In this post, we’ll explain what cookies are and how businesses use them. We’ll also cover GDPR and CCPA cookie consent, and which businesses are required to comply with those requirements, as well as best practices for ensuring compliance.
What is a website cookie?
A cookie is a small block of data that a website or webpage sends to a device. The device stores the cookie and transmits the data back to the source, which authenticates the device and user. When you visit a website that requires you to log in, and the site “remembers” your username and password, that’s because you’ve previously exchanged a cookie with that site.
Cookies can create a better experience for website visitors, particularly on e-commerce sites, where — without cookies — shopping carts could not retain items as shoppers navigate from page to page. But cookies also raise concerns about privacy.
What types of cookies do websites use?
First-party cookies are created and/or placed on a website by the website’s administrators. These cookies support essential functions (like the shopping cart example we mentioned). They may also collect information about site visitors, such as page views, session duration, and time on site.
Third-party cookies may appear across several websites. These cookies track user behavior across multiple domains and platforms. If you’ve ever visited a website to view a product, then seen an ad for that product when you visited an unrelated site, a third-party cookie has likely tracked your activity online.

An explanation of how first- and third-party cookies differ.
What is a cookie policy?
A cookie policy is the language that appears on your website when a visitor arrives, informing them of the types of cookies on your site and how you use the data they collect. The policy must also explain the issue of consent, and allow users to customize their cookie preferences.

This cookie consent popup (powered by Monsido’s Cookie Consent Manager) appears when visitors land on Monsido.com. Visitors can click on “Cookie Preferences” to select which cookies to allow.
An overview of the CCPA and GDPR
The GDPR went into effect in May 2018, instituting several requirements designed to protect consumer privacy. While the GDPR originated in the EU, its regulations extend to businesses that have digital customers or website visitors in the EU, regardless of where the business is located.
Like the GDPR, the CCPA applies not just in California, but also to businesses anywhere that have customers or website visitors in California. Businesses that meet any of the following criteria are required to comply with the CCPA:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
CCPA and GDPR requirements for cookies
CCPA and cookie consent
The CCPA does not require companies to develop a separate cookie policy, as long as they include cookie-policy language in their privacy policy.
GDPR and cookie consent
Cookie consent should be changeable
Best practices for CCPA-compliant cookie management
The fines for CCPA non-compliance are $2,500 to $7,500 per violation, and that’s for every individual affected. That means a company with 50,000 customers could face a minimum fine of $125 million for failure to state its cookie policy.
Discover which cookies are on your site
Explain what cookies are
Explain how you use cookies
Let users choose which cookies to allow
Ensure the cookie notification is accessible
Review the accessibility of your cookie notification
Review and update your privacy policy at least once a year
Talk to an expert
Try Monsido's Consent Manager
Monsido Consent Manager takes the guesswork out of compliance, and includes features that ensure your banner/cookie popup is customizable and accessible for users who use assistive reading technology.
In addition, you’ll be able to customize popup branding, view acceptance rates, and access a complete consent log to ensure ongoing compliance.
