August 9, 2025
The California Privacy Rights Act (CPRA) introduces new requirements for businesses concerning consumer privacy, particularly regarding the sale or sharing of personal information. Unlike some privacy laws that mandate explicit cookie banners, the CPRA does not explicitly require a cookie banner for compliance. However, it demands businesses provide a mechanism enabling consumers to opt out of the sale or sharing of their personal data, which may include data collected via cookies.
The Draft Regulations clarify that a simple opt-in cookie banner is insufficient for CPRA compliance. Instead, an acceptable opt-out mechanism must:
The “Do Not Sell/Share My Personal Information” (DNSMPI) link is specified as a clear and compliant method for providing this opt-out. This link may be integrated with cookie preference management to ensure users can control data collection and sharing. Additionally, businesses are required to honor opt-out signals such as the Global Privacy Control (GPC), which facilitates user privacy preferences automatically.
Consent management platforms such as CookieYes are cited as practical tools that meet CPRA requirements. They enable websites to display opt-out banners containing DNSMPI links, allowing visitors to exercise their rights under the CPRA by opting out of the sale or sharing of their personal information.
In summary, while a cookie banner alone is not mandated, compliance under CPRA requires:
This nuanced approach reflects CPRA’s focus on consumer control over data rather than simple notification.