US’ California Consumer Privacy Act (CCPA)

Does CCPA require cookie consent?

• The CCPA does not require that a business obtain user consent for collecting and processing their personal information. 
• However, if they collect and sell the personal information of users to third parties, it must give users the right to opt-out of the sale of personal information.
• Consent is necessary for certain circumstances like information transfer or collecting and using the personal information of minors (below 16 years of age).

Therefore, cookie consent is not a mandatory requirement for CCPA compliance. 

What are the requirements for CCPA compliance for cookies?

• The only requirement is to provide an opt-out for cookies that sell the personal information of users and to inform users about the use of cookies.
  • The CCPA encourages opt-out model for regulating data processing unlike GDPR that emphasizes both opt-in and opt-out approach. For CCPA cookie compliance, the websites must provide an opt-out option for denying consent to use cookies that collect and sell users’ personal information.Opt-in or asking consent isn’t mandatory unless you cater to consumers under the age of 16 years old.
  • The CCPA also requires websites to notify users when or before using cookies by providing details about the type of cookies and their purposes in the privacy notice. If a user chooses not to share their personal information with the website, then the website must respect that decision and not store cookies on their device for one year.

Implement of opt-out option:

The opt-out is usually implemented via a “Do Not Sell My Personal Information” link, which should be easily accessible on the website (the homepage footer is the most recommended place) and also on the cookie banner. 

Opt-out consent for cookies as per CCPA