— A link to the organization’s privacy policy
Under the CCPA, organizations must display a link to the organization’s privacy policy, or in the case of offline notices, a link to an online notice at the point of collection of personal information. The privacy policy should be posted online through a conspicuous link using the word “privacy” on the organization’s website homepage or the download or landing page of a mobile application. It should be easy to read and understandable for users.
The privacy policy should contain all the relevant details, including information about a user’s right to know about personal information collected, disclosed, or sold; the right to request deletion of personal information; the right to opt out of the sale of personal information; the right to non-discrimination; information about the authorized agent; a contact for more information; the date on which the privacy policy was last updated; and a description of the required processes if an organization sells personal information belonging to minors.
— Opt-in consent for the sale of personal information belonging to minors
Where an organization has actual knowledge that the consumer or a website user is less than 16 years of age, it must rely on the explicit opt-in consent for the sale of their personal information. Organizations must obtain consent from users if they are at least 13 years of age and less than 16 years of age and from parents or guardians of users where they are less than 13 years of age.
It is clear that organizations cannot drop any cookies that have not been disclosed to users via notice. If an organization intends to use any additional cookies, it must inform the user.
In addition to the requirements mentioned above, organizations must maintain updated cookie consent records. Such records must include the date of the request of opt-in/opt-out, the nature of such request, the manner in which the request was made, the date of the organization’s response to the request, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part. Such consent records must be maintained for at least 24 months.
How can Securiti help?
With the legal requirements pertaining to cookies and consent becoming stricter with time, organizations need to be mindful and adapt their consent policies accordingly. In particular, organizations must devise ways to ensure that cookies are not dropped without the consent or knowledge of the website user.
Securiti’s Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features.