CCPA Cookies

As cookie use grows increasingly common, the accompanying privacy problems become more apparent. Privacy rules across the globe, like the comprehensive California Privacy Rights Act (CCPA/CRPA), have offered explicit recommendations to assist firms in implementing transparent and ethical cookie practices.

In this post, we’ll go over cookies and their privacy implications, the CCPA/CRPA’s stance on cookies, and the actions organizations need to take to be on the right side of the law when it comes to cookie compliance.

Cookies: An Overview

When visitors visit a website, their computer or mobile device browsers save little data files called cookies. These files normally include basic information on a user’s surfing habits and activities, but they may also have a variety of personal information.

What is the California Privacy Rights Act (CCPA/CRPA)?

The CCPA/CRPA is an addendum to the CCPA. Approved on November 3, 2020, the CCPA/CRPA significantly amends and strengthens the CCPA’s provisions, bringing it closer to the GDPR.

The CCPA/CRPA also covers significant aspects of digital privacy not covered by the CCPA, such as dark patterns, behavioral advertising, and profiling. As a consequence, the CCPA/CRPA is often known as “CCPA 2.0.”

The revisions become completely effective on January 1, 2023.

The CCPA/CRPA strengthens certain privacy protections previously established by the CCPA and gives California residents more control over their personal information.

The rights are as follows:

The right to rectify outdated or erroneous personal information.
The right to acquire information and opt out of automated decision-making technologies.
The right to restrict the use and disclosure of sensitive personal information.

Furthermore, the CCPA/CRPA created the California Privacy Protection Agency (CPPA), which is responsible for overseeing data protection standards and enforcing California consumer privacy regulations.

Finally, the CCPA/CRPA revises the CCPA’s definition of a business, altering the extent of coverage. Let’s have a look.

What exactly constitutes a “business”?

The CCPA/CRPA defines a “business” as any profit-driven entity that:

Operates in California,

Determines the aims and methods of processing customers’ personal information, and

Meets one or more of the requirements listed below:

Has an annual gross revenue surpassing $25 million in the previous calendar year.
Buys, sells, or exchanges the personal information of at least 100,000 customers or households every year.
Generates at least 50% of its yearly income from selling or sharing personal information.

Now that we’ve covered the basics of cookies and the CCPA/CRPA, let’s go over some frequently asked questions concerning the CCPA/CRPA’s cookie policy.

Frequently Asked Questions about Cookies and the CCPA/CRPA

Consider the following questions to help clarify the privacy consequences of employing cookies within the CCPA/CRPA’s jurisdiction.

Are cookies considered personal information under the CCPA/CRPA?
The CCPA/CRPA amendments classify cookies and related technology as personal information.

What Do the CCPA and CRPA Say About Third-Party Cookies and “Sale”?
The CCPA/CRPA resolves a long-standing controversy over whether utilizing third-party cookies constitutes a “sale” of personal information.

A sale happens when you expose a consumer’s personal information to a third party in exchange for money or other meaningful compensation.

Given the CCPA’s imprecise wording “valuable consideration,” it’s no wonder that firms have struggled to assess whether their use of third-party cookies constitutes a “sale.”

The CCPA/CRPA addresses this problem simply by using the phrase “sharing.”

Sharing happens when you provide a consumer’s personal information to a third party, whether for monetary or other meaningful reason.

The typical CCPA exclusions apply to the meaning of “sharing” under Section 1798.40 (ah) (2).

[Image: California Legislative Information: CCPA/CRPA Section 1798.40 (ah) (2) – Exceptions to the Definition of Sharing]

While the CCPA allows customers to opt out of the “sale” of their personal information, the CCPA/CRPA broadens this right to encompass the “sharing” of personal information, including sensitive personal information.

In other words, if you reveal a customer’s personal or sensitive information to a third party, you must provide the consumer an option to opt out.

Notably, the CCPA/CRPA’s definition of “sharing” includes the disclosure of personal information for cross-context behavioral advertising. When you utilize third-party cookies, you are either selling or exchanging data (unless one of the exclusions listed above applies).

In any event, you must adhere to the CCPA/CRPA’s extra requirements for enterprises that sell or exchange personal information (which we will discuss in the next section).

Now, let’s look at what the CCPA/CRPA demands if you utilize cookies, including selling or sharing personal information via third-party cookies.

Requirements and Best Practices for CCPA/CRPA Cookies Compliance
Businesses that employ cookies on their websites or applications must comply with the CCPA/CRPA modifications. The rule also imposes extra requirements on organizations that sell or exchange personal information, including via third-party cookies.

Here are some important steps to take if you fall into one or both of these groups.

Include cookie information in your Privacy or Cookies Policy.
The CCPA/CRPA is a staunch supporter of transparency. As a result, the law compels you (the website owner) to provide customers with a thorough overview of your cookie activities.

Similar to the CCPA, you may address cookie information in a part of your Privacy Policy or on a separate page, in your Cookies Policy. It’s just a question of choice.

Importantly, you must conduct periodic cookie audits to identify relevant web sites and properly classify cookies.

Your compliant Cookies Policy must include the following:

The kinds of cookies you employ on your website, and their objectives
The categories of personal or sensitive information collected by these cookies, and the reasons
Cookies’ expiry dates
How consumers may use their right to opt out of cookies
The third parties to whom you sell or provide personal information, and the reasons for doing so
Information on children’s right to opt in

For example, Nike provides information regarding cookies and related technologies inside a part of their Privacy Policy:

[Image: Nike’s Privacy Policy: Cookie and Pixel Tags Clause]

Notably, Nike does not address all of the important aspects outlined above. However, the CCPA/CRPA’s requirements may be fulfilled simply by changing this sentence to include the required information.

Follow the CCPA/CRPA guidelines for limiting the sale, sharing, and use of personal and sensitive information.
As previously stated, the CCPA/CRPA expands the scope of the CCPA’s opt-out clause by including the term “sharing.”

Effectively, if you sell or disclose personal information (including via third-party cookies), you must include a web page describing how customers may exercise their right to opt out.

In addition, you must provide a link to this page labeled “Do Not Sell or Share My Personal Information,” and display it prominently on your website.

Update your “Notice at Collection”.
The CCPA/CRPA enhances the information that firms must include in their CCPA “Notice at Collection.” If your company collects personal information from customers, including via cookies, you must provide this notice at or before the data collection point.

Similar to the CCPA, the CCPA/CRPA permits you to include this notification as a portion of your Privacy Policy.

Briefly, your “Notice at Collection” must include the following information:

The types of sensitive personal information you acquire from customers
Your reason for acquiring it
How long you plan to preserve personal information
A link to your “Do Not Sell or Share My Personal Information” page (if relevant)
A link to your privacy policy

Set up a Cookie Consent Banner.
A cookie consent banner is a popular way for customers to opt out of cookies.

Businesses must give “a single, clearly-labeled link” on their website or app in order to effectively leverage this medium. Furthermore, this link must enable customers to opt out of selling or sharing their personal information while also restricting the use or disclosure of sensitive personal information.

Here’s how the CCPA/CRPA expresses this requirement in Section 1798.135 (a) (3):

[Image: California Legislative Information: CCPA/CRPA Section 1798.135 (a) (3) – Opt-out procedures]

Because the CCPA/CRPA uses an opt-out consent approach, you may store cookies on customers’ devices without their express approval via your cookie preference center.

However, your cookie consent banner must inform consumers about this practice and provide an “I decline” button or a link to your settings/preference center where they may make opt-out requests. You must also provide a link to your Privacy/Cookie Policy, which provides a more complete explanation of your policies.

Remember to seek opt-in permission before employing third-party cookies for kids (under the age of 16). They must click an “I accept” button or check an empty box before you can set cookies on their devices.

In light of this, you should consider creating an opt-in consent mechanism for all customers, which also helps prevent you from mistakenly selling or disclosing personal information via third-party cookies.

Cookies are an essential part of current web technology. While most cookies are safe, others are highly intrusive of user privacy and have sparked a lot of debate.

As a result, privacy rules such as the CCPA have been created to govern how businesses acquire and handle customers’ personal information, including data gathered by cookies. Furthermore, the CCPA’s amendment by the CCPA/CRPA strengthens consumer privacy protections.

To improve digital privacy in California, the CCPA/CRPA defines many new terms, including consent, profiling, cross-context behavioral advertising, sensitive personal information, and sharing.

The CCPA/CRPA also clarifies several ambiguous elements in the CCPA, such as the intricate interplay between third-party cookies and the selling of personal information.

To summarize, if you utilize cookies and are subject to the CCPA/CRPA, here is a concise overview of your cookie compliance obligations:

Include cookie information in your Privacy Policy and/or Cookies Policy.
Follow the CCPA/CRPA’s guidelines for restricting the sale, distribution, and use of personal and sensitive information.
Update your CCPA “Notice at Collection” to include the CCPA/CRPA’s extra requirements.
Create a CCPA/CRPA-compliant Cookie Consent Banner.
