CCPA Compliance With CookieYes – Coming Soon!

Last updated on April 1, 2021 | Published on February 9, 2021

CookieYes is extending its wings to offer a CCPA cookie compliance solution as well.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a statewide data privacy law in California. The California State Legislature passed the CCPA bill, and the then Governor of California signed it into law on June 28, 2018. The bill came into effect on January 1, 2020.

In November 2020, Californian voters passed the California Privacy Rights Act (CPRA) that amends and expands the CCPA. Known as CCPA 2.0, it will go into effect on January 2, 2023, and replace the Act.

The CPRA appoints the California Privacy Protection Agency (CPPA), which will be responsible for monitoring and enforcing the CCPA.

The CCPA applies to any for-profit entity that does business in California and collects and processes the personal information of California residents. Such organizations must also satisfy one of the following criteria:

  • Over $25 million gross revenue
  • Buys, receives, or sells personal information of 50,000 (100,000 under the CPRA) or more California consumers, households, or devices
  • Earns half of annual revenue by selling the personal information of consumers

Under the CCPA, personal information is any information that identifies or relates to, directly or indirectly, a consumer or household. That includes (but is not limited to) personal identifiers, biometric data, commercial information, internet activity, geolocation data, and employment-related information.

The Californian counterpart of the EU GDPR (General Data Protection Regulation) has similar intentions behind its implementation: to protect and respect people’s personal information and privacy, and to give them more control over it.

Like the GDPR, the CCPA also grants consumers several rights:

  • The right to know what personal information has been collected and processed and why
  • The right to delete any personal information collected, with exceptions such as data necessary to complete a transaction, detect security incidents, fulfill legal and functionality obligations, identify and repair errors, and research for public interest
  • The right to opt out of a business selling any personal information to third parties via a clear and easily accessible “Do Not Sell My Personal Information” option
  • The right to non-discrimination for having exercised their rights, i.e. a business cannot deny goods or services, or offer them at a different price or quality

The CPRA has expanded some rights, which we will discuss in another post since the existing law does not require organizations to implement those changes.

Failure to comply with the CCPA is punishable. Non-compliance will lead to fines if the business does not fix the alleged violation within 30 days. The CCPA fines can go up to $7,500 per intentional violation and up to $2,500 per unintentional violation. Consumers can seek legal action against businesses if they handle personal information unlawfully.

In the event of a data breach, businesses must notify the affected California residents. If the number of affected Californians is over 500, they must also submit a copy of the breach notification to California’s Attorney General. They have 30 days to fix the alleged violation.

Consumers can claim compensation for the breach, or they can seek legal action against the business entity if the court deems it right.

Here is a useful CCPA compliance checklist for your business.

Check out CCPA vs GDPR here.

CCPA and cookies 

To explore the applicability of using cookies under CCPA, we will answer some frequently asked questions on the topic. They will help us understand it better.

Personal information under CCPA includes ‘unique personal identifiers’ which are used to identify a device linked to a person. In that context, cookies are ‘personal information’ since they collect device information.

Do you need a cookie banner for CCPA?

Unlike the GDPR, the CCPA places more emphasis on the ‘opt-out’ mechanism than on opt-in. It does not explicitly ask websites to use a cookie banner for this purpose.

However, using a cookie banner remains the best practice for it.

CCPA requires websites to add a “Do Not Sell My Personal Information” (DNSMPI) link. Your banner may include a DNSMPI button that leads to the opt-out options. 

What are the requirements for CCPA cookie banners?

Cookie banner requirements for the CCPA are more or less similar to those of the GDPR.

  • Information about cookies: the banner must provide information about the type and purpose of the cookies, and if you share data with third parties
  • Opt-in and opt-out options: as mentioned earlier, the opt-in mechanism is not mandatory under the CCPA. However, it is beneficial to provide such a feature so that consumers can granularly select their cookie preferences by cookie type. The opt-out option lets them deny consent to the use of cookies.
  • DNSMPI button/link: this link should route the consumers to a page/setting that has a link to the privacy policy and where they can opt out of personalized ads.
  • Opt out at any time: consumers must be able to opt out of cookies at any time. The banner must be easily accessible for this.

Is a business required to provide a cookie policy?

CCPA requires businesses to disclose information about their use of the personal information of consumers. Since cookies are considered personal information under CCPA, the website must provide information about cookies on the website. You can share the details via a sub-section in the privacy policy or a separate cookie policy page.

The cookie policy must include:

  • Information about cookies – type, purpose, duration, and third-party sources
  • Categories of personal information collected via cookies
  • How consumers can opt out of having cookies stored on their device

CookieYes now offers CCPA cookie compliance!

Your favorite GDPR cookie consent solution is all set to add one more important feature. This time, CookieYes brings you CCPA compliance support. 

You will soon also be able to comply with the CCPA requirement for cookie compliance.

On the cookie consent banner, if you select CCPA, it will add a “Do Not Sell My Personal Information” link. Clicking this option will let consumers opt out of third-party cookies that collect personal information through the website.

Happy complying!