The California Consumer Privacy Act introduces stricter provisions for companies processing personal data of individuals. For example, cookies can be seen as personal data and therefore fall under the CCPA. For those already compliant with the GDPR this will be an easy change to adapt to, as the European regulation requires similar changes for the cookie policy.

Transparency is key.

All organisations that need to be compliant with the CCPA will have to disclose their use of cookies. As with the GDPR, strictly necessary cookies, the ones required to make websites function, do not require consent. It is advisable to disclose their use to the website visitors, but it is not required to allow them to deactivate these cookies, if without them, the website would not function properly.

Other types of cookies, such as functionality, performance, or analytics cookies should be optional. The user should consent to their use through a clear, affirmative action. Just like with the GDPR, CCPA requires that phrases like “by continuing to use this website you agree with our use of cookies” disappear from website. In their place, we should see a clear description of each type of cookies used, how many cookies are used for each type, and the option to opt-out of anything that isn’t mandatory for the website to function. While the text of the CCPA, like that of the GDPR is not that specific, these are conclusions that can be drawn from major provisions such as transparency, data subjects’ right to access and to be informed, data minimisation, and all this should reflect in the cookie policy of each company.