What is Consent Collection
We have all heard of cookies: small pieces of data that are used to identify and track a user's web browsing. Once this data is collected, it can be analyzed by advertisers or marketers to personalize the customer's experience. Up until the last 20 years, organizations had free rein and could collect any and all consumer data without any checks and balances. It wasn't until privacy regulations such as the CCPA and GDPR came into play that organizations were held accountable for the data they collected. Under most global privacy regulations, such as the GDPR, an organization must obtain freely given consent from consumers before using their personal information. The CCPA, on the other hand, does not require organizations to collect consent from consumers before the collection and use of their personal information.
CCPA Cookie Consent Requirements
While opt-in consent is not required, the CCPA still requires businesses to inform users of the use of cookies and their purposes and to give them the option to opt out of the sale of their personal data. The CCPA sets out what a business's cookie policy must include, as well as what a cookie notice must contain, in order to stay compliant.
Cookie Notice
A CCPA compliant cookie notice must include the following:
Information about the use of cookies and their purposes:
Under the CCPA, organizations that collect personal information from users must inform them, at or before the point of collection, about the categories of personal information collected and the purposes for which the personal information will be used.
Notice of the right to opt-out of the sale of personal information:
Under the CCPA, organizations must allow users to opt out of the sale of their personal information by displaying a clear message and a prominent link titled “Do Not Sell My Personal Information”.
A link to the organization’s privacy policy:
Under the CCPA, organizations must display a link to the organization’s privacy policy, or in the case of offline notices, a link to an online notice at the point of collection of personal information.
Opt-in consent for the sale of personal information belonging to minors:
Where an organization has actual knowledge that the consumer or a website user is less than 16 years of age, it must rely on explicit opt-in consent for the sale of their personal information. Organizations must collect affirmative consent from users aged 13 to 16 and obtain parental or guardian consent for users under 13.
Cookie Policy
The CCPA requires organizations to have the following points included in their cookie policy within their Privacy Policy:
- Definition and generic function of cookies,
- Categories of any sensitive personal information collected via cookies and their purposes,
- Cookie categories with the following information for each cookie category:
  - Processing purposes
  - Expiration date
- The length of time the business intends to retain each cookie category or, if that is not possible, the criteria used to determine that period,
- The categories of sources which the cookies were collected from,
- The parties engaged in the processing and transfer of cookies
- Categories of third parties to whom cookies are sold and disclosed along with the purpose of such sale and disclosure (list of data processors),
- Information on consumer’s right to opt-out,
- Information on minor consumers’ right to opt-in and right to opt-out once they have opted-in.
Adding a cookie notice along with the cookie policy is a way to stay compliant with privacy regulations and to build trust among customers.
CCPA Cookie Compliance Cheatsheet
With the need for data protection in mind, our experts at Securiti have compiled 8 privacy tips for marketers to successfully collect personal data for marketing purposes in a privacy-compliant and privacy-conscious manner. These tips will enable website publishers, ad-tech companies, independent advertisers and marketers to advertise their products without compromising an individual’s privacy and to avoid any potential legal consequences.
Collect, monitor, and track consumers’ consent
Identify all consumer touchpoints to effectively capture and track consumer consent and revocation of consent for respective data processing activities. It is important to have visibility of consent activity across your organization and business units to adequately monitor and honor consumer preferences for marketing purposes.
Locate your consumers’ personal data
In order to streamline the process of consent management, organizations must first gain knowledge of where the consumers’ data is stored. Without knowing where consumer data is stored, it would be difficult to honor consumer consent preferences across various first and third-party systems.
Only track users once they have been adequately notified
In today’s privacy-conscious world, most jurisdictions have either opt-in or opt-out consent regimes, where the former requires organizations to obtain explicit prior consent from consumers before the collection of personal data and the latter requires organizations to only allow consumers to opt-out of the collection of personal data. In either case, an organization must not drop any non-essential cookies or other tracking technologies that it intends to process without displaying adequate notice to the consumer.
Orchestrate and honor consent revocations across the marketing tech stack
Consents are often stored in siloed databases. It’s important to build scalable workflows to ensure consent is synced across various systems, so a consumer’s latest, up-to-date consent is honored.
Provide a way for consumers to grant or withdraw consent at any time
For consent to remain valid, organizations must allow consumers to change their preferences, such as opting out of the sale and sharing of personal data, and to withdraw consent at any time and without any detriment. For this purpose, consent preference centers must be easily accessible and available to consumers at all times. In addition, organizations should give equal prominence to the “accept” and “reject” options in cookie consent banners, so that consumers can withdraw consent to the use of cookies as easily as they gave it.
Use data only for specific processing purposes
Organizations must obtain explicit consumer consent even in an opt-out consent regime where the purpose of data processing is different from what was previously disclosed to the consumer. Without allowing consumers to provide specific consent for specific processing purposes, organizations would not be able to ensure granularity.
Do not rely on ambiguous and unclear ways to capture consumers’ consent
Organizations must not rely on the use of any deceptive consent collection method, such as pre-ticked boxes, cookie walls, and unclear consent banners. Such misleading consent mechanisms allow organizations to transfer consumers’ data without obtaining their valid consent, which is not only in violation of applicable legal requirements but also against ethical privacy practices.
Maintain comprehensive consumer consent records
Organizations must maintain comprehensive consent records containing identities of consumers, categories of consented personal data including processing purposes, consent status, consent date, location code, third parties, the information provided to consumers at the time of obtaining their consent, and information of the session in which consent was expressed. Maintaining such updated and comprehensive consent records enables organizations to demonstrate compliance with the applicable consent requirements.
How Can Securiti Help?
Securiti Universal Consent Management Solution captures consent and automates revocation fulfillment in a manner that enables marketers to adequately advertise their products as well as protect the privacy of a consumer.
Securiti’s Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features.