Does the CPRA Require Consent for the use of Cookies?
No, the CPRA does not require businesses to obtain consent for using cookies. Like the CCPA, the CPRA adopts an opt-out consent mechanism in this regard.
The CPRA is based on the opt-out consent framework which means that the use of cookies is allowed provided website users are given the right to opt-out. The right to opt-out is one of the data subjects' rights that can be exercised by the data subject by making a data subjects' right request to the organization.
Consumers have the right to opt-out of sale or sharing personal information including opting out in the context of cross-context behavioral advertising and the right to limit the use or disclosure of sensitive personal information. Sharing refers to sharing, renting, releasing, disclosing, disseminating, making available, transferring, or communicating (orally, in writing, by electronic or other means) the consumer's personal information to a third party for cross-context behavioral advertising purposes.
To ensure compliance, businesses are required to do the following:
- Provide a clear and conspicuous link titled “Do Not Sell or Share my personal information” that enables consumers to opt-out of the sale or sharing of the consumer's personal information and a separate link, clear and conspicuous, titled “Limit the use of my sensitive personal information” that enables consumers to limit the use or disclosure of their sensitive personal information.
- Businesses can have a single, clearly-labeled link if such a link allows a consumer to opt-out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information.
- To comply with the above obligations, businesses can also rely on preference signals. In such a case, businesses must allow consumers to opt-out through an opt-out preference signal sent with the consumer's consent. Businesses can respect consumers' preferences communicated through a cross-platform global privacy control that meets technical specifications established by the Office of the Attorney General. This is an alternate mechanism for compliance. Where a business relies on preference signals, it must state that the business responds to and abides by opt-out preference signals in its privacy policy.
The cookie consent banner under the CPRA can be represented in 12 months. This means businesses must wait for at least 12 months before requesting the consumer to authorize the sale or sharing of personal information and disclose sensitive personal information.
Although the CPRA does not require opt-in consent from consumers, businesses must not load any non-essential cookies without notifying consumers via cookie banner providing them an option to opt-out and letting them acknowledge the banner/notification.
In addition to the above, consumers have the right to opt-out relating to the use of their personal information in automated decision-making including consumer profiling. The CPRA defines profiling as “any form of automated processing of personal information … to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement”.
Does the CPRA require opt-in consent for the use of cookies?
Yes, the CPRA requires opt-in consent for the use of cookies if it relates to the sale and sharing of personal information of minors. A minor is someone who is less than 16 years of age and where a business has actual knowledge that the consumer is less than 16 years of age, it must not sell or share the consumer's personal information without taking explicit opt-in consent. This means businesses must obtain opt-in consent from consumers where the consumer is at least 13 years of age and less than 16 years of age. Businesses must obtain consent from parents or guardians of consumers where the consumer is less than 13 years of age.
What is Consent Under the CPRA?
The CPRA clearly explains what constitutes consent and what doesn't constitute consent. As mentioned earlier, consent means any freely given, specific, informed, and unambiguous indication of a consumer's wishes.
Under the CPRA, specific actions cannot be considered as consent, such as:
- A consumer's general actions such as agreeing to broad terms or acceptance of terms of use that indicate the processing of personal information besides irrelevant information;
- Hovering over, muting, pausing, or closing a given piece of content; or
- The use of dark patterns to manipulate or mislead consumers into providing consent.
The CPRA defines a dark pattern as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. This means where opt-in consent is required, the use of dark patterns such as pre-ticked checkboxes, cookie walls, and passive agreements are all strictly prohibited.
How Is The CPRA Different From The CCPA?
The CPRA is an improvement of the existing CCPA. With several additions made to the CPRA, such as introducing the definition of consent and sensitive personal information, consent for minors, and multiple other obligations for businesses, the CPRA takes the privacy of Californians to another level. Learn more about CPRA vs. CCPA.
Cookie Policy under the CPRA
In light of the above, we recommend including the following details in a CPRA compliant cookie policy:
- Cookie categories along with their purposes,
- Information on essential cookies, their purposes, and that they will always be activated,
- Categories of any sensitive personal information collected via cookies and their purposes,
- Cookie expiration dates,
- Categories of third parties to whom personal data via cookies is sold and disclosed along with the purposes of such sale and disclosure/list of data processors,
- Information on consumers' right to opt-out, and
- Information on minor consumers' right to opt-in and the right to opt-out after they have opted-in.
How Can Securiti Help?
Securiti ensures CPRA compliance with a modern PrivacyOps platform powered by AI Automation. The world-class tools support enterprises in their journey toward compliance with the CPRA through automation, enhanced data visibility, and identity linking. Get in touch to learn more.
Securiti's Cookie Consent Banner Solution enables companies to build cookie consent banners in accordance with the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.
Ask for a DEMO today to understand how Securiti can help you comply with the applicable legal requirements of global data privacy laws and regulations with ease.