Legal and Data Privacy Writer at TermsFeed.
With the privacy concerns surrounding cookies, it's no surprise that modern laws provide specific requirements to help companies uphold fair and transparent cookie practices.
What are Cookies?
Cookies are small data files stored in a user's internet browser by the websites they visit. As an integral component of the modern internet, cookies are used by virtually every website to carry out a wide range of functions.
While some cookies are essential to a website's operation, others may be used for tracking, marketing, and analytical purposes.
As the most commonly used method of gathering user data, cookies are employed by virtually every website to carry out many different operations:
- Identify users through a unique ID
- Keep users signed in to a website
- Recall information to help enhance users' browsing experience (e.g., login credentials, shopping cart inventory, etc.)
- Track browsing activities and preferences for advertising purposes (e.g., behavioral profiling and retargeting)
- Improve a website's overall performance
However, certain cookie categories (such as third-party cookies) can be used to track users all over the web and build detailed profiles of their preferences for marketing purposes.
Because this tracking may intrude on users' privacy and such information is susceptible to data breaches and theft, cookies and similar technologies are heavily regulated by data protection laws like the GDPR and the EU Cookies Directive.
To better understand the privacy implications of using cookies, we need to address two major cookie categories.
First-party Cookies vs. Third-party Cookies
In terms of their provenance, cookies can be classified into first-party and third-party cookies. Let's see how they compare.
- First-party cookies are created and stored on users' devices by the websites they interact with directly. Only the website owner can access the data collected by these cookies.
- Third-party cookies are created and placed on a user's device by domains other than the one a user interacts with directly. As such, the data collected by these cookies are available to external services or agencies.
As noted above, first-party cookies are stored on a user's internet device by the website they visit directly. These cookies are not particularly intrusive by nature. They merely allow the website owner to collect basic information about users and their devices, typically for analytical purposes. No one other than the website owner or operator can access this information.
Ultimately, websites use first-party cookies to enhance the overall browsing experience of users.
Now that we're clear about what cookies are and how they work, let's examine the CCPA and its take on cookies.
To get additional context, it's essential to explain the CCPA/CPRA's meaning of a "sale."
Now that we understand the privacy implications of using cookies, let's check out the requirements and best practices for CCPA (CPRA) cookies compliance.
Note that the CPRA amendment defines consent as follows:
"any freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer or the consumer's legal guardian signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose."
We recommend using a clickwrap method here to ensure that your users have read and authorized your cookie practices.
When we look more closely at how the CCPA (CPRA) defines "unique personal identifier," we can see cookies and similar technologies explicitly cited as unique identifiers in Section 1798.140 (aj):
Since cookies can be used (in conjunction with other identifiers) to recognize a consumer or a household, they fall under this definition.
Moreover, the CPRA clearly classifies cookies as a "Unique Personal Identifier" in Section 1798.140 (aj):
As you can see, cookies are considered personal information for the CCPA/CPRA's purposes.
Cookies are an essential instrument for modern businesses. They perform various critical functions to help websites and apps serve users better. However, some cookies are intrusive and may present threats to user privacy.
The CCPA (CPRA) brings cookies under its definition of personal information, thereby requiring businesses to evaluate their cookie implementation to ensure fair and transparent practices.
Since using third-party cookies does qualify as "selling" personal information, companies must take additional steps to ensure compliance in this regard, as ignorance is not an excuse.
To recap, if the CCPA (CPRA) applies to your business, you need to take the following steps to ensure cookie compliance:
- Provide a "Do Not Sell My Personal Information" page and include links in prominent areas of your website or app
- Provide a way for consumers to submit opt-out requests and honor GPC opt-out signals