Using Cookiebot CMP for CCPA/CPRA compliance – Cookiebot Support

If you are already using Cookiebot CMP for GDPR and ePR compliance, follow the guide below to set up your CCPA configuration and then see this article on how to setup coexisting configurations on your website to be displayed depending on the visitor's location.

California Privacy Rights Act (CPRA) – what, when and consequences for your website?

The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020.

It underscores California’s position as the US frontier in data privacy legislation, as it significantly expands upon the existing California Consumer Privacy Act (CCPA) that took effect on January 1, 2020.

In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA – strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.

The California Privacy Rights Act (CPRA) goes fully into effect on January 1, 2023. Enforcement is scheduled to begin on July 1, 2023 – with a so-called lookback period to January 1, 2022, meaning data collected from that date on is liable for compliance.

Want to know more about CPRA?

Check out our blog post: California Privacy Rights Act (CPRA)

CPRA requirements for CMPs

The CPRA is meant to generally regulate the data collection, storage, processing, and sharing practices of for-profit businesses doing business in California.
When it comes to a business' website, the following measures must be in place:

A means to opt out of the sharing and sale of personal information
Visitors must be provided with a mechanism that allows them to opt out of the sharing and sale of personal information to third parties.
The wording must specifically be: "Do not sell or share my personal information"
Honoring the GPC signal
The GPC signal allows an individual to control their preferences on a single browser so that participating websites can automate privacy browsing preferences across the web from a single place. It is a mechanism for consumers who want a comprehensive option that broadly signals the consumer’s opt-out request, as opposed to going website by website to make individual requests, which would be time-consuming, burdensome, and confusing for some consumers.
Cookiebot CMP actively monitors for the GPC signal and triggers an automated opt-out when the signal is enabled in a visitor's browser.
Double opt-in
Providing visitors with the option to opt-in again manually after an initial opt-out, either by initially opting out, or by the CMP honoring the GPC signal.

CPRA: a Cookiebot checklist

Setting up your Cookiebot CMP subscription for CCPA/CPRA compliance is easy.
Follow the steps below and you are all set.

Step 1: Add your domain

Log into the Cookiebot Manager and navigate to the Domains tab.
Enter the domain name (excluding the "https://" part, for example: domain.com)

If this is part of a multi-legislation setup with a domain already configured for GDPR/ePR, please leave this field empty!

Step 2: Configure your banner type

Navigate to the Dialog pane
Select the "Do Not Sell (Opt-in)" banner type in the dropdown menu labeled "Type"

This provides the "Right to opt-out" in the initial consent submission. Furthermore it makes provisions for the "Right to opt-out of automated decision making" and allows a visitor to opt in after an initial (automated) opt-out.^*

^*This is referred to as "Double opt-in".

The display banner setting

The checkbox labeled "Display banner" determines whether a banner is displayed to ask for consent.

Mark the checkbox if you would like the banner to display and offer the "Do not sell or share my personal information" option to all new visitors (a CCPA requirement under some circumstances including when targeting visitors under the age of 16).

Displaying the banner gives the user a choice on whether tracking may take place.
If left unticked, the banner will not be displayed and visitors will not be asked for their consent. Tracking will automatically be enabled on your website.

You must provide a means of withdrawing consent for visitors so they can exercise their "Right to Restrict Sensitive Personal Information".
To enable this, you can enable the Cookiebot CMP Privacy trigger, provide a link to withdraw consent, or point to your privacy policy (with the Cookiebot cookie declaration embedded) to offer a consent withdrawal option, and to provide the required information through our cookie declaration.

We recommend that you provide (a) withdrawal option(s) as part of your standard template to allow your visitors to withdraw their consent from any page on your website.

Geo location settings ^(optional)

If you wish to only display a banner to visitors in California, you can do so by configuring "Distribution" at the bottom of the page:

Step 3: Get your scripts

Navigate to the "Your scripts" tab
Follow the instructions to insert your banner and cookie declaration on your website.
If you intend to implement Cookiebot CMP by other means than manually adding the script(s) to your template, please refer to our implementation section in the Help Center.