Skip to main content

Using Cookiebot for CPA compliance

Christian Degn Andreasen
  • Updated

Select your interface:

manager.png
admin.png

You are currently viewing instructions for the: Manager

If you are already using Cookiebot CMP for GDPR and ePR compliance, follow the guide below to setup your CPA configuration and then see this article on how to setup coexisting configurations on your website to be displayed depending on the visitor's location.

 

Skip introduction and take me to checklist

CPA: An introduction

What is CPA?

The Colorado Privacy Act (CPA) operates based on the consumer right to opt-out of having personal data processed for the purposes of targeted advertising, profiling for decisions that could affect the consumer in a legal or similarly significant way and/or sale. It also requires companies and organizations to obtain the prior consent from end-users if they collect or process sensitive personal data, which we will take a deeper look at below.

This is similar to the EU’s General Data Protection Regulation (GDPR) that has been in effect since 2018.

From July 1, 2023, websites, companies, and organizations who conduct business in Colorado or produce products or services targeted to Colorado residents and control or process personal data of 100,000 or more consumers during a calendar year, or control or process personal data of 25,000 or more consumers and derive over 50 percent of their gross revenue from the sale of that personal data must comply with the CPA’s requirements.

 

What is personal data under CPA?

The CPA defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable natural person (de-identified data or publicly available information is exempt). The CPA also distinguishes between “personal data” and “sensitive personal data”, the latter includes data from users under the age of 13, health and biometric data, geolocation data and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation.

 

Who is required to comply with the CPA?

The CPA applies to companies or for-profit organizations doing business in Colorado or that produces products and services for Colorado residents. If you have a for-profit company located outside of Colorado but you have users from inside Colorado (e.g. by offering online services that Colorado residents use), you are also required to be compliant with the CPA.

 

How to be compliant with Colorado law?

Users must have the option to opt out of personal data being used for so-called targeted advertising.

Targeted advertising is when websites and companies use personal data to tailor marketing campaigns to the users, and is defined in the CPA as advertising that is “selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.”

In other words, under the Colorado Privacy Act (CPA), users inside Colorado must be enabled to opt out of cookies and trackers on websites that collect personal data for the purpose of targeted advertising.

This is usually done through a Consent Management Platform (CMP) that automatically detects cookies and controls them based on the consent state of users, as they navigate a consent banner (also known as a ‘cookie banner’) on the website they visit.

 

 

Want to know more about CPA?

Check out our blog post: Colorado Privacy Act

 

CPA: A Cookiebot checklist

This guide is focusing solely on providing the tools needed to make your website’s use of cookies and online tracking compliant with CPA. Other aspects of the CPA are therefore not covered or addressed in the checklist.

The checklist is not intended as legal advice - if in doubt, seek advice from a trusted legal source or your Data Protection Authority.

 

Step 1: Add your domain

  • Log into the Cookiebot Manager and navigate to the Domains tab.
  • Enter the domain name (excluding https://-part, for example: domain.com)

 

If this is part of a multi-legislation setup with a domain already configured for GDPR/ePR, please leave this field empty!

 

Step 2: Configure your banner type

Colorado Law has the following requirement for the cookie banner:

  • It must show an opt-out option (decline cookies)

Any GDPR compliant banner might also be compliant with CPA. If you only need to set up a cookie banner according to the CPA regulations, you can follow these settings:

  • Navigate to the "Banner" tab
  • Select any banner type that includes a “decline” or “reject all” button
  • In case of sensitive data: If you are using the banner type “multilevel” or “inline multilevel”, make sure you do not have any of the category checkboxes pre-ticked.

 

Geo location settings (optional)

If you wish to only display a banner to visitors in Colorado, you can do so by configuring "Distribution" at the bottom of the page:

Colorado geo selection.png

 

Step 3: Get your scripts

  • Navigate to the "Your scripts" pane
  • Follow the instructions to insert your banner and cookie declaration on your website.
    If you intend to implement Cookiebot CMP by other means than manually adding the script(s) to your template, please refer to our implementation section in the Help Center.

Source:

https://www.cookiebot.com/en/colorado-privacy-act-cpa/

Was this article helpful?
0 out of 0 found this helpful
Return to top

Comments

0 comments

Please sign in to leave a comment.