CCPA and Cookie Consent: Is Your Website Compliant?

November 24, 2021
Learn how to make your website compliant with CCPA and GDPR. From cookie consent to privacy policies, ensure a smooth, lawful online experience for all.

The California Consumer Privacy Act (CCPA) went into effect in January 2020, requiring most businesses and organizations with websites to add language to their sites explaining their cookie policy, and to give users the option to reject some or all cookies. Some businesses were well prepared for that rule, because they were already compliant with the EU’s General Data Protection Regulation (GDPR) cookie rules. But for small and medium businesses, the CCPA and cookie consent created some confusion and concern.

In this post, we’ll explain what cookies are and how businesses use them. We’ll also cover GDPR and CCPA cookie consent, and which businesses are required to comply with those requirements, as well as best practices for ensuring compliance.

What is a website cookie?

A website cookie is a small block of data that a website or webpage sends to a device. The device stores the cookie and sends it back with later requests to the same site, which lets the site recognize the device and user. When you visit a website that requires you to log in and the site “remembers” that you are signed in, that’s because your browser is sending back a cookie it previously received from that site.

Cookies can create a better experience for website visitors, particularly on e-commerce sites, where — without cookies — shopping carts could not retain items as shoppers navigate from page to page. But cookies also raise concerns about privacy.

What types of cookies do websites use?

A variety of cookies may exist on websites, and they generally fall into two categories: first-party and third-party.

First-party cookies are created and/or placed on a website by the website’s administrators. These cookies support essential functions, like the shopping cart example we mentioned. They may also collect information about site visitors, such as page views, session duration, and time on site.

Third-party cookies are set by a domain other than the one the visitor is on, and the same cookie may appear across several websites. These cookies track user behavior across multiple domains and platforms. If you’ve ever visited a website to view a product, then received an ad for that product when you visited an unrelated site, a third-party cookie has likely tracked your activity online.

What is a cookie policy?

A cookie policy is the language that appears on your website when a visitor arrives that informs them of the types of cookies on your site and how you use the data they collect. 

The policy must also explain the issue of consent, and allow users to customize their cookie preferences.

An overview of the CCPA and GDPR

The GDPR went into effect in May 2018, instituting several requirements designed to protect consumer privacy. While the GDPR originated in the EU, its regulations extend to businesses that have digital customers or website visitors in the EU, regardless of where the business is located.  

Like the GDPR, the CCPA applies not just in California, but also to businesses anywhere that have customers or website visitors in California. Businesses that meet any of the following criteria are required to comply with the CCPA:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

CCPA and GDPR requirements for cookies

Users should be presented with an action (usually a clickable button) for accepting or rejecting cookies.

CCPA and cookie consent

The CCPA allows companies to load and use cookies on their website but requires them to disclose to visitors how they’re gathering visitor data and how they use it. The consent disclosure must also explain how to opt out of cookies and provide a method of doing so.

The CCPA does not require companies to develop a separate cookie policy, as long as they include cookie-policy language in their privacy policy.

GDPR and cookie consent

The GDPR does not allow companies to load and use cookies unless they are essential for a website’s functionality. Non-essential cookies can be used only when site visitors opt in, and even if visitors authorize cookies, they can later retract permission, as well as request that all cookie-related data about them be erased.

Cookie consent should be changeable

This means that users who previously consented to cookies can retract their consent at any time.

Best practices for CCPA-compliant cookie management

The fines for CCPA non-compliance are $2,500 to $7,500 per violation, and that’s for every individual affected. That means a company with 50,000 customers could face a minimum fine of $125 million for failure to state its cookie policy. 

Discover which cookies are on your site

Website administrators may be unaware of all cookies on their site. Developers can take a look at your content management system (CMS), or at the cookie list in Google Chrome’s developer tools, to learn which cookies are operating on your site.
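Browser tools show you the cookies of the page you happen to be on, and `document.cookie` hides anything marked HttpOnly. A more complete inventory comes from the `Set-Cookie` headers your site and its embedded third parties actually send. The script below is an added example, not code from the original post or from Monsido: it parses `Set-Cookie` headers and classifies each cookie as first-party or third-party relative to the site’s own hostname. The hostname `www.acme-store.test`, the responses, and the header values are all constructed for illustration.

```javascript
// Added example (not from the original post): build a cookie inventory from
// Set-Cookie headers and label each cookie first-party or third-party.
// All hostnames and headers below are constructed sample data.

const SITE_HOST = "www.acme-store.test"; // assumed hostname of the site being audited

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flags without a value (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// A cookie scope is first-party when it equals the site host or is a parent of it
// (e.g. "acme-store.test" covers "www.acme-store.test").
function isSameSite(scope, siteHost) {
  const s = scope.replace(/^\./, "").toLowerCase();
  return s === siteHost || siteHost.endsWith("." + s);
}

// responses: [{ origin: "https://host", headers: ["name=value; Attr; ...", ...] }]
function inventoryCookies(responses, siteHost = SITE_HOST) {
  const out = [];
  for (const r of responses) {
    const host = new URL(r.origin).hostname;
    for (const h of r.headers) {
      const c = parseSetCookie(h);
      // The Domain attribute widens the scope; without it the cookie is host-only.
      const scope = (c.attrs.domain ? String(c.attrs.domain) : host).replace(/^\./, "").toLowerCase();
      out.push({
        name: c.name,
        setBy: host,
        scope,
        party: isSameSite(scope, siteHost) ? "first-party" : "third-party",
        secure: c.attrs.secure === true,
        httpOnly: c.attrs.httponly === true,
        sameSite: c.attrs.samesite ? String(c.attrs.samesite) : "(unset)",
      });
    }
  }
  return out;
}

// Constructed sample: two responses from the site itself, one from an ad network.
const SAMPLE_RESPONSES = [
  {
    origin: "https://www.acme-store.test",
    headers: [
      "session=s1; Path=/; Secure; HttpOnly; SameSite=Lax",
      "cart=item1,item2; Domain=.acme-store.test; Path=/; Secure",
    ],
  },
  {
    origin: "https://ads.tracker-network.test",
    headers: ["_tid=u7f3; Domain=.tracker-network.test; Path=/; Secure; SameSite=None"],
  },
];

// Print the inventory as a table when run directly.
if (typeof require !== "undefined" && require.main === module) {
  console.table(inventoryCookies(SAMPLE_RESPONSES));
}

module.exports = { parseSetCookie, isSameSite, inventoryCookies, SAMPLE_RESPONSES };
```

The third-party column is what the cookie policy has to be honest about: any cookie with a scope outside your own domain is data leaving your site, and each one needs a named purpose and a consent category in the policy.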

Explain what cookies are

In your cookie policy, briefly explain what cookies are and that they collect data.

Explain how you use cookies

This is one of the most important parts of a cookie policy. You don’t need to include this explanation on your homepage, but if you’re using a banner to introduce your cookie policy, you could include a button or hyperlink that users can click to access this information.

Let users choose which cookies to allow

If your site uses multiple cookies, you need to let users decide which cookies they’ll allow.
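Letting users pick categories, and honoring a later change of mind (the “consent should be changeable” point above, and the GDPR’s right to withdraw and have cookie data erased), comes down to one rule in code: every non-essential cookie is set through a gate that checks the current consent record. The following is an added example, not code from the original post or from Monsido. It keeps the cookie jar injectable so it runs outside a browser (in a page it would wrap `document.cookie`); the category names, the storage key `cookie_consent`, and the version number are assumptions.

```javascript
// Added example (not from the original post): a minimal consent manager that
// gates non-essential cookies by category, lets the visitor change or withdraw
// consent later, and deletes the cookies a withdrawn category had set.
// Category names, the storage key and the version are assumed values.

const CATEGORIES = ["essential", "analytics", "advertising"];
const CONSENT_KEY = "cookie_consent"; // assumed name of the (essential) cookie holding the record
const CONSENT_VERSION = 1;            // bump when the policy text changes so old consent is re-asked

// In-memory cookie jar with the shape a document.cookie wrapper would have.
function createMemoryJar() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    get: (name) => jar.get(name),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

function createConsentManager(jar) {
  // Remember which non-essential cookies each category set, so withdrawal can erase them.
  const setByCategory = { analytics: new Set(), advertising: new Set() };

  function readConsent() {
    const raw = jar.get(CONSENT_KEY);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      // A record from an older policy version is not valid consent for the current policy.
      return parsed.version === CONSENT_VERSION ? parsed : null;
    } catch {
      return null;
    }
  }

  function isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "essential") return true; // strictly necessary cookies need no consent
    const consent = readConsent();
    return consent !== null && consent.choices[category] === true; // no record means opt-out
  }

  // Record an explicit per-category choice and erase what any refused category had set.
  function setConsent(choices) {
    const record = {
      version: CONSENT_VERSION,
      choices: {
        analytics: choices.analytics === true,
        advertising: choices.advertising === true,
      },
      timestamp: new Date().toISOString(), // when consent was given, for the consent log
    };
    jar.set(CONSENT_KEY, JSON.stringify(record));
    for (const cat of Object.keys(setByCategory)) {
      if (!record.choices[cat]) {
        for (const name of setByCategory[cat]) jar.remove(name);
        setByCategory[cat].clear();
      }
    }
    return record;
  }

  // Withdraw consent for everything non-essential.
  function withdrawAll() {
    return setConsent({ analytics: false, advertising: false });
  }

  // The only path through which the site sets a cookie: refused unless its category is allowed.
  function setCookie(name, value, category) {
    if (!isAllowed(category)) return false;
    jar.set(name, value);
    if (category !== "essential") setByCategory[category].add(name);
    return true;
  }

  return { isAllowed, setConsent, withdrawAll, setCookie, readConsent };
}

module.exports = { CATEGORIES, CONSENT_KEY, CONSENT_VERSION, createMemoryJar, createConsentManager };
```

The banner’s buttons simply call `setConsent` with the visitor’s choices, and a “cookie settings” link that is always reachable calls it again, or `withdrawAll`, later. Because analytics and advertising scripts only ever obtain cookies through `setCookie`, a refusal is enforced at the point of use rather than relying on the scripts to behave.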

Ensure the cookie notification is accessible

If you use a cookie consent banner or cookie consent popup, it needs to be accessible for people who have low vision or use screen readers. The CCPA does not require businesses to use either of these methods, but they’re an easy way to make sure your cookie policy grabs visitors’ attention.

Review the accessibility of your cookie notification

A popup or GDPR cookie banner that introduces your privacy/cookie policy needs to be accessible for assistive reading technology.

Review and update your privacy policy at least once a year

The CCPA requires businesses to review and update their privacy policy once every 12 months.

Talk to an expert

Many businesses don’t have the internal resources to evaluate their compliance with CCPA. That’s when it’s useful to seek the help of a company that is well versed in compliance and has the tools to evaluate a website for CCPA compliance.

Try Monsido by Acquia's Consent Manager

The Monsido Consent Manager tool is the complete website governance and compliance solution. In 2021, we launched this solution specifically designed to ensure compliance with GDPR and CCPA cookie consent requirements.

Monsido Consent Manager takes the guesswork out of compliance, and includes features that ensure your banner/cookie popup is customizable and accessible for users who use assistive reading technology.

In addition, you’ll be able to customize popup branding, view acceptance rates, and access a complete consent log to ensure ongoing compliance.

Curious to see how your site stacks up? Request a free website scan today. 
