Delete cookies!? CPRA and cookie consent management.

Managing data from cookies

A common and misunderstood aspect of CPRA is website cookies. CPRA requires you to manage the data collected through website cookies, because that data counts as personal information. Your company must therefore be able to link cookie data to the visitor it relates to and respond to privacy requests from that consumer. Nearly all such requests need access to the underlying data, so a third-party cookie vendor must give you that ability; engage your vendor on CPRA compliance before you need it.

Cookies and consumers

Companies and websites use cookies. A cookie is set by the website in your browser so that the site can recognize that browser on later visits and remember information about your browsing. Cookies are scoped to the site (domain) that set them. When you return to that site, the cookie is sent back, and the company can connect this visit to your earlier ones on its website(s). A company may set its own cookie, called a first-party cookie, or it may rely on a third-party cookie service whose cookies are set from another domain.

Technically, by lifetime, there are only two types of cookies. The first is a session cookie. Session cookies have no stored expiry and are discarded when you close the browser, so each visit is treated as a new visit. The second is a persistent cookie. Persistent cookies are stored on your device and their lifetime is set by the website (via an expiry date or a maximum age). By purpose, websites use persistent cookies in three broad ways:

  1. Essential cookies – used for the basic features of the website to work. Examples include sign-in, sign-up, shopping carts, remembering selected preferences, and so on.
  2. Functional cookies – used so the website can analyze how it is used. Examples include performance measurement, user-experience improvements, optimizing image or video loading, and so on.
  3. Advertising cookies – used mainly for advertising, so the site can display ads relevant to the specific visitor. Examples include data sharing with advertisers, social-sharing widgets, return-visit tracking, and so on.


Personal information tracked with cookies

Cookies are simply identifiers with an expiration date. A cookie does not contain personal information when it is created, and it does not scan your computer, browser data, or browser history. Most websites collect personal information only when you enter it on a form. The value a cookie stores is usually an opaque identifier or a signed or encrypted token; the real data lives on the server, which knows what that identifier refers to. The server also knows any information you provide. And, as a consequence of how the internet works, the server sees your approximate location, time of visit, IP address, service provider, length of visit, pages visited, clicks and their frequency, search terms, and so on. Taken individually, these items may not look like personally identifiable information. Taken together and tied to an identifier, they are personal information under CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act).

A web server can use third-party tools to profile you. Marketers collate data from multiple websites to build a unique profile of you; this is often called web profiling, and it lets marketers target specific ads. For example, when you search for running shoes on one website and moments later visit an ecommerce site, you will likely be served an advertisement for running shoes. Another example: after you visit a website called xyz.com and then browse other sites, you may be served ads for xyz.com.

Profiling with cookies and consumer privacy

Profiling using cookies is an essential tool for marketers. It is powerful and helps them spend advertising dollars effectively, targeting users based on the products they are likely to purchase. However, the same profiles can be used maliciously, for example to harass or single out individuals. Cookies also serve many legitimate purposes beyond advertising.

As a consumer you cannot fully prevent profiling, but you can take precautions to protect your privacy. For example, you may use free browser extensions or third-party applications such as Ghostery to identify the companies setting cookies on a page, and you may install CCleaner to clear sessions and cookies. A simpler approach is to configure your browser to block cookies from untrusted sites. The Chrome browser provides several advanced privacy settings; we recommend that you explore them.

Privacy and Security

Chrome has several options that you can explore under Site Settings. These let you set permissions for a specific site without changing the default settings, so you can treat trusted and untrusted sites differently.

Site Settings

You may explore the cookie settings in Chrome or other browsers; this can help limit profiling. Additionally, most browsers list stored cookies by website, along with the estimated amount of data stored for each.

State of cookies prior to CPRA/CCPA

A study by advertising firms in 2018 examined 5 billion page impressions. It found that users on desktop web browsers block over 60% of cookies, and users on mobile devices reject over 70%, using tools and built-in browser settings to actively block them. Consumer awareness of the privacy risks of cookie tracking is at an all-time high, a substantial change from two decades ago.

The General Data Protection Regulation (GDPR) came into effect in 2018. Websites had to change their privacy policies, cookie management policies, and more. GDPR and the EU ePrivacy Directive require that website visitors give consent before the website deploys tracking cookies, and that this consent be recorded. As a result, many websites deployed cookie consent management, and today a visitor expects the familiar cookie consent banner. GDPR regulation of cookies implies:

  • Transparency of cookie policy – A visitor must be given a clear view of the site's use of cookies in plain, understandable language. Websites cannot hide behind a legal privacy policy statement that visitors routinely overlook.
  • Personally identifiable information – A visitor may or may not provide directly identifying information. It is enough that an individual can be singled out by a combination of the data collected for the regulation to apply.
  • Accountability for cookies on the site – The website is accountable for all data collected, including its security, processing, and storage. This is harder when third-party cookies are involved: data processing by third parties must be managed carefully, with contracts in place.
  • Opt-in cookie consent – A visitor must be given a clear choice to accept or reject tracking cookies, and that choice must be obtained before any non-essential cookies start collecting data.
  • Manage consent – A visitor must be able to change (withdraw or grant) consent at any time. Supervisory-authority guidance also expects consent to be refreshed periodically (12 months is a commonly cited interval), and each consent decision must be recorded for future reference.

GDPR set the stage for how cookies should be managed on websites. Several large companies operating in the EU chose to apply these cookie management settings globally. But GDPR did not reach the millions of California websites that serve no EU residents, and EU regulators barely have the resources to enforce within their own jurisdiction. Awareness had built up for change in California. The result was the CCPA (California Consumer Privacy Act).

Right to privacy in California

The California State Constitution gives each person the right to pursue and obtain privacy (Article I, Section 1). Several other state and federal laws also protect the privacy of individuals; a list of the privacy laws that apply in California was linked from the original article.

Why the CPRA/CCPA – California Consumer Privacy Act / California Privacy Rights Act?

Officially AB-375, the California Consumer Privacy Act (as amended by the CPRA, Proposition 24 of 2020) is intended to hold companies accountable for their use of consumer data. Beyond privacy as such, consumers gain the right to control their data and its use. CPRA/CCPA gives the consumer enforceable rights over what happens to their personal information, including:

  • Right to know what information is collected
  • Right to know if their data is sold or shared
  • Right to know 3rd parties that have access to their data
  • Right to say no to the sale of their data
  • Right to delete (the "right to be forgotten")
  • Right to have access to data
  • No discrimination upon exercise of rights
  • and more…

State of cookies after CPRA/CCPA

The California Consumer Privacy Act (CCPA/CPRA) introduces stricter provisions for companies processing the personal information of individuals. For example, any data collected by cookies can be personal information and therefore falls under CPRA/CCPA. For companies already compliant with GDPR this may be an easy change to adopt, since the European regulation requires similar changes to the cookie policy.

  • Clear disclosure of cookie policy – A visitor must be given a clear view of the site's use of cookies in plain, understandable language. Under CCPA, websites cannot hide behind a legal statement that visitors overlook.
  • Personal information – A visitor may not provide directly identifying information. Even so, information collected using cookies is treated as personal information under CCPA.
  • Cookies on the site – The website is accountable for all data collected, including its security, management, and storage. Websites that use third-party cookies must still be able to manage the data those cookies collect.
  • Know your third-party vendors – Cookies on a website are mostly set by third-party vendors. Make sure your vendor agreements contain explicit data protection and CCPA compliance clauses.
  • Opt-out of sale of personal information – A visitor must be given a clear choice to opt out of the sale (and, under CPRA, sharing) of personal information. The opt-out must be clear and easy to find, and it applies to all of the visitor's data, not just some cookies.
  • Manage opt-out and opt-in of sale of personal information – A visitor must be able to change (reject or accept) their choice, and each such choice must be recorded for reference.

Cookie policy changes

As part of CPRA/CCPA, websites and companies need to be transparent in their use of cookies. They must disclose clearly that cookies are used, and that disclosure may describe the data collected through them. CCPA does not require prior consent for the use of cookies. It does require clear disclosure, and it requires that the visitor be able to opt out of the sale or sharing of personal information collected through cookies. Websites and companies need to modify their cookie policy to reflect these changes.

Under CCPA (California Consumer Privacy Act) different types of cookies have separate treatment. Essential cookies are required for the proper operation of the website. Websites are not required to provide the ability to opt out of essential cookies. It is advisable to disclose their use, but not required to allow visitors or users to disable essential cookies.

Functional cookies serve multiple purposes and potentially web tracking. Some are required for the website to perform; others are optional. Under CCPA, websites must give the visitor a way to opt out of the optional ones. Websites should publish a clear description of each type of cookie used, how many cookies fall under each type, and an option to opt out of anything that is not mandatory for the site to function. These cookies may be first-party or third-party. While the letter of the CCPA is not specific about cookie categories, its provisions imply clear disclosure of how cookies collect and use data, plus the ability to opt out of non-essential cookies.

Advertising cookies clearly fall within the purview of non-essential cookies. They may be first-party or third-party. Under CCPA, the data they collect must be protected, and you must be able to provide access to that data to consumers upon request.

Consent management (A good practice and not necessary under CCPA)

Websites must start to implement clear consent management. We recommend consent management for all websites, with the ability to opt out as the minimum. Opt-out consent management does not adversely affect the way websites do business today. Most companies that use email marketing have already incorporated consent management; websites need to extend it to their visitors.

Companies now need to manage consent across all functions, and the website needs to track each visitor's cookie preferences. CCPA is clear about opt-out consent for adults. It is also clear about opt-in consent for children and young adults (under 16, with parental consent under 13). It is still unclear how to implement both types of consent for different types of visitors on one site; we expect to provide an update when this clarity emerges. Finally, websites need an integrated consent management system that can also communicate consent to third-party partners.

A cookie consent management system needs one more capability: it should recognize the visitor across the multiple devices they use and apply their consent choice on each of them. That implies tracking consent across mobile, tablet, and computer. Do this by tying the consent record to an authenticated account or to an identifier the visitor has explicitly provided, not by fingerprinting; building a covert cross-device tracker in order to honor an opt-out defeats the purpose.

Cookie banner

CCPA has no requirement for cookie banners. It does have a clear requirement for a "Do Not Sell My Personal Information" link (under CPRA, "Do Not Sell or Share My Personal Information") on the home page, and there is a need for clear consent management. We recommend that websites not rely on a cookie banner for CCPA, and instead place a clear link on the home page for managing cookie preferences. This differs from how GDPR compliance uses a cookie banner; for technical reasons or for consistency, you may use a single cookie banner for both.
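The following is an added example, not code from the original article or from any consent vendor, showing how the pieces described above fit together server-side: the session-versus-persistent cookie distinction (a cookie with no Max-Age dies with the browser), a first-party cookie that records the visitor's opt-out, and a gate that only emits non-essential cookies when the record and the visitor's status permit. The cookie name `cpra_consent`, the category labels, the `optInSale`/`disabled` fields and the sample registry are this example's own assumptions. One point the article does not mention but a practitioner must handle: the CPRA regulations require businesses to treat an opt-out preference signal such as Global Privacy Control (the `Sec-GPC: 1` request header, `navigator.globalPrivacyControl` in the browser) as a valid opt-out of sale/sharing, so the gate treats it the same as a recorded opt-out.

```javascript
"use strict";

// Constructed example. Assumed names: CONSENT_COOKIE, the category labels,
// the record fields and the sample COOKIE_REGISTRY below.
const CONSENT_COOKIE = "cpra_consent";
const CONSENT_VERSION = 1;
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// The three purposes the article describes; "essential" is never gated.
const GATED_CATEGORIES = ["functional", "advertising"];

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
// Malformed pairs are skipped instead of throwing, so a hostile cookie
// cannot break consent handling for the whole request.
function parseCookieHeader(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch { /* bad encoding: ignore */ }
  }
  return out;
}

// Build one Set-Cookie header. No maxAge => session cookie (discarded when the
// browser closes); a maxAge => persistent cookie with a server-chosen lifetime.
// Secure and SameSite are always set; HttpOnly unless script must read it.
function buildSetCookie(name, value, { maxAge, httpOnly = true, sameSite = "Lax", path = "/" } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, "Secure", `SameSite=${sameSite}`];
  if (httpOnly) parts.push("HttpOnly");
  if (Number.isInteger(maxAge) && maxAge >= 0) parts.push(`Max-Age=${maxAge}`);
  return parts.join("; ");
}

// Read the stored consent record. Anything unparseable, mistyped or from an
// older schema version is treated as "no record" rather than trusted.
function readConsent(cookies) {
  const raw = cookies[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec === null || typeof rec !== "object" || rec.v !== CONSENT_VERSION) return null;
    if (typeof rec.optOutOfSale !== "boolean" || typeof rec.ts !== "number") return null;
    if (rec.disabled !== undefined && !Array.isArray(rec.disabled)) return null;
    return rec;
  } catch { return null; }
}

// Decide which cookie categories this response may set.
//  - Adults are opt-out: with no record, non-essential cookies are allowed, but
//    the "Do Not Sell or Share" link must be offered.
//  - A recorded opt-out, or a Global Privacy Control signal (Sec-GPC: 1),
//    removes the sale/share category (advertising here). Individually
//    disabled categories stay off regardless.
//  - Under-16 visitors are opt-in: essential only until an explicit opt-in.
function allowedCategories({ consent = null, gpc = false, isMinor = false }) {
  const allowed = ["essential"];
  if (isMinor) {
    if (consent && consent.optInSale === true) allowed.push(...GATED_CATEGORIES);
    return allowed;
  }
  const optedOut = gpc === true || (consent !== null && consent.optOutOfSale === true);
  const disabled = new Set((consent && consent.disabled) || []);
  for (const cat of GATED_CATEGORIES) {
    if (disabled.has(cat)) continue;
    if (cat === "advertising" && optedOut) continue;
    allowed.push(cat);
  }
  return allowed;
}

// Set-Cookie header that records the visitor's choice. Persistent for a year
// and readable by script (client-side tag loaders check it), so no HttpOnly.
function consentSetCookie({ optOutOfSale, disabled = [], optInSale = false }, now = Date.now()) {
  const rec = { v: CONSENT_VERSION, optOutOfSale, disabled, optInSale, ts: Math.floor(now / 1000) };
  return buildSetCookie(CONSENT_COOKIE, JSON.stringify(rec), { maxAge: ONE_YEAR_SECONDS, httpOnly: false });
}

// Sample first-party registry (constructed): every cookie the site sets, its
// purpose and lifetime. The same table feeds the cookie disclosure page.
const COOKIE_REGISTRY = [
  { name: "sid",   category: "essential",   maxAge: undefined,           httpOnly: true },  // session cookie
  { name: "prefs", category: "functional",  maxAge: 30 * 24 * 60 * 60,   httpOnly: false },
  { name: "ad_id", category: "advertising", maxAge: ONE_YEAR_SECONDS,    httpOnly: true },
];

// For one request, the Set-Cookie headers the response is allowed to emit.
function cookiesForResponse({ cookieHeader, gpc = false, isMinor = false }, values) {
  const consent = readConsent(parseCookieHeader(cookieHeader));
  const allowed = new Set(allowedCategories({ consent, gpc, isMinor }));
  return COOKIE_REGISTRY
    .filter((c) => allowed.has(c.category) && values[c.name] !== undefined)
    .map((c) => buildSetCookie(c.name, values[c.name], { maxAge: c.maxAge, httpOnly: c.httpOnly }));
}
```

The registry is deliberately the single source of truth: the disclosure page, the preference UI and the gate all read the same list, so a cookie cannot be set that was never disclosed. Third-party tags would be loaded client-side behind the same `allowedCategories` decision, read from the `cpra_consent` cookie.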

In conclusion, CCPA has several requirements about cookies and consent management:

  • Clear and easy to understand cookie policy
  • Detail of each cookie used and its purpose
  • Collect, manage, store, and secure personal information collected using cookies
  • Manage 3rd party vendors for CPRA/CCPA compliance and data protection
  • Track consent across multiple devices (see household requirement under CPRA/CCPA)
  • No requirement for a cookie consent banner
  • Recommend placing a link on home page for consent management (a good practice, not a CPRA/CCPA requirement)
