Please wait

Loading...

Acquia Help

Filter by product:

Acquia Optimize common questions

GDPR and CCPA¶

GDPR (General Data Protection Regulation)¶

GDPR regulations apply to any EU company. GDPR requires that all personal data that is collected and/or processed is made transparent, including the disclosure of the purpose for data collection.

Europe

1. Main legislation:

E-privacy directive: how to use cookies (this directive will change soon).
GDPR applies in the circumstances where cookies work as online identifiers (for example, a user authentication cookie would involve the processing of personal data, as it is used to enable the user to log in to their account at an online service).

2. Requirements

Information on the use of cookies (which cookies, for what purposes, and for what duration).
Consent for all types of cookies (but not for strictly necessary cookies*)
- Consent can be asked only once, but it is recommended to refresh after a certain period of time.
- Consent can be withdrawn at any time and in an easy way.
- Consent needs to be a positive action (e.g. pre-ticked boxes or ‘on’ slides cannot be used). This also includes consent banners that might be difficult to read on mobile devices.
Duration of cookies needs to be determined (period of time and/or number of visits to the website) - it can also be determined by national legislation

Note
The above requirements also apply for Statistics Cookies (performance cookies). These cookies collect information about user behavior on a website, such as which pages they visited and which links they clicked on.

*Strictly Necessary Cookies: Cookies that are needed in order for a website to carry out online communication.

User-input cookies (session-id) such as first-party cookies to keep track of user input when they fill out online forms, place items in digital shopping carts, and so on.
Authentication cookies are used to identify the users once they are logged in.
User-centric security cookies are used to detect authentication misuse.
Multimedia content cookies include player cookies that are used to store technical data that is needed in order for the user to play video or audio content.
Load-balancing cookies Load balancers use a specific load balancing cookie to track the instance of each request to each listener.
User interface customization cookies include, for example, language or font preferences (these can be first or third-party cookies).

	Responsibilities under the GDPR
Customer	Acquia Optimize powered by Acquia
Define (and explain) which cookies are used (applicable also for 3rd party cookies), their purpose, and their duration.	Provide/display information on the use of cookies to website’s visitors
Document and store consent	Obtain consent for all types of cookies and document it
Control how long the cookies are stored for	Information about the possibility of revoking consent
Allow users to access the website even if they reject all cookies	Allow users to access website even if they reject all non-necessary cookies
If cookies imply the collection of personal data, then the customer needs to be in compliance with the GDPR as a data controller	We will be classified as data processors

¶

CCPA ( California Consumer Privacy Act)¶

The California Consumer Privacy Act is basically a set of regulations that apply to any organization that collects personal data on any California resident.

CCPA regulations apply to any organization that meets two criteria:

The organization collects personal information from consumers.
or:
The organization meets any of the following:

Has an annual gross revenue of more than 25 million USD
Buys, receives, or sells the personal information of 50,000 or more consumers or households.
More than 50% of annual revenue comes from selling the personal information of their consumers.

The data that is collected by cookies is considered to be personal information. CCPA does not require businesses to gain opt-in consent for cookies, but it does require that companies disclose what data is being collected by cookies and what is done with the data. Additionally, businesses need to take steps to comply with the option for their website users to opt-out of the sale of personal information collected by cookies.

It is therefore recommended to include information on first-party session cookies in the Privacy Policy. A statement such as this is normally sufficient:

"Personal information is sold and this might include information obtained by cookies."

Additional Resources¶

APA: Australia's Privacy Act includes thirteen codes of conduct with regards to the disclosure of personal information. Websites, companies, and organizations that operate in Australia must follow these codes of conduct in order to be compliant.
SHIELD: The Privacy Shield Program Overview is a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
PIPEDA: The Personal Information Protection and Electronic Documents Act of Canada applies to transfers of personal information to a third party operating outside of Canada.
Cookie Policies and Privacy Policies
General Data Protection Regulation
California Consumer Privacy Act.

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.

Acquia Optimize Support