
GDPR & CCPA Cookie Compliance: Managing User Rights

By the Editorial Team
01 October 2025

Handling User Rights Requests under GDPR and CCPA for Cookies

Cookie compliance is a critical part of managing your website and respecting your users' privacy. Cookies are used everywhere, and they collect all kinds of data, from what users do on your site to what products they might be interested in or even their location.

Under General Data Protection Regulation (GDPR) in the EU and California Consumer Privacy Act (CCPA) in California, these cookies and the data they collect are tightly regulated. These laws give users specific rights over their data, such as the ability to see what data you’ve collected on them, request its deletion, or even stop you from selling or sharing it.

If you're running a website or a digital business that collects data through cookies, you need to understand how to handle these requests in a way that’s clear, efficient, and legally compliant. Failing to comply can lead to penalties, damaged trust, and potential loss of business.

In this blog, we’ll break down how to handle user rights requests effectively under both GDPR and CCPA, ensuring your processes are both user-friendly and legally sound.

Understanding GDPR vs. CCPA

Let’s start with understanding the main differences between GDPR and CCPA, especially when it comes to cookies:

  • GDPR: The regulation is built around user consent. Specifically, if your website uses non-essential cookies (like analytics, ads, or tracking), you must ask for explicit consent before setting them. Users should be aware of why cookies are being used and should have clear options to accept or reject them.
  • CCPA: Unlike GDPR, CCPA is built around opt-out consent. This means that businesses can set cookies by default, but users must be given an easy way to opt out of the sale or sharing of their data. It’s a bit more relaxed when compared to GDPR's "opt-in" approach, but it still requires you to disclose and respect user preferences.

So if you want to know the difference at a glance,

  • GDPR: Opt-in before setting cookies.
  • CCPA: Opt-out from data sale or sharing.

Even though these laws take different approaches to consent, both ensure that users are given control over their personal data, especially when it's being collected by technologies like cookies.

What Cookies Are Regulated?

Cookies are small text files that websites use to track and store information about users. Not all cookies are created equal, and under GDPR and CCPA, only certain types are heavily regulated. There are several types of cookies like strictly necessary cookies, functional cookies, analytics cookies, marketing cookies etc. You need to manage how these cookies are used and ensure users know exactly what they’re consenting to.

Step-by-Step Guide to Handling User Rights Requests

Below is a quick step-by-step guide to handling user rights requests:

  1. Start with a Cookie Audit

Before you can respond to user rights requests, you need to understand what cookies are actually running on your website and how they collect and use personal data. This is where a cookie audit comes in. And now let’s take a look at how you can go about it:

How to Conduct a Cookie Audit:

  • Scan Your Website: Use a custom cookie consent UI that complies with EU / GDPR law like ConsentBit to scan your site for cookies. These tools will give you a list of all cookies running on your site and provide information about what each one does.
  • Categorize Cookies: Once you have the list, organize cookies by category:
    • Strictly Necessary: These are essential and don’t need user consent.
    • Preference and Functional: These may require consent, depending on their use.
    • Analytics and Marketing: These always require user consent under GDPR and often under CCPA.
  • Document Data Usage: For each cookie, document what data it collects (e.g., personal data, IP address, user behavior) and whether that data is shared with third parties. You need this for responding to access and deletion requests.

It’s crucial that this audit is updated regularly. As you add new tools or third-party services to your site, they can introduce new cookies.

  2. Write a Cookie Policy That Actually Makes Sense

Once you have a clear picture of the cookies you use, you need to make sure users can easily find and understand how their data is being used.

Your cookie policy should be clear, concise, and written in simple terms. Avoid technical jargon and legal speak wherever possible. This is your chance to explain how cookies are used on your site, what data is collected, and what users can do if they’re not comfortable with it.

What Should Be in Your Cookie Policy?

You might be wondering what details belong in your cookie policy. Below is a quick list:

  • What Cookies Are Used: List all cookies, grouped by type (e.g., strictly necessary, marketing, etc.).
  • Why They Are Used: Explain their purpose. For instance, “We use Google Analytics to understand how users interact with our site and improve user experience.”
  • How Long Data Is Kept: Let users know how long the cookies store data (e.g., “Data is kept for up to 12 months”).
  • Who Has Access to the Data: If any third parties have access to the data collected by cookies, mention them here.
  • How to Control Cookies: Provide clear instructions on how users can change their cookie preferences or withdraw consent.

While considering all these points, it’s also important to make sure this policy is:

  • Accessible: Link to it in your website’s footer, cookie banners, and other relevant places.
  • Regularly Updated: Anytime your cookie usage changes, update the policy accordingly.
  • Easy to Understand: Avoid complex legal language. Your users should understand what’s happening with their data in a few simple sentences.

  3. Make Consent Clear and Easy

How you collect consent is key to compliance. Both GDPR and CCPA require you to give users the ability to choose what cookies are placed on their devices, but they have slightly different requirements.

For GDPR:

You must obtain explicit, informed consent before setting non-essential cookies (e.g., marketing, analytics). That means you cannot load those cookies until the user has clicked to accept them.

  • Cookie Banners: When users first land on your site, show a banner that allows them to:
    • Accept all cookies
    • Reject all cookies
    • Manage cookie preferences (for more granular control)
  • Clear Language: The language in the banner should be clear. Something like: “We use cookies to personalize content and ads, to provide social media features, and to analyze our traffic. By clicking ‘Accept,’ you consent to our use of cookies.”
  • Easy Opt-Out: Users should be able to change their preferences anytime, often through a persistent "Cookie Settings" link in the footer.

For CCPA:

Unlike GDPR, CCPA allows businesses to set cookies by default but requires you to provide a mechanism for users to opt out of the sale or sharing of their data.

  • Do Not Sell My Personal Information: This is a mandatory link in the footer that leads users to a page where they can request to opt out of the sale or sharing of their data.
  • Respect Opt-Out Requests: When users submit an opt-out request, you must honor it by stopping the sale or sharing of their data.

  4. Responding to Access and Deletion Requests

When a user exercises their rights under GDPR or CCPA, you need to know exactly how to respond in a timely manner. Here's what to do:

Access Requests (Right to Know):

  • Under GDPR, users can ask for a copy of their data that’s been collected via cookies.
  • Under CCPA, users have the right to know what data has been collected and if it’s been sold or shared.

Steps for Handling Access Requests:

  • Verify the user's identity (a simple confirmation email works well)
  • Look through your records for data associated with that user (based on their cookies and browsing history)
  • Respond within 30 days (under GDPR) or 45 days (under CCPA), ensuring the response is clear and concise.

Deletion Requests (Right to Erasure):

  • Users may request that you delete any personal data you’ve collected via cookies.
  • Under GDPR, this is a must if the data is no longer needed, or if they withdraw their consent.
  • Under CCPA, users can request deletion, but there are exceptions (e.g., for legal obligations or completing transactions).

Steps for Handling Deletion Requests:

  • Verify the user's identity.
  • Identify and remove all the data you’ve stored or processed related to that user.
  • If you share data with third parties (e.g., ad platforms), instruct them to delete the data too.

  5. Respect Global Privacy Control (GPC)

A relatively new feature, Global Privacy Control (GPC) allows users to opt out of the sale of their personal data via a browser signal. This is particularly relevant for CCPA compliance.

  • When a user has GPC enabled:
    • You must honor it as a valid opt-out; no extra steps should be needed from the user.
    • This should apply to cookies, third-party data sharing, and any other user data.
    • Ensure your consent management platform can interpret and respond to this signal automatically.
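As an added example (not part of the original post and not ConsentBit's own code), the following JavaScript shows how a site can apply the opt-in and opt-out rules from step 3 together with the GPC signal from step 5 before any non-essential tag is injected. The region labels, the sample tag registry and the example.invalid URLs are assumptions made up for the demonstration; `navigator.globalPrivacyControl` and the `Sec-GPC` header are the names the GPC specification defines.

```javascript
// Added example, not ConsentBit's code: resolve which cookie categories may be
// set (stored choice + Global Privacy Control), then gate tags on that result.
// Region labels and the sample registry are constructed for illustration.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// region: "eu" (opt-in under GDPR/ePrivacy) or "us-ca" (opt-out under CCPA).
// stored: saved preferences ({category: bool}) or null; gpc: browser signal on.
function resolveConsent({ region, stored = null, gpc = false }) {
  const consent = { necessary: true, functional: false, analytics: false, marketing: false };
  if (region === "eu") {
    // Opt-in: nothing non-essential until the user has explicitly accepted it.
    if (!stored) return consent;
    for (const c of CATEGORIES) if (c !== "necessary") consent[c] = stored[c] === true;
    return consent;
  }
  // Opt-out: non-essential categories are on by default, but any saved "off"
  // choice is respected, and GPC counts as a valid opt-out of sale/sharing with
  // no extra steps. "marketing" stands in for cookies that sell or share data.
  for (const c of CATEGORIES) consent[c] = !(stored && stored[c] === false);
  consent.necessary = true;
  if (gpc) consent.marketing = false;
  return consent;
}

// Client-side the signal is navigator.globalPrivacyControl; server-side it is
// the "Sec-GPC: 1" request header, as defined in the GPC specification.
function gpcFromBrowser(nav) { return !!nav && nav.globalPrivacyControl === true; }
function gpcFromHeaders(headers) { return String(headers["sec-gpc"] ?? "").trim() === "1"; }

// Constructed sample registry: each tag is declared with its category.
const SAMPLE_REGISTRY = [
  { src: "https://example.invalid/analytics.js", category: "analytics" },
  { src: "https://example.invalid/ads.js", category: "marketing" },
];

// Injects only permitted tags; returns what was loaded so it can be logged
// alongside the consent record.
function loadPermitted(registry, consent, inject) {
  const loaded = [];
  for (const { src, category } of registry) {
    if (consent[category] === true) { inject(src); loaded.push(src); }
  }
  return loaded;
}

// Example run: Californian visitor with GPC on and no saved choice.
const decision = resolveConsent({ region: "us-ca", gpc: gpcFromHeaders({ "sec-gpc": "1" }) });
console.log(loadPermitted(SAMPLE_REGISTRY, decision, (src) => console.log("inject", src)));
```

In a real page `inject` would append a script element, and the stored preferences would come from the CMP's consent record rather than an inline object.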

  6. Don’t Punish Users for Exercising Their Rights

It’s tempting to show a pop-up saying, “If you opt out of cookies, some features may not work,” but you must avoid penalizing users for exercising their privacy rights.

While you can explain that opting out might affect the user experience (e.g., no personalized content or ads), you cannot restrict access to the core functionality of your site or app simply because a user opted out.

  7. Regular Review and Updates

The next most important stage is to maintain compliance over time. To stay on top of your commitments, you must regularly review your setup and amend it as needed.

  • Audit cookies regularly to see if new tools or integrations are adding new cookies.
  • Review policies annually to ensure they align with the latest laws and best practices.
  • Monitor legal updates, especially with new state-level privacy laws in the U.S. (e.g., Colorado, Virginia) or updates to GDPR guidelines.

Conclusion

Cookie compliance doesn’t have to be overwhelming. By starting with a comprehensive cookie audit, being transparent in your cookie policy, and setting up simple, clear consent mechanisms, you can stay compliant with GDPR and CCPA.

More importantly, these steps help build user trust. Today’s consumers are more aware than ever about their privacy rights, and being proactive in respecting them can set you apart from competitors.

If you’re unsure whether your website is fully compliant with GDPR and CCPA, now’s the time to take action. Get in touch with us today.

FAQs

  • Does GDPR apply to cookies?

Yes. GDPR applies to cookies that collect personal data, such as IP addresses, device IDs, or browsing behavior. Consent is required before placing non-essential cookies on users’ devices.

  • Does GDPR require cookie banners?

Yes. Under GDPR, cookie banners are required to inform users and obtain their explicit consent before setting any non-essential cookies (like tracking or advertising cookies).

  • Which directive requires asking for consent to set cookies?

The EU ePrivacy Directive (also known as the Cookie Law) requires websites to ask for user consent before setting non-essential cookies. GDPR complements this by defining personal data and strengthening consent rules.

  • Is ConsentBit GDPR compliant?

ConsentBit is a cookie consent management tool made specifically for Webflow that complies with GDPR and CCPA. This user-friendly app provides tools for controlling user preferences and cookie consent. Reach out if you would like more information about ConsentBit and to find out whether it satisfies your particular requirements, such as consent logs, geo-targeting, and simple opt-out.

  • What are the 4 key rules of GDPR?

The core principles include:

  • Lawfulness, Fairness & Transparency
  • Purpose Limitation
  • Data Minimization
  • Accountability & Security

These guide how personal data must be handled, including data collected via cookies.

  • How does GDPR affect cookies?

GDPR requires explicit, informed consent for non-essential cookies. Websites must clearly state what data is collected, why, and how it's used, and allow users to withdraw consent at any time.

  • What is CCPA and GDPR?

Both are data privacy laws:

  • GDPR (EU): Requires opt-in consent for personal data use.
  • CCPA (California): Allows users to opt-out of data selling and request access or deletion of their data.

  • What are the CCPA cookie guidance points?

Under CCPA:

  • Users must be able to opt-out of cookie-based data sales.
  • A "Do Not Sell My Personal Information" link must be provided.
  • Websites should honor Global Privacy Control (GPC) signals as opt-outs.

  • How to comply with GDPR and CCPA for cookies?

Here are a few steps you can take to ensure compliance with privacy laws like GDPR and CCPA:

  • Use a reliable Consent Management Platform (CMP) like ConsentBit
  • Show cookie banners based on user location
  • Get explicit consent (GDPR) or offer opt-out options (CCPA)
  • Keep logs of consent and preferences
  • Provide easy access to privacy settings

  • Do I need to comply with GDPR if I only target US users?

Usually, no. GDPR applies if you target or monitor users in the EU, so if you do collect data from EU users (e.g., via marketing or analytics), compliance is required.

  • How can I automate cookie consent for my website?

Use a reliable CMP like ConsentBit that detects cookies, displays consent banners, manages user preferences, and keeps consent logs, all automatically.

  • What is the penalty for non-compliance with CCPA?

Fines can reach $2,500 per violation or $7,500 per intentional violation. That can add up quickly for each affected user, even for something as small as improperly handling cookie-based data sharing.
