CookieYes is extending its wings to offer a CCPA cookie compliance solution as well.
What is CCPA?
The California Consumer Privacy Act (CCPA) is California's state data privacy law. The California State Legislature passed the CCPA bill, and the then Governor of California signed it into law on June 28, 2018. The law came into effect on January 1, 2020.
In November 2020, Californian voters passed the California Privacy Rights Act (CPRA), which amends and expands the CCPA rather than replacing it. Often called CCPA 2.0, it takes effect on January 1, 2023.
The CPRA establishes the California Privacy Protection Agency (CPPA), which is responsible for rulemaking and for enforcing the CCPA alongside the Attorney General.
The CCPA applies to any for-profit entity that does business in California and collects and processes the personal information of California residents, provided it also satisfies at least one of the following criteria:
- Annual gross revenue over $25 million
- Buys, sells, or shares the personal information of 50,000 (100,000 under the CPRA) or more California consumers, households, or devices per year
- Derives 50% or more of its annual revenue from selling consumers' personal information
As per CCPA, personal information is any information that identifies or relates to, directly or indirectly, a consumer or household. That includes (but is not limited to) personal identifiers, biometric data, commercial information, internet activity, geolocation data, and employment-related information.
The Californian counterpart of the EU GDPR (General Data Protection Regulation) has a similar intent: to protect its residents' personal information and privacy by giving them more control over how it is collected and used.
Like GDPR, the CCPA also grants the consumers several rights:
- The right to know what personal information has been collected and processed and why
- The right to delete any personal information collected, with exceptions such as data necessary to complete a transaction, detect security incidents, fulfill legal and functionality obligations, identify and repair errors, and research for public interest
- The right to opt-out of a business selling any personal information to third parties via a clear and easily accessible “Do Not Sell My Personal Information” option
- The right to non-discrimination for having exercised these rights, i.e. a business cannot deny goods or services, or charge a different price or provide a different quality, because a consumer exercised a right
The CPRA expands some of these rights; we will cover those in another post, since the law as currently in force does not yet require organizations to implement them.
Failure to comply with the CCPA is punishable. The Attorney General can fine a business that does not cure an alleged violation within 30 days of being notified: up to $7,500 per intentional violation and up to $2,500 per unintentional violation.
The CCPA's private right of action for consumers is limited to data breaches. In the event of a breach, businesses must notify the affected California residents, and if more than 500 residents are affected they must also submit a copy of the breach notification to California's Attorney General. Before suing for statutory damages, a consumer must give the business written notice and 30 days to cure the violation, where a cure is possible.
A consumer whose unencrypted personal information was exposed because a business failed to maintain reasonable security can then claim statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, through the courts.
Here is a useful CCPA compliance checklist for your business.
Check out CCPA vs GDPR here.
CCPA and cookies
To explore the applicability of using cookies under CCPA, we will answer some frequently asked questions on the topic. They will help us understand it better.
Are cookies personal information under CCPA?
Personal information under the CCPA includes 'unique personal identifiers', and the Act's definition of a unique identifier explicitly lists cookies, beacons, pixel tags, device identifiers and IP addresses among the identifiers that can recognize a consumer or device over time. A cookie value that can be tied to a device or person is therefore personal information; treat cookie identifiers as personal information by default.
Do you need a cookie banner for CCPA?
Unlike the GDPR, the CCPA is built around an opt-out mechanism rather than prior opt-in consent, and it does not explicitly require websites to use a cookie banner.
A banner nevertheless remains the most practical way to meet the notice and opt-out requirements.
What the CCPA does require from a business that sells personal information is a clear and conspicuous "Do Not Sell My Personal Information" (DNSMPI) link. Your banner may carry that link or a DNSMPI button that leads to the opt-out options.
What are the requirements for CCPA cookie banners?
Cookie banner requirements for the CCPA are broadly similar to those of the GDPR. The banner, together with the privacy notice it links to, must cover:
- Information about cookies: their type, purpose, duration and third-party sources, and whether you share the collected data with third parties
- The categories of personal information collected via cookies
- How consumers can opt out of having cookies stored on their device, with the opt-out reachable at any time from an easily accessible banner or link, not only on the first visit
CookieYes now offers CCPA cookie compliance!
Your favorite GDPR cookie consent solution is all set to add one more important feature. This time, CookieYes brings you CCPA compliance support.
You will soon be able to also comply with the CCPA requirement for cookie compliance.
On the cookie consent banner, selecting CCPA adds a "Do Not Sell My Personal Information" link. Clicking it lets consumers opt out of the third-party cookies that collect personal information through the website. Bear in mind what an in-page opt-out can and cannot do: it can stop the site from loading the third-party scripts that set those cookies and can expire first-party cookies those scripts created, but it cannot delete cookies scoped to another domain, which only that domain can clear.
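As an added illustration of how such a DNSMPI link can gate third-party tags in the browser (this is example code written for this post, not CookieYes's own implementation), the script below records the opt-out in a first-party cookie, skips loading any tag categorised as a "sale" tag once that cookie is set, and expires the first-party cookies those tags are known to drop. The cookie name `dnsmpi_optout`, the `category` and `firstPartyCookies` fields, the `a[data-dnsmpi]` link selector and the sample tag list are all assumptions constructed for the example.

```javascript
// Added example of a "Do Not Sell My Personal Information" (DNSMPI) opt-out
// gate. Not CookieYes code; all names below are hypothetical.
//
// Assumptions:
//  - the opt-out state is a first-party cookie named "dnsmpi_optout"
//  - each third-party tag is { name, src, category, firstPartyCookies? }
//  - category "sale" marks tags that sell or share personal information

const OPT_OUT_COOKIE = 'dnsmpi_optout';

// Constructed sample tag list for the illustration.
const SAMPLE_TAGS = [
  { name: 'session-keepalive', src: '/static/keepalive.js', category: 'necessary' },
  { name: 'adnet', src: 'https://ads.example/pixel.js', category: 'sale',
    firstPartyCookies: ['_adnet_id'] },
  { name: 'analytics', src: 'https://stats.example/a.js', category: 'analytics' },
];

// Parse a document.cookie-style string ("a=1; b=2") into an object.
// Entries without a name (e.g. "=x") are ignored.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// The consumer is opted out when the first-party flag cookie is "1".
function isOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Cookie string that records the opt-out (default: one year). Secure and
// SameSite=Lax keep the flag from being sent or set in cross-site requests;
// Path=/ makes it visible on every page so the gate decision is consistent.
function optOutCookie(maxAgeSeconds = 365 * 24 * 60 * 60) {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Cookie strings that expire first-party cookies known to be set by "sale"
// tags. Path (and Domain, if the tag set one) must match how the cookie was
// originally set or the browser will not remove it. Cookies scoped to another
// domain cannot be expired from here at all.
function expireCookies(names, domain) {
  const dom = domain ? `; Domain=${domain}` : '';
  return names.map(n => `${n}=; Max-Age=0; Path=/${dom}; Secure; SameSite=Lax`);
}

// Partition tags into those that may load and those the opt-out blocks.
// Only "sale" tags are affected; necessary and other tags load regardless.
function gateTags(tags, optedOut) {
  const load = [];
  const block = [];
  for (const tag of tags) {
    (optedOut && tag.category === 'sale' ? block : load).push(tag);
  }
  return { load, block };
}

// Names of first-party cookies dropped by the "sale" tags in a tag list.
function saleCookieNames(tags) {
  return tags
    .filter(t => t.category === 'sale')
    .flatMap(t => t.firstPartyCookies || []);
}

// Browser wiring: load permitted tags, then hook the DNSMPI link.
function installDnsmpi(doc, tags) {
  const { load } = gateTags(tags, isOptedOut(doc.cookie));
  for (const tag of load) {
    const s = doc.createElement('script');
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  const link = doc.querySelector('a[data-dnsmpi]');
  if (!link) return;
  link.addEventListener('click', (ev) => {
    ev.preventDefault();
    doc.cookie = optOutCookie();
    for (const c of expireCookies(saleCookieNames(tags))) doc.cookie = c;
    // A script that already ran on this page view cannot be unloaded, so
    // reload: the gate above will skip "sale" tags on the next render.
    doc.location.reload();
  });
}

// Guarded so the module also runs under Node for testing.
if (typeof document !== 'undefined') installDnsmpi(document, SAMPLE_TAGS);
```

Two practical points the code makes explicit: the opt-out flag is itself a first-party cookie and should be treated as strictly necessary (it must survive the consumer clearing "optional" cookies), and the reload exists because blocking a tag only takes effect for scripts that have not yet executed in the current page view.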