
CPRA Cookie Consent – All You Need To Know [2025 Guide]

Published January 1, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


The California Privacy Rights Act (CPRA) of 2020, which goes into effect on January 1, 2023, is expected to replace the California Consumer Privacy Act (CCPA) of 2018. Like the CCPA, the CPRA is based on an opt-out cookie consent framework: no data subject consent is required for the use of cookies, provided that data subjects are given the right to opt out.

The CPRA defines consent similar to the GDPR:

Consent means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.

This definition indicates that the CPRA highlights the need for specific, informed, freely given, and unambiguous consent and it requires businesses to incorporate improved consent standards on their websites and mobile applications. However, consent is required only under certain circumstances. This article explores the right to opt-out under the CPRA and the circumstances where consent is required.


For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist and download our white paper, 7 Essential Tips to Prepare for the CPRA.

Does the CPRA Require Consent for the use of Cookies?

No, the CPRA does not require businesses to obtain consent for using cookies. Like the CCPA, the CPRA adopts an opt-out consent mechanism in this regard.

Under the CPRA's opt-out framework, the use of cookies is allowed provided website users are given the right to opt out. The right to opt out is one of the data subject rights, and a data subject exercises it by submitting a data subject rights request to the organization.

Consumers have the right to opt out of the sale or sharing of their personal information, including sharing for cross-context behavioral advertising, and the right to limit the use or disclosure of their sensitive personal information. Sharing refers to sharing, renting, releasing, disclosing, disseminating, making available, transferring, or communicating (orally, in writing, by electronic or other means) the consumer's personal information to a third party for cross-context behavioral advertising purposes.

To ensure compliance, businesses are required to do the following:

  • Provide a clear and conspicuous link titled “Do Not Sell or Share my personal information” that enables consumers to opt-out of the sale or sharing of the consumer's personal information and a separate link, clear and conspicuous, titled “Limit the use of my sensitive personal information” that enables consumers to limit the use or disclosure of their sensitive personal information.
  • Businesses can have a single, clearly-labeled link if such a link allows a consumer to opt-out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information.
  • To comply with the above obligations, businesses can also rely on preference signals. In such a case, businesses must allow consumers to opt-out through an opt-out preference signal sent with the consumer's consent. Businesses can respect consumers' preferences communicated through a cross-platform global privacy control that meets technical specifications established by the Office of the Attorney General. This is an alternate mechanism for compliance. Where a business relies on preference signals, it must state that the business responds to and abides by opt-out preference signals in its privacy policy.

Once a consumer has opted out, the cookie consent banner under the CPRA may be re-presented only after 12 months. This means businesses must wait at least 12 months before asking the consumer again to authorize the sale or sharing of personal information or the use and disclosure of sensitive personal information.

Although the CPRA does not require opt-in consent from consumers, businesses must not load any non-essential cookies without notifying consumers via a cookie banner that gives them an option to opt out and lets them acknowledge the banner/notification.

In addition to the above, consumers have the right to opt-out relating to the use of their personal information in automated decision-making including consumer profiling. The CPRA defines profiling as “any form of automated processing of personal information … to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement”.

Does the CPRA require opt-in consent for the use of cookies?

Yes, the CPRA requires opt-in consent for the use of cookies where it relates to the sale or sharing of the personal information of minors. A minor is someone less than 16 years of age. Where a business has actual knowledge that the consumer is less than 16 years of age, it must not sell or share the consumer's personal information without explicit opt-in consent: businesses must obtain opt-in consent from the consumer where the consumer is at least 13 and less than 16 years of age, and from a parent or guardian where the consumer is less than 13 years of age.

The CPRA clearly explains what constitutes consent and what doesn't constitute consent. As mentioned earlier, consent means any freely given, specific, informed, and unambiguous indication of a consumer's wishes.

Under the CPRA, certain actions do not constitute consent, such as:

  • A consumer's general actions, such as accepting general or broad terms of use that describe the processing of personal information alongside other, unrelated information;
  • Hovering over, muting, pausing, or closing a given piece of content; or
  • The use of dark patterns to manipulate or mislead consumers into providing consent.

The CPRA defines a dark pattern as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. This means where opt-in consent is required, the use of dark patterns such as pre-ticked checkboxes, cookie walls, and passive agreements are all strictly prohibited.
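The rules above (honoring an opt-out preference signal, the 12-month wait before re-requesting authorization, opt-in consent for minors under 16 with parental consent under 13, and the actions that do not count as consent) combine into one decision a site's consent layer has to make on every request. The following is an added example written for this article, not code from Securiti or from any regulator; it assumes the preference signal arrives as the Sec-GPC: 1 request header defined by the Global Privacy Control specification (the article itself only says "opt-out preference signals"), and the Consumer and ConsentRecord models, the purpose string "sale_or_sharing" and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Mapping, Optional, Tuple

# Minimum interval before a business may ask a consumer who opted out to
# authorize sale/sharing again (the 12-month wait described in the article).
REQUEST_WAIT = timedelta(days=365)


@dataclass
class ConsentRecord:
    """An opt-in consent event recorded by the site's consent banner (constructed model)."""
    given_on: date
    affirmative_action: bool        # True only for a clear click on "Allow"; False for
                                    # pre-ticked boxes, scrolling, closing, hovering, muting
    purpose: str                    # the narrowly defined purpose consented to
    by_parent_or_guardian: bool = False


@dataclass
class Consumer:
    """What the business actually knows about the visitor (constructed model)."""
    age: Optional[int] = None               # None = no actual knowledge of age
    opted_out_on: Optional[date] = None     # date of a "Do Not Sell or Share" request
    consent: Optional[ConsentRecord] = None


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True if the request carries a Global Privacy Control opt-out signal.

    Assumption: the signal is the 'Sec-GPC: 1' request header from the GPC
    specification. Header names are matched case-insensitively.
    """
    return any(name.lower() == "sec-gpc" and value.strip() == "1"
               for name, value in headers.items())


def consent_is_valid(consent: Optional[ConsentRecord], purpose: str,
                     require_guardian: bool) -> bool:
    """Check a recorded consent against the CPRA definition summarized in the article."""
    if consent is None:
        return False
    if not consent.affirmative_action:      # passive or dark-pattern "consent" is void
        return False
    if consent.purpose != purpose:          # consent must be specific to this purpose
        return False
    if require_guardian and not consent.by_parent_or_guardian:
        return False
    return True


def may_sell_or_share(headers: Mapping[str, str], consumer: Consumer) -> Tuple[bool, str]:
    """Decide whether sale/sharing cookies may run for this request.

    Returns (allowed, reason). Order matters: an opt-out signal or request
    always wins; a known minor under 16 needs valid opt-in; everyone else is
    covered by the opt-out framework.
    """
    if gpc_signal_present(headers):
        return False, "opt-out preference signal received"
    if consumer.opted_out_on is not None:
        return False, "consumer submitted an opt-out request"
    if consumer.age is not None and consumer.age < 16:
        needs_guardian = consumer.age < 13
        if consent_is_valid(consumer.consent, "sale_or_sharing", needs_guardian):
            return True, "minor: valid opt-in consent on record"
        return False, "minor: opt-in consent required"
    return True, "adult or unknown age: no opt-out received"


def may_request_authorization(consumer: Consumer, today: date) -> bool:
    """After an opt-out, wait at least 12 months before asking the consumer again."""
    if consumer.opted_out_on is None:
        return True
    return today - consumer.opted_out_on >= REQUEST_WAIT


if __name__ == "__main__":
    # Constructed sample requests and visitors, not real data.
    gpc_request = {"Host": "shop.example", "Sec-GPC": "1"}
    plain_request = {"Host": "shop.example"}
    adult = Consumer(age=34)
    teen_preticked = Consumer(age=15, consent=ConsentRecord(date(2024, 3, 1), False, "sale_or_sharing"))
    child_guardian = Consumer(age=12, consent=ConsentRecord(date(2024, 3, 1), True, "sale_or_sharing", True))
    cases = [("adult + GPC", gpc_request, adult), ("adult", plain_request, adult),
             ("teen, pre-ticked box", plain_request, teen_preticked),
             ("child, guardian consent", plain_request, child_guardian)]
    for label, hdrs, visitor in cases:
        print(f"{label:24} -> {may_sell_or_share(hdrs, visitor)}")
    print("re-request allowed:", may_request_authorization(Consumer(opted_out_on=date(2024, 1, 1)), date(2025, 1, 1)))
```

The ordering in may_sell_or_share is the point: a preference signal or a prior opt-out request is checked before any consent record, so a stored "Allow" never overrides a later opt-out, and a pre-ticked checkbox (affirmative_action False) is rejected outright rather than treated as consent for a minor.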

How Is The CPRA Different From The CCPA?

The CPRA is an improvement of the existing CCPA. With several additions made to the CPRA, such as introducing the definition of consent and sensitive personal information, consent for minors, and multiple other obligations for businesses, the CPRA takes the privacy of Californians to another level. Learn more about CPRA vs. CCPA.

Cookie Policy under the CPRA

In light of the above, we recommend including the following details in a CPRA compliant cookie policy:

  • Cookie categories along with their purposes,
  • Information on essential cookies, their purposes, and that they will always be activated,
  • Categories of any sensitive personal information collected via cookies and their purposes,
  • Cookie expiration dates,
  • Categories of third parties to whom personal information collected via cookies is sold or disclosed, along with the purposes of such sale and disclosure, and a list of data processors,
  • Information on consumers' right to opt-out, and
  • Information on minor consumers' right to opt-in and the right to opt-out after they have opted-in.

How Can Securiti Help?

Securiti ensures CPRA compliance with a modern PrivacyOps platform powered by AI Automation. The world-class tools support enterprises in their journey toward compliance with the CPRA through automation, enhanced data visibility, and identity linking. Get in touch to learn more.

Securiti's Cookie Consent Banner Solution enables companies to build cookie consent banners in accordance with the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.

Ask for a DEMO today to understand how Securiti can help you comply with the applicable legal requirements of global data privacy laws and regulations with ease.
