CCPA and Cookies: What You Need To Know

The Cambridge Analytica scandal, which brought to the limelight the improper sharing of the personal data of 87 million Facebook users, has become a conversation starter in the cybersecurity world. With the kind of risk that lies behind giving a business unprecedented control over consumer data, more people have become skeptical about the businesses they entrust with their data. What’s worse is that comprehensive data privacy laws that cut across industries and give consumers back control over their personal data haven’t been commonplace.

With privacy laws, such as the CCPA, this narrative has changed drastically. Not only could complying with these laws make your business attractive to security-conscious customers, but they could also make it easier to partner with other businesses within the areas the laws apply. If you are a website owner, there is a diversity of steps you need to take for compliance. Understanding how the CCPA affects your cookie policy, and business at large is essential.

Here are some insights to assist you understand how what the regulation has in store for your business.

What is the CCPA?

The CCPA (California Consumer Privacy Act) is one of the most comprehensive and stringent data privacy laws in the US. It is meant to govern how for-profits handle the data of California consumers. 

With California being one of the largest markets in the US, a lot of businesses are bound to be affected by the law.

It gives consumers an unprecedented power to restrict the use of, view, and delete any data that for-profit companies may have about them. While the law is meant to be enforced by the California Attorney General, it is possible for individual residents to file ad hoc lawsuits against businesses that break it.

CCPA doesn’t, however, replace any previous California data protection laws, such as the Shine the Light Law, The Privacy Rights of California Minors, and the California Online Privacy Protection Act.

Who does CCPA apply to, and who is exempted?

The regulation isn’t location-based, and it might apply to businesses that aren’t based in California. As long as a business collects, receives, uses, or transmits California consumers’ personal data, they should comply with the regulation. More specifically, it will apply to for-profits that handle the data of Californians, and are in line with any of the following criteria:

  • Companies that earn $25,000,000 in annual gross revenue
  • Companies that share sell or buy the personal data of 50,000 consumers and above annually
  • Companies that derive 50% of their revenue and above through selling the personal information of consumers.

However, the CCPA comes with a few exemptions. Compliance should not make it tough for business to:

  • Defend or exercise legal claims
  • Comply with local, state, or federal law
  • Comply with criminal, civil, or regulatory inquiry, investigation, subpoena, or summons by the local, state or federal authorities
  • Collect, sell, use, retain, or disclose consumer data within the aggregate consumer information, or which is de-identified
  • Collaborate with law enforcement agencies with regard to activity or conduct that the service provider, business, or third-party can reasonably and in good faith believe will lead to the violation of local, state or federal law
  • Sell or collect the data of consumers if every aspect of the commercial conduct happens outside the confines of California

Companies are obliged to respect the right of consumers

Ideally, the CCPA offers consumers a couple of rights that give them control over their data. 

First is the right to access information, which ensures that consumers can request access to any of their personal data that a company is selling or handling. This includes data about why the information was collected and whom it is being sold to.

Second is the right to deletion, which offers consumers the ability to request the deletion of their personal data. 

Third is the right to portability, which gives data owners the right to know which information of theirs an entity has collected in the preceding 12 months; categories of those with whom the data has been shared; categories of sources of the data, and the business or commercial purposes for collecting or selling it. It requires businesses to provide this information free of charge within 45 days of each request, up to twice per year.

The fourth is the right to opt-out, which makes sure consumers can avoid having their data collected or sold to third-parties.

To enforce these rights, the CCPA requires businesses to provide links on their websites, as well as toll-free numbers for easy data access requests. Once you post these details on your website, it becomes easy for customers to contact you with regard to their data. 

Also, CCPA warns companies against discriminating against any consumer who exercises their rights. Discrimination can be in the line of denying them services or offering a different level of service to the customers.

It should be known that some rights have exceptions. A business may deny a verified request if the business can demonstrate that the information is necessary to: 

  • Complete the transaction for which the PI was collected; provide a good or service requested by the consumer (or one reasonably anticipated within the context of the business’ ongoing business relationship with the consumer), or otherwise perform a contract with the consume
  • Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law
  • Comply with a legal obligation
  •  Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information

Non-compliance penalties

With the California Attorney General being in charge of the enforcement of the regulation, you may be obligated to pay a fine of up to $7,500 per intentional violation for non-compliance. Non-intentional violations could lead to fines of up to $2,500, which is still significant.

However, you might take a bigger financial hit from consumers exercising their private right action, which allows them to sue any business for non-compliance.

Failure to implement and maintain substantial security procedures to safeguard their personal data could be a reason for non-compliance. For such situations, you will need to pay between $100 and $750 per consumer per violation incident. You could also have to offset the ad hoc damages instead, depending on the amount that is greater of the two options.

The CCPA vs. the GDPR

While both the CCPA and the EU’s GDPR are stringent data privacy laws, they have some areas that overlap, and others that differ. Complying with the GDPR ensures that you can do business legally in the EU, and it gives you a head start at CCPA compliance. However, GDPR compliance isn’t equal to CCPA compliance. 

Some of the controls that were designed for the GDPR do not translate directly to the CCPA. Both regulations differ in terms of data subject rights, exceptions, scopes, definition, and privacy notices.

First, while both laws uphold rights like access, data portability, and deletion, the way your business is required to send out requests differs. The CCPA upholds the explicit coverage of household information and devices, which means that a device or internet activity can be considered as personal data if it can be associated with a specific household or individual. This is not the case for GDPR. Also, unlike the GDPR, the CCPA has a few exemptions for publicly available information.

You will further need to modify commercial agreements that are GDPR-compliant to CCPA standards. In a nutshell, the CCPA deviates from the GDPR and previous US laws This calls for more attention to detail when complying with it.

Your cookie policy under the CCPA

Since the data collected by website cookies can be seen as personal data, the CCPA has strict guidelines as to how businesses handle the data. If your business is compliant with the GDPR, complying with the cookie policy of the CCPA will be fairly easy. However, there are some instances that the two regulations differ.

1. Managing your cookie policy

Under the CCPA, your business is supposed to be quite transparent about your cookie policy. Ideally, you need to have a clear disclosure of how you intend to use the cookies you collect. 

Unlike the GDPR‘s cookie consent policy that is based on an opt-in mechanism, the CCPA’s policy is based on an opt-out mechanism. This requires you to inform customers at or before you collect their data about it all. You should, however, offer website visitors the option to opt-out of certain cookies.

The exemption of opt-out rule is for essential cookies, those that are necessary for the optimal functioning of your website. You should still disclose how these essential cookies are being used. Disclosure information includes:

  • Explaining briefly what cookies are and stating that you do use them on your website
  • Outlining the type of cookies that you, or a third-party, are using for your website
  • Informing users why using cookies is necessary
  • Informing users that they could easily opt-out of cookies being stored on their devices

2. Cookie consent management

For an easier time with cookie management, you should consider implementing cookie consent management. It offers visitors the ability to change, revoke, or give consent for specific types of cookies, as well as opt-out of them. 

Under the CCPA, consent management is essential. It is also clear about opt-out consent for adults and opt-in preferences for young adults and kids.

However, it doesn’t clearly define how you should implement these differing consents for the different types of site visitors. Other than helping you with this, your consent tool should also make it easy to share consents with third parties. The ideal tool should manage to recognize website visitors through the multiple devices owned by the user and track consent preferences as well as any changes made.

3. Cookie banner policy

Under the CCPA, you aren’t required to follow a specific requirement for cookie banners yet. However, the ideal banner should at least have a button to offer visitors an easy way to access their cookie consent preferences. It should also have a button that says, “Do not sell my personal information” somewhere on the homepage. In summation, the requirements you need to adhere to include:

  • Give customers insight into the name, details, purpose and expiry date of the collected cookies
  • Offer opt-out consent management for any unnecessary cookies you collect
  • Track and log visitor’s cookie or consent preferences
  • Use cookie banners to make accessing cookie preferences easier
  • Have a clear and updated cookie policy
  • Collect, store, manage, and secure any personal data that you collect through the cookies.

In a world where consumers are quite mindful of their data privacy, complying with regulations such as the CCPA is essential. Besides, compliance will not only make doing business easier with customers, but it will also help improve the security posture of your business. 

As for your website, ensuring that your cookie policy respects the rights of your visitors under the CCPA is mandatory. If you have any business interests in California, commit to compliance to grow your business without legal hurdles.

Disclaimer: This article does not represent legal advice. The purpose of this article is to provide general information only. Hence, for any legal advice, please contact a lawyer specialized in the area.