February 13, 2023
When it comes to data privacy, what is at once the greatest source of risk, the most common method of user data collection, and one of the most crucial elements for compliance?
When investigating a business, regulators will often look for cookie compliance first, as cookies are one of the most common ways to collect, process, and transmit user data. They’re small text files stored on the user’s browser to track and collect their data. This includes the user’s name, geo-location, IP address, website preferences, and more.
Fortunately, becoming cookie compliant is straightforward—but not necessarily easy.
Failing to become cookie compliant is a violation of the data subjects’ rights. After all, you’re collecting and using their data without their consent.
The fines for this type of violation are huge. The exact amount varies from law to law, but as an example, under the GDPR fines can reach $20 million or 4% of annual turnover (whichever is greater).
Privacy laws have varying requirements for cookie compliance. The EU General Data Protection Regulation (GDPR) is one of the strictest, but the newly enacted California Privacy Rights Act (CPRA) isn’t too far behind. Let’s review the three types of consent before looking at the specifics of cookie compliance under different laws.
With opt-out consent, you can load cookies while giving people the option to opt out of cookie collection. If they choose to opt out, you can only load essential cookies.
With implicit consent, users can’t opt out of cookies at all: you inform them of their use and nothing more. This version is not compliant with any of the recent privacy laws.
First, there was the EU Cookie Law. While its provisions respected privacy rights in principle, it wasn’t a very strict law, and websites still had great freedom with cookie usage. The arrival of the GDPR—the strictest data privacy law to date—changed that.
GDPR cookie compliance is all about opt-in consent, which should be:
Users must also be able to withdraw consent.
How do you prove you obtained consent from a person? By keeping records of the user’s consent preferences and proof that you acted on their consent. There are many consent management platforms that can help you do this, so don’t worry; you won’t need to do it all manually!
CCPA/CPRA cookie compliance requires opt-out consent.
However, there are a few exceptions that require opt-in consent, such as for the sale or sharing of personal information belonging to minors under 16 or for using data collected via cookies for a secondary purpose beyond what you initially disclose to the user. Plus, if you think there’s a risk someone from the EU will stumble on your site, opt-in consent is the safer option.
More and more laws are coming into effect, like Brazil’s LGPD or the Connecticut Data Privacy Act. Most are similar to the GDPR in their approach towards cookies and require opt-in consent.
In some places, opt-out or implicit consent is still used, especially in the U.S. But to be on the safe side, businesses may want to consider securing opt-in consent just in case their local law changes, or if they expand and become subject to a stricter law.
To check for cookie compliance, you must do a thorough review of your website, your policies, and the consent records you have (if any). Here are some things to consider.
Audit your website and compile a list of all the cookies.
Include both first-party and third-party cookies and make note of their type, purpose, and duration. If you’re not sure how to identify cookies on your website, here are 5 ways to identify cookies and scripts.
Review your privacy and cookie policies.
Obtain clear and informed consent.
This means looking at both your cookie banner and how it works, and at the consent records behind it. Make sure you aren’t employing any dark patterns in your cookie banner and that you can prove you’ve collected and acted upon your users’ consent preferences.
Compliance isn’t a one-time thing. It’s a continuous effort, and periodic self-audits are part of the process. In particular, make sure that you coordinate with your marketing, web, and development teams to stay in the loop should they add any new technologies to your website that introduce additional cookies.
Stay up-to-date with privacy laws.
More and more laws are coming into effect. Just because you’re compliant with everything that applies to you today doesn’t mean you’ll be compliant with new regulations as well. Keep an eye on new laws and on how they may affect your business. Working with a legal consultant could also help.
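The cookie audit in the first item above is, in practice, an inventory of every cookie the site sets, how long it lives, and whether it is first- or third-party. The script below is an added example, not code from the original post; it builds that inventory from Set-Cookie headers captured while loading a page, and the site domain and sample responses are constructed.

```javascript
// Added example (not code from the original post): build a cookie inventory of
// name, first/third party and duration from captured Set-Cookie headers.
const SITE_DOMAIN = "example.com"; // assumed first-party domain (constructed)
// Parse one Set-Cookie header into {name, value, <lowercased attributes>}.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}
// Lifetime in days: Max-Age takes precedence over Expires; neither = session.
function lifetimeDays(cookie, now) {
  if (cookie["max-age"] !== undefined) return Number(cookie["max-age"]) / 86400;
  if (cookie.expires !== undefined) return (Date.parse(cookie.expires) - now) / 86400000;
  return 0; // session cookie, removed when the browser closes
}
// First-party if the responding host (or Domain attribute) is the site domain or a subdomain of it.
function isFirstParty(responseHost, cookie) {
  const host = (cookie.domain || responseHost).replace(/^\./, "");
  return host === SITE_DOMAIN || host.endsWith("." + SITE_DOMAIN);
}
// responses: [{host, setCookie: [header, ...]}] captured during a page load.
function auditCookies(responses, now = Date.now()) {
  const rows = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      rows.push({
        name: c.name, host,
        party: isFirstParty(host, c) ? "first" : "third",
        durationDays: Math.round(lifetimeDays(c, now)),
        purpose: "unclassified", // filled in by hand during the audit
      });
    }
  }
  return rows;
}
// Constructed sample: first-party session cookie, first-party 30-day
// preference cookie, third-party 2-year tracking cookie.
const SAMPLE = [
  { host: "www.example.com", setCookie: ["session=abc; Path=/; HttpOnly; Secure",
    "prefs=dark; Max-Age=2592000; Domain=.example.com; Path=/"] },
  { host: "ads.tracker-net.test", setCookie: ["uid=xyz; Max-Age=63072000; SameSite=None; Secure"] },
];
```

Run `auditCookies(SAMPLE)` to get the inventory rows; the purpose column is the part no tool fills in for you.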
Cookie compliance is not a complicated process. But that doesn’t mean it’s easy. It comes with various challenges, some of which are easier to overcome, and some harder.
Keeping records of consent.
The GDPR requires proof of consent. And the only way to do that is to record each user’s choice. You need to know when a user gave their consent and for what cookies.
Allowing users to revoke consent.
Someone agreed to cookies. Great! But what if they change their mind? The GDPR clearly states that data subjects have the right to withdraw consent. If you kept the records mentioned previously, you’re one step closer to overcoming this challenge as well. But you need to make sure your consent management tool allows you to respond quickly each time someone changes their mind about cookies.
Correctly categorizing cookies.
Informed consent means you need to tell your users about all the cookie categories you use. But categorizing them correctly may prove to be more challenging than expected. A good consent management platform will help you overcome this challenge quite easily, though.
Balancing compliance and user experience.
Have you ever entered a website only to be deeply annoyed by a cookie banner that keeps getting in your way? Unfortunately, this is needed for opt-in consent—the banner needs to stay in place until the user clicks on it. Does that really mean you need to make it impossible to browse the site though? It doesn’t. As long as you don’t assume consent, they should be able to browse the site with essential cookies only. But finding the right balance can be challenging.
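The record-keeping challenges above (proving when a user consented and to which categories, letting them withdraw, and serving only essential cookies until they opt in) come down to one append-only log. The following is an added example, not code from the original post or from Osano CMP; the category names, policy version, script tags and in-memory storage are constructed assumptions.

```javascript
// Added example (not code from the original post): an append-only consent log
// that records what each user agreed to and when, gates non-essential cookie
// categories on that record, and treats withdrawal as a new event. Category
// names, policy version and in-memory storage are constructed assumptions.
const POLICY_VERSION = "2023-02"; // version of the cookie policy the banner shows
const CATEGORIES = ["essential", "analytics", "marketing"];

class ConsentLog {
  constructor() {
    this.records = new Map(); // userId -> [event, ...], oldest first
  }
  // Append rather than overwrite, so the history shows what was chosen and when.
  record(userId, granted, at = new Date().toISOString(), policy = POLICY_VERSION) {
    const optional = granted.filter((c) => CATEGORIES.includes(c) && c !== "essential");
    const event = { at, policy, granted: ["essential", ...optional] };
    if (!this.records.has(userId)) this.records.set(userId, []);
    this.records.get(userId).push(event);
    return event;
  }
  // Withdrawal is itself an event: from now on only essential cookies are allowed.
  withdraw(userId, at) {
    return this.record(userId, [], at);
  }
  // Latest event, or essential-only when no consent was ever recorded
  // (no record means no consent; consent is never assumed).
  current(userId) {
    const events = this.records.get(userId) || [];
    return events.length ? events[events.length - 1]
                         : { at: null, policy: null, granted: ["essential"] };
  }
  // May a cookie of this category be set for this user right now?
  // Consent given under an older policy version does not carry over.
  allows(userId, category) {
    if (category === "essential") return true;
    const c = this.current(userId);
    return c.policy === POLICY_VERSION && c.granted.includes(category);
  }
  // Full history for one user, e.g. to demonstrate consent to a regulator.
  history(userId) {
    return (this.records.get(userId) || []).map((e) => ({ ...e }));
  }
}

// Gate a script loader on the log: only load tags whose category is allowed.
function scriptsToLoad(log, userId, tags) {
  return tags.filter((t) => log.allows(userId, t.category)).map((t) => t.src);
}
```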
While sometimes challenging, the compliance journey is straightforward.
Start with a cookie audit and make a list of all the cookies you use.
First-party and third-party cookies both count for compliance purposes.
Choose your cookie banner solution.
Make sure it meets all the cookie notice requirements, such as offering opt-in or opt-out consent, making it just as easy to accept cookies as it is to reject them, keeping records of consent, and more.
Choose a consent management platform.
Be transparent and comprehensive. List all the cookies you use, their type, scope, and duration.
Review your policy and conduct a new cookie audit.
If you want a consent management platform to tackle all your cookie compliance needs, Osano CMP might be just what you’re looking for. It’s easy to set up, comes with a customizable banner, and helps you with the much-needed proof of consent. To see it in action, sign up for a free account or request a demo.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”