system, you can store cookies on consumers' devices without explicit consent through your cookie preference center.
However, your cookie consent banner must reveal this practice to consumers and provide an "I decline" button or a link to your settings/preference center for consumers to submit opt-out requests. You must also include a link to your Privacy/Cookies Policy for a more detailed explanation of your practices.
Remember to obtain opt-in consent before using third-party cookies for minors (below 16 years). They must click an "I accept" button or tick an empty checkbox before you can place cookies on their devices.
In light of this, you may consider implementing the opt-in consent system for all consumers, as it also helps protect you from accidentally selling or sharing personal information through third-party cookies.
Cookies are a core component of modern web technology. While most cookies are harmless, others are quite invasive of user privacy and have stirred up a lot of controversy.
For this reason, privacy laws like the CCPA have been enacted to regulate how companies collect and manage consumers' personal information, including information collected through cookies. And the CCPA's amendment, the CCPA/CPRA, adds more privacy protection for consumers.
To strengthen digital privacy in California, the CCPA/CPRA introduces several new terms, such as consent, profiling, cross-context behavioral advertising, sensitive personal information, and sharing.
The CCPA/CPRA also clarifies several vague provisions in the CCPA, including the complicated relationship between third-party cookies and the sale of personal information.
To recap, if you use cookies and are subject to the CCPA/CPRA, here's a quick rundown of your cookie compliance responsibilities: