California Consumer Privacy Act (CCPA)

Bubble,

How do we make sure we are CCPA compliant? How would we go about creating a consent form like this (See video below) so the user can turn on and off cookies in Bubble? @eve maybe you can point us in the right direction on who to ask about this? Thanks!

Also, any other details on how to make sure we are CCPA compliant with Bubble would be great. It begins July 1st, 2020.

For example: Just like with the GDPR, CCPA requires that phrases like “by continuing to use this website you agree with our use of cookies” disappear from websites. In their place, we should see a clear description of each type of cookies used, how many cookies are used for each type, and the option to opt-out of anything that isn’t mandatory for the website to function.

CCPA-compliant cookie policy

CCPA requires companies to have policies which disclose information about their use of cookies and data collection practices.

In order for businesses to have a truly CCPA-compliant cookie policy, it should include information regarding:

CCPA cookie consent

Unlike the GDPR, CCPA cookie consent is based on an opt-out mechanism, instead of an opt-in one. Thus, websites can load cookies, but are obliged to provide users with an easy way of opting out of them at any moment. The California Consumer Privacy Act requires businesses to inform consumers before or at the point of collection of their personal data, but does not require prior, explicit cookie consent. That’s why we’ve built Clym with the flexibility to either opt-in or opt-out depending on the geographic area where visitors are located.

Similarly to the GDPR, the CCPA prohibits the collection of consumers’ personal information for any other purposes or any other categories than the ones presented to the customer.

CCPA cookie requirements

As with the GDPR, strictly necessary cookies, the ones required to make websites function, do not require consent. It is advisable to disclose their use to the website visitors, but it is not required to allow them to deactivate these cookies, if without them, the website would not function properly.

Other types of cookies, such as functionality, performance, or analytics cookies should be optional.

Just like with the GDPR, CCPA requires that phrases like “by continuing to use this website you agree with our use of cookies” disappear from websites. In their place, we should see a clear description of each type of cookies used, how many cookies are used for each type, and the option to opt-out of anything that isn’t mandatory for the website to function.

While the text of the CCPA, like that of the GDPR, is not that specific, these are conclusions that can be drawn from major provisions such as transparency, data subjects’ right to access and to be informed, and data minimisation, and all this should be reflected in the cookie policy of each company.

What are GDPR and CCPA Cookie Consent Requirements?

Under GDPR, websites need to collect consent to utilize all cookies other than those absolutely necessary to the running of the site. GDPR has strict requirements for what counts as consent, requiring a “clear affirmative act” that users are opting-in to having their data collected. It’s no longer good enough to use a pre-checked box or a banner that tells the user that by continuing to use the website they agree to cookies. Additionally, when companies request consent, they must do so in a way that is “clear, concise, and not unnecessarily disruptive”, meaning that your site can’t bury a consent mechanism in the middle of a lot of legal jargon.

Finally, under GDPR, websites must provide a way for users to withdraw their decision to grant data collection consent, aka the “right to be forgotten”.

Under CCPA, data collected by cookies can count as personal information. While CCPA doesn’t require businesses to gain opt-in consent for cookies, it does require them to disclose what data is being collected by cookies and what is done with the data. Additionally, businesses need to take steps to comply with the right to opt-out of the sale of personal information collected by cookies.

What information should a compliant cookie policy contain?

To be compliant with privacy and cookies laws, your Cookies Policy or cookies clause should:

  1. state that you use cookies on your website and explain briefly what cookies are,
  2. disclose what types of cookies you (or any third parties) are using,
  3. inform users why you use cookies, and
  4. let users know how they can opt out of having cookies placed on their devices.

Clym offers its clients compliant cookie policy templates as part of the subscription, which are kept up to date with GDPR and CCPA.

Is a cookie policy a legal requirement?

Yes, cookie policies are required to maintain compliance with both GDPR and CCPA.

What is a cookie policy?

A cookie policy is a statement that you provide to your website users regarding what cookies are active on your website, what user data they track, for what purpose, and where in the world this data is sent. A cookie policy should also contain information regarding how your users may opt out of the cookies or change their settings relating to the cookies on your website.

5 Likes

Very relevant question - thanks for posting it, since other users can benefit from this as well.

The overarching, quick answer is to check out our cookie opt in feature: here’s some documentation of it

That feature lets you create a finer-grained cookie experience for users. However, I’ll emphasize the part of the reference that says “…logging into Bubble requires cookies to function properly, so [opting the user out of cookies] on a logged in user is not recommended”.

The Bubble cookie mainly handles authentication-related purposes, to tie a given browser session to a user. It also does things like create temporary users for logged-out users that automatically become real Users in your db when they create an account, and provide the “stay logged in” functionality.

I believe that the cookie feature gives you the capability to create a CCPA-compliant experience for your product; the UX/UI you show in your video would be built by you leveraging this feature.

Hope that helps!

4 Likes

Thank you! I was able to implement the cookie banner and allow the visitors to not have any unnecessary cookies by removing any cookies that I didn’t want. Also, the Bubble support team was able to make the adjustments to their video player so it now works properly too!

Thanks Bubble team for helping me make privacy choices important for my users!

I feel more comfortable in my CCPA compliance now. Thank you!

@j805 www.NoCodeMinute.com

4 Likes

Hi @J805,

Can you give more details as to how you were able to accomplish the above (original message)? I have gone through the steps to add a cookie banner and allow customers to accept or not accept cookies but it’s still fully working. How can I also add other cookie options (Google analytics) like you have done with Vimeo?

Thanks

1 Like

Hey @mangooly :wave:

Bubble helped me with the Vimeo and YouTube videos. They added code to be able to turn it off when there are no cookies to be compliant. I ended up removing all other cookies on my site that were unnecessary. I used to use Tawk.to but I don’t think they gave an option to not have cookies so I made my own chat from scratch. It took a while to get everything right. I do my own sort of analytics without tracking cookies as well.

Seems there is a way to turn it off for Google Analytics too: https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out

I hope that can at least get you started.

Hope that helps! :blush:

@j805 www.NoCodeMinute.com

For All Your No-Code Education Needs:

  • One-on-One Tutoring
  • eLearning Hub
  • Video Tutorials
  • No-Code Classes
1 Like

Thanks for the response @J805. Can you explain how you did this with the Bubble cookies? I looked at your website and I see there is only one option to tick Bubble cookies and it doesn’t allow you to uncheck. I also noticed you only have one when there are in fact at least 4 Bubble cookies. Is this correct?

Thanks

Hey there! :wave:

On my site there are two cookies. I tested it by clearing out my cookies and going to my site. I also scanned my site with a third party website to be sure.

One is ‘cfduid’ which is an essential cookie that you can’t turn off. This is created by Bubble from Cloudflare. The law allows for this one. I can’t turn it off.

The other one is one that I added to my site called ‘vuid’ from Vimeo. This one is optional and is, by default, turned off. I set that up in the settings of my app. Once you accept all cookies then it turns on. You can’t watch a video unless you accept cookies and I give a warning about it when you click on the videos without accepting cookies first.

So you can toggle the Vimeo cookies one.

Take a look at the screenshots for clarification:

Hope that helps a bit! :blush:

1 Like

Thanks @J805. That helps a lot. If the law is ok with this one, that’s ok. Do you know where Bubble provides this information?

Sorry to continue such a boring subject :wink: , just trying to understand because I still get the same results as you do once the user clicks on ‘Accept Cookies’. I get these other 4 in the list. Are they cookies? What are they? They don’t provide any information when scanned by a third party website.

I understand they should be on the list too for the user to accept or decline individually like your initial example, right?

On a related topic. Can I ask how you connected logged out users with logged in users? When my users log out they are presented with the same cookie screen again.

Thanks


Hey there! :wave:

No problem. When I put my site in https://www.cookieserve.com it shows only one cookie for my site. It’s the necessary one. I may need to double check that somehow.

Cookie Reference Material

CCPA cookie requirements

As with the GDPR, strictly necessary cookies, the ones required to make websites function, do not require consent. It is advisable to disclose their use to the website visitors, but it is not required to allow them to deactivate these cookies, if without them, the website would not function properly.
Reference: https://www.clym.io/knowledge-base/how-the-ccpa-affects-the-cookie-policy

This is not from Bubble, I am still looking for the email. If I find it I will post it.

I recommend using https://termly.io since this is where it will tell you more details about each cookie after you run the cookie report. I have been super happy using them for my terms and conditions.

On a related topic. Can I ask how you connected logged out users with logged in users? When my users log out they are presented with the same cookie screen again.

I don’t really connect logged out and logged in users. When the user logs out, I think this should show the cookie consent screen. I think that is expected behavior. I can’t remember if mine does that or not. I think it would make sense to show it again since the user is logged out.

Anyways, hope that helps! :blush:

1 Like

Yes, that is correct, only one cookie initially, but when you accept conditions (you are going to have to use the Chrome console to see this) 3 cookies are added (i.e. _live_u2main, etc…). Here is a screenshot to help you.

Thanks for the recommendation. I will look at these links.

Expected behaviour is for the user to accept cookies ‘only once’ when the user enters the website. It should not show the consent popup two times. You are asking the user two times: Hey user, welcome to our page, do you accept my terms? Bye bye user, oh and by the way, I know you are leaving my website, but do you accept my terms again? :thinking: It doesn’t make sense, at least for my users. The users are also accepting terms when they sign up, so I think three times plus all the times they log out from your website is crazy if not ludicrous.

Thanks again. I think this area still isn’t clear for Bubblers: What cookies are being used in Bubble. How to build a cookie consent popup that is compliant for today’s apps (GDPR and CCPA), not yesterday’s apps. That includes user journeys that include logged out and logged in users. Possibility to consent to or reject cookies individually. Can you weigh in on this @allenyang or anyone else from Bubble? I cannot move forward on this topic and for me these are basics for our apps to be compliant. Cookies are annoying enough for our users and bombarding users with cookies every time they log in and log out even though they have accepted is just not good enough.

Thanks

1 Like

Ohhhhh. So glad you pointed that out. I didn’t realize that. :blush: Thanks. I guess I have a little bit more work to add the other few cookies to my notification and Cookie Policy.

I only have the cookie consent on my main page. Once they log in, they check the check box, and accept all cookies for the site to function properly. Maybe sending the users to a different page once they log out and not show the consent there? I’m not sure how your app is set up.

So much to learn. :pensive: Thanks! Off to do more work for compliance. :blush:

I think it comes down to exactly what kind of user flow you want to build, but as far as I’m aware, the combination of the “Cookie Consent” plugin plus the cookie opt in setting I mentioned earlier in this thread should allow you to address GDPR/CCPA regulations.

To address some of the other specifics:

  • It is expected that there are multiple cookies generated under the umbrella of your site’s cookie - for example, this will also be influenced by the plugins you use. I’ve not seen a case where Terms or Privacy Policies make a specific distinction about the exact # of cookies created, only about the source / use of the cookies. (Note: I Am Not A Lawyer)
  • When a logged in user who has accepted cookies previously logs out, that is effectively a “new user” visiting the site. This feels like a more privacy-conservative way of handling privacy / cookies. There’s probably a workaround to suppress the cookie consent banner specifically in the case of a user logging out, but the default behavior today seems sensible to me.
  • The default cookies that a Bubble app generates should be the ones necessary for Bubble to work. If, for example, you use Google Analytics and you really wanted your user to control whether the GA cookie is set, I think this might be possible by creating a flow with a preference the user can set which, if acknowledged, ‘activates’ GA code on a page. This is not the flow we assume Bubble app creators want if they’re using GA, so our GA plugin doesn’t facilitate this flow (if we required an app creator to build a consent flow for every plugin they use, that could very quickly get out of hand…).
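The two practical problems raised in this thread are (a) gating a third-party script such as Google Analytics (the opt-out flag from the developers.google.com page linked earlier) or a Vimeo/YouTube embed behind a consent preference, and (b) remembering that preference so the banner is not shown again on every logout. The following is an added example of plain browser JavaScript written for this page; it is not Bubble's code, not the Cookie Consent plugin, and not anything the posters built. It assumes a first-party cookie named `cookie_consent` (name chosen here), a placeholder GA property ID `UA-XXXXXXXX-Y`, two gated categories (`analytics`, `media`), embeds marked up with `data-src` instead of `src`, and two hidden elements with ids `show-banner` and `show-embed-notice`:

```javascript
// Added example, not Bubble's code or the original posters' code: a small
// consent gate for non-essential cookies in the browser. Assumptions:
//   - the decision is stored in a first-party cookie named "cookie_consent"
//     (name chosen here) as JSON with one boolean per category;
//   - "UA-XXXXXXXX-Y" is a placeholder for the site's own GA property ID;
//   - the gated categories are "analytics" (Google Analytics) and "media"
//     (Vimeo/YouTube iframes, which set their own cookies once loaded).

const CONSENT_COOKIE = "cookie_consent";
const CATEGORIES = ["analytics", "media"];
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // seconds; 180 days is an assumption

// Parse a document.cookie string. Returns {analytics, media} when a valid
// decision is recorded, or null when there is none or it is malformed,
// which is the signal to show the banner.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      const consent = {};
      for (const c of CATEGORIES) {
        if (typeof parsed[c] !== "boolean") return null; // reject junk values
        consent[c] = parsed[c];
      }
      return consent;
    } catch (_) {
      return null;
    }
  }
  return null;
}

// Build the cookie string that records a decision. Path=/ plus a Max-Age
// makes the choice survive log out / log in, so the question is asked once
// per browser rather than on every logout.
function consentCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Turn a (possibly absent) decision into the concrete actions the page must
// take. Kept free of DOM access so it can be tested without a browser.
function planActions(consent, gaPropertyId) {
  const actions = [];
  if (consent === null) actions.push({ type: "show-banner" });
  const analytics = consent !== null && consent.analytics;
  // Google's documented opt-out: window["ga-disable-<ID>"] = true, set before
  // analytics.js runs, stops it sending hits or writing its _ga cookies.
  actions.push({ type: "set-flag", name: "ga-disable-" + gaPropertyId, value: !analytics });
  if (analytics) {
    actions.push({ type: "load-script", src: "https://www.google-analytics.com/analytics.js" });
  }
  const media = consent !== null && consent.media;
  actions.push({ type: media ? "mount-embeds" : "show-embed-notice" });
  return actions;
}

// Browser entry point: read the cookie, then carry out the plan. Only this
// function touches window/document, which are passed in explicitly.
function applyConsent(win, doc, gaPropertyId) {
  const plan = planActions(readConsent(doc.cookie), gaPropertyId);
  for (const a of plan) {
    if (a.type === "set-flag") {
      win[a.name] = a.value;
    } else if (a.type === "load-script") {
      const s = doc.createElement("script");
      s.async = true;
      s.src = a.src;
      doc.head.appendChild(s);
    } else if (a.type === "mount-embeds") {
      // Embeds carry data-src, so no third-party request (and no vuid or
      // YouTube cookie) happens until the visitor has opted in.
      for (const f of doc.querySelectorAll("iframe[data-src]")) f.src = f.dataset.src;
    } else {
      // "show-banner" / "show-embed-notice": reveal the matching element.
      const el = doc.getElementById(a.type);
      if (el) el.hidden = false;
    }
  }
  return plan;
}

// Called from the banner's Save button with the visitor's choices.
function saveConsent(win, doc, gaPropertyId, choices) {
  doc.cookie = consentCookie({ analytics: !!choices.analytics, media: !!choices.media });
  return applyConsent(win, doc, gaPropertyId);
}

// Typical page load: applyConsent(window, document, "UA-XXXXXXXX-Y");
```

The design choice worth noting is that `planActions` is a pure function of the stored decision: with no cookie it only shows the banner and sets the GA disable flag, and it never loads `analytics.js` or swaps an embed's `data-src` into `src` until a recorded `true` exists for that category. Because the decision lives in a first-party cookie rather than in the logged-in user's record, it is still there after Bubble's logout creates a fresh session, which is the "ask only once" behaviour the thread asks for.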

So maybe @mangooly could essentially log the user out and, in the same workflow, set cookie consent to “yes” which would apply it to the new user it just created after logging out?

Yes that might work technically, but I would be careful in understanding the implications of this move with respect to your site’s Terms / Privacy Policy / etc.

True, maybe save a set state of what the user’s cookie preference is before they log out and then trigger the workflow to set the cookie consent based on the set state?

Hi @allenyang again :slight_smile: Do you know what the other 4 cookies are? I have tested this with an empty app (no other plugins). Bubble uses them, but there is no clarification of what they are being used for and why they are not initially mentioned but then used when consent is accepted in the opt-in option.

Thanks

Had to check with Engineering (thanks Peter!) - the 4 cookies you see are:

  • One from Bubble to mark the user’s session ID
  • One from Bubble with the session signature to prevent tampering
  • One from Bubble that tells the browser who the current user is
  • One from Cloudflare (link)
2 Likes

Great, thanks again @allenyang.

I’m having difficulty understanding this - what action (if any) do we need to take for our apps? Or is this a case that Bubble will handle?

Hi @rukevweb,

You first need to check if you need to be CCPA compliant. Check the links @J805 mentioned in his first post or,

If yes, then you need to take the necessary development steps to make sure your website is compliant (i.e., add a popup, ask users if they wish to accept or reject terms, give details about what you will do with their data, cookie policy, etc…).

Regards