CIPA and CPRA cookie consent banner requirements 

Donata Stroink-Skillrud

Co-founder and President of Termageddon

A cookie consent banner is a very common feature of business websites, as it allows website owners to comply with applicable privacy laws by letting individuals opt in to or out of being tracked by technologies such as cookies and pixels. While it can be an annoying feature, its purpose is to respect the privacy rights of website visitors; several privacy laws require it, and it is necessary to avoid fines and even lawsuits. If you are as deep in the privacy weeds as we are, you may have noticed that California has two privacy laws that require a cookie consent banner, the California Privacy Rights Act (CPRA) and the California Invasion of Privacy Act (CIPA), and that the cookie consent banner requirements of these laws conflict with each other. The CPRA can impose fines of $2,500 to $7,500 per violation, and CIPA allows consumers to sue businesses directly for violations (at $5,000 per violation), leaving businesses that need to comply with both laws between a rock and a hard place. Furthermore, it is important to note that at this time neither the California Attorney General nor the California Privacy Protection Agency has issued any guidance to businesses on how to resolve the conflicts between the requirements of these privacy laws. In this article, we will discuss this compliance conundrum, including: 

  1. CIPA cookie consent banner requirements; 
  2. CPRA cookie consent banner requirements; 
  3. The conflicts between the requirements of these two privacy laws; and 
  4. How the Termageddon consent banner resolves these conflicts. 

CIPA cookie consent banner requirements 

The California Invasion of Privacy Act (CIPA) is a privacy law that went into effect in 1994 to protect residents of California from eavesdropping on conversations that took place on landline phones. While "communications" was initially meant to cover phone calls, courts have recently reinterpreted it to cover any communications of an individual with a website. Since CIPA prohibits eavesdropping on communications without consent, consumers have started suing businesses, arguing that the use of cookies, web beacons, pixels, scripts or code that track a user while they are using a website constitutes a violation of CIPA. It is important to note that CIPA applies to anyone that is tracking residents of California through their website, regardless of business size or location. 

While the best way to avoid CIPA violations is to not track users, if your website uses any tracking software such as heat mapping, analytics, IP intelligence, or advertising, you must obtain the individual's consent before tracking them. This will usually be done through a cookie consent banner that must have the following features: 

  1. The banner must ensure that all third party tracking scripts and technologies are blocked until the website visitor has provided their consent; 
  2. The cookie consent banner must have an “accept” and a “decline” button to obtain proper consent; 
  3. If the website visitor clicks “decline”, then they must not be tracked; 
  4. The banner must be designed in a way where the “accept” and “decline” options are given equal prominence; 
  5. The banner should allow the individual to withdraw their consent if they have previously consented to being tracked; and 
  6. The banner must provide individuals with enough information about the tracking technologies so that the individual can make an informed decision as to whether or not they would like to be tracked. 

Sound familiar? The requirements of CIPA closely mirror the cookie consent banner requirements and layout required by the General Data Protection Regulation (GDPR), meaning that businesses must present individuals with an opt-in cookie consent banner, where users are not tracked unless they specifically opt in to the tracking. 

CPRA cookie consent banner requirements 

On the other hand, the California Privacy Rights Act (CPRA) went into effect in 2023, adding to the privacy protections provided to residents of the State by the California Consumer Privacy Act of 2018. The CPRA applies to businesses that collect the personal information of residents of California, that do business in California, and that meet at least one of the following thresholds: 

  1. Have annual gross revenue of more than $25,000,000; 
  2. Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers or households; or 
  3. Annually buy, sell or share the personal information of 100,000 or more California consumers or households. 

While this privacy law will usually apply to larger businesses only, smaller businesses may also be subject to this law by contract if they process personal information for a business that is subject to this privacy law. 

By default, the CPRA rules state that you can track individuals from California without their consent as long as you allow them to opt out of such tracking. Under the CPRA, individuals have the following opt-out rights: 

  1. Opt out of the sharing of their personal information for purposes of targeted advertising; 
  2. Opt out of the sale of their personal information; 
  3. Limit the use of their sensitive personal information. 

These rights can be exercised through the cookie consent banner directly or through a link to a page that allows them to exercise these rights. 

The conflicts between CIPA and CPRA 

As you can see from the above, there is a major conflict between these privacy laws: CIPA requires you to obtain the consent of the individual before tracking them, whereas CPRA only provides the right to opt out of such tracking (meaning CPRA allows tracking by default, with the option to opt out). Most cookie consent banners will provide businesses with the following two options and will not allow for the combination of both options at the same time: 

  1. Website users are opted out of all tracking by default and can opt in to be tracked (meeting the requirements of CIPA); or 
  2. Website users are automatically tracked and can opt out of such tracking (meeting the requirements of the CPRA). 

Since most cookie consent banner providers will not combine both of these options, businesses are left to choose which privacy law they will comply with, which will leave them out of compliance and thus in violation of the other privacy law. 

How the Termageddon cookie consent banner combines CIPA and CPRA 

While we have been providing the CPRA cookie consent banner layout for a while, as soon as we heard of businesses being sued for violations of CIPA, we started working on different layout options that would accommodate the conflicting requirements of both of these privacy laws. With the Termageddon <> Usercentrics cookie consent banner solution, customers that need to comply with CIPA and CPRA at the same time have a new layout option that is available for them to implement. This option combines the requirements of both of these privacy laws by: 

  1. Blocking all third party scripts and technologies until the user provides their consent; 
  2. Containing equally prominent “accept” and “decline” options; 
  3. Not tracking the user if they click “decline”; 
  4. Allowing individuals to withdraw their consent and change their consent options; 
  5. Providing individuals with information about the tracking technologies so that they can make an informed choice; and 
  6. Providing individuals with links to the following pages that they can click to exercise their privacy rights (these links are obtained through the Privacy Policy questionnaire):
    1. Opt out of the sharing of personal information; 
    2. Opt out of the sale of personal information; 
    3. Limit the use of sensitive personal information.
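As an added example (not Termageddon's or Usercentrics' code), the following JavaScript consent gate implements the combined layout just described and the CIPA banner features listed earlier: third-party tags stay blocked until the visitor clicks accept, decline keeps them blocked, withdrawal unloads them, and the three CPRA opt-out links are exposed to the banner. The `ConsentGate` API, the link URLs and the in-memory storage are assumptions; persisting the state and rendering the banner are left to the caller.

```javascript
// Added example: a minimal CIPA + CPRA consent gate (not Termageddon's or Usercentrics' code).
const STATES = Object.freeze({ PENDING: "pending", ACCEPTED: "accepted", DECLINED: "declined" });

// Hypothetical CPRA rights links; a real site would use the URLs from its own privacy policy.
const CPRA_LINKS = Object.freeze([
  { label: "Opt out of the sharing of personal information", href: "/privacy#do-not-share" },
  { label: "Opt out of the sale of personal information", href: "/privacy#do-not-sell" },
  { label: "Limit the use of sensitive personal information", href: "/privacy#limit-sensitive" },
]);

class ConsentGate {
  // storedState: a previously persisted decision, if any. Anything other than an explicit
  // prior "accepted" is treated as no consent, so the CIPA opt-in default holds.
  constructor(storedState) {
    this.state = storedState === STATES.ACCEPTED ? STATES.ACCEPTED : STATES.PENDING;
    this.entries = []; // { name, load, unload, active } for each third-party tag
  }
  // Register a third-party tag. `load` injects the script; `unload` removes it on withdrawal.
  // Nothing is loaded unless consent has already been given.
  register(name, load, unload = () => {}) {
    const entry = { name, load, unload, active: false };
    this.entries.push(entry);
    if (this.state === STATES.ACCEPTED) this.activate(entry);
    return this;
  }
  activate(entry) { if (!entry.active) { entry.load(); entry.active = true; } } // load once only
  accept() { this.state = STATES.ACCEPTED; this.entries.forEach((e) => this.activate(e)); return this.state; }
  decline() { this.state = STATES.DECLINED; return this.state; } // tags remain blocked
  // Withdrawal: stop every active tag. Cookies a third party already set cannot be recalled
  // here, so the site's own cleanup (deleting first-party cookies it controls) belongs in `unload`.
  withdraw() {
    this.state = STATES.DECLINED;
    for (const e of this.entries) if (e.active) { e.unload(); e.active = false; }
    return this.state;
  }
  loadedScripts() { return this.entries.filter((e) => e.active).map((e) => e.name); }
  // View model for the banner: shown only while undecided; both buttons must be styled with
  // equal prominence; the CPRA links are always available so rights can be exercised later.
  bannerModel() {
    return { showBanner: this.state === STATES.PENDING, buttons: ["Accept", "Decline"], links: CPRA_LINKS };
  }
}
```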

In addition, when using the Termageddon Privacy Policy generator, businesses do not have to guess at which cookie consent banner layout they need, as the generator will help determine which privacy laws apply to the business and will present the business with the appropriate cookie consent banner layout based on their compliance needs.

To date, Termageddon is the sole Privacy Policy and cookie consent banner generator presenting an option for businesses that will help resolve the conflicting requirements of CIPA and the CPRA. If you need to comply with both of these privacy laws, make sure to check out Termageddon.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.