How Do the CCPA and GDPR Affect Cookie Policy?

By Anas Baig

Data regulations such as the CCPA and GDPR are pushing organizations to be responsible custodians of consumer data. To do so, organizations need to keep track of every avenue through which a consumer’s data can be collected, and store that data in compliance with the CCPA and GDPR. One avenue that is easily overlooked is the cookies dropped by an organization’s own website.

When a user visits a website for the first time, the server assigns them a distinctive, user-specific identifier. This identifier is stored in a cookie on the phone or computer on which the browser is running. When the user returns to the website, the browser sends the cookie back to the server, allowing the website to recognize the user. In other words, cookies give the otherwise stateless HTTP protocol a memory that persists across requests.

Because these cookies can be used to track a consumer’s behavior, they process personal data and surfing habits. Privacy regulations therefore require organizations to have a consent form on their websites that clearly states which cookies are being set and how they will be used. The consumer then decides whether or not to give consent for those cookies.

Contrary to what some users may think, cookies are not inherently malicious. If an antivirus scan flags a tracking cookie, that cookie is not malware in the sense of viruses, worms, Trojans, spyware, adware, or ransomware. Among the cookie regulations in force around the world, the CCPA and GDPR are the most extensive data privacy regulations, and each sets its own cookie consent requirements that organizations must meet.

GDPR Cookie Consent Requirements

The GDPR requires organizations to obtain freely given consent from consumers before storing or processing any of their personal data, including the cookies dropped on their website. Websites and apps used by visitors from the EU must implement a consent banner that complies with the GDPR, and that banner has to have several pieces in place.

Consent Requirements

Under the GDPR, consumers need to be fully informed about the types of cookies that are being stored and why they are being stored before they can give consent. Specifically, consent needs to be:

  1. Freely given: The consent must be given on a voluntary basis.
  2. Specific: The consent must relate to a particular purpose.
  3. Informed: The consumer must be fully aware of what they are consenting to.
  4. Unambiguous: The consumer must give either a statement or a clear affirmative act.

Cookie Policy

The GDPR requires organizations to have the following points included in their cookie policy:

  • What information is collected
  • What you do with consumer information
  • How you protect consumer information
  • If you disclose any information to third parties
  • How you store consumer information
  • How users may access, migrate, request rectification, restriction or deletion of information

CCPA Cookie Consent Requirements

The CCPA also requires organizations to inform users about their use of cookies and its purposes, and to give them the option to opt out of the sale of their personal data. The CCPA sets out what must be included in the cookie policy and what a cookie banner must contain in order to stay compliant.

Consent Requirement

Under the CCPA, organizations are required to have a “do not sell my information” button clearly visible on their website. This can be incorporated into the cookie consent banner, which clearly states the cookie policy and gives the consumer the option to either accept these cookies or opt out.

Cookie Policy

The CCPA requires organizations to have the following points included in their cookie policy:

  • What types of cookies are set
  • How long these cookies persist in the user’s browser
  • What data and categories are tracked and collected
  • For what purpose the data is collected
  • Where the data is sent and with whom it is shared
  • How to reject cookies, and how to subsequently change the cookie settings

Adding a cookie banner along with the cookie policy is a way to stay compliant with privacy regulations as well as build trust among customers.
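The consent requirements above (no non-essential cookies before a clear affirmative choice, a CCPA-style opt-out of sale, and withdrawal that is as easy as giving consent) are easiest to get right when every cookie write goes through one gate. The following is an added example, not code from the article or from any vendor’s consent tool. It assumes a cookie registry (the hypothetical `REGISTRY`, mirroring the inventory a cookie policy must list) and an injectable cookie store, so it runs under Node with an in-memory store; in a browser the same `ConsentManager` would be given an adapter over `document.cookie`.

```javascript
// Consent-gated cookie manager (added example; not from the article).
// Cookies are grouped by category. Only strictly necessary cookies are written
// without consent; everything else waits for an explicit choice, and consent can
// be withdrawn or narrowed (CCPA "do not sell") at any time.

const CATEGORIES = Object.freeze({
  NECESSARY: "necessary",   // exempt from consent (session id, CSRF token, ...)
  ANALYTICS: "analytics",
  MARKETING: "marketing",   // cookies that amount to a "sale" or sharing under the CCPA
});

const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 2; // bump whenever the cookie policy text changes

// In-memory store with the same surface a document.cookie adapter would expose.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, attrs) { this.jar.set(name, { value, attrs }); }
  get(name) { const c = this.jar.get(name); return c ? c.value : undefined; }
  delete(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

// Serialise attributes the way a Set-Cookie header carries them.
function formatAttrs({ maxAge, path = "/", secure = true, sameSite = "Lax" }) {
  const parts = [`Path=${path}`, `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

class ConsentManager {
  constructor(store, registry) {
    this.store = store;
    this.registry = registry; // cookie name -> { category, maxAge }
    this.consent = this.loadConsent();
  }

  loadConsent() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      // Consent given under an older policy version does not carry over.
      return parsed.version === CONSENT_VERSION ? parsed : null;
    } catch { return null; }
  }

  // Record an explicit per-category choice; silence or a missing key is never consent.
  // Returns the names of cookies removed because their category is no longer allowed.
  recordConsent(choices, nowMs = Date.now()) {
    this.consent = {
      version: CONSENT_VERSION,
      timestamp: nowMs, // kept as the record of when and to what the user consented
      categories: {
        [CATEGORIES.ANALYTICS]: choices[CATEGORIES.ANALYTICS] === true,
        [CATEGORIES.MARKETING]: choices[CATEGORIES.MARKETING] === true,
      },
    };
    this.store.set(CONSENT_COOKIE, JSON.stringify(this.consent), formatAttrs({ maxAge: 180 * 24 * 3600 }));
    return this.purgeUnconsented();
  }

  // CCPA-style "do not sell my information": drop marketing consent, keep other choices.
  optOutOfSale(nowMs = Date.now()) {
    const current = this.consent ? this.consent.categories : {};
    return this.recordConsent({ ...current, [CATEGORIES.MARKETING]: false }, nowMs);
  }

  // GDPR-style withdrawal: one call removes every non-essential cookie.
  withdrawAll(nowMs = Date.now()) { return this.recordConsent({}, nowMs); }

  isAllowed(category) {
    if (category === CATEGORIES.NECESSARY) return true;
    return Boolean(this.consent && this.consent.categories[category]);
  }

  // The single path through which application code writes cookies.
  setCookie(name, value) {
    const meta = this.registry[name];
    if (!meta) throw new Error(`cookie "${name}" is not declared in the cookie policy registry`);
    if (!this.isAllowed(meta.category)) return false;
    this.store.set(name, value, formatAttrs({ maxAge: meta.maxAge }));
    return true;
  }

  purgeUnconsented() {
    const removed = [];
    for (const name of this.store.names()) {
      const meta = this.registry[name];
      if (meta && !this.isAllowed(meta.category)) { this.store.delete(name); removed.push(name); }
    }
    return removed;
  }
}

// Constructed registry (hypothetical names): the cookie policy's inventory as data.
const REGISTRY = {
  sessionid: { category: CATEGORIES.NECESSARY, maxAge: undefined },
  _ga_like:  { category: CATEGORIES.ANALYTICS, maxAge: 2 * 365 * 24 * 3600 },
  ad_id:     { category: CATEGORIES.MARKETING, maxAge: 90 * 24 * 3600 },
};

// Walk one consent lifecycle and return the observable states.
function demo() {
  const store = new MemoryCookieStore();
  const cm = new ConsentManager(store, REGISTRY);
  const beforeConsent = [cm.setCookie("sessionid", "s1"), cm.setCookie("_ga_like", "GA1"), cm.setCookie("ad_id", "ad1")];
  cm.recordConsent({ analytics: true, marketing: true });
  const afterConsent = [cm.setCookie("_ga_like", "GA1"), cm.setCookie("ad_id", "ad1")];
  const removedOnOptOut = cm.optOutOfSale();
  const reloaded = new ConsentManager(store, REGISTRY); // consent survives a page reload
  const removedOnWithdraw = reloaded.withdrawAll();
  return { beforeConsent, afterConsent, removedOnOptOut, removedOnWithdraw, remaining: store.names() };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The registry is the piece worth keeping in step with the written policy: every cookie the site sets must appear there with its category and lifetime, which is exactly what both the GDPR and CCPA lists above ask the policy to disclose. Bumping `CONSENT_VERSION` when the policy changes forces a fresh choice rather than silently reusing consent given for an older set of purposes.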


To remain compliant, organizations need to create a cookie banner and cookie policy that follow the guidelines set by global privacy regulations. Cookie banner templates are easy to find online, but a template alone is not the solution. Organizations need to make cookie privacy part of their overall privacy strategy, as an ongoing practice rather than a one-time task. To do this, organizations will need to rely on automation if they hope to comply with cookie consent requirements and the other obligations of global privacy laws.
