We recently provided an update regarding the California Privacy Protection Agency’s modified regulations (the “Regulations”) for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”). In that update, we briefly discussed new requirements regarding website popups, including cookie banners.

The Regulations require Businesses to design and implement methods for consumers submitting CCPA requests and “obtaining consumer consent” that incorporate the following principles:

  • Language that is easy to understand;
  • Symmetry in choice, meaning the business shall not make it more difficult to exercise a more privacy-protective option than a less privacy-protective option;
  • Avoids language that is confusing to the consumer;
  • Avoids using choice architecture that impairs or interferes with the consumer’s ability to make a choice; and
  • Designed in a way that it is easy to execute.

Regarding “symmetry in choice,” the Regulations specifically require:

The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer’s ability to make a choice. Illustrative examples follow.

A website banner that provides only the two choices when seeking the consumer’s consent to use their personal information, “Accept All” and “More Information,” or “Accept All” and “Preferences,” is not equal or symmetrical because the method allows the consumer to “Accept All” in one step, but requires the consumer to take additional steps to exercise their rights over their personal information. Framing the consumer’s options in this manner impairs the consumer’s ability to make a choice. An equal or symmetrical choice could be “Accept All” and “Decline All.”

While the above language does not call out cookie banners or cookie pop-ups, the symmetry in choice requirement applies to any method used to “obtaining consumer consent.” Providing a cookie banner and having the consumer select Accept or Decline is obtaining the consumer’s consent to place cookies and use other technologies on their device. Additionally, the illustrative example provided by the California Privacy Protection Agency seems to be drafted with cookie banners in mind since many cookie banners ask users to “Accept All” or “Preferences” if they wish to either accept or opt-out of specific cookies. This will no longer be sufficient as it would require more steps from the consumer to decline certain cookies.

Possible options would be to change the two choices to “Accept All” and “Decline All Non-Essential Cookies” (with an effective opt-out/decline mechanism), or make the choice “Select Cookie Preferences” and take the user to the “Cookie Policy” page where they have the symmetrical option to accept or decline certain cookies.

To note, the CCPA does NOT require Businesses to have cookie banners on its website. This simply applies to Businesses that choose to have a cookie banner. Many Businesses are choosing to include a cookie banner due to other data protection laws and regulations around the world, including the European Union’s General Data Protection Regulation.

We will continue to monitor the Regulations as the public commentary period recently ended on November 21, 2022. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.