



Learn about the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) and their impact on businesses. Discover the differences between cookie consent requirements in CCPA and GDPR and why CCPA compliance is crucial for data privacy. Find out how Secure Privacy can help you implement a CCPA-compliant cookie consent banner notice on your website.
The California Consumer Privacy Act (CCPA) is a data protection regulation that came into effect on January 1, 2020, to protect the personal information of California residents.
It requires businesses like yours to allow users to opt out of personal information processing. At the same time, it provides consumers with increased transparency, control, and security over their personal data.
It is important to note that the CCPA does not apply to every business. CCPA applies only to for-profit companies that collect and process consumer personal information and conduct business in California if the business meets at least one of the following criteria:
If your business does not meet these legal requirements, the CCPA does not apply to you, and you are not required to provide privacy notices. But if you do meet these requirements, keep reading.
The California Consumer Privacy Act (CCPA) is a privacy law in California, USA, that went into effect on January 1, 2020. The CCPA gives California residents certain rights over their personal information, such as the right to know what personal information a business collects about them, the right to request deletion of their personal information, and the right to opt out of the sale of their personal information. The CCPA applies to for-profit businesses that collect personal information of California residents, have annual gross revenues over $25 million, or buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices.
The California Privacy Rights Act (CPRA) is a ballot initiative passed by California voters on November 3, 2020, that builds upon and expands the CCPA's privacy protections. The CPRA provides California residents with additional rights over their personal information, including the right to restrict the processing of sensitive personal information, the right to correct inaccuracies in their personal information, and the right to limit the use of certain technologies that profile individuals. The CPRA also establishes a new state agency, the California Privacy Protection Agency, to enforce privacy laws in California. The CPRA went into effect on January 1, 2023.
Consent requirements are the general rules that organizations must follow when collecting and processing personal data from individuals. Cookie consent requirements are a specific type of consent requirement that applies to the use of cookies and similar tracking technologies.
Consent requirements
Consent requirements are typically set out in privacy laws and regulations, such as the GDPR in the EU and the CCPA in the United States. These laws require organizations to obtain consent from users before collecting and processing their personal data.
To be valid, consent must be:
Cookie consent requirements
Cookie consent requirements are typically stricter than general consent requirements. For example, the GDPR requires organizations to obtain explicit consent from individuals before setting non-essential cookies on their devices. Explicit consent means that individuals must take a clear positive action to indicate their consent, such as clicking a button or ticking a box.
The GDPR also allows organizations to set essential cookies without obtaining explicit consent. Essential cookies are cookies that are necessary for the proper functioning of a website, such as cookies that are used to remember items in an online shopping cart.
Differences between consent requirements and cookie consent requirements
The main difference between consent requirements and cookie consent requirements is that cookie consent requirements are more specific and stricter. This is because cookies can be used to track individuals' online activity across different websites, and to collect a wide range of personal data, such as their browsing history, interests, and location.
Another difference is that consent requirements apply to all types of personal data, while cookie consent requirements only apply to personal data that is collected and processed using cookies and similar tracking technologies.
If you fail to get cookie consent under CCPA/CPRA, you could be subject to significant fines and other penalties. The CCPA and CPRA both allow consumers to file complaints with the California Attorney General's Office, and the Attorney General has the power to investigate complaints and bring enforcement actions against businesses that violate the laws.
The maximum penalty for a CCPA or CPRA violation is USD 7,500 per violation per consumer. The fine can be reduced but not increased. Furthermore, one consumer equals one violation. If you fail to get cookie consent from 1,000 California residents, that is equivalent to 1,000 violations. 1,000 violations multiplied by USD 7,500 equals USD 7,500,000. As a result, the fines can get quite hefty quickly.
In addition to fines, the Attorney General also has the power to order businesses to stop violating the CCPA and CPRA, and to take other corrective actions. For example, the Attorney General could order a business to delete all of the personal information it collected without consent, or to provide consumers with a way to opt-out of the sale of their personal information.
The CCPA and the CPRA are privacy laws in California that regulate the collection, use, and sharing of personal information of California residents. These laws require businesses that collect, use, or disclose the personal information of California residents to take appropriate measures to protect the data. Identifiers such as a credit card number, social security number, or passport number, which can be used to identify a natural person, are considered sensitive personal information and require additional protection.
CCPA consent requirements:
CPRA consent requirements:
In summary, the CCPA sets the foundation for consumer privacy rights in California, while the CPRA strengthens and expands these rights.
The CCPA and the CPRA have similarities with the European Union's GDPR in terms of personal data processing requirements. Both laws place significant emphasis on giving consumers control over their personal information and require businesses to provide certain rights to consumers, such as the right to access, delete, and opt-out of the sale of their personal information.
However, there are also some differences between the CCPA/CPRA and the GDPR. For example, the CCPA/CPRA applies only to California residents, while the GDPR applies to all individuals in the EU. The CCPA/CPRA also have different definitions of personal information and differ in their enforcement mechanisms.
Overall, businesses operating in California or handling the personal information of California residents should familiarize themselves with both the CCPA/CPRA and the GDPR to ensure they are meeting the requirements of all relevant privacy laws. For more information on consent management best practices, check out our blog.
The CCPA and CPRA give California residents certain rights over their personal information, including the right to know what information is collected, the right to have it deleted, and the right to opt-out of its sale. Businesses subject to these laws must provide consumers with certain disclosures and notices, and obtain their consent before collecting or selling their personal information.
Businesses must also be mindful of the financial incentives they offer to consumers for their personal information, and must not discriminate against consumers who exercise their rights. In the event of a data breach, businesses must promptly notify affected consumers and the Attorney General.
To ensure CCPA and CPRA compliance, businesses should have a functional consent management platform in place, obtain opt-in consent for the collection of sensitive information, and obtain legal advice to assess their data collection practices.
Recently, the California Privacy Protection Agency (CPPA) issued draft regulations on risk assessments and cybersecurity audits under the CCPA. Learn about CCPA Risk Assessments.
The simple answer is no. You can send cookies and other tracking technologies to your website visitors’ devices without asking anyone and still comply with the CCPA and CPRA. They do not require opt-in consent for website cookies.
The only exception is the collection of the personal information of minors. If you reasonably know you are collecting children’s data, you must ask their parents or guardians for explicit user consent. These consent requirements apply even if you collect data such as IP address or any other unique identifier of a child online.
However, businesses must provide a notice of collection, which can be achieved using a cookie banner on their website. A cookie banner serves as the notice of collection and informs users about the website's data collection practices, including its use of cookies.
One of the most important CCPA and CPRA requirements is actually the notice of collection. A business provides this disclosure to inform consumers about the categories of personal information collected and the purposes for which the information will be used. The collection notice must be provided at or before the point of collection and should be easy to read and understand.
In most online business scenarios, this means serving the notice when the user lands on your webpage. And the most common way to serve them with such a notice is a cookie consent banner. Only, this time, it won’t request consent. It will only inform consumers that you use cookies.
According to the CCPA, this simple cookie notice on collection must contain the following elements:
CCPA and GDPR are quite different regarding cookie consent.
The General Data Protection Regulation of the EU requires an explicit opt-in, which means that you must not use cookies or other trackers until the consumer agrees. GDPR-compliant businesses must show the user a pop-up cookie banner, ask for freely given, specific, unambiguous, and informed consent, and keep the response records.
Moreover, the cookie consent manager shall allow users to customize cookie preferences in the preference center.
CCPA, on the other hand, requires businesses only to tell consumers that they use cookies. That’s all. No need to request permission to use any kind of cookies.
Consumers can opt out by clicking the “Do Not Sell My Personal Information” link, requesting the deletion of their data, or limiting the use of sensitive data.
Secure Privacy is a CCPA cookie consent service provider that helps businesses create and implement a CCPA-compliant cookie banner notice on collection. By using Secure Privacy, businesses can use a cookie consent management platform to ensure their cookie banners meet the CCPA requirements and provide users with the necessary information to make informed decisions about their personal data.
Features and benefits of using Secure Privacy for cookie banner notices on the collection include:
To create and implement a CCPA-compliant cookie banner notice on collection with Secure Privacy, follow these steps:
Here are some of the most common questions related to CCPA cookie consent services:
Do we need to record CCPA cookie consent? You don’t need to collect or record cookie consent unless you process children's personal information. The privacy protection of children requires obtaining explicit consent for using cookies or other trackers.
Do we need a cookie consent manager to comply with the CCPA? You need a cookie consent manager for CCPA compliance. If you process the personal information of minors, then you need to collect and log consent. Otherwise, it will help you only to serve the notice of collection.
Does CCPA cookie compliance mean we comply with other US states’ data privacy laws, such as Colorado, Virginia, and Connecticut? Although CCPA cookie requirements are similar to those in other US states, it is best to take a state-by-state approach to cookie compliance. That’s the safe road to avoiding penalties and reputation loss.
What are Global Privacy Controls (GPC), and must we comply with these signals? Global Privacy Control is a mechanism that informs websites that users opt out of the sale or sharing of their personal information. The California Attorney General first mentioned it, and it is now part of the most recent CCPA regulations.
California is the only state or country worldwide that explicitly requires compliance with such signals regarding consumer data.
How do we allow consumers to opt out of the sale of personal information? You can let your consumers opt out of the sale of their personal information by providing a link, “Do Not Sell or Share My Personal Information,” on the banner of your website.
Honoring GPC opt-out signals is a valid way to honor an opt-out request. To comply with GPC signals, you should implement a mechanism on your website to detect and respect these signals when received from a user's browser or device.
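The detection mechanism described above, as an added example that is not Secure Privacy's code: it treats the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property (both defined by the GPC specification) and a stored "Do Not Sell or Share" choice as equivalent opt-out signals, then decides which tag categories may load. The cookie name `sp_optout` and the category names are assumptions for illustration.

```javascript
// Added example: resolve a CCPA/CPRA "sale or sharing" opt-out from GPC
// signals plus the visitor's stored "Do Not Sell or Share" choice.
// Assumptions: the cookie name below and the category labels are
// hypothetical; header/property names follow the GPC specification.

const OPTOUT_COOKIE = 'sp_optout'; // hypothetical: set when the link is clicked

// Parse a raw Cookie request header ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Server side: a GPC-enabled browser sends "Sec-GPC: 1" on every request.
// Node lowercases header names, so check both spellings.
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return String(v ?? '').trim() === '1';
}

// Client side: GPC-enabled browsers expose navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Any single signal is an opt-out; the absence of one never cancels another.
// Returns which sources fired so the decision can be logged for audit.
function resolveOptOut({ headers = {}, nav = null, cookieHeader = '' } = {}) {
  const cookies = parseCookies(cookieHeader);
  const sources = [];
  if (gpcFromHeaders(headers)) sources.push('gpc-header');
  if (gpcFromNavigator(nav)) sources.push('gpc-navigator');
  if (cookies[OPTOUT_COOKIE] === '1') sources.push('do-not-sell-link');
  return { optedOut: sources.length > 0, sources };
}

// Essential cookies need no consent under CCPA; tags that sell or share
// personal information are withheld once the visitor has opted out.
function allowedCategories(decision) {
  const allowed = ['essential'];
  if (!decision.optedOut) allowed.push('advertising', 'cross-context-behavioral');
  return allowed;
}
```

Wire `resolveOptOut` into the request handler (or the banner script, using the real `navigator`) and gate third-party tag loading on `allowedCategories`, keeping the returned `sources` in your opt-out log.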
In conclusion, CCPA compliance regarding cookies is less stringent than GDPR, requiring businesses to inform users about their cookie usage rather than seeking explicit consent. However, staying up-to-date with privacy regulations and using tools like Secure Privacy to ensure compliance with the CCPA and other data privacy laws is crucial.