California Consumer Privacy Act (CCPA)

Bubble,

How do we make sure we are CCPA compliant? How would we go about creating a consent form like this (See video below) so the user can turn on and off cookies in Bubble? @eve maybe you can point us in the right direction on who to ask about this? Thanks!

Also, any other details on how to make sure we are CCPA compliant with Bubble would be great. It begins July 1st, 2020.

For example: Just like with the GDPR, CCPA requires that phrases like “by continuing to use this website you agree with our use of cookies” disappear from websites. In their place, we should see a clear description of each type of cookies used, how many cookies are used for each type, and the option to opt-out of anything that isn’t mandatory for the website to function.

CCPA-compliant cookie policy

CCPA requires companies to have policies which disclose information about their use of cookies and data collection practices.

In order for businesses to have a truly CCPA-compliant cookie policy, it should include information regarding:

CCPA cookie consent

Unlike the GDPR, CCPA cookie consent is based on an opt-out mechanism, instead of an opt-in one. Thus, websites can load cookies, but are obliged to provide users with an easy way of opting out of them at any moment. The California Consumer Privacy Act requires businesses to inform consumers before or at the point of collection of their personal data, but does not require prior, explicit cookie consent. That’s why we’ve built Clym with the flexibility to either opt-in or opt-out depending on the geographic area where they are located.

Similarly to the GDPR, the CCPA prohibits the collection of consumers’ personal information for any other purposes or any other categories than the ones presented to the customer.

CCPA cookie requirements

As with the GDPR, strictly necessary cookies, the ones required to make websites function, do not require consent. It is advisable to disclose their use to the website visitors, but it is not required to allow them to deactivate these cookies, if without them, the website would not function properly.

Other types of cookies, such as functionality, performance, or analytics cookies should be optional.

While the text of the CCPA, like that of the GDPR, is not that specific, these are conclusions that can be drawn from major provisions such as transparency, data subjects’ right to access and to be informed, and data minimisation, and all this should be reflected in the cookie policy of each company.

What are GDPR and CCPA Cookie Consent Requirements?

Under GDPR, websites need to collect consent to utilize all cookies other than those absolutely necessary to the running of the site. GDPR has strict requirements for what counts as consent, requiring a “clear affirmative act” that users are opting in to having their data collected. It’s no longer good enough to use a pre-checked box or a banner that tells the user that by continuing to use the website they agree to cookies. Additionally, when companies request consent, they must do so in a way that is “clear, concise, and not unnecessarily disruptive”, meaning that your site can’t bury a consent mechanism in the middle of a lot of legal jargon.

Finally, under GDPR, websites must provide a way for users to withdraw their decision to grant data collection consent, aka the “right to be forgotten”.

Under CCPA, data collected by cookies can count as personal information. While CCPA doesn’t require businesses to gain opt-in consent for cookies, it does require them to disclose what data is being collected by cookies and what is done with the data. Additionally, businesses need to take steps to comply with the right to opt out of the sale of personal information collected by cookies.

What information should a compliant cookie policy contain?

To be compliant with privacy and cookies laws, your Cookies Policy or cookies clause should:

  1. state that you use cookies on your website and explain briefly what cookies are,
  2. disclose what types of cookies you (or any third parties) are using,
  3. inform users why you use cookies, and
  4. let users know how they can opt out of having cookies placed on their devices.

Clym offers its clients compliant cookie policy templates as part of the subscription, which are kept up to date with GDPR and CCPA.

Is a cookie policy a legal requirement?

Yes, cookie policies are required to maintain compliance with both GDPR and CCPA.

What is a cookie policy?

A cookie policy is a statement that you provide to your website users regarding what cookies are active on your website, what user data they track, for what purpose, and where in the world this data is sent. A cookie policy should also contain information regarding how your users may opt out of the cookies or change their settings relating to the cookies on your website.

2 Likes

Very relevant question - thanks for posting it, since other users can benefit from this as well.

The overarching, quick answer is to check out our cookie opt-in feature: here’s some documentation of it

That feature lets you create a finer-grained cookie experience for users. However, I’ll emphasize the part of the reference that says “…logging into Bubble requires cookies to function properly, so [opting the user out of cookies] on a logged in user is not recommended”.

The Bubble cookie mainly handles authentication-related purposes, to tie a given browser session to a user. It also does things like create temporary users for logged-out users that automatically become real Users in your db when they create an account, and provide the “stay logged in” functionality.

I believe that the cookie feature gives you the capability to create a CCPA-compliant experience for your product; the UX/UI you show in your video would be built by you leveraging this feature.

Hope that helps!

1 Like
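As an added example (not Bubble’s or Clym’s code, and not part of either post above), here is a small JavaScript consent model covering the rules the thread lays out: CCPA opt-out by default versus GDPR opt-in, a strictly necessary category that can never be switched off (the session cookie the reply says keeps a Bubble user logged in), and the per-category description and cookie count a banner should show instead of a “by continuing you agree” line. Cookie names and categories are constructed for illustration.

```javascript
// Added example, not Bubble's or Clym's code. Models the consent rules from the thread:
// CCPA is opt-out (non-essential cookies may load until the user opts out), GDPR is opt-in,
// and strictly necessary cookies (here the session/auth cookie) stay on. Names are constructed.

const COOKIE_REGISTRY = {
  necessary: { cookies: ["session_id"], description: "Keeps you logged in", locked: true },
  functional: { cookies: ["ui_prefs"], description: "Remembers interface settings", locked: false },
  analytics: { cookies: ["_ga", "_gid"], description: "Usage statistics", locked: false },
};

// Initial consent state before the user touches the banner, per legal regime.
function defaultConsent(regime) {
  const allowByDefault = regime === "CCPA"; // GDPR (and anything unknown) defaults to off
  const consent = {};
  for (const [category, info] of Object.entries(COOKIE_REGISTRY)) {
    consent[category] = info.locked ? true : allowByDefault;
  }
  return consent;
}

// Apply a toggle from the banner; refuses to switch off a locked category rather than
// silently ignoring it, so the UI cannot present an opt-out that does nothing.
function updateConsent(consent, category, enabled) {
  const info = COOKIE_REGISTRY[category];
  if (!info) throw new Error(`unknown cookie category: ${category}`);
  if (info.locked && !enabled) throw new Error(`${category} cookies cannot be disabled`);
  return { ...consent, [category]: enabled };
}

// Given the current document.cookie string, return the names that must now be expired
// because their category is no longer consented to (the caller sets Max-Age=0 on each).
function cookiesToExpire(consent, cookieHeader) {
  const setNames = cookieHeader.split(";").map((c) => c.split("=")[0].trim()).filter(Boolean);
  const toExpire = [];
  for (const [category, info] of Object.entries(COOKIE_REGISTRY)) {
    if (consent[category]) continue;
    for (const name of info.cookies) if (setNames.includes(name)) toExpire.push(name);
  }
  return toExpire;
}

// What the banner should display: each category, what it does, how many cookies it sets,
// and whether the user can switch it off, in place of a "by continuing you agree" line.
function bannerRows(consent) {
  return Object.entries(COOKIE_REGISTRY).map(([category, info]) => ({
    category, description: info.description, cookieCount: info.cookies.length,
    enabled: consent[category], userCanToggle: !info.locked,
  }));
}
```

In a Bubble page this would run in an HTML element or plugin, with the toggles wired to `updateConsent` and the returned names expired via `document.cookie`; the `necessary` category is the one the reply warns against opting a logged-in user out of.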