CCPA Cookies

As cookie usage becomes more widespread today, its associated privacy risks become more evident. In order to help businesses observe open and ethical cookie practices, privacy regulations worldwide, including the comprehensive California Privacy Rights Act (CCPA/CPRA), have provided specific guidance.

In this article, we'll discuss cookies and their privacy implications, the CCPA/CPRA's position on cookies, and the steps businesses must take to stay on the right side of the law when it comes to cookie compliance.

Cookies: An Overview

Cookies are tiny data files stored on users' computer or mobile device browsers when they visit a website. These files typically contain basic information about user browsing patterns and activities, but they can also store a wide range of personal information.

What is the California Privacy Rights Act (CCPA/CPRA)?

The CCPA/CPRA is an amendment to the CCPA. Approved on November 3, 2020, the CCPA/CPRA substantially modifies and improves upon the CCPA's provisions, bringing it a few steps closer to the GDPR.

The CCPA/CPRA also addresses key areas of digital privacy unexplored by the CCPA, including dark patterns, behavioral advertising, and profiling. As a result, the CCPA/CPRA is informally referred to as "CCPA 2.0."

The amendments became fully operative on January 1, 2023.

The CCPA/CPRA expands several privacy rights already established in the CCPA and grants California residents additional rights over their personal information.

These rights are as follows:

  • The right to correct outdated or inaccurate personal information
  • The right to access information about and opt out of automated decision-making technology
  • The right to limit the use and disclosure of sensitive personal information (e.g., identification numbers, financial details, racial or ethnic origins, biometric data, sexual orientation, etc.)

What's more, the CCPA/CPRA establishes the California Privacy Protection Agency (CPPA) to oversee data protection standards and enforce California's consumer privacy laws.

Finally, the CCPA/CPRA updates the CCPA's definition of a business, thereby amending its scope of coverage. Let's take a look.

What is a "Business"?

According to the CCPA/CPRA, a "business" refers to any profit-driven organization that:

  1. Operates in California

  2. Decides the purposes and means of processing consumers' personal information, and

  3. Meets one or more of the following criteria:

    • Has an annual gross revenue exceeding $25 million in the preceding calendar year
    • Buys, sells, or shares the personal information of at least 100,000 consumers or households each year, or
    • Derives at least 50% of annual revenue from selling or sharing consumers' personal information

Now that we have a basic understanding of cookies and the CCPA/CPRA, let's answer a few common questions about the CCPA/CPRA's treatment of cookies.

Frequently Asked Questions about Cookies and the CCPA/CPRA

To clear up confusion about the privacy implications of using cookies under the CCPA/CPRA's jurisdiction, consider the following questions.

Are Cookies Personal Information Under the CCPA/CPRA?

The CCPA/CPRA amendments consider cookies and similar technologies as personal information.

What Does the CCPA/CPRA Say about Third-party Cookies and "Sale"?

The CCPA/CPRA brings an end to a long-standing debate about whether using third-party cookies constitutes a "sale" of personal information.

A sale occurs when you disclose a consumer's personal information to a third party for money or other valuable consideration.

Given the CCPA's ambiguous term, "valuable consideration," it's no surprise that businesses have struggled to determine if their use of third-party cookies can be flagged as a "sale."

The CCPA/CPRA resolves this issue by simply introducing the term "sharing."

Sharing occurs when you disclose a consumer's personal information to a third party, whether or not for money or other valuable consideration.

Note that the standard CCPA exceptions apply to the definition of "sharing" under Section 1798.40 (ah) (2):

California Legislative Information: CCPA/CPRA Section 1798 40 ah 2 - Exceptions to the definition of sharing

Now, while the CCPA grants consumers the right to opt out of the "sale" of their personal information, the CCPA/CPRA extends this right to include the "sharing" of personal information and sensitive personal information.

In other words, as long as you disclose a consumer's personal or sensitive information to a third party, you must provide a way for the consumer to opt out.

Notably, the CCPA/CPRA's definition of "sharing" covers any disclosure of personal information for cross-context behavioral advertising. This means you are either selling or sharing data once you use third-party cookies (unless one of the above exceptions applies).

In any case, you must observe the CCPA/CPRA's additional obligations for businesses that sell or share personal information (which we'll cover in the next section).

Now, let's go over what the CCPA/CPRA requires if you use cookies, including if you sell or share personal information through third-party cookies.

Requirements and Best Practices for CCPA/CPRA Cookies Compliance

Businesses that use cookies on their websites or apps are subject to a number of requirements under the CCPA/CPRA amendments. The regulation also outlines additional obligations for companies that sell or share personal information, including through third-party cookies.

Here are some significant steps to take if you fall under either or both of these categories.

Provide Cookie Information in Your Privacy or Cookies Policy

The CCPA/CPRA is a strong advocate of transparency. Accordingly, the law requires you (as a website owner) to provide consumers with a detailed account of your cookie practices.

Like with the CCPA, you can either address cookie information in a section of your Privacy Policy or on a separate webpage in your Cookies Policy. It's simply a matter of preference.

Importantly, you must perform periodic cookie audits to identify relevant web domains and categorize cookies appropriately.

Your compliant Cookies Policy must address the following:

  • The categories of cookies you use on your website and their purposes
  • The types of personal or sensitive information these cookies collect, and their purposes
  • Cookie expiration dates
  • How consumers can exercise their right to opt out of cookies
  • The third parties to whom you sell or with whom you share personal information and the reasons for such
  • Information about children's right to opt in

For example, Nike presents information about cookies and similar technologies within a section in its Privacy Policy:

Nike Privacy Policy: Cookies and Pixel Tags clause

Notably, Nike doesn't cover all of the essential details listed above. However, the CCPA/CPRA's criteria can be met by merely updating this clause to reflect the necessary information.

Observe CCPA/CPRA Guidelines for Limiting the Sale, Sharing, and Use of Personal and Sensitive Information

As previously mentioned, the CCPA/CPRA broadens the scope of the CCPA's opt-out provision by adding the word "sharing."

Effectively, if you either sell or share personal information (including through third-party cookies), you must set up a page explaining how consumers can exercise their right to opt out.

In addition, you must provide a link to this page titled, "Do Not Sell or Share My Personal Information," and place this link in conspicuous locations around your website (such as your footer section and Privacy Policy).

Update Your "Notice at Collection"

The CCPA/CPRA expands the required information businesses must address in their CCPA "Notice at Collection." If your business collects consumers' personal information, including through cookies, you must present this notice at or before the data collection point.

Like with the CCPA, the CCPA/CPRA allows you to insert this notice as a section within your Privacy Policy.

Briefly, your "Notice at Collection" must provide the following details:

  • The categories of personal information or sensitive personal information you collect from consumers
  • Your purposes for collecting it
  • How long you intend to retain personal information
  • A link to your "Do Not Sell or Share My Personal Information" page (if applicable)
  • A link to your Privacy Policy

Set Up a Cookie Consent Banner

A cookie consent banner is commonly used as an alternative medium to help consumers submit opt-out requests specifically regarding cookies.

To use this medium appropriately, businesses must provide "a single, clearly-labeled link" on their website or app. Moreover, this link must allow consumers to simultaneously opt out of selling or sharing their personal information and limit the use or disclosure of their sensitive personal information.

Here's how the CCPA/CPRA discloses this requirement in Section 1798.135 (a) (3):

California Legislative Information: CCPA/CPRA Section 1798 135 a 3 - Opt-out methods

Since the CCPA/CPRA adopts the opt-out consent system, you can store cookies on consumers' devices without explicit consent through your cookie preference center.

However, your cookie consent banner must reveal this practice to consumers and provide an "I decline" button or a link to your settings/preference center for consumers to submit opt-out requests. You must also include a link to your Privacy/Cookies Policy for a more detailed explanation of your practices.

Remember to obtain opt-in consent before using third-party cookies for minors (below 16 years). They must click an "I accept" button or tick an empty checkbox before you can place cookies on their devices.

In light of this, you may consider implementing the opt-in consent system for all consumers, as it also helps protect you from accidentally selling or sharing personal information through third-party cookies.


Cookies are a core component of modern web technology. While most cookies are harmless, others are quite invasive of user privacy and have stirred up a lot of controversy.

For this reason, privacy laws like the CCPA have been enacted to regulate how companies collect and manage consumers' personal information, including information collected through cookies. And the CCPA's amendment, the CCPA/CPRA, adds more privacy protection for consumers.

In order to strengthen digital privacy in California, the CCPA/CPRA introduces several new terms, such as consent, profiling, cross-context behavioral advertising, sensitive personal information, and sharing.

The CCPA/CPRA also clarifies several vague provisions in the CCPA, including the complicated relationship between third-party cookies and the sale of personal information.

To recap, if you use cookies and are subject to the CCPA/CPRA, here's a quick rundown of your cookie compliance responsibilities:

  • Provide cookie information in your Privacy Policy and/or Cookies Policy
  • Observe the CCPA/CPRA's method of limiting the sale, sharing, and use of personal and sensitive information
  • Update your CCPA "Notice at Collection" to accommodate the CCPA/CPRA's additional provisions
  • Set up a CCPA/CPRA-compliant Cookie Consent Banner