The California Consumer Privacy Act (CCPA) went into effect in January 2020, requiring most businesses and organizations with websites to add language to their sites explaining their cookie policy, and to give users the option to reject some or all cookies. Some businesses were well prepared for that rule, because they were already compliant with the EU’s General Data Protection Regulation (GDPR) cookie rules. But for small and medium businesses, the CCPA and cookie consent created some confusion and concern.
In this post, we’ll explain what cookies are and how businesses use them. We’ll also cover GDPR and CCPA cookie consent, and which businesses are required to comply with those requirements, as well as best practices for ensuring compliance.
What is a website cookie?
A cookie is a small block of data that a website or webpage sends to a device. The device stores the cookie and transmits the data back to the source, which authenticates the device and user. When you visit a website that requires you to log in, and the site “remembers” your username and password, that’s because you’ve previously exchanged a cookie with that site.
Cookies can create a better experience for website visitors, particularly on e-commerce sites, where — without cookies — shopping carts could not retain items as shoppers navigate from page to page. But cookies also raise concerns about privacy.
What types of cookies do websites use?
A variety of cookies may exist on websites, and they generally fall into two categories: first-party and third-party.
First-party cookies are created and/or placed on a website by the website’s administrators. These cookies support essential functions (like the shopping cart example we mentioned). They may also collect information about site visitors, such as page views, session duration, and time on site.
Third-party cookies may appear across several websites. These cookies track user behavior across multiple domains and platforms. If you’ve ever visited a website to view a product, then seen an ad for that product when you visited an unrelated site, a third-party cookie has likely tracked your activity online.