CCPA Compliance

CCPA Compliance in 10 steps

It is important to remember that when you sell consumer data, you also understand how the law affects your business. So how do (email) marketers prepare for CCPA? Some practical steps to take into account:

• Step 1: See what personal information is currently being collected by your company.
• Step 2: Assess this information to understand how it is used, whether it is sold or shared with third parties, and why, because the CCPA gives consumers the opportunity to access data sources.
• Step 3: Review your company’s data policies and procedures for collecting personal information.
• Step 4: Update your internal and online privacy policies to meet disclosure requirements.
• Step 5: Remove all information you no longer need about consumers.
• Step 6: Prepare new policies and procedures so that you are ready to respond to consumer data requests.
• Step 7: Prepare technical solutions for processing consumer data requests and opt-outs.
• Step 8: Create training materials for everyone responsible for dealing with questions about consumer personal information.
• Step 9: Review the contracts with third parties & service providers to whom you currently provide consumer data.
• Step 10: Conduct external audits of service providers who have access to your customers’ personal information to ensure compliance.

CCPA compliance and cookie consent

The CCPA gives us strict rules for organisations that are processing personal data of individuals. The data that is being collected by cookies can be seen as personal data. Therefore it falls under the CCPA legislation. Organisations that are already compliant with the GDPR it might be an easy step to also comply with the CCPA. Within the European regulations similar changes to the cookie policy are required.

• Clear disclosure of the cookie policy – A website must show the user a clear overview of the cookies used and in understandable language. Under the CCPA just a legal statement, somewhere on the website does not suffice. (use the CookieFirst cookie policy generator)
• Personal information – A visitor might not share directly identifiable personal information on a website. However, under the CCPA the data collected by cookies will be considered personal information.
• Cookies on the website – The company behind the website is accountable for all data being collected. Accountability is for management, security and storage of the personal data. If a website uses third party scripts (and cookies), the company should be able to manage the collected data.
• Opt-out cookie consent – The website must give the visitor a clear choice to opt-out for the use of cookies which are not essential, third party cookies included.
• Management of consent – A website visitor must be offered the option to give consent or change consent for the use of certain cookies. Each consent should be stored for reference at a later point in time.

If you would like to know more about the types of cookies, then read our article: What are cookies ?

Changes to the Cookie policy | CCPA Compliance

Companies and their websites are required to be transparent about their use of cookies. Clear disclosure of of the use of cookies must be present. The disclosure also includes the data that is being collected through the use of cookies. Under the CCPA prior consent for the use of cookies is not required. But, clear disclosure is required. Additionally, websites need to offer the visitor the ability to op-out of certain cookie usage. Companies will have to modify their cookie policies and keep them up to date.

Under the CCPA, the treatment of cookies differs per type of cookie. For a website to properly function, essential cookies are required. Therefore, it is not required to offer the possibility to opt-out for essential or necessary cookies. So visitors don’t have to be allowed to disable essential cookies, but it is advisable to provide disclosure of their use.

Then there are functional cookies. These can have multiple functions, web tracking could be one of them. Part of them could have influence on the performance of the website. And others can be optional. Website are required to have the ability to opt-out for some of these functional cookies. A clear description of all types of cookies being used should be easily visible for the visitor. For any cookie that is not necessary for the website to function there should be an opt-out possibility. These types of cookies can be third party cookies or first party cookies. The CCPA letter is not specific. However, clear disclosure is implied. Disclosure includes the ways in which cookies collect data, use data and the possibility to opt-out for unnecessary cookies.

It is clear that advertising cookies fall within the non-essential categories of cookies. It can be about third party cookies or first party cookies. The CCPA requires the ability to opt-out for this type of cookies. A cookies name and purpose should be clearly disclosed.

Cookie consent management | CCPA Compliance

Websites have to implement cookie consent management. This is recommended for all websites. Cookie consent management gives the visitor the ability to give, change or revoke consent for certain types of cookies, the ability to opt-out. The way how websites are doing business at the moment is not really impacted by opt-out consent management. For email marketing most organisations already have consent management in place. Consent management will need to be extended to website visitors.

Under the CCPA organisations need to manage consent across a lot of functions. A companies website needs to log cookie preferences of its visitors. About opt-out consent for adults the CCPA is clear. The CCPA is also clear about opt-in consent for young adults and children. On how to implement these two types of consent for different types of visitors the CCPA is not entirely clear. We will update this article when we know more. Website will need a consent management tool with the capability to share consents with third parties.

The cookie consent management tool must have another capability. The tool must be able to recognize the visitor through multiple devices which the visitor uses and keep tracking consent and changes to consent. So this will be advanced cookie tracking cross devices like computers, tablets and smartphones.

Cookie Banner | CCPA Compliance

The CCPA has no specific requirements yet on cookie banners and their use. However, we recommend to use a cookie banner with a button in order to give visitors access to their cookie consent preferences. There is also a clear requirement to have a ‘Do not sell my personal information’ button on the home page. A cookie banner can have both of these functionalities.

Concluding, Under the CCPA there are certain requirements for the use of cookies and cookie consent management:

• The obligation to have a clear and up-to-date cookie policy
• Give insight in cookie details, name, purpose and expire date
• Collect, store, secure and manage personal data collected by cookies
• Offer Opt-out consent management unnecessary cookies
• Track and log consent / cookie preferences of your visitors
• Use a cookie banner or button to give access to cookie preferences

Register with CookieFirst for a full cookie scan, a compliant cookie banner and an automated cookie policy.