CPRA Cookie Consent: What You Need to Know



The California Privacy Rights Act (CPRA) is an extension of an existing law, the California Consumer Privacy Act (CCPA). It gives California residents even more rights and control over their personal information.  

 

The CPRA also gives businesses additional responsibility for handling end user information. This is important, because as a business owner, you’ll need to understand and comply with these laws to maintain credibility and avoid fines.  

 

Some sites say that CCPA and CPRA do not have explicit cookie consent laws. That’s not true. While they may not use the terms “cookie” and “consent,” it’s all wrapped up in the same package. Cookie consent means that you gain consent from your users before sharing their information with other vendors.  

 

It also means that you, as a business, adhere to the laws and practices regarding the handling of that information. These data points should be readily available to users upon request, able to be deleted or modified, and stored in a way that auditors or lawmakers can easily access in the event of an audit.  

 

Cookie Laws and Practices  

 

The CPRA states that users have the right to “opt out.” What does this mean?  

 

It’s a little more complicated than saying “No, thanks!” In fact, opt out means that end users are allowed to:  

 

  • Restrict the movement of personal information (limitation)  

  • Only use strictly necessary cookies when browsing your site (without hindrance to site functionality)  

  • Never allow their information to be shared with other parties (decline all cookies)  

 

This is something that every business should have written in their cookie banner. CPRA explicitly states that each user must be able to opt out as easily as they can opt in. Having “accept all” or “okay” on your cookie banner is not enough to satisfy lawmakers. It goes even further than that.  

 

In order to stay compliant, your decline and accept buttons must be of equal size and accessibility. It’s a bonus if the cookie banner is customized to your brand. Your customers should be able to easily recognize that this is yours and they are making an agreement with you and your business. In the age of scams and hacks, it’s especially important to put your personal touch, voice, and tone into your cookie banner. No, you can’t copy and paste it from the Internet. Your policy should be something you believe, and that you can adhere to.  

 

Interestingly, the General Data Protection Regulation (GDPR) has an opt-in clause. That means all cookies (except strictly necessary) are blocked unless an end user says they consent to having information shared. While it sounds similar to opt-out, do not be fooled – they are not the same.  

 

 

Opt-in VS Opt-out  

 

The GDPR defines “opt-in” as information that is a choice and freely given from the end user with automatic restrictions in place.  

 

On the other hand, CPRA assumes consent (to a degree) and asks users to opt out. This does not apply to minors. We are only talking about people over 18 here today.  

 

How can end users possibly know the difference? Opt-in or opt-out, it always feels like consumers get the short end of the stick when it comes to legalese. In short, both of these terms are a puzzle for business and lawmakers. Whether or not you comply is up to you – and your cookie consent banner.  

 

Now, businesses that do not operate in California have to follow these rules if they have end users or receive web/app traffic from California. Every data privacy law has a workflow. For CCPA, your banner should give a “Do not sell my data” option every time someone comes from California. It’s just one of many amendments businesses need to comply with 

 

 

Geolocation and Cookie Consent  

 

Now that we’ve gone over the nuances in laws like CPRA and GDPR, you can see how difficult it would be to manually tailor a cookie banner based on your best guess. Actually, that would be impossible.  

 

A cookie banner that uses geolocation can solve this issue. Geolocation means that your cookie banner will automatically identify where your end user is accessing the site and make the necessary adjustments in order to comply with the law. How neat! You may have the same cookie banner for California and for EU residents, but the wording and the calls to action may be slightly different.  

 

A cookie banner like this will come in handy, especially as data privacy laws expand around the world. Countries like Canada, Brazil and Saudi Arabia have their own laws; states like Utah, Colorado, Virginia, Indiana, Connecticut and more are all writing their own laws. How can you keep up? Good news. You don’t have to. We want to make things easy.    

   

Adzapier Does the Work for You   

 

At Adzapier, we have the tools you need to succeed. Our cookie consent banner comes with geolocation – which is super important. We also offer Data Subject Access Request (DSAR) management, session recording and more. But you don’t have to get into all of that right now.  

 

What’s important is that your business stays protected, and you don’t have to deal with a headache down the road. We’ve all seen big business get millions of dollars in fines. Will that happen to your small business? Probably not right now – but if you’re looking to grow and expand in the future, having this protection could save you.


Facebook got fined years after their original mistakes happened. Lawmakers waited until the company made enough money to cough up the cash. Are you prepared to take that chance on your business? Get in compliance now, and you’ll have a worry-free route to success. Well, when it comes to data privacy. We can’t guarantee the rest.  

 

Talk to one of our data privacy experts, and they’ll get you set up within just a few minutes. Later on, they’ll answer any questions you may have and help you keep going. We’re not into frills. We’re into skills.  

 

 

Schedule a Demo  

 

Comments

Post a Comment

Popular posts from this blog

Saudi Arabia’s Personal Data Protection Law: An Overview

Image
The Saudi Arabia ’s Personal Data Protection Law (PDPL) is the first data privacy law that was enacted by the Saudi Arabian government. The law was designed to protect the privacy of personal data of individuals that is collected, processed, and stored by businesses operating in Saudi Arabia.    But that’s not it ! The PDPL also applies to any person or business that collects or processes personal data in Saudi Arabia, regardless of whether they are based in the country or not. The law applies to all types of personal data, including data that is collected online and offline.       If this sounds a lot like the General Data Protection Regulation (GDPR), you’re absolutely right . The GDPR has set the standards for many data privacy laws around the world, including Brazil’s LGPD, California’s CCPA, and Virginia’s VCDPA. And now, it’s PDPL too . There are a few differences, though.      Personal data is defined under the PDPL as any informa...
Read more

Fintech: Consent Management in Open Banking

Image
For third-party financial service companies regulated by legal entities to access customers' bank transaction history securely, open banking requires their permission. Consumers can now use digital payments more easily thanks to the available banking model, which enables banks and other third parties to turn information into personalized financial advice or recommendations, such as recommending a savings account to maximize interest rates or making offers based on a customer's specific credit score.       According to research, 51% of Americans are optimistic about the future of open banking . However, they still need to figure out how third parties gather their data and what information they genuinely want to give. According to 2019 research, 73% of consumers were concerned about how brands utilized their data , making consent management and compliance in open banking a hot topic.       Financial institutions (FIs) and other Fintech startups must keep up w...
Read more

Is a Cookie Consent Banner Required for My Website in the United States?

Image
Ah, cookie consent banners. They’re a hot topic around the world right now. As fines continue to stack up from the E.U.’s General Data Protection Website Regulation (GDPR), to the California Consumer Protection Act (CCPA), many business owners are wondering: “Is a cookie consent banner a requirement in the United States?”     It certainly seems like. But then, taking a look at the law, it doesn’t seem like there’s anything that explicitly states a business must have a cookie banner in the United States.      Ah-ha! But that’s simply not true.      There is officially no federal law stating that your business must have a cookie banner. But state laws like the CCPA and the Virginia Consumer Data Protection Act (VCDPA) say that businesses must provide notice, collect consent, maintain records, and allow end users to manage their preferences easily. And while they may not say “cookie banner” explicitly, that’s exactly what a cookie banner ...
Read more