CPRA Cookie Consent – All You Need To Know [2023 Guide]

By Securiti Research Team
Published March 20, 2023 / Updated June 13, 2023

The California Privacy Rights Act (CPRA) of 2020, which goes into effect on January 1, 2023, is expected to replace the California Consumer Privacy Act (CCPA) of 2018. The CPRA, like the CCPA, is based on the opt-out cookie consent framework, which means no data subject's consent is required for the use of cookies, provided that data subjects are given the right to opt out.

The CPRA defines consent similar to the GDPR:

Consent means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.

This definition shows that the CPRA calls for specific, informed, freely given, and unambiguous consent, and it requires businesses to incorporate improved consent standards on their websites and mobile applications. However, consent is required only under certain circumstances. This article explores the right to opt out under the CPRA and the circumstances where consent is required.

For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.

Does the CPRA Require Consent for the use of Cookies?

No, the CPRA does not require businesses to obtain consent for using cookies. Like the CCPA, the CPRA adopts an opt-out consent mechanism in this regard.

The CPRA is based on the opt-out consent framework, which means that the use of cookies is allowed provided website users are given the right to opt out. The right to opt out is one of the data subject rights; a data subject exercises it by making a data subject rights request to the organization.

Consumers have the right to opt out of the sale or sharing of personal information, including in the context of cross-context behavioral advertising, and the right to limit the use or disclosure of sensitive personal information. Sharing refers to sharing, renting, releasing, disclosing, disseminating, making available, transferring, or communicating (orally, in writing, by electronic or other means) the consumer's personal information to a third party for cross-context behavioral advertising purposes.

To ensure compliance, businesses are required to do the following:

  • Provide a clear and conspicuous link titled “Do Not Sell or Share my personal information” that enables consumers to opt out of the sale or sharing of the consumer's personal information, and a separate clear and conspicuous link titled “Limit the use of my sensitive personal information” that enables consumers to limit the use or disclosure of their sensitive personal information.
  • Businesses can instead provide a single, clearly labeled link if that link allows a consumer both to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information.
  • To comply with the above obligations, businesses can also rely on preference signals. In that case, businesses must allow consumers to opt out through an opt-out preference signal sent with the consumer's consent. Businesses can honor consumer preferences communicated through a cross-platform global privacy control that meets technical specifications established by the Office of the Attorney General. This is an alternate mechanism for compliance. Where a business relies on preference signals, its privacy policy must state that the business responds to and abides by opt-out preference signals.

The cookie consent banner under the CPRA may be re-presented after 12 months. This means that once a consumer has opted out, businesses must wait at least 12 months before again asking the consumer to authorize the sale or sharing of personal information or the use and disclosure of sensitive personal information.

Although the CPRA does not require opt-in consent from consumers, businesses must not load any non-essential cookies without first notifying consumers via a cookie banner that gives them an option to opt out and lets them acknowledge the banner/notification.

In addition to the above, consumers have the right to opt out of the use of their personal information in automated decision-making, including consumer profiling. The CPRA defines profiling as “any form of automated processing of personal information … to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement”.

Does the CPRA require opt-in consent for the use of cookies?

Yes, the CPRA requires opt-in consent for the use of cookies where it relates to the sale or sharing of the personal information of minors. A minor is someone who is less than 16 years of age. Where a business has actual knowledge that the consumer is less than 16 years of age, it must not sell or share the consumer's personal information without obtaining explicit opt-in consent. This means businesses must obtain opt-in consent from the consumer where the consumer is at least 13 and less than 16 years of age, and from the consumer's parent or guardian where the consumer is less than 13 years of age.
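The obligations described above (honoring an opt-out preference signal such as Global Privacy Control, not activating non-essential cookies before the banner has been shown, requiring opt-in for consumers under 16, and waiting 12 months before re-asking after an opt-out) can be expressed as a small decision function in a consent manager. The following is an added illustration, not Securiti's code or any product's implementation. It assumes the GPC signal is exposed to scripts as `navigator.globalPrivacyControl` and to servers as the `Sec-GPC: 1` request header (both from the GPC specification); the cookie categories, the shape of the consent state object and the `ageUnder16` flag are hypothetical and would come from the site's own cookie policy and age-knowledge records.

```javascript
// Added example (not from the original article): a consent gate that applies
// the CPRA opt-out rules described in the text to hypothetical cookie categories.

// Hypothetical cookie categories; "sellsOrShares" marks categories whose
// cookies feed cross-context behavioral advertising.
const COOKIE_CATEGORIES = {
  essential:   { essential: true,  sellsOrShares: false },
  analytics:   { essential: false, sellsOrShares: false },
  advertising: { essential: false, sellsOrShares: true },
};

// Browser side: GPC is exposed as navigator.globalPrivacyControl (true when set).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the same preference arrives as the "Sec-GPC: 1" request header.
// Header names are matched case-insensitively.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Consent state for one consumer (hypothetical shape):
//   noticeShown  - the cookie banner has been displayed and acknowledged
//   optedOut     - consumer clicked "Do Not Sell or Share my personal information"
//   gpc          - opt-out preference signal received (see the two readers above)
//   ageUnder16   - business has actual knowledge the consumer is under 16
//   optIn        - explicit opt-in (by the consumer if 13-15, by a parent/guardian if under 13)
function mayActivate(category, state) {
  const cat = COOKIE_CATEGORIES[category];
  if (!cat) throw new Error(`unknown cookie category: ${category}`);
  if (cat.essential) return true;            // essential cookies are always active
  if (!state.noticeShown) return false;      // nothing non-essential before the banner
  if (!cat.sellsOrShares) return true;       // no sale/sharing: opt-out framework, no consent needed
  if (state.optedOut || state.gpc) return false; // honor the link and the preference signal alike
  if (state.ageUnder16) return state.optIn === true; // minors: opt-in required
  return true;
}

// List the categories that may be activated right now.
function activeCategories(state) {
  return Object.keys(COOKIE_CATEGORIES).filter((c) => mayActivate(c, state));
}

// After an opt-out, the business must wait at least 12 months before asking again.
function mayReaskAfterOptOut(optOutDate, now) {
  const earliest = new Date(optOutDate);
  earliest.setUTCMonth(earliest.getUTCMonth() + 12);
  return now.getTime() >= earliest.getTime();
}

// Usage: decide what to load for a visitor whose browser sends GPC.
const visitor = { noticeShown: true, optedOut: false, gpc: gpcFromHeaders({ 'Sec-GPC': '1' }), ageUnder16: false, optIn: false };
console.log(activeCategories(visitor)); // essential and analytics, but not advertising
```

The design point is that `optedOut` and `gpc` are treated identically: a valid preference signal is an opt-out, not a prompt to show another banner. The 12-month timer starts from the opt-out, so a banner re-shown earlier would itself be a compliance defect.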

The CPRA clearly explains what constitutes consent and what doesn't constitute consent. As mentioned earlier, consent means any freely given, specific, informed, and unambiguous indication of a consumer's wishes.

Under the CPRA, certain actions cannot be treated as consent, such as:

  • A consumer's general actions, such as accepting broad terms or terms of use that describe the processing of personal information alongside other, unrelated information;
  • Hovering over, muting, pausing, or closing a given piece of content; or
  • The use of dark patterns to manipulate or mislead consumers into providing consent.

The CPRA defines a dark pattern as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. This means that where opt-in consent is required, dark patterns such as pre-ticked checkboxes, cookie walls, and passive agreements are all strictly prohibited.

How Is The CPRA Different From The CCPA?

The CPRA builds on the existing CCPA. With several additions, such as the definitions of consent and sensitive personal information, consent requirements for minors, and multiple other obligations for businesses, the CPRA takes the privacy of Californians to another level. Learn more about CPRA vs. CCPA.

Cookie Policy under the CPRA

In light of the above, we recommend including the following details in a CPRA-compliant cookie policy:

  • Cookie categories along with their purposes,
  • Information on essential cookies, their purposes, and that they will always be activated,
  • Categories of any sensitive personal information collected via cookies and their purposes,
  • Cookie expiration dates,
  • Categories of third parties to whom personal data collected via cookies is sold or disclosed, along with the purposes of such sale or disclosure, and a list of data processors,
  • Information on consumers' right to opt out, and
  • Information on minor consumers' right to opt in and their right to opt out after they have opted in.

How Can Securiti Help?

Securiti ensures CPRA compliance with a modern PrivacyOps platform powered by AI Automation. The world-class tools support enterprises in their journey toward compliance with the CPRA through automation, enhanced data visibility, and identity linking. Get in touch to learn more.

Securiti's Cookie Consent Banner Solution enables companies to build cookie consent banners in accordance with the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.

Ask for a DEMO today to understand how Securiti can help you comply with the applicable legal requirements of global data privacy laws and regulations with ease.
