CPRA Cookie Consent – All you need to know

The California Privacy Rights Act is a prominent piece of legislation set to take over from the long-established California Consumer Privacy Act of 2018. It is very much like its predecessor through the use of a cookie consent opt-out framework, which revolves around the concept that websites are not inherently required to obtain user consent for their use of cookies, as long as data subjects are given the right and ability to opt-out as desired.

The CPRA is largely seen as an enhancement of the existing CCPA, with several new amendments and additions to expand on key provisions. Some of the most notable include the introduction of definitions for consent and sensitive personal information as well as consent for minors. It also institutes some new obligations for businesses to follow and adapts the existing enforcement system.

While it is a fresh piece of legislation, the CPRA generally remains quite comparable to other data privacy regulations around the world. Notable examples would be the EU’s GDPR or Brazil’s LGPD, which define consent similarly to the new legislation’s concept:

‘Consent means any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.’

What the above definition is meant to highlight is the need for informed, specific, freely given and unambiguous consent from the consumer in order for data processing to be legal. This is of course only applicable to the conditions that require consent under the new CPRA law, which we’ll outline further below.

Does the CPRA Require Consent for the use of Cookies?

The simple answer is no, the CPRA does not mandate user consent for the use of cookies on websites – under most circumstances. There are a few exceptions to the rule, such as cases involving the personal information of minors. In those specific situations, affirmative consent will be required from a parent or guardian before any data processing can take place.

In all other instances where user consent is not legally mandated, it will be up to individual website operators to follow the CPRA’s requirements for opt-out frameworks. This means that website visitors must be given a clear and conspicuous way to opt-out of the use of cookies, and data processing more broadly, if they so desire.

There are a few different ways that website operators can go about implementing an opt-out framework, but regardless of which they choose, the CPRA requires the following conditions to be met.

A Clear Means of Opting Out

First and foremost, businesses looking to be compliant with the CPRA must include a clear way for their website visitors to opt out of the use of cookies. An easy-to-find “Do Not Sell or Share my personal information” button or link as well as one titled “Limit the use of my sensitive personal information” should be prominently displayed on the website.

Organizations can combine these two links into one if it offers both functionalities and clearly indicates so.

Opt-Out Must Be Free of Charge

Another important requirement for businesses under the CPRA is that opting out of the use of cookies or data processing more broadly, must be free of charge. This means that website operators cannot place any sort of financial barrier in front of users who wish to exercise their right to opt out.

Opt-Out Must Be Easy to Use

Not only must businesses make it free for users to opt out of the use of cookies, but they must also make it easy for them to do so. The CPRA states that opt-out requests must be “as easy to submit as any other request”, which means that website operators cannot place opt-out requests behind complex registration processes or login walls.

In other words, if a website visitor can submit a request without having to create an account or login, they should be able to opt out in the same way.

Sensitive Personal Information Must Be Protected

The final requirement that businesses need to be aware of when it comes to the CPRA and cookies is the need to protect sensitive personal information. This includes things like a person’s race, ethnicity, religion, and health data.

Website operators who collect this type of information will need to take extra care to ensure that it is properly safeguarded and only used in accordance with the user’s wishes.

Consumers have the right to opt-out of the use of their personal information in automated decision-making processes like consumer profiling, which is defined in the CPRA as: ‘certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement’.

When the CPRA Requires Opt-in Consent for the Use of Cookies

As we’ve already covered, the CPRA doesn’t explicitly require opt-in consent for the use of cookies. However, as with most data privacy laws, there are a few exceptions to this rule, the most prominent being the case of minors.

The CPRA requires opt-in consent for the use of third-party cookies relating to the sale and /or sharing of personal information of minors under the age of 16. This means that if your website is aimed at children or adolescents, you’ll need to get explicit consent from a parent or guardian before you’re able to sell or share their personal information with third parties. If they are over 13 years of age, this consent can be given by the child themselves.

How Can I Keep My Website Compliant With the CPRA?

In light of the upcoming changes coming to California’s stance on consumer privacy, it’s important for businesses to start taking steps towards compliance with the CPRA. Here are a few things you can do to get started:

1. Review your website’s privacy policy

Review your website’s privacy policy and update it to reflect the changes coming under the CPRA. In particular, make sure that you include a section on cookies and how you use them.

2. Review your current cookies

Review the cookies that you currently use on your website and assess whether or not they will still be permissible under the new law. If not, consider alternatives that will be compliant.

3. Implement a CMP

Implement a system for obtaining explicit consent from users before selling or sharing their personal information with third parties. This can be done through a pop-up or banner on your website. Start you free trial Here

4. Check your website audience

If you operate a website aimed at children or adolescents, put in place a system for obtaining parental or guardian consent before selling or sharing their personal information with third parties.

5. Categorize personal information

Categorize the personal information that you collect on your website visitors and ensure that it is properly safeguarded.

6. Keep track

Keep track of things like consent expiration dates and user preferences so that you can easily comply with opt-out requests.

7. Review your website regularly

Review your website regularly to ensure that it is still compliant with the ever-changing landscape of data privacy laws.

Conclusion

The California Privacy Rights Act is set to come into effect on January 1, 2023 and will have a significant impact on the way businesses collect and use personal information. By taking these steps, you can help to ensure that your website is compliant with the CPRA and other data privacy laws that are sure to follow it in the years to come.