CCPA and Cookies. What do I need to know?


The CCPA is the California Consumer Privacy Act, which California legislators passed in June 2018. It is the most comprehensive law in the USA targeted at companies that collect and/or sell personal information, and it gives private individuals and companies based in California more control over their own data.

CCPA introduces three major new data protections, including:

  • Right to access information. California consumers will be able to know which categories of information are used or sold, from whom and why that information was collected, etc.
  • Right to deletion. Any consumer will be able to ask for the deletion of personal information that was collected about him/her.
  • Right to opt-out. Similar to the GDPR, consumers will be able to direct a company not to sell their personal information to third parties.

The new legislative initiative will go into effect on January 1, 2020. At the same time, some CCPA issues are still being clarified and amended by local legislators. As a result, a number of amendments have already been passed, and enforcement by the California attorney general is not expected until at least July 1, 2020.

CCPA and Cookies

GDPR and CCPA are very similar laws and CCPA will affect how cookies are viewed. We prepared this article to guide you and let you know what changes you need to make in your policy in order to be compliant and how the CCPA affects the cookie policy.

The CCPA defines the phrase “personal information” to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

As we mentioned earlier, the California Consumer Privacy Act introduces three major new data protections and stricter provisions for companies. According to the CCPA, cookies can be seen and described as personal data. If you are familiar and compliant with GDPR, adapting to the CCPA should be easy, as it requires very similar changes to the cookie policy.

All companies and organisations that need to be compliant with CCPA will have to disclose the use of cookies. Strictly necessary cookies, the ones that are required to make the website function, do not require consent. You can reveal their use to website visitors from the USA, but it’s not necessary to allow them to deactivate these cookies if the website wouldn’t work correctly without them.

Functionality, performance or analytics cookies should be optional. Like the GDPR, the CCPA requires that phrases like “by continuing to use this website you agree with our use of cookies” disappear from the website. Instead, we should see a clear description of each type of cookie used, how many cookies are used for each type, and the possibility to opt out of anything that the website doesn’t need in order to operate.

In situations where a website deploys third-party tracking cookies (e.g., behavioural advertising network cookies), it is not clear how the business that owns and controls the tracking cookie will be able to provide California consumers with its “at or before the point” of information collection privacy disclosure.

These are conclusions that can be drawn from significant clauses such as transparency, the right of access and to be informed, data minimisation, all of which should be reflected in each company’s cookie policy.

Secure Privacy allows you to create a custom cookie banner. You need a cookie banner if you collect data from US-based visitors. In general, the CCPA requires cookie banners, which means you have a duty to show them only to your US visitors.
