
Differentiating Between CCPA & GDPR Users



  • Official comment
    Richard van der Velde

    Hi Tobias (and Nathan),

    The command Cookiebot.serial returns the CBID. You can also access whether or not the user has opted for "Do Not Sell My Information" by executing Cookiebot.doNotTrack; this returns "true" if this is the case.
    To figure out which categories are opted in or out of, you can use:
    • Cookiebot.consent.preferences
    • Cookiebot.consent.statistics

    If one of these returns "true", then tracking in this category is permitted. Conversely "false" means that tracking in this category isn't permitted.

    In regards to the actual selling of data: Cookiebot has no way of knowing whether or not data is being collected for the purpose of being sold. It simply restricts the possibility of data collection, which could then be potentially sold.

  • Nathan Dierks

    I would like an answer to this as well. It would be useful to find out how Cookiebot is determining which cookies are selling data to third parties, since this is something that the account owner should be specifying somewhere, not leaving up to Cookiebot.

  • Tobias

    Hi Richard,

    Unfortunately, Cookiebot.serial is always set to the main domain group CBID; it doesn’t change to reflect the geo-specific group when using a multiple domain group setup. If it did reflect the geo-specific group, it’d be a hackish but almost workable solution. The only problem would be that it would represent the jurisdiction that the user is currently in rather than the jurisdiction that they originally set their preferences in. For instance, if a European user blocked all cookie categories and then went on a holiday to California, I’d like to know that their original cookie was set in the EU so that they could continue to be treated as GDPR users. If you are going to offer the ability to run multiple domain groups on one site, this would seem to be some very basic and required functionality to me.

    As far as Cookiebot.doNotTrack goes, my testing would suggest that it has nothing to do with whether the user opted for “Do Not Sell My Information”. It appears to be mapped to the browser setting “Do Not Track”, which is an entirely different beast.

    Regarding your last sentence, I’m not asking for Cookiebot to decide if a cookie represents a “sale” and then act on that; it would be way too complex and error-prone. All I’m asking for is a way to know which jurisdiction is applicable to the current user so that we can make the judgement call on whether a sale is involved or not and block or allow on a case-by-case basis.

    As it stands, Cookiebot seems like a decent solution for the GDPR, but quite unworkable for both GDPR and CCPA on the same website. Simply saving the original CBID in the cookie would totally change that and allow fine-grained control to optimise while still meeting the requirements of both GDPR and CCPA.
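
The scenario in the last comment (a visitor who set preferences in the EU and later browses from California) can be handled on the site side by pinning the jurisdiction at first consent. The sketch below is an added example, not part of the thread and not Cookiebot code; only `Cookiebot.serial` and `Cookiebot.consent.<category>` come from the thread, while the storage key, the regime labels, the site's own geo lookup that supplies `currentRegime`, the `tag.sale` flag and the policy in `mayLoad` are assumptions.

```javascript
// Added example, not Cookiebot code. From the thread: Cookiebot.serial and
// Cookiebot.consent.<category>. Assumed: the storage key, the regime labels,
// the site's own geo lookup that supplies `currentRegime`, and the tag.sale flag.
const KEY = "consent_regime_v1"; // hypothetical first-party storage key
const REGIMES = ["GDPR", "CCPA"];

// Constructed stand-in for window.localStorage so the example runs offline.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Pin the regime in force when the visitor first answered the banner.
// A later visit from another region returns the original record unchanged.
function pinRegime(storage, currentRegime, cb) {
  try {
    const rec = JSON.parse(storage.getItem(KEY));
    if (rec && REGIMES.includes(rec.regime)) return rec;
  } catch (_) { /* corrupt record: fall through and pin again */ }
  // Unknown region: fall back to the opt-in rules.
  if (!REGIMES.includes(currentRegime)) currentRegime = "GDPR";
  const rec = { regime: currentRegime, serial: String((cb && cb.serial) || "") };
  storage.setItem(KEY, JSON.stringify(rec));
  return rec;
}

// Fail closed: a category counts as permitted only when its flag is exactly true.
function permitted(cb, category) {
  return Boolean(cb && cb.consent) && cb.consent[category] === true;
}

// Assumed site policy: GDPR-pinned visitors are opt-in per category. CCPA-pinned
// visitors get tags the site owner has explicitly marked sale:false; tags marked
// as a sale, or not marked at all, still need the category flag.
function mayLoad(tag, cb, rec) {
  if (rec.regime === "CCPA" && tag.sale === false) return true;
  return permitted(cb, tag.category);
}
```

The pinned record lives in client-side storage, so it should be cleared whenever the visitor renews or withdraws consent.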

