The California Consumer Privacy Act (CCPA) laid the groundwork for data privacy laws in the United States. With the addition of the California Privacy Rights Act (CPRA) in 2020, privacy protections for California residents were strengthened, including new definitions for consent, sensitive personal information, and additional business obligations.
The CPRA amended the CCPA to introduce consent levels that vary with how personal information is used: the traditional opt-out approach in most cases, and opt-in consent in specific situations. In addition, Californians now have more rights under the CPRA, such as rights over personal information relating to:
Under the CPRA’s amendment, consent is defined similarly to the General Data Protection Regulation (GDPR). For consent to be valid, it must be ‘freely given, specific, informed, and unambiguous,’ signified by a clear affirmative action that indicates agreement to a specifically defined purpose.
In this blog post, we’ll delve into CCPA cookie consent and how to implement a compliant cookie policy. But first, let’s get crisp on to whom the CCPA applies!
The CCPA/CPRA applies to businesses handling the personal information of Californians, regardless of their location. Its purpose is to provide privacy protection to California residents.
The CCPA imposes certain duties on for-profit businesses that meet certain criteria: those that have annual gross revenue over $25 million, OR buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices, OR derive 50% or more of their annual revenue from selling California residents’ personal information.
To abide by this data privacy law, businesses must obtain user consent as the regulations require, which includes displaying a clear link to a privacy policy that details the personal information collected and how it is used. Note that under the CCPA/CPRA, cookies and other ‘unique identifiers’ are regarded as personal information.
Although the CCPA doesn’t generally demand user consent for cookies, there are particular scenarios where consent becomes necessary.
For example, businesses must obtain opt-in consent when it comes to minors’ personal information. Apart from that, the CCPA requires businesses to implement opt-out frameworks, providing users with clear ways to exercise their right to opt-out.
Businesses must also be aware of the CCPA’s consent requirements for cookies related to sensitive personal information. Explicit consent is needed for cookies related to minors or sensitive personal information, such as health data or information on a person’s race or ethnicity. In all other cases, the CCPA operates on an opt-out consent system for cookies.
Third-party cookies, often used for tracking and advertising purposes, also fall under the purview of the CCPA. These cookies are usually placed on a user’s device by a website other than the one they are currently visiting, hence the name “third-party.” These cookies are often used to track a user’s internet activity and personalize advertising content.
Under the CCPA, businesses must clearly inform users about the use of third-party cookies and obtain their consent before these cookies can be placed. Furthermore, users should be given an easy and accessible way to opt out of the use of such cookies.
Businesses must provide users with a clear opt-out option for cookie usage. This can be achieved by including “Do Not Sell” and “Limit Sensitive Info” links on the website, which allow users to easily exercise their rights under the CCPA. These links should be easily visible and accessible, so that users can make informed decisions about the use of their personal information.
Keep in mind: businesses can consolidate these two links into one, provided that both options are offered and the combined link is clearly labeled, clear, and conspicuous. By providing users with a user-friendly opt-out framework, businesses not only comply with the CCPA but also foster trust and transparency with their customers.
The CCPA/CPRA defines a sale as any exchange of personal information for monetary or other valuable consideration. This means that when a business transfers personal information to another entity in exchange for something of value, it is considered a sale. This includes:
Grasping the definition of a sale under the CCPA/CPRA is pivotal for businesses to comply with the law and safeguard their users’ personal information.
The CCPA places specific consent requirements on businesses when it comes to minors’ personal information. The CCPA requires parental consent for consumers under 13, while consumers who are at least 13 and under 16 may provide their own consent. This means that businesses must have mechanisms in place to obtain opt-in consent from minors and parental consent for those under 13.
Adherence to these consent requirements for minors allows businesses to obtain consent and comply with the CCPA, safeguarding the privacy and security of their younger users. This fosters a safe online environment where minors and their parents can feel confident in the handling of their personal information.
Several factors must be considered by businesses to formulate a CCPA-compliant cookie policy. These include identifying and categorizing cookies used on the website, ensuring transparency and disclosure, and providing accessible opt-out mechanisms.
The following subsections will guide you through each of these steps, helping you establish a compliant cookie policy for your business.
Businesses need to identify and classify the cookies used on their website, including their purposes and expiration dates. Cookies are commonly distinguished by attributes such as HttpOnly, SameSite, and Secure, which serve different functions depending on the website and the type of cookie.
For example, HttpOnly cookies are often used for authentication information (the attribute keeps page scripts from reading the cookie), while SameSite cookies protect against cross-site request forgery. By understanding the various categories and purposes of cookies used on your website, you can ensure your cookie policy is comprehensive and CCPA-compliant.
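The inventory step above, as an added example that is not code from the post or from Thoropass. HttpOnly, Secure, and SameSite are attributes the server sets on a cookie rather than purposes, so a useful inventory records both the attributes and which host set the cookie (the post’s own definition of “third-party”). The observed headers, the site host, and the last-two-labels domain shortcut are assumptions made for this example; a real run would read the headers from a HAR capture or proxy log.

```javascript
// Added example, not code from the original post or from Thoropass: build the
// cookie inventory a CCPA cookie policy has to document (name, which host set
// it, first- or third-party, lifetime, HttpOnly / Secure / SameSite) from the
// Set-Cookie headers observed while loading a page. The observations and the
// site host below are constructed.

// Constructed observations: which host's response carried each Set-Cookie header.
const OBSERVED = [
  { host: "www.shop.example", header: "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { host: "www.shop.example", header: "theme=dark; Path=/; Max-Age=2592000; SameSite=Strict" },
  { host: "cdn.shop.example", header: "cdn_pref=1; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure" },
  { host: "track.ads-net.example", header: "_adid=xyz; Path=/; Max-Age=31536000; SameSite=None" },
];

// Parse one Set-Cookie header into its name/value pair and lower-cased attributes.
// Valueless attributes (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Registrable-domain approximation: the last two labels. A production inventory
// should use the Public Suffix List; this shortcut is an assumption of the example.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Classify one observed cookie relative to the site the user is visiting.
// `now` is epoch milliseconds, passed in so Expires-based lifetimes are reproducible.
function classifyCookie(obs, siteHost, now) {
  const { name, attrs } = parseSetCookie(obs.header);
  const firstParty = registrableDomain(obs.host) === registrableDomain(siteHost);
  let lifetimeDays = null; // null = session cookie (no Max-Age and no Expires)
  if (attrs["max-age"] !== undefined) {
    lifetimeDays = Number(attrs["max-age"]) / 86400; // Max-Age takes precedence over Expires (RFC 6265)
  } else if (attrs.expires !== undefined) {
    lifetimeDays = (Date.parse(attrs.expires) - now) / 86400000;
  }
  const secure = attrs.secure === true;
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite : "unspecified";
  const warnings = [];
  if (!secure) warnings.push("missing Secure");
  if (sameSite.toLowerCase() === "none" && !secure) warnings.push("SameSite=None without Secure is rejected by browsers");
  if (!firstParty) warnings.push("third-party cookie: disclose it and offer an opt-out");
  return {
    name,
    setBy: obs.host,
    firstParty,
    persistent: lifetimeDays !== null,
    lifetimeDays: lifetimeDays === null ? null : Math.round(lifetimeDays),
    httpOnly: attrs.httponly === true,
    secure,
    sameSite,
    warnings,
  };
}

// Build the full inventory for one page load.
function buildInventory(observed, siteHost, now = Date.now()) {
  return observed.map((obs) => classifyCookie(obs, siteHost, now));
}

// Usage with a fixed clock so the Expires-based lifetime is reproducible.
const NOW = Date.parse("2025-01-01T00:00:00Z");
for (const row of buildInventory(OBSERVED, "www.shop.example", NOW)) {
  console.log(row);
}
```

Each row of the output is one line of the cookie table a policy needs: a session cookie shows `persistent: false`, the tracker set by `track.ads-net.example` is flagged as third-party, and the `SameSite=None` cookie without `Secure` is flagged because browsers drop it anyway, which is worth knowing before you document it.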
Promoting transparency and disclosure in your cookie policy is vital for building trust and accountability. To achieve this, businesses should provide a clear and accessible privacy policy including information about cookies and their usage. This policy should detail the types of cookies used, their purposes, and how users can opt out of their usage.
By providing users with transparent information about cookies, businesses can inform consumers and:
The incorporation of accessible opt-out mechanisms is a significant element of a CCPA-compliant cookie policy.
One way to achieve this is by using a cookie consent banner that provides clear options for users to opt out of the use of cookies. These banners should be easy to use and understand, ensuring that users can exercise their right to opt out without difficulty.
However, a website does not need a separate cookie banner if its privacy policy discloses the collection and use of personal information through cookies, permits consumers to exercise their rights, and is provided at or before the point of collection.
By providing accessible opt-out mechanisms, businesses not only comply with the CCPA, but also demonstrate their commitment to respecting their users’ privacy. This fosters a positive user experience and helps build trust between businesses and their customers.
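As an added example, not code from the post or from Thoropass, the following is the decision logic an opt-out banner with “Do Not Sell” and “Limit Sensitive Info” links would need. It covers this section and the earlier ones on minors and sensitive information: cookies are opt-out by default, cookies tied to sensitive personal information need explicit opt-in, consumers aged 13 to 15 give their own opt-in, and under-13s need a parent’s. The category names, the shape of the preference record, which categories count as selling or sharing, the treatment of strictly necessary cookies, and the one-year lifetime of the preference cookie are all assumptions made for this example.

```javascript
// Added example, not code from the original post or from Thoropass: the
// consent decision behind an opt-out cookie banner. Rules encoded from the
// post: opt-out by default, explicit opt-in for sensitive personal
// information, self opt-in at 13-15, parental opt-in under 13. Category
// table, preference record and "sellsOrShares" flags are assumptions.

// Assumed category table: does placing this cookie sell or share personal information?
const CATEGORIES = {
  essential:   { sellsOrShares: false, sensitive: false }, // strictly necessary; never gated (assumption)
  functional:  { sellsOrShares: false, sensitive: false },
  analytics:   { sellsOrShares: true,  sensitive: false }, // third-party analytics treated as sharing (assumption)
  advertising: { sellsOrShares: true,  sensitive: false },
  health:      { sellsOrShares: true,  sensitive: true  }, // sensitive personal information
};

// Assumed preference record; stored first-party, see preferenceCookieHeader below.
function defaultPreferences() {
  return { doNotSell: false, limitSensitive: false, optIn: [], parentalOptIn: [] };
}

// Handle a click on one of the two opt-out links the post describes.
function applyOptOutLink(prefs, link) {
  if (link === "do-not-sell") return { ...prefs, doNotSell: true };
  if (link === "limit-sensitive") {
    const notSensitive = (c) => !(CATEGORIES[c] && CATEGORIES[c].sensitive);
    return {
      ...prefs,
      limitSensitive: true,
      optIn: prefs.optIn.filter(notSensitive),
      parentalOptIn: prefs.parentalOptIn.filter(notSensitive),
    };
  }
  throw new Error(`unknown link: ${link}`);
}

// Record an explicit opt-in, by the consumer or (for under-13s) by a parent.
function recordOptIn(prefs, category, { byParent = false } = {}) {
  const key = byParent ? "parentalOptIn" : "optIn";
  return { ...prefs, [key]: [...new Set([...prefs[key], category])] };
}

// Decide whether a cookie of `category` may be placed for this consumer.
// `age` is null when unknown; the post's thresholds are 13 and 16.
function mayPlaceCookie(category, { age = null, prefs }) {
  const meta = CATEGORIES[category];
  if (!meta) throw new Error(`unknown category: ${category}`);
  if (category === "essential") return true;
  if (age !== null && age < 13) return prefs.parentalOptIn.includes(category);
  if (age !== null && age < 16) return prefs.optIn.includes(category);
  if (meta.sensitive) return !prefs.limitSensitive && prefs.optIn.includes(category);
  if (meta.sellsOrShares) return !prefs.doNotSell;
  return true;
}

// Persist the choice as a first-party cookie the banner script can read back.
// Deliberately not HttpOnly: the client-side banner needs to read it.
function preferenceCookieHeader(prefs) {
  const value = encodeURIComponent(JSON.stringify(prefs));
  return `ccpa_prefs=${value}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}

// Read the record back from a Cookie header; a malformed value counts as "no choice recorded".
function readPreferenceCookie(cookieHeader) {
  const m = /(?:^|;\s*)ccpa_prefs=([^;]*)/.exec(cookieHeader || "");
  if (!m) return defaultPreferences();
  try {
    return { ...defaultPreferences(), ...JSON.parse(decodeURIComponent(m[1])) };
  } catch (_e) {
    return defaultPreferences();
  }
}

// Usage: an adult clicks "Do Not Sell"; advertising cookies are then blocked, functional ones are not.
const afterDoNotSell = applyOptOutLink(defaultPreferences(), "do-not-sell");
console.log("advertising:", mayPlaceCookie("advertising", { age: 34, prefs: afterDoNotSell }));
console.log("functional:", mayPlaceCookie("functional", { age: 34, prefs: afterDoNotSell }));
console.log(preferenceCookieHeader(afterDoNotSell));
```

The gate is what every tag or script that would set a non-essential cookie should call before running; the banner only writes the preference record. Keeping the record in a first-party cookie with `SameSite=Lax` and `Secure` means the choice survives across visits without being exposed to the third parties it is meant to restrict.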
Noncompliance with the CCPA/CPRA can result in severe financial consequences. Penalties range from $2,500 USD to $7,500 USD per violation: intentional violations carry a penalty of up to $7,500 USD each, while unintentional violations have a maximum penalty of $2,500 USD each.
The CCPA / CPRA provides a 30-day cure period, allowing businesses to take corrective action and avoid penalties if they remedy the situation within that time frame. It’s important to note that breaking the law when it comes to children’s personal information can result in a penalty as high as $7,500 for each offense.
Businesses must be diligent in ensuring their compliance with the California Consumer Privacy Act. This involves understanding the law itself, its applicability, and the specific requirements for cookie consent.
By implementing a compliant cookie policy covering cookie categories and purposes, transparency and disclosure, and accessible opt-out mechanisms, businesses can safeguard their users’ personal information while fostering trust and accountability.
Now is the time to review your business’s cookie policy and make any necessary adjustments. By doing so, you can confidently navigate the ever-evolving landscape of data privacy laws, ensuring a safe and secure online environment for both your business and your users.
Thoropass’s end-to-end platform and bundled expert services deliver the fastest, most efficient path to continuous compliance with frameworks like CCPA/CPRA and PIPEDA.
Yes, cookies can be considered personal information under the CCPA, depending on the situation; they may then require the same notices and the same consumer rights, including deletion and opt-out of sale, as other personal information collected on the website.
Yes, cookie consent is required in California if the collected personal information is sold to other businesses; users have the right to opt out of it.
The CPRA is an amendment to the CCPA, introducing stricter regulations and additional consumer privacy protections. Unlike the CCPA, the CPRA establishes the California Privacy Protection Agency, a dedicated enforcement authority for privacy laws.
The CCPA regulations in California provide consumers with the right to know what personal information is being collected, the right to request deletion of personal information, and the right to opt out of the sale of their personal information.
These rights are important for protecting consumer privacy and ensuring that companies are transparent about their data collection practices.
The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and that have an annual gross revenue of over $25 million, OR buy, sell, or share the personal information of 100,000 or more California residents, households, or devices, OR derive 50% or more of their annual revenue from selling California residents’ personal information.
Businesses subject to the CCPA must meet the requirements outlined in the law to be compliant.
The California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA), together form a comprehensive data privacy law that gives Californians more control over their personal information and sets requirements for businesses that collect, use, and sell their data.
To help you navigate this complex regulation, we’ve created a step-by-step guide on how to comply with CCPA, ensuring your business is CCPA compliant.
At its core, the CCPA provides more transparency and control to consumers over how their personal data is collected, used, and sold. Businesses must be aware of their obligations under the CCPA, as failure to comply can result in hefty fines and legal action.
You may wonder what qualifies as personal data and how the CCPA impacts your business practices. Let’s explore these aspects.
Under the CCPA, personal data includes any information linking to an individual or household. The following are considered personal data:
It is crucial to understand the implications of personal information collected and how it can impact individuals’ privacy.
However, not all information falls under this category; public information from government records, aggregated data, and certain consumer-shared information are exempt from CCPA regulations.
The CCPA and CPRA apply to for-profit businesses that collect and sell the personal information of California residents, maintain reasonable security procedures, and meet at least one of three specific criteria:
If your business falls into any of these categories, understanding and adhering to the CCPA requirements is necessary. Compliance with the CCPA not only safeguards your California customers’ privacy rights but also demonstrates your dedication to data security and transparency, thereby enhancing trust among your clientele.
Here are the key details of CCPA at-a-glance:
The CCPA empowers California consumers with a set of key rights regarding their personal information. By understanding these rights, businesses can better address consumer concerns and ensure their practices remain compliant with the CCPA.
The right to notice requires businesses to inform consumers about what type of personal information they are collecting and how they plan to use it, either before or at the point of collection. This disclosure must include:
The right of access, also known as the right to request, allows consumers to obtain the personal information a business has collected about them. To comply with this right, businesses must provide at least two ways for consumers to submit requests, such as a:
Note: A business operating exclusively online that has a direct relationship with a consumer is only required to provide an email address.
Once a request is received, businesses must confirm receipt within ten (10) days and respond within 45 days (with an additional 45 days available once the consumer is notified of the extension).
The right to know grants consumers the ability to learn how their personal information is being used, sold, or shared by businesses. This includes the categories of personal information collected, the sources from which it was obtained, the purpose for which it was collected or sold, and the third parties with whom it is shared, disclosed, or sold. To comply with the right to know, businesses must provide the requested information within 45 days, with the possibility of an additional 45-day extension if the consumer is notified.
The right to opt out enables consumers to tell businesses not to sell or share their personal information. Businesses must provide a clear and conspicuous link on their website, usually labeled “Do Not Sell My Personal Information,” where consumers can exercise this right.
The California Privacy Rights Act amended CCPA and provides new guidance and additional privacy protections for consumers.
Under the right to delete, consumers can request businesses delete any personal information they have collected. To comply with this right, the consumer’s identity needs to be verified for a deletion to occur. Businesses must also provide at least two methods for consumers to submit deletion requests, such as a:
Once a request is received, businesses must respond within 45 days, with the possibility of an additional 45-day extension if the consumer is notified.
The right to notification of financial incentive requires businesses to inform consumers of any financial incentives offered in exchange for the collection, sale, or deletion of their personal information. Businesses must clearly explain the material terms of the incentive program, including the categories of personal information involved, the value of the consumer’s data (along with the method used to calculate this value), how the consumer can opt in or out of the program, and a statement that the consumer can withdraw from the program at any time.
The right not to be discriminated against ensures consumers cannot be denied goods or services, charged different prices, or receive lower quality goods or services due to exercising their CCPA rights.
This protection encourages consumers to exercise their rights without fear of negative consequences, promoting a fair and transparent marketplace.
Ensuring your business is CCPA-compliant requires adherence to a series of steps covering all necessary requirements and obligations. These steps include:
Each of these steps holds a significant role in CCPA compliance. Let’s examine each one…
The first step in CCPA compliance is understanding your business’s obligations under the law. This involves familiarizing yourself with the key provisions of the CCPA, such as the consumer rights it grants, the types of personal information it covers, and the specific rules and requirements it imposes on businesses.
A crucial step in CCPA compliance is updating your privacy policy to reflect the requirements of the law. This involves:
Frequent reviews and updates of your privacy policy can uphold transparency and exhibit your dedication to data privacy.
To comply with the CCPA’s right to notice, businesses must implement data collection notices informing consumers about the types of personal information being collected and the purposes for which it will be used.
These notices should be provided before or at the point of collection and must be clear, conspicuous, and easy to understand.
Implementing data collection notices can help businesses maintain transparency and build trust with their customers by informing them about the data collected and managing their data inventory effectively.
Another essential aspect of CCPA compliance is effectively managing consumer requests and responses. This includes:
Data security is a critical component of CCPA compliance, and businesses must implement reasonable security measures to protect consumers’ personal information.
In the event of a data breach, businesses are required to notify affected consumers and, in some cases, the California Attorney General. Investing in data security and establishing a breach notification plan can reduce the risk of expensive penalties and reputational harm linked to data breaches.
CCPA compliance extends to your business’s relationships with third-party processors, making it crucial to audit and update your third-party contracts. This process involves:
Finally, staff training and awareness are essential for CCPA compliance. Employees who handle customer inquiries about a company’s privacy policies or process personal information must be knowledgeable about the CCPA and its requirements.
Regular training on the CCPA, consumer rights, and data security best practices can help ensure your staff is well-equipped to handle any privacy-related issues and maintain compliance with the law.
Keep in mind, CCPA compliance is a continuous process, and staying informed about any law updates or changes is vital. Regularly reviewing your practices and policies, as well as maintaining open communication with consumers, will help your business remain compliant and foster trust with your clientele.
Non-compliance with the CCPA can result in significant penalties and legal action. The California Attorney General is responsible for enforcing the law, and businesses failing to comply can face fines of up to $7,500 per violation.
Additionally, consumers affected by a data breach may take legal action against the business, with potential damages ranging from $100 to $750 per consumer per incident.
Potential financial and reputational consequences of non-compliance underline the importance of sticking to the CCPA regulations. By following the steps outlined in this guide and maintaining a strong commitment to data privacy, your business can avoid costly penalties and protect the privacy rights of California consumers.
Businesses must comply with consumer requests to delete their data, provide notices explaining their privacy practices, and update third-party contracts. Additionally, they must require vendors to provide data inventories, due diligence questionnaires, and records of processing, and must ensure data syncability.
Examples of CCPA compliance include a business:
The CCPA provides consumers with key protections, such as the right to know what information is collected about them and how it’s used, the right to delete their personal information, and the right to opt out of data sales or sharing.
Businesses that collect and sell the personal information of California residents and meet certain criteria must comply with the CCPA. This includes for-profit companies with annual gross revenues exceeding $25 million, those handling the personal information of 100,000 or more consumers, and those earning more than 50% of their annual revenue from selling personal data.