CCPA / CPRA Compliance Guide

California's consumer privacy law: opt-out signals, Do Not Sell links, and what counts as a sale.

Last reviewed: 2026-04-29

What CCPA and CPRA are

The California Consumer Privacy Act (CCPA, 2018) and its amendment, the California Privacy Rights Act (CPRA, in force 2023), give California residents control over how businesses collect, use, and share their personal information. Together they form the most comprehensive consumer privacy law in the United States.

The California Privacy Protection Agency (CPPA) — created by CPRA — is the dedicated regulator and is steadily issuing enforcement actions and updated regulations.

Who CCPA / CPRA applies to

Any for-profit business that does business in California and meets at least one of:

  • $25 million+ in annual gross revenue.
  • Buys, sells, shares, or receives personal information of 100,000+ California consumers or households annually.
  • Derives 50%+ of annual revenue from selling or sharing personal information.

Opt-out, not opt-in

The fundamental difference from GDPR: under CCPA, you can collect and process personal information by default. The user's right is to opt out of sale or sharing — not to consent up front. This is why CookieGap doesn't deduct CCPA points for pre-consent cookie loading the way it does for GDPR.

What you must do is make opt-out trivial: a clear link, a working mechanism, and respect for the user's choice on every subsequent visit.

The Do Not Sell or Share link

If you sell or share personal information, you must place a clear link titled "Do Not Sell or Share My Personal Information" (those words, that order) on the homepage and any page collecting personal information. The link must lead to a way to actually exercise the opt-out — not just a privacy policy page that explains the right.

A second link, "Limit the Use of My Sensitive Personal Information," is required when you process sensitive categories (precise geolocation, race, health, sexual orientation, etc.) for purposes beyond what's necessary to deliver your service.

Global Privacy Control (GPC)

California regulations recognise the Global Privacy Control — a browser-level signal sent as the HTTP request header Sec-GPC: 1 — as a valid opt-out request. If a request arrives with GPC enabled, you must treat that user as opted out for that browser, even before they click the Do Not Sell link.

Failing to honour GPC is treated by the CPPA as the same offence as ignoring a manual opt-out request — and was the basis of the agency's first major enforcement action (against Sephora) in 2022.
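As an added illustration (not CookieGap's code or the regulations' text), the following Node-style request handling treats Sec-GPC: 1 as an opt-out for that browser, persists the choice for later visits, expires tracking cookies already present and withholds tags that sell or share. The cookie names, tag inventory and state shape are assumptions.

```javascript
// Added example (not CookieGap's code): server-side handling of the
// Global Privacy Control signal alongside a manual Do Not Sell opt-out.
const OPT_OUT_COOKIE = 'ccpa_opt_out';         // hypothetical first-party cookie
const TRACKING_COOKIES = ['_fbp', '_gcl_au'];  // constructed sample of share/sale cookies
const TAGS = [                                 // constructed tag inventory
  { id: 'first-party-analytics', sellsOrShares: false },
  { id: 'meta-pixel', sellsOrShares: true },
];

// GPC is signalled by exactly "Sec-GPC: 1"; any other value is not an opt-out.
function hasGpcSignal(headers) {
  const v = headers['sec-gpc'];
  return v !== undefined && String(v).trim() === '1';
}

function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Opt-out state for one request. GPC counts even if the user never clicked
// the link; a stored manual opt-out counts even if GPC is later switched off.
function resolveOptOut(headers) {
  if (hasGpcSignal(headers)) return { optedOut: true, source: 'gpc' };
  const cookies = parseCookies(headers['cookie']);
  if (cookies[OPT_OUT_COOKIE] === '1') return { optedOut: true, source: 'link' };
  return { optedOut: false, source: null };
}

// Set-Cookie values to emit for an opted-out browser: persist the choice for
// later visits and expire any tracking cookies already present.
function optOutSetCookies(state, cookieHeader) {
  if (!state.optedOut) return [];
  const present = parseCookies(cookieHeader);
  const set = [`${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`];
  for (const name of TRACKING_COOKIES) {
    if (name in present) set.push(`${name}=; Path=/; Max-Age=0`);
  }
  return set;
}

// Tags allowed to load: an opted-out browser gets no tag that sells or shares.
function tagsToLoad(state) {
  return TAGS.filter(t => !(state.optedOut && t.sellsOrShares)).map(t => t.id);
}
```

The same decision has to be applied on every later visit, which is why the manual choice is written to a first-party cookie rather than only kept in memory.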

CookieGap does not currently transmit GPC signals during scans or verify a site's response to them. This is on the roadmap — for now, we cover the Do Not Sell link surface but you'll need a GPC-aware audit to confirm signal handling.

Common violations CookieGap detects

  • Missing Do Not Sell link — the single biggest CCPA enforcement trigger.
  • Link present but doesn't lead to an actual opt-out mechanism.
  • Tracking cookies persist after the user opts out.
  • No privacy policy, or one that omits the categories of personal information sold or shared.

Note: CookieGap does not yet test Global Privacy Control (GPC) signal handling. GPC enforcement — required by California, Colorado, and Connecticut — is on the roadmap; for now we recommend pairing CookieGap with a GPC-aware audit. See scope & limitations.

Penalties

The California AG and CPPA can fine up to $2,500 per violation, $7,500 per intentional violation, and additional damages of $100 to $750 per consumer per incident in the case of certain data breaches. Per-violation counts can be calculated per affected user, so totals scale fast — Sephora paid $1.2M for failing to honour GPC.

What CookieGap measures for CCPA

Derived from the live scanner rubric — updates automatically when the rubric changes.

  • No 'Do Not Sell or Share My Personal Information' link
  • Do Not Sell link present but non-compliant (missing mechanism)
  • Tracking cookies persist after opt-out action
  • No privacy policy found

For the full picture — including what we don't measure — see scope & limitations.

Frequently asked questions

Do I need a cookie banner under CCPA?

Not necessarily a banner. CCPA is opt-out, so you can run analytics and most ad-tech by default — but you must give users a clear way to opt out, prominently link to a 'Do Not Sell or Share My Personal Information' page, and honour the Global Privacy Control browser signal as a valid opt-out request.

Does sharing data with Google Analytics count as a 'sale'?

Under CPRA's expanded definition, 'sale or sharing' covers most cross-context behavioural advertising. Sending data to Google Analytics for advertising purposes, Meta Pixel, or any ad-tech that builds cross-site profiles will typically trigger Do Not Sell obligations. Plain analytics used only for first-party purposes is a grayer area.

Does CCPA apply to my business if I'm not in California?

Yes, if you do business in California (sell to or have meaningful operations targeting Californians) and meet one of the thresholds: $25M+ annual revenue, or buy/sell/share data on 100,000+ California consumers per year, or derive 50%+ of revenue from selling/sharing personal information.

How long do I have to honour a Do Not Sell request?

Under CPRA regulations, you must process the opt-out request as soon as feasible and within 15 business days. You also need to instruct any downstream parties you've shared data with in the prior 90 days to also stop selling.

Are there exceptions for service providers?

Yes. Genuine service providers acting under contract — meaning they only use the data to deliver a service back to you and never independently — are not 'selling.' But the contract terms have to be specific (the regulations spell out required clauses), and many ad-tech vendors don't actually qualify even when they claim to.

See where your site stands

Run a free CookieGap scan and get a CCPA compliance report in under a minute.

This guide is informational only and does not constitute legal advice. Privacy laws evolve frequently — always confirm current obligations with qualified counsel before making compliance decisions.