Does California Require Cookie Consent?

The U.S. has a mosaic approach to data privacy with laws and regulations based on a per state or per industry basis. California is at the vanguard of U.S. data and privacy protections. In 2018, the Governor of California approved the California Consumer Privacy Act (CCPA).

Since then, the CCPA lauded as a landmark in consumer privacy rights has defined the landscape in U.S. consumer privacy protection. An update to the CCPA, the California Privacy Rights Act (CPRA) sometimes called the CCPA 2.0 further changed how a business manages its cookie consent.

Here is a look at how the CPRA may impact your business.

When does the CPRA come into place?

The CCPA was widely criticized for being less stringent than its EU counterpart the GDPR. The result has been a tightening up of the vagaries of the law with an enhancement known as CCPA 2.0 or CPRA (California Privacy Rights Act).

The CPRA potential affects for-profit companies that collect, analyze, and store the data of persons resident in California. The CPRA comes into effect from January 1, 2023, with enforcement from July 1, 2023.

However, it is important to note that the bill will apply to any personal information collected by companies from January 1, 2022. 

How is the CPRA different from the CCPA?

The CPRA is an extension of the CCPA rather than a completely new law, the former building on the latter as a foundation stone. New areas covered by the CPRA mirror some of the stricter aspects of the GDPR including the right to rectification of data and the addition of new categories of sensitive data.

The more stringent elements of the CPRA impact how data is collected and managed, this then is reflected in how a website captures and uses consent and cookies.

The new category of Sensitive Personal Information (SPI) sets a more stringent baseline for compliance that maps closely to the GDPR. Regarding SPI, there is a consumer right to restrict how a business uses these data for profiling.

SPI includes a variety of data such as identity documents, financial account numbers, race, ethnicity, religion, personal communications, genetic data, etc. As such, this part of the regulation can have far-reaching consent impacts on a business.

Transparency is held sacrosanct by the CPRA, and businesses need to ensure that consumers are presented with clear details on what their data is being used for. To this end, there is a focus on the regulation that manages the privacy associated with behavioral advertising: as such, "opt-out signals" are an integral part of the definition infrastructure of the CPRA.

Cookies, consent, and opt-out signals in the CPRA

Consent within the CPRA reflects the definition of consent as defined in Article 4 of the GDPR that uses the loaded phrase "clear affirmative action". The CPRA defines consent as:

"any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose."

The CPRA definition is in line with the GDPR and carries more weight than any privacy definition of consent seen previously in the USA. This redefinition defines how a business website interacts with customers and how cookies are presented and used.

Cookies are those little snippets of data that help make a website easier to use but also provide enormous amounts of tracking power to a company. Under both the CCPA and CPRA, cookies are personal data.

Both the CCPA and CPRA give examples of the elements of a "Unique identifier" or "Unique personal identifier" that includes web cookies. As such, cookies are an integral part of the enforcement of the CPRA.

The CPRA, cookies and opt-out consent impact the following areas:

Cookie walls

Both the GDPR and CPRA frown upon the use of 'cookie walls' i.e., forcing a user to choose all cookies before they can use a website. A user must be given the option to opt-out of cookies altogether without being penalized, e.g., disallowed access to web content, for doing so.

Limit the use of data and SPI

The website's processing and handling of SPI and personal data both need to be covered by opt-out options in Section 9 of the CPRA. The CPRA places emphasis on the ability for an individual to opt-out of data being used for "cross-context behavioral advertising".

A company will be expected to show links to website visitors that demonstrate the option to "Limit the Use of My Sensitive Personal Information" and "Do Not Sell or Share my Personal Information". This means that an organization must allow consumers to opt-out of the sale and/or sharing of their data, including for use in cross-site behavioral advertising.

A business is allowed to offer a double-opt-out banner that both limits the use and disclosure of SPI and opts out of the sale and sharing of personal information.

Alternatives to opt-out on-site banners

If a website designer prefers to use alternatives to web links to offer opt-out options, there is an option in the CPRA that provides for an organization to offer consumers a way to opt-out via "platform, technology, or mechanism."

The CPRA text specifies three choices in choosing an opt-out:

1. A global opt-out from sale and sharing of personal information, including a direct/on to limit the use of sensitive personal information;

2. a choice to "Limit The Use Of My Sensitive Personal Information"; and,

3. a choice titled "Do Not Sell/Do Not Share/Do Not Share My Personal Information for Cross-Context Behavioral Advertising."

In addition, the consent should be taken in a "consumer friendly, clearly described, and easy to use" way.

Dark patterns of cookie abuse

The CPRA specifically calls out as non-compliant, the use of "dark patterns" i.e., a user interface designed to trick users into doing certain actions. Using so-called dark patterns for opt-out requests is disallowed under CPRA. Dark patterns come in many forms, but a typical poor practice would be to obfuscate consent actions within longer text.

In the EU, privacy activist Max Schrems and his organization NOYB are focusing on dark patterns in cookie banners. So far, NOYB has issued 422 GDPR complaints and intends to extend this to at least 10,000 websites. The top three cookie violations discovered by NOYB were:

1. More difficult to withdraw consent than to give consent

2. No reject option on the first layer

3. Deceptive buttons - color or contrast

These actions are currently focused on the EU, but organizations should brace themselves for an extension of such actions that cover the CPRA's territory.

Enforcement and futures

The CPRA has formed an agency, the California Privacy Protection Agency, specifically to enforce the requirements of the regulation. This agency will work to "ensure that businesses and consumers are well-informed about their rights and obligations." This agency will also set out the specifics on rules over the coming period, up to and including, the enforcement of CPRA.

This is likely to include areas such as the types of opt-out mechanisms used in the consent to "sell" and/or "share" personal and SPI data for cross-context behavioral advertising purposes. As technology evolves and as cookies come under the privacy spotlight as is the current situation in the EU, the mechanisms of consent are likely to be impacted. It is important to maintain a watchful eye over the situation via-a-vis cookies and regulatory compliance.