CPRA cookie consent: Your ultimate guide for 2024

Oro provides content designed to educate and help audiences on their compliance journey.

The California Consumer Privacy Act (CCPA) laid the groundwork for data privacy laws in the United States. With the addition of the California Privacy Rights Act (CPRA) in 2020, privacy protections for California residents were strengthened, including new definitions for consent, sensitive personal information, and additional business obligations. 

The CPRA amended the CCPA with varied consent levels based on personal information usage, encompassing the traditional opt-out approach and opt-in consent in specific situations. In addition, Californians now have more rights under the CPRA, such as personal information relating to:

  • The right to restrict the processing of sensitive personal information, including data processing
  • The right to correct inaccuracies in their personal information
  • The right to limit the use of profiling technologies

Under the CPRA’s amendment, consent is defined similarly to the General Data Protection Regulation (GDPR). For consent to be valid, it needs to be ‘freely given, specific, informed, and unambiguous,’ signified by an unambiguous indication or a clear affirmative action for a specifically defined purpose, which signifies agreement.

In this blog post, we’ll delve into CCPA cookie consent and implementing a compliant cookie policy. But first, let’s get crisp on whom CCPA applies to!

Key takeaways

  • The CCPA includes new definitions for consent, sensitive personal information, and additional obligations for businesses
  • Businesses must obtain opt-in consent for minors’ personal info and explicit consent for cookies related to sensitive data
  • Provide easily visible & accessible opt-out frameworks so users can control their personal information

Who does the CCPA/CPRA apply to?

The CCPA/CPRA applies to businesses handling the personal information of Californians, regardless of their location.  Its purpose is to provide privacy protection to California residents.

The CCPA imposes certain duties on for-profit businesses meeting certain criteria. This includes those businesses having annual gross revenue over $25 million OR buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices OR derives 50% or more of annual revenue from selling California resident’s personal information.

To abide by this data privacy law, businesses must gain user consent as per the regulations, which includes showcasing a clear link to their privacy policy detailing the personal information collected, including the consumer’s personal information and its usage. It should be highlighted that under the CCPA/CPRA, cookies, and other ‘unique identifiers’ are regarded as personal information.

Although the CCPA doesn’t generally demand user consent for cookies, there are particular scenarios where consent becomes necessary. 

For example, businesses must obtain opt-in consent when it comes to minors’ personal information. Apart from that, the CCPA requires businesses to implement opt-out frameworks, providing users with clear ways to exercise their right to opt-out.

Businesses must also be aware of the CCPA’s consent requirements for cookies related to sensitive personal information. Explicit consent is needed for cookies related to minors or sensitive personal information, such as health data or information on a person’s race or ethnicity. In all other cases, the CCPA operates on an opt-out consent system for cookies.

Third-party cookies and the CCPA

Third-party cookies, often used for tracking and advertising purposes, also fall under the purview of the CCPA. These cookies are usually placed on a user’s device by a website other than the one they are currently visiting, hence the name “third-party.” These cookies are often used to track a user’s internet activity and personalize advertising content.

Under the CCPA, businesses must clearly inform users about the use of third-party cookies and obtain their consent before these cookies can be placed. Furthermore, users should be given an easy and accessible way to opt out of the use of such cookies. 

A narrow road in a California suburb
RECOMMENDED FOR YOU
How to comply with CCPA

A step-by-step comprehensive guide on how to comply with California’s privacy act

Read more icon-arrow-long

Opt-out frameworks and user rights

A clear opt-out option for cookie usage must be provided to users by businesses. This can be achieved by including “Do Not Sell” and “Limit Sensitive Info” links on the website, which allow users to easily exercise their rights under the CCPA. These links should be easily visible and accessible to users, ensuring they can make informed decisions about the use of their personal information.

Keep in mind: Businesses can consolidate these two links, given both options are provided and clearly labeled with a clear and conspicuous link. By providing users with a user-friendly opt-out framework, businesses not only comply with the CCPA but also foster trust and transparency with their customers.

What is the CCPA/CPRA’s definition of a sale?

The CCPA/CPRA defines a sale as any exchange of personal information for monetary or other valuable consideration. This means that when a business transfers personal information to another entity in exchange for something of value, it is considered a sale. This includes:

  • Selling
  • Renting
  • Releasing
  • Disclosing
  • Disseminating
  • Making personal information available to a third party
  • Transferring 
  • Otherwise communicating orally, in writing, or by electronic (or other) means

Grasping the definition of a sale under the CCPA/CPRA is pivotal for businesses to comply with the law and safeguard their users’ personal information.

The CCPA places specific consent requirements on businesses when it comes to minors’ personal information. CCPA designates under 13 requiring parental consent and at least 13 and less than 16 as being able to provide their own consent. This means that businesses must ensure they have mechanisms in place to obtain opt-in consent from minors and parental consent for those under 13.

Adherence to these consent requirements for minors allows businesses to obtain consent and comply with the CCPA, safeguarding the privacy and security of their younger users. This fosters a safe online environment where minors and their parents can feel confident in the handling of their personal information.

Several factors must be considered by businesses to formulate a CCPA-compliant cookie policy. These include identifying and categorizing cookies used on the website, ensuring transparency and disclosure, and providing accessible opt-out mechanisms.

The following subsections will guide you through each of these steps, helping you establish a compliant cookie policy for your business.

Businesses need to identify and classify the cookies used on their website, inclusive of their purposes and expiration dates. Cookie categories typically include HttpOnly, SameSite, and secure cookies, which serve different functions depending on the website and the type of cookie.

For example, HttpOnly cookies are often used for authentication information, while SameSite cookies protect against cross-site request forgery. By understanding the various categories and purposes of cookies used on your website, you can ensure your cookie policy is comprehensive and CCPA-compliant.

Transparency and disclosure

Promoting transparency and disclosure in your cookie policy is vital for building trust and accountability. To achieve this, businesses should provide a clear and accessible privacy policy including information about cookies and their usage. This policy should detail the types of cookies used, their purposes, and how users can opt out of their usage.

By providing users with transparent information about cookies, businesses can inform consumers and:

  • Comply with the CCPA
  • Empower users to make informed decisions about their personal information
  • Build trust between businesses and their customers
  • Create a more responsible online environment

Opt-out mechanisms and accessibility

The incorporation of accessible opt-out mechanisms is a significant element of a CCPA-compliant cookie policy. 

One way to achieve this is by using a cookie consent banner that provides clear options for users to opt out of the use of cookies. These banners should be easy to use and understand, ensuring that users can exercise their right to opt out without difficulty. 

However, the website does not need a separate cookie banner if the website discloses information relating to the collection and use of personal information through cookies, and permits consumers to exercise their rights, if this information is included in the website privacy policy and is provided at or before the point of collection.

By providing accessible opt-out mechanisms, businesses not only comply with the CCPA, but also demonstrate their commitment to respecting their users’ privacy. This fosters a positive user experience and helps build trust between businesses and their customers.

Penalties for non-compliance

Noncompliance with CCPA / CPRA can result in severe financial consequences. Penalties can range from $2,500 to $7,500 USD per violation, with intentional violations carrying a higher penalty of up to $7,500 USD per violation, while unintentional violations have a maximum penalty of $2,500 USD each.

The CCPA / CPRA provides a 30-day cure period, allowing businesses to take corrective action and avoid penalties if they remedy the situation within that time frame. It’s important to note that breaking the law when it comes to children’s personal information can result in a penalty as high as $7,500 for each offense.

Concerned about CCPA compliance? We can help!

Businesses must be diligent in ensuring their compliance with the California Consumer PrivacyAct. This involves understanding the law itself, its applicability, and the specific requirements for cookie consent. 

By implementing a compliant cookie policy covering cookie categories and purposes, transparency and disclosure, and accessible opt-out mechanisms, businesses can safeguard their users’ personal information while fostering trust and accountability.

Now is the time to review your business’s cookie policy and make any necessary adjustments. By doing so, you can confidently navigate the ever-evolving landscape of data privacy laws, ensuring a safe and secure online environment for both your business and your users.

Thoropass’s end-to-end platform and bundled expert services deliver the fastest, most efficient path to continuous compliance with frameworks like CCPA/CPRA and PIPEDA.

More FAQs

Yes, cookies can be considered personal information under CCPA, depending on the situation, as they may require the same notices and to provide for the rights of consumers, including deletion or opt-out of sale as other personal information collected on the website.

Yes, cookie consent is required in California if the collected personal information is sold to other businesses; users have the right to opt out of it.

The CPRA is an amendment to the CCPA, introducing stricter regulations and additional consumer privacy protections. Unlike the CCPA, the CPRA establishes the California Privacy Protection Agency, a dedicated enforcement authority for privacy laws.

The CCPA regulations in California provide consumers with the right to know what personal information is being collected, the right to request deletion of personal information, and the right to opt out of the sale of their personal information.

These rights are important for protecting consumer privacy and ensuring that companies are transparent about their data collection practices.

The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California, have an annual gross revenue of over $25 million, and buy, sell, or share the personal information of 100,000 or more California residents, households, or devices OR derives 50% or more of annual revenue from selling California resident’s personal information.

Businesses subject to the CCPA must meet the requirements outlined in the law to be compliant.

Share this post with your network:

Related Posts

How ISO 42001 training can help create a culture of compliance and ethical AI

As more industries worldwide adopt more sustainable practices, ISO 42001 training is becoming crucial for businesses seeking to build and integrate artificial intelligence (AI) responsibly.  In particular, fintech, health tech,...
Read Article icon-arrow

Research and trends: State of Healthcare Security 2025

The healthcare industry stands at a critical juncture in cybersecurity, facing unprecedented challenges and technological opportunities. The State of Health Security 2025 report reveals a complex landscape where data vulnerability,...
Read Article icon-arrow