CookiePro Knowledgebase

dot pattern banner

Knowledgebase CCPA CCPA and Cookies


CCPA and Cookies

Last Updated: January 13, 2021

Cookies and similar tracking technologies are important for CCPA Compliance. The CCPA gives businesses more scope to use a less restrictive form of cookie consent, compared to the GDPR. Although there are areas where compliance can become complicated.

What Are Cookies?

Cookies are pieces of data, normally stored in text files, that websites place on a visitor’s computer or mobile device to store specific information about the visitor. Cookies were designed to be a reliable mechanism for websites to remember stateful information or to record the user’s browsing activity.

Some cookies are necessary for the operation of the site. While others may be used for analytical, tracking, and marketing purposes.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a privacy regulation that went into effect on January 1, 2020. The regulation empowers residents of California with enforceable rights over their personal information. The rules give California consumers the right to know what information is collected on them and how the data is used.

Additionally, the CCPA requires websites to inform users about which organizations they share their personal data with.


CCPA Cookie Consent Requirements

CCPA compliant cookie consent will include:

  • Cookie Use Information. Including details about why the site uses cookies, and if they share that information with other third-parties.
  • Accept or Decline Cookies Button. While the CCPA doesn’t require opt-in consent, businesses should still choose to include a link that allows the user to accept cookies. Additionally, it’s considered best practice to inform the user about the data it collects. The cookie banner could include a link to the cookie settings or preference center where the users can choose to opt-in or out.
  • Do Not Sell My Personal Information Button. A critical difference from GDPR, the CCPA requires businesses to provide customers with the ability to opt-out of the sale of personal information. This should be a link or button to an opt-out form on your homepage. The button should explicitly say “Do Not Sell My Personal Information” and will link to a webpage called “Do Not Sell.” The privacy policy should be linked to the Do Not Sell webpage. Although the “Do Not Sell” button is not a cookie banner, it can be used alongside a cookie banner. This will help websites comply with the CCPA and still process important data.
  • Withdraw Consent. The consumer must have the ability to withdraw consent from the sale of their personal information at any time. It’s important that this option is easily accessible on the website.


CCPA Cookie Example

Opt-out Consent Example

Under the CCPA, opt-out consent is admissible. This means the preference center can automatically opt the user in, but still allows the user the opportunity to opt-out of cookies. Additionally, the implied consent model is permitted under the CCPA. It’s also acceptable for a website to say that the continued use of the site equals consent.

In the cookie banner below, Marketo provides the user with information about how it uses cookies. And when the user clicks “Cookie Settings,” the button for “Performance Cookies” is already checked. This reflects a CCPA compliant opt-out cookie consent.

Opt-Out Cookie Consent CCPA

CCPA Opt-Out Cookie Consent Preference Center

Do Not Sell Example

Our CookiePro website is an example of how to implement a Do Not Sell My Personal Information link that is CCPA compliant. The button is located in the bottom left corner of the page, which makes it accessible at all times. The button also contains a link to the privacy policy with information about user rights. Also, it includes the option to opt-out of the sale of data by turning off personalized advertisements.



Does CCPA Require Cookie Consent?

The CCPA doesn’t require businesses to gain opt-in consent from users. However, it does require businesses to disclose what data is being collected by cookies and how it is being used.

But there are still exceptions. The CCPA does require opt-in consent to the sale of personal data for visitors 13 to 16 years of age. A website may be better off using an opt-in consent model unless they can be sure no one under the age of 16 visits their website.


Who Has to Apply to the CCPA?

The CCPA applies to businesses that collect data about Californians that meet one of the following three conditions:

  • The business earns +$25 million in revenue
  • It processes data of 50K consumers, households, or devices
  • It derives at least 50% of its annual revenue from selling the personal information about California residents


Free CCPA Opt-Out Builder

Create a Do Not Sell notice to comply with CCPA Opt-Out requirements. CookiePro enables you to create and customize a sleek and actionable “Do Not Sell My Personal Information” link or button for your website. Also, it integrates with Google Ads Manager and the IAB CCPA Framework.


Onetrust All Rights Reserved