The California Consumer Privacy Act (CCPA) is a data protection regulation that came into effect on January 1, 2020, to protect the personal information of California residents.
It requires businesses like yours to allow users to opt out of personal information processing. At the same time, it provides consumers with increased transparency, control, and security over their personal data.
It is important to note that the CCPA does not apply to every business. CCPA applies only to for-profit companies that collect and process consumer personal information and conduct business in California if the business meets at least one of the following criteria:
- Have annual gross revenue of more than $25 million
- Processes personal information of at least 50,000 Californians annually
- Earns at least 50% of the annual income from selling consumers' personal information
If your business does not meet these legal requirements, the CCPA does not apply to you, and you are not required to provide privacy notices. But if you do meet these requirements, keep reading.
What are the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)?
The California Consumer Privacy Act (CCPA) is a privacy law in California, USA that went into effect on January 1, 2020. The CCPA gives California residents certain rights over their personal information, such as the right to know what personal information a business collects about them, the right to request deletion of their personal information, and the right to opt-out of the sale of their personal information. The CCPA applies to for-profit businesses that collect personal information of California residents, have annual gross revenues over $25 million, or buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices.
The California Privacy Rights Act (CPRA) is a ballot initiative passed by California voters on November 3, 2020, that builds upon and expands the CCPA's privacy protections. The CPRA provides California residents with additional rights over their personal information, including the right to restrict the processing of sensitive personal information, the right to correct inaccuracies in their personal information, and the right to limit the use of certain technologies that profile individuals. The CPRA also establishes a new state agency, the California Privacy Protection Agency, to enforce privacy laws in California. The CPRA has gone into effect on January 1, 2023.
What is the difference between consent requirements and cookie consent requirements?
Consent requirements are the general rules that organizations must follow when collecting and processing personal data from individuals. Cookie consent requirements are a specific type of consent requirement that applies to the use of cookies and similar tracking technologies.
Consent requirements
Consent requirements are typically set out in privacy laws and regulations, such as the GDPR in the EU and the CCPA in the United States. These laws require organizations to obtain consent from users before collecting and processing their personal data.
To be valid, consent must be:
- Freely given: Individuals must not be coerced or pressured into giving consent.
- Specific: Individuals must be informed about the specific types of personal data that will be collected and processed, and the purposes for which the data will be used.
- Informed: Individuals must be provided with clear and concise information about the organization's privacy practices, including how their personal data will be used and protected.
- Unambiguous: Individuals must take a clear positive action to indicate their consent, such as ticking a box or clicking a button.
Cookie consent requirements
Cookie consent requirements are typically stricter than general consent requirements. For example, the GDPR requires organizations to obtain explicit consent from individuals before setting non-essential cookies on their devices. Explicit consent means that individuals must take a clear positive action to indicate their consent, such as clicking a button or ticking a box.
The GDPR also allows organizations to set essential cookies without obtaining explicit consent. Essential cookies are cookies that are necessary for the proper functioning of a website, such as cookies that are used to remember items in an online shopping cart.
Differences between consent requirements and cookie consent requirements
The main difference between consent requirements and cookie consent requirements is that cookie consent requirements are more specific and stricter. This is because cookies can be used to track individuals' online activity across different websites, and to collect a wide range of personal data, such as their browsing history, interests, and location.
Another difference is that consent requirements apply to all types of personal data, while cookie consent requirements only apply to personal data that is collected and processed using cookies and similar tracking technologies.
What happens if you fail to get cookie consent under CCPA/CPRA?
If you fail to get cookie consent under CCPA/CPRA, you could be subject to significant fines and other penalties. The CCPA and CPRA both allow consumers to file complaints with the California Attorney General's Office, and the Attorney General has the power to investigate complaints and bring enforcement actions against businesses that violate the laws.
The maximum penalty for a CCPA or CPRA violation is USD 7,500 per violation per consumer. The fine can be reduced but not increased. Furthermore, one consumer equals one violation. If you fail to get cookie consent from 1,000 California residents, that is equivalent to 1,000 violations. 1,000 violations multiplied by USD 7,500 equals USD7,500,000. As a result, the fines can get quite hefty quickly.
In addition to fines, the Attorney General also has the power to order businesses to stop violating the CCPA and CPRA, and to take other corrective actions. For example, the Attorney General could order a business to delete all of the personal information it collected without consent, or to provide consumers with a way to opt-out of the sale of their personal information.
What are the consent requirements for CCPA and CPRA privacy laws?
The CCPA and the CPRA are privacy laws in California that regulate the collection, use, and sharing of personal information of California residents. These laws require businesses that collect, use, or disclose the personal information of California residents to take appropriate measures to protect the data. Identifiers such as a credit card number, social security number, or passport number, which can be used to identify a natural person, are considered sensitive personal information and require additional protection.
CCPA consent requirements:
- Businesses must provide clear and conspicuous notice at or before the point of data collection regarding the categories of personal information to be collected and the purposes for which it will be used.
- Consumers have the right to opt-out of the sale of their personal information. Businesses must provide a "Do Not Sell My Personal Information" link on their website.
- Businesses must obtain affirmative consent from consumers before collecting the personal information of minors under the age of 16.
- The CPRA builds upon and expands the CCPA's requirements, adding new consumer rights and protections.
- Businesses must provide more detailed information to consumers about the categories of personal information collected, the purposes for which it will be used, and the rights of consumers to control their personal information.
- The CPRA also introduces a new category of "sensitive personal information," which requires additional protections and restrictions on its collection, use, and sharing.
In summary, the CCPA sets the foundation for consumer privacy rights in California, while the CPRA strengthens and expands these rights.
Do CCPA and CPRA compare to GDPR personal data processing requirements?
The CCPA and the CPRA have similarities with the European Union's GDPR in terms of personal data processing requirements. Both laws place significant emphasis on giving consumers control over their personal information and require businesses to provide certain rights to consumers, such as the right to access, delete, and opt-out of the sale of their personal information.
However, there are also some differences between the CCPA/CPRA and the GDPR. For example, the CCPA/CPRA applies only to California residents, while the GDPR applies to all individuals in the EU. The CCPA/CPRA also have different definitions of personal information and differ in their enforcement mechanisms.
Overall, businesses operating in California or handling the personal information of California residents should familiarize themselves with both the CCPA/CPRA and the GDPR to ensure they are meeting the requirements of all relevant privacy laws. For more information on consent management best practices, check out our blog.
CPRA and CCPA-compliant data collection
The CCPA and CPRA give California residents certain rights over their personal information, including the right to know what information is collected, the right to have it deleted, and the right to opt-out of its sale. Businesses subject to these laws must provide consumers with certain disclosures and notices, and obtain their consent before collecting or selling their personal information.
Businesses must also be mindful of the financial incentives they offer to consumers for their personal information, and not discriminate against consumers who exercise their rights. In the event of a data breach, businesses must promptly notify affected consumers and the attorney general.
To ensure CCPA and CPRA compliance, businesses should have a functional consent management platform in place, obtain opt-in consent for the collection of sensitive information, and obtain legal advice to assess their data collection practices.
Recently the California Privacy Protection Agency (CPPA) issued draft regulations on risk assessment and cybersecurity audits under the CCPA. Learn about CCPA Risk Assessments.
Do businesses need to obtain cookie consent on your website for CCPA/CPRA cookie compliance for data privacy?
The simple answer is - no. You can send cookies and other tracking technologies to your website visitors’ devices without asking anyone and still comply with the CCPA and CPRA. They do not require opt-in consent for website cookies.
The only exception is the collection of the personal information of minors. If you reasonably know you are collecting children’s data, you must ask their parents or guardians for explicit user consent. These consent requirements apply even if you collect data such as IP address or any other unique identifier of a child online.
However, businesses must provide a notice of collection, which can be achieved using a cookie banner on their website. A cookie banner serves as a notice of the collection and informs users about the website's data collection practices, including using cookies.
CCPA/CPRA notice of collection
One of the most important CCPA and CPRA requirements actually is the notice of collection. A business provides disclosure to inform consumers about the categories of personal information collected and the purposes for which the information will be used. The collection notice must be provided at or before the point of collection and should be easy to read and understand.
In most online business scenarios, this means serving the notice when the user lands on your webpage. And the most common way to serve them with such a notice is a cookie consent banner. Only, this time, it won’t request consent. It will only inform consumers that you use cookies.
According to the CCPA, this simple cookie notice on collection must contain the following elements:
- A list of categories of personal information collected by the business
- The purposes for which the personal information will be used
- A description of the consumer's rights, including the right to know, the right to delete, the right to opt-out, and the right to non-discrimination
- A link to the business's privacy policy (Learn about CPRA Policy) or a statement indicating that the privacy policy can be found at the provided link
- The link must lead to the specific privacy policy section where this information is provided. It must not lead to the beginning of the privacy policy and leave the user to search for the required information.
- If the business sells or shares personal information, a link titled "Do Not Sell or Share My Personal Information" allows consumers to opt out.
How does CCPA/CPRA cookie consent requirements compare with GDPR cookie consent requirements?
CCPA and GDPR are quite different regarding cookies consent.
The General Data Protection Regulation of the EU requires an explicit opt-in, which means that you must not use cookies or other trackers until the consumer agrees. GDPR-compliant businesses must show the user a pop-up cookie banner, ask for freely given, specific, unambiguous, and informed consent, and keep the response records.
Moreover, the cookie consent manager shall allow users to customize cookie preferences in the preference center.
CCPA, on the other hand, requires businesses only to tell consumers that they use cookies. That’s all. No need to request permission to use any kind of cookies.
Consumers can opt out by clicking the “Do Not Sell My Personal Information” link, requesting the deletion of their data, or limiting the use of sensitive data.
Get a CCPA-compliant cookie consent solution with Secure Privacy
Secure Privacy is a CCPA cookie consent service provider that helps businesses create and implement a CCPA-compliant cookie banner notice on collection. By using Secure Privacy, businesses can use a cookie consent management platform to ensure their cookie banners meet the CCPA requirements and provide users with the necessary information to make informed decisions about their personal data.
Features and benefits of using Secure Privacy for cookie banner notices on the collection include:
- Customizable cookie banners: Secure Privacy allows businesses to design and customize their cookie banners to match their website's look and feel, ensuring a seamless user experience.
- Automatic cookie scanning: Secure Privacy's solution automatically scans your website to identify and categorize cookies, ensuring compliance with the CCPA's notice on collection requirements.
- Easy implementation: Secure Privacy provides a simple, step-by-step process to create and implement a CCPA-compliant cookie banner notice on the collection, making it easy for businesses to comply with the regulation.
- Comprehensive support: Secure Privacy offers expert guidance and support to help businesses navigate the complexities of CCPA compliance and ensure their cookie banners meet regulatory requirements.
- Regular updates: Secure Privacy continuously updates its platform to stay current with any changes to the CCPA or other privacy regulations, ensuring ongoing compliance for your business.
How to implement a CCPA-compliant cookie consent banner notice on collection with Secure Privacy
To create and implement a CCPA-compliant cookie banner notice on collection with Secure Privacy, follow these steps:
- Sign up for a Secure Privacy account.
- Customize your cookie banner to match your website's design.
- Set up automatic cookie scanning to identify and categorize cookies on your website.
- Implement the generated code snippet on your website.
- Monitor your compliance status and make any necessary adjustments.
FAQ on CCPA cookie consent service
Here are some of the most common questions related to CCPA cookie consent services:
Do we need to record CCPA cookie consent? You don’t need to collect or record cookie consent unless you process children's personal information. The privacy protection of children requires obtaining explicit consent for using cookies or other trackers.
Do we need a cookie consent manager to comply with the CCPA? You need a cookie consent manager for CCPA compliance. If you process the personal information of minors, then you need to collect and log consent. Otherwise, it will help you only to serve the notice of collection.
Does CCPA cookie compliance mean we comply with other US states’ data privacy laws, such as Colorado, Virginia, and Connecticut? Although CCPA cookie requirements are similar to those in other US states, it is best to take a state-by-state approach to cookie compliance. That’s the safe road to avoiding penalties and reputation loss.
What are Global Privacy Controls (GPC), and must we comply with these signals? Global Privacy Control is a mechanism that informs websites that users opt out of the sale or sharing of their personal information. The California Attorney General first mentioned it, and now it has been part of the most recent CCPA regulations.
California is the only state or country worldwide that explicitly requires compliance with such signals regarding consumer data.
How to allow consumers to opt out of the sale of personal information? You can let your consumers opt out of the sale of their personal information by providing a link, “Do Not Sell or Share My Personal Information,” on the banner of your website.
Honoring GPC opt-out signals is a valid way to honor an opt-out request. To comply with GPC signals, you should implement a mechanism on your website to detect and respect these signals when received from a user's browser or device.
Final thoughts
In conclusion, CCPA compliance regarding cookies is less stringent than GDPR, requiring businesses to inform users about their cookie usage rather than seeking explicit consent. However, staying up-to-date with privacy regulations and using tools like Secure Privacy to ensure compliance with the CCPA and other data privacy laws is crucial.
