Is a cookie banner required under CPRA?
The California Privacy Rights Act (CPRA) doesn’t explicitly require a cookie banner, but it does require businesses to provide a mechanism for consumers to opt out of the sale or sharing of their personal data, which can include data collected through cookies.
A standard (opt-in) cookie banner will not be sufficient to comply with CPRA. The Draft Regulations specify that an acceptable method to submit opt-out requests must address the sale and sharing of personal information.
To comply with CPRA, your website can provide:
- A clear “Do Not Sell/Share My Personal Information” (DNSMPI) link, which may include a mechanism to control cookie preferences.
- As an alternative option, businesses must honour opt-out signals, like the Global Privacy Control.
Consent management platforms like CookieYes offer users the ability to display an opt-out banner with a DNSMPI link where your site’s visitors can opt out of selling or sharing their data.