Published on January 27, 2021 by the Privacy Research Team
Organizations rely heavily on cookies for many forms of online advertising. Cookies collect users' personal information, which is then shared, disclosed or sold to other parties, including ad-tech companies, for marketing purposes. Because cookies can identify website users, build profiles of them, and feed the collection and sale of their information to other parties, concern about users' data privacy has grown.
Most global privacy regulations use notices to inform users about cookies. These notices can be classified as following either an opt-in or an opt-out consent regime.
A CCPA-compliant cookie notice must include the following:
Under the CCPA, organizations that collect personal information from users must inform users at or before the point of collection, about the categories of personal information collected and the purpose for which the personal information will be used. This can be done by providing conspicuous links at or before the point of collection of personal information.
The California Privacy Rights Act (CPRA), which will replace the CCPA soon, enhances this obligation by requiring organizations to also include in their notices information on whether personal information is sold or shared and the length of time the organization intends to retain each category of personal information, or if not possible, the criteria used to determine such period.
Under the CCPA, organizations must allow users to opt-out of the sale of their personal information by displaying a clear message and prominent link titled “Do Not Sell My Personal Information” enabling users to opt-out of the sale of their information. This link should be easy to read and understandable for users. The link will provide users a description of the user’s right to opt-out, an interactive form and instructions by which users can submit their request to opt-out of the sale of their personal information.
The CPRA further enhances this requirement by requiring organizations to allow users to not only opt-out of sale of their information but also from sharing of their personal information including opting-out in the context of cross-site behavioral advertising. The CPRA also requires organizations to enable users to limit the use or disclosure of their sensitive personal information.
Where an organization has actual knowledge that a consumer or website user is under 16 years of age, it must rely on explicit opt-in consent for the sale of their personal information. Consent must be obtained from the user if they are at least 13 but under 16 years of age, and from a parent or guardian if the user is under 13.
It is clear that organizations cannot drop any cookies that have not been disclosed to users via notice. If an organization intends to use any additional cookies, it must inform the user.
In addition to the requirements mentioned above, organizations must maintain updated cookie consent records. Such records must include the date of the request of opt-in/opt-out, the nature of such request, the manner in which the request was made, the date of the organization’s response to the request, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part. Such consent records must be maintained for at least 24 months.
With the legal requirements pertaining to cookies and consent becoming stricter over time, organizations need to be mindful of these changes and adapt their consent policies accordingly. In particular, organizations must devise ways to ensure that cookies are not dropped without the consent or knowledge of the website user.
Securiti’s Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features.