Updated July 13, 2020.
Regardless, you are legally required by the European GDPR and the Californian CCPA to have one available to your users on your website.
Cookies are a potential privacy risk, because they are able to track, store and share user behavior.
The EU law on personal data, the General Data Protection Regulation (GDPR), gives website visitors the right to receive specific, up-to-date information on what data is registered about them at all times, for what purpose, and where in the world it is sent (along with the possibility to prevent it from happening).
The California Consumer Privacy Act (CCPA) gives California residents the right to know what personal information companies and websites collect and sell, plus the rights to have it deleted and to opt out of having their data sold to third parties.
The CCPA states that businesses must inform their visitors at or before the point of collection of what categories of personal information they collect and process, including to which third parties they sell/share/disclose this data.
The CCPA empowers California residents with the following:
Last but not least, websites must feature a Do Not Sell My Personal Information link, through which users can opt out of third party data sales.
The answer is yes, you do.
The first thing to do is to discover what cookies are in use on your website. This is fundamental for creating a specific and accurate policy, as required, because every website is different.
In other words, you need to know exactly what cookies and other forms of tracking technology are present and operating on your website.
Cookiebot scans and reveals all cookies, both first and third party, on your website. It does so by simulating real-life user interaction with your website. It basically crawls your website and all of its subpages and shows you what hides under the surface. It does this automatically once a month.
A CCPA compliant cookie declaration by Cookiebot.
Cookiebot is a consent management solution that enables full GDPR/ePR and CCPA compliance for your website.
We empower you to take care of all that is cookie-related on your website, so that you can have peace of mind, knowing that your website complies with the regulations.
The short and simple answer is 'yes'.
First and foremost, the GDPR is a universal law for the European Union.
This means that the GDPR applies not only to all websites operating within the EU, but also to all websites that deal with users from the EU.
So, since its enforcement in May 2018, all sites except strictly local ones outside of the EU are affected.
In a PwC survey of American multinational organizations, 92 percent said GDPR compliance was a top priority, and 71 percent had already started preparations (in January 2017). These included privacy policies, IT security and discovery of all the data they currently had.
In the US, the laws on the protection of data are more fragmented, because they are a patchwork of sector-specific laws, covering for example healthcare companies or financial institutions, or restricted to specific states, like California.
However, with the GDPR being the most thorough and far-reaching data protection regulation ever passed, it is likely to go global or at the least to serve as a model for future regulations on the protection of data.
Therefore, it is in any case relevant to take measures to comply.
The regulations might seem like an annoying obstacle for companies here and now, but in the long run they are helping to restore the trust and equity between companies and consumers in a data-driven world.
A short and simple yes here too.
The California Consumer Privacy Act (CCPA) has extraterritorial jurisdiction. It means that it applies to any business that collects or processes the personal information of California residents, regardless of where in the world that business is located.
However, to be regarded as a business under the CCPA rules, a company has to meet one of the three following attributes:
This means that if a company is based in, say, Singapore or Italy, but buys or sells the personal information of at least 50.000 California residents, that company is liable for CCPA compliance.
Keep in mind, however, that your policy should be revised and updated regularly, to make sure that it informs about the actual cookies in use on your site.
Your website uses first-party cookies that are strictly necessary for its basic function, but it’s very likely that it also uses third-party cookies for analytical or marketing purposes, e.g. through analytics tools, marketing software or social media plugins. To be sure what cookies your website uses, use a consent management platform to perform deep-scans of your domain.
The California Consumer Privacy Act (CCPA) requires your website to inform California residents at or before the point of data collection about the categories of personal information it collects, to which third parties this is sold or disclosed, what types of cookies and trackers are in operation and a description of consumer rights and how to exercise them.