The California Consumer Privacy Act (CCPA) extends broad protections to personal information, including data collected by cookies—requiring businesses to disclose data collection purposes and offering California residents control over their data.
To comply with CCPA, businesses must provide a way for consumers to opt-out of the sale of personal data, regularly update privacy notices, and conduct compliance audits.
It's also worth understanding the key differences in consent requirements between CCPA and GDPR to create efficient compliance programs, foster consumer trust, and avoid potential penalties.
The California Consumer Privacy Act, enacted in 2018 and effective from January 2020, represented a significant step for U.S. data privacy legislation.
Designed to give California residents more control over the personal information collected by businesses, the CCPA set new benchmarks for privacy and transparency, influencing how domestic and global companies handle personal data.
CCPA’s definition of personal information
Under CCPA, "personal information" is broadly defined to include information that identifies, relates to, describes, or could be linked with an individual or a household.
This definition encompasses a wide range of data types, from basic identifiers like names and addresses to more sensitive personal information such as:
Biometric data
Internet activity
Geolocation data
CCPA places particular emphasis on ensuring that businesses disclose to consumers what personal information is being collected and the purposes for which it's used.
Scope and applicability
The CCPA applies to any for-profit entity that collects personal information of California residents and meets certain thresholds, which are any of the following:
Annual gross revenues exceeding $25 million
Buys or sells the personal information of 50,000 or more California residents, households, or devices annually
Derives 50% or more of its annual revenue from selling California residents’ personal information
This broad scope means that the CCPA affects not only businesses based in California but also companies across the globe that collect personal information from any of California's 39 million residents.
Practically speaking, the rules put forth in the California Consumer Privacy Act (CCPA) will most commonly affect the way businesses use cookies on their websites (but may go beyond that).
Let's explore the different types of internet cookies and how they intersect with the CCPA.
The role of cookies under CCPA
Cookies are small data files stored on users' devices while they browse the internet. Their functionality ranges from playing an essential role in a website’s operation (think saving your shopping cart on retail sites) to collecting and disseminating vast amounts of data about consumers' preferences and activities online.
The CCPA focuses on cookies that collect personal information. There are several types of cookies, each with different implications.
Essential Cookies: Necessary for basic site functionality and typically do not collect personal information.
Preference Cookies: Save user preferences and are less likely to pose compliance issues, as long as they don't collect personal data beyond what's necessary.
Analytics Cookies: Gather data about user behavior on the site. If they collect personal information, they must comply with CCPA.
Advertising Cookies: Often used to track users across websites for targeted ads and are most scrutinized under CCPA for privacy concerns.
Understanding the 'sale' of personal information
One of the key aspects of CCPA is its definition of the 'sale' of personal information, which includes exchanging personal data for monetary or other valuable consideration.
You may be thinking, "how often are businesses selling consumers' personal information?" That seems like such a deceptive, outdated process employed by direct-mail scammers.
Well, the CCPA defines that term in a much broader sense, especially when it comes to internet cookies. Under the CCPA, if a website uses cookies that collect personal information and shares this data with third parties (like advertisers), it could be considered a 'sale'.
Implications for first-party and third-party cookies
The impact of CCPA varies between first-party and third-party cookies.
First-Party Cookies: Directly set by the website a user is visiting, they are less likely to be affected by CCPA—unless they are used in ways that involve the sale of collected personal information.
Third-Party Cookies: Set by domains other than the one the user is visiting. More likely to be impacted by CCPA, especially if used for tracking and advertising purposes that involve selling personal information.
Example: Third-Party Advertising Cookies
Imagine a website that partners with third-party advertising networks. This website places third-party cookies on its visitors' browsers.
These cookies track the visitors' online activities, not just on the original website but across various sites they browse. The information gathered by these cookies, which can include browsing history, preferences, and potentially identifiable data, is then sent back to the third-party advertising network.
This third-party network uses the collected data to build user profiles and deliver targeted ads both on the original website and on other websites the user visits.
In this scenario, the website is effectively participating in the "sale" of personal information due to:
Valuable Consideration: The website receives a benefit (often monetary, such as advertising revenue) in exchange for allowing the third-party network to collect data via cookies.
Data Transfer: There is a transfer of personal information (data collected via cookies) from the website to the third-party advertiser.
Under CCPA, this constitutes a sale of personal information because the website is allowing third parties to access and use personal data (collected through cookies) in exchange for something valuable (advertising revenue or other benefits).
To comply with CCPA in such a scenario, the website needs to:
Provide clear notice to users about this practice.
Offer a straightforward way for users to opt-out of the sale of their personal information, typically through a “Do Not Sell My Personal Information” link.
Ensure that if a user opts out, their data is not shared with the third-party advertisers.
Compliance requirements for CCPA cookie consent
1. Notice and transparency
The cornerstone of CCPA compliance is providing clear and transparent information to users about cookie usage. This includes:
Privacy Notices: Websites must display privacy notices that clearly outline the types of cookies in use, the nature of the personal information collected, and how this information is used or shared.
Accessibility: Notices should be easily accessible, ideally on the landing page or through a conspicuous link.
Updates: Regularly update privacy notices to reflect any changes in cookie usage or data practices.
2. Implementing "Do Not Sell My Personal Information" options
One of the critical requirements of the CCPA is to allow users to opt-out of the sale of their personal information.
Clear opt-out link: Websites should include a clear and conspicuous link titled “Do Not Sell My Personal Information” that allows users to opt-out of the sale of their personal information.
Functionality: Ensure the opt-out process is straightforward, not requiring the user to create an account or go through unnecessary steps.
Compliance for cookies: This means disabling any cookies that are used for selling personal information upon a user's opt-out request.
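One way to enforce the opt-out described above and in the compliance steps for the advertising-cookie scenario, as an added example that is not code from the original post or from Transcend: a server-side gate that follows the CCPA opt-out model (cookies run unless the visitor has opted out), blocks the cookies categorised as a "sale" once an opt-out is recorded, and expires any such cookies already present. The cookie inventory, the `dns_optout` preference cookie and the header shapes are constructed assumptions; the `Sec-GPC: 1` signal is the browser-sent Global Privacy Control header, which CCPA regulations require businesses to honour as an opt-out and which the post itself does not mention.

```javascript
// Constructed cookie inventory, categorised as the post describes.
// `sale` marks cookies whose data is shared with third parties for value.
const COOKIE_CATALOG = [
  { name: "session_id",   category: "essential",   sale: false },
  { name: "ui_lang",      category: "preference",  sale: false },
  { name: "site_metrics", category: "analytics",   sale: false },
  { name: "ad_network",   category: "advertising", sale: true  },
  { name: "retarget_id",  category: "advertising", sale: true  },
];

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Opt-out model: the visitor is treated as opted out only if the first-party
// preference cookie set by the "Do Not Sell My Personal Information" link
// (assumed name: dns_optout) says so, or the browser sends Sec-GPC: 1.
function hasOptedOut(headers) {
  const cookies = parseCookieHeader(headers.cookie);
  return cookies.dns_optout === "1" || headers["sec-gpc"] === "1";
}

// Decide which catalogued cookies may be set on this response and which
// already-present sale cookies must be expired because the visitor opted out.
// Essential, preference and analytics cookies that are not sold stay allowed.
function applyDoNotSell(headers) {
  const optedOut = hasOptedOut(headers);
  const present = parseCookieHeader(headers.cookie);
  const allowed = COOKIE_CATALOG
    .filter((c) => !(optedOut && c.sale))
    .map((c) => c.name);
  const revoke = optedOut
    ? COOKIE_CATALOG.filter((c) => c.sale && c.name in present).map((c) => c.name)
    : [];
  // Set-Cookie headers that expire the revoked cookies on the visitor's browser.
  const setCookie = revoke.map(
    (n) => `${n}=; Max-Age=0; Path=/; Secure; SameSite=Lax`
  );
  return { optedOut, allowed, revoke, setCookie };
}
```

The audit step in the post (checking that opt-out mechanisms actually work) maps directly onto calling `applyDoNotSell` with an opted-out request and confirming that no `sale` cookie appears in `allowed`.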
3. Managing opt-out requests
Effective management of user opt-out requests is a vital aspect of CCPA compliance. Organizations should implement a modern consent management solution to address this piece of compliance, one that enables full-stack fulfillment of consent preferences.
To be compliant, businesses must be able to synchronize consumer consent preferences across different web applications, mobile applications, backend databases, and third-party tools—using a solution like Transcend Consent Management.
4. Record-Keeping and Documentation
Clear records of consent are key for demonstrating compliance with CCPA. A modern consent management platform will allow your organization to document how and when consent was obtained, giving you the audit trail you need in the event of an audit or potential enforcement action.
Best practices for CCPA cookie consent compliance
While adhering to the legal requirements of the CCPA is important, adopting best practices can further enhance compliance and build consumer trust.
Here are key strategies for businesses to effectively manage cookie consent under CCPA.
Clear communication and cookie notices
User-friendly language: Use clear, straightforward language in your cookie notices and privacy policies. Avoid legal jargon to ensure users can easily understand how their data is used.
Visibility and accessibility: Make sure your cookie notices are easily visible and accessible on your website.
Detailed information: Provide comprehensive details about the types of cookies used, their purpose, and how users' data will be processed.
Data inventory and discovery
Understanding what data your organization collects, where it lives, and how it's used is a key component of any compliance program. Though not specifically required under CCPA, a comprehensive data inventory can provide a few significant benefits, mainly:
Better visibility and understanding of your data flows: Real-time insights into your data ecosystem allows you to conduct a thorough analysis of the data collected through cookies—giving you visibility into where it comes from, how it’s used, where it’s stored, and who it’s shared with.
Real-time updates: As your website evolves, automated data discovery will help you to maintain visibility into new cookies or changes in data use.
Align cookie use with business needs: Ensure that the cookies used are necessary for your business objectives and that data collection is minimized to what’s essential.
Regular compliance audits and updates
Scheduling regular check-ins and internal audits is a key part of maintaining CCPA compliance. The rulemaking process for the CPRA, which amended the CCPA, is still in flux, so it's always a good idea to ensure your program is in line with the latest updates. To support this, you should:
Conduct regular audits: Regularly review your website’s cookie practices and CCPA compliance. This includes checking the functionality of opt-out mechanisms and the accuracy of privacy notices.
Stay informed about legal changes: The legal landscape regarding data privacy is constantly evolving. Stay informed about any changes in the CCPA or new regulations that might affect your business.
Employee training: Regularly train your employees, especially those handling customer data and privacy inquiries, to ensure they are up-to-date with CCPA requirements and best practices.
Navigating CCPA vs. GDPR: A comparative analysis
Understanding the differences between the CCPA and General Data Protection Regulation (GDPR) consent requirements is key for businesses that operate both in California and the EU.
This comparison highlights key similarities and differences between the two regulations.
1) Consent model
CCPA: Primarily operates on an opt-out model. Businesses can collect and use consumers' personal information unless the consumer opts out, particularly in the context of selling personal data.
GDPR: Requires businesses to obtain opt-in consent before collecting or processing personal data in many cases. This proactive approach demands explicit permission from users before data collection.
2) Definition of personal information/data
CCPA: Defines personal information in a broad sense, including any information that can be linked, directly or indirectly, with a consumer or household.
GDPR: Focuses on personal data that can identify an individual either directly or indirectly, including a wider range of data categories.
3) Rights granted
CCPA: Grants California consumers rights such as the right to know about the personal information collected, opt-out of sale, and request deletion of their personal information.
GDPR: Offers a broader set of rights, including the right to access, rectify, erase personal data, and data portability.
4) Scope of application
CCPA: Applies to for-profit entities doing business in California that meet specific criteria.
GDPR: Applies to all entities processing the personal data of individuals in the EU, regardless of where the entity is based.
5) Penalties and enforcement
CCPA: Penalties are enforced per violation, with a maximum of $7,500 per intentional violation.
GDPR: Fines can be much steeper, up to €20 million or 4% of the annual global turnover, whichever is higher.
Harmonizing compliance for global businesses
While the GDPR's requirement to obtain opt-in consent is generally more stringent than the CCPA’s opt-out approach, adopting the higher standard of GDPR can often help in meeting CCPA requirements as well. Here are some strategies:
Unified consent mechanism: Implementing a consent mechanism that accommodates both opt-in (GDPR) and opt-out (CCPA) can streamline user experience and compliance efforts.
Comprehensive data rights management: Develop systems to efficiently handle user requests, whether it’s to opt-out, request deletion, or access their data, as required under both regulations.
Regular policy review and update: Continuously monitor changes in both legislations and adjust your data protection and privacy policies accordingly.
CCPA penalties for non-compliance (and how to avoid them)
Navigating CCPA compliance is not just about adhering to legal standards but also about avoiding the significant penalties associated with non-compliance.
Overview of CCPA penalties
The CCPA sets forth clear penalties for businesses that fail to comply with its requirements.
Civil Penalties: For businesses, civil penalties can reach up to $7,500 per intentional violation and $2,500 per unintentional violation if not rectified within 30 days of notification. These fines can accumulate quickly, especially for companies handling large volumes of data.
Consumer Lawsuits: The CCPA also empowers consumers to file lawsuits for certain data breaches. If a business fails to implement reasonable security measures and a breach occurs, it may be liable for damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
Mitigation strategies
To avoid these penalties, businesses need to proactively implement CCPA compliance strategies.
Obtain consent appropriately: Ensure that mechanisms to obtain consent, especially for new visitors via a cookie consent banner, are clear, conspicuous, and meet CCPA requirements. This consent mechanism should allow users to opt-out easily of the sale of their personal information.
Stay within revenue thresholds: For businesses close to the CCPA applicability threshold, which includes an annual gross revenue over $25 million, keeping track of this threshold is important. Understanding your business’s status in relation to these thresholds can help in ensuring the necessary compliance measures are in place.
Inform consumers effectively: Use clear and understandable language to inform consumers about their rights under the CCPA, including how their data is used, the purpose of data collection, and their rights to access, delete, or opt-out of the sale of their personal information. Transparency in communication is key.
Implement and test your cookie consent banner: Regularly review and test the functionality of your cookie consent banner to ensure it is working as intended and is CCPA compliant. This banner should be a part of your website’s first point of interaction with the user.
Regular compliance audits: Conduct regular audits to ensure ongoing adherence to CCPA requirements. These audits should review all aspects of CCPA compliance, including data collection practices, consent mechanisms, consumer rights response processes, and data security measures.
Frequently asked questions about CCPA cookie consent
What is the California Privacy Protection Agency?
The California Privacy Protection Agency (CPPA) is a newly established regulatory agency responsible for implementing and enforcing the California Consumer Privacy Act (CCPA).
Created by the passage of Proposition 24, the California Privacy Rights Act (CPRA), in 2020, the CPPA is tasked with overseeing and enforcing consumer data privacy laws, providing guidance to businesses and consumers, and ensuring that consumer privacy rights are respected in California.
The agency represents a significant step towards more stringent and proactive privacy regulation, reflecting an increasing emphasis on data protection in the digital age.
Do all businesses need to comply with the CCPA?
CCPA compliance is required for businesses that meet certain criteria, such as having an annual gross revenue exceeding $25 million, buying, receiving, selling, or sharing the personal information of 50,000 or more California residents, households, or devices, or deriving 50% or more of their annual revenues from selling California residents’ personal information.
What steps should a business take to comply with the CCPA for cookie consent?
Businesses should ensure clear disclosure about cookie usage, provide an accessible and straightforward option for users to opt-out of the sale of their personal information (such as a “Do Not Sell My Personal Information” link), obtain proper consent for data collection, and implement procedures to respond to consumer requests regarding their data rights under CCPA.
How often should a business update its privacy policy under CCPA?
Businesses should review and update their privacy policies at least once every 12 months. Any significant changes in data processing activities, such as the introduction of new cookies or changes in data sharing practices, should prompt an immediate review and update of the privacy policy.
Final thoughts
CCPA compliance is not just a legal requirement but an opportunity for businesses to reinforce their commitment to protecting consumer data.
Adopting best practices for CCPA compliance, such as regular data audits, clear cookie consent banners, and staying informed of revenue thresholds, not only helps in avoiding significant penalties but also enhances consumer trust.
By embracing these regulations, companies can build stronger, trust-based relationships with their customers, setting a standard for privacy and transparency in the digital age.
About Transcend Consent Management
When your legacy solution relies on static site scans, requires tedious maintenance, and still leaks unconsented data, Transcend Consent Management collects consent and automates enforcement across every interface, from websites to mobile apps, offering your organization:
Continuous detection of 200+ kinds of trackers across every inch of your site.
Automatic network-level enforcement, with no manual tag manager configuration.
Out-of-the-box support for IAB TCF, Google Consent Mode, and Do Not Sell (e.g. Meta LDU).