A Cookie Banner Isn't Enough for CCPA Compliance
There are a lot of misconceptions surrounding cookie banners and data privacy laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). The proliferation of cookie pop-ups and consent banners has led many to believe they are required, even when they are not (they are required in Europe, but more on that below). More dangerously, some believe that adding a cookie banner to their website is all that is required for privacy compliance, which is definitely not the case.
To help clear up these misunderstandings, here are answers to some of the most frequently asked questions about cookie banners and privacy compliance.
What Is a Cookie Banner?
A cookie banner is a pop-up (usually along the bottom of a web page) that informs visitors about the types of cookies being used and gives them a choice to accept or reject each category of cookies.
This is distinguished from a simple cookie notice, which just notifies visitors that the site uses cookies and directs them to the main privacy policy for more information (with no option to reject cookies).
Does the CCPA Apply to Cookies?
Yes. The CCPA applies to “personal information,” which is any information that relates to or is reasonably capable of being linked to a particular person. This includes online identifiers like cookies.
Does the CCPA Require a Cookie Banner?
The CCPA does not specifically require a cookie banner, and does not require prior consent for most data processing. It does require businesses to make certain privacy disclosures at the point of collection, but in most cases this can be accomplished by providing a link to a privacy policy.
This may come as a relief to many businesses, as cookie banners can lead to a dropoff in analytics and marketing effectiveness.
What About Other State Privacy Laws?
None of the U.S. state privacy laws going into effect in 2023 require a cookie banner.
Is a Cookie Banner Good Enough to Handle Opt-Out Requests?
Consumers have a right to opt out of the sale of their personal data and its use for behavioral/targeted advertising. Though targeted advertising is primarily carried out via cookies, adding a cookie banner to your website is not enough to be compliant. In its recently proposed regulations, the California Privacy Protection Agency had this to say on the subject:
A notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information.
Businesses that engage in targeted advertising cannot rely on their cookie banner for opt-out requests. They will still have to provide an opt-out link on their site, and a process that specifically stops the sharing of consumers’ personal data for use in targeted advertising.
Does the GDPR Require a Cookie Banner?
Short answer: Yes.
Technically, cookie banners are required in Europe under a different law called the ePrivacy Directive, but the end result is that businesses that are required to comply with the GDPR must have a cookie banner. Any cookies that are not strictly necessary for the functioning of the website require the visitor’s affirmative consent before being placed. Additionally, visitors must have the opportunity to accept/reject cookies by category, not just an all-or-nothing option.
European Union member states are currently negotiating an updated version of the law—the ePrivacy Regulation—which may change the requirements.
Multi-Jurisdictional Compliance
Cookie banners are just one small part of the growing complexity of privacy compliance. Businesses that operate online must now navigate a patchwork of different laws and requirements, an environment that is bound to cause confusion and lead to missteps.
TrueVault Polaris simplifies these complexities. In one single platform, businesses can manage their compliance with privacy laws across multiple jurisdictions. Designed by attorneys, Polaris is a software solution that helps businesses get compliant and stay compliant, all on their own. Contact our team to learn more and schedule a demo.