GDPR and CCPA
GDPR regulations apply to any EU company. GDPR requires that all personal data that is collected and/or processed is made transparent, including the disclosure of the purpose for data collection.
1. Main legislation:
GDPR applies in the circumstances where cookies work as online identifiers (e.g. a user authentication cookie would involve the processing of personal data, as it is used to enable the user to log in to their account at an online service).
Consent is required for all types of cookies (but not for strictly necessary cookies*).
Consent can be asked only once, but it is recommended to refresh after a certain period of time.
Consent can be withdrawn at any time and in an easy way.
Consent needs to be a positive action (e.g. pre-ticked boxes or 'on' sliders cannot be used). Consent banners that are difficult to read on mobile devices also fail this requirement.
The duration of cookies needs to be determined (as a period of time and/or a number of visits to the website); it can also be set by national legislation.
Note: The above requirements also apply for Statistics Cookies (performance cookies). These cookies collect information about user behavior on a website, such as which pages they visited and which links they clicked on.
*Strictly Necessary Cookies: Cookies that are needed in order for a website to carry out online communication.
User-input cookies (session-id) such as first-party cookies to keep track of user input when they fill out online forms, place items in digital shopping carts, etc.
Authentication cookies are used to identify the users once they are logged in.
User-centric security cookies are used to detect authentication misuse.
Multimedia content cookies include player cookies that are used to store technical data that is needed in order for the user to play video or audio content.
Load-balancing cookies: load balancers use a specific load-balancing cookie to track the instance of each request to each listener.
User interface customization cookies include, for example, language or font preferences (these can be first or third-party cookies).
Responsibilities under the GDPR
Define (and explain) which cookies are used (applicable also for 3rd party cookies), their purpose, and their duration.
Document and store consent
Obtain consent for all types of cookies and document it
Control how long the cookies are stored for
Inform users about the possibility of revoking consent
Allow users to access the website even if they reject all cookies
Allow users to access the website even if they reject all non-necessary cookies
If cookies imply the collection of personal data, then the customer needs to be in compliance with the GDPR as a data controller
We will be classified as data processors
CCPA (California Consumer Privacy Act)
The California Consumer Privacy Act is a set of regulations that apply to any organization that collects personal data on any California resident.
CCPA regulations apply to any organization that meets two criteria:
Data collected by cookies is considered to be personal information. CCPA does not require businesses to gain opt-in consent for cookies, but it does require that companies disclose what data is being collected by cookies and what is done with the data. Additionally, businesses need to take steps to comply with the option for their website users to opt-out of the sale of personal information collected by cookies.
"Personal information is sold and this might include information obtained by cookies."
For additional information see:
APA: Australia's Privacy Act includes thirteen codes of conduct with regards to the disclosure of personal information. Websites, companies, and organizations that operate in Australia must follow these codes of conduct in order to be compliant.
SHIELD: The Privacy Shield Program Overview is a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
PIPEDA: The Personal Information Protection and Electronic Documents Act of Canada applies to transfers of personal information to a third party operating outside of Canada.