
CCPA Cookie Compliance: The Complete CCPA & CPRA Cookie Guide (2026)

What do CCPA and CPRA require for cookies? Complete guide to California cookie consent, opt-out requirements, Do Not Sell, and cookie banner compliance. Avoid fines up to $7,500 per violation.

CCPA Cookie Compliance: What California Law Requires for Your Website

Direct Answer: CCPA cookie compliance requires websites to give California consumers the right to opt out of the sale or sharing of personal information collected through cookies and tracking technologies. Unlike GDPR, the CCPA uses an opt-out model — you can set cookies by default but must provide a "Do Not Sell or Share My Personal Information" link. The CPRA, which amended the CCPA in January 2023, expanded these requirements to cover data "sharing" for cross-context behavioral advertising, not just data "selling." Violations carry fines of up to $7,500 per incident.





CCPA cookie compliance is the process of ensuring your website's use of cookies and tracking technologies meets the requirements of the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). Together, these California cookie laws govern how businesses collect, use, sell, and share the personal information of California residents — including data gathered through browser cookies, tracking pixels, and similar technologies.

The CCPA was signed into law in 2018 and took effect on January 1, 2020. The CPRA, often called "CCPA 2.0," was approved by California voters in November 2020 and its substantive provisions took effect on January 1, 2023. The CPRA did not replace the CCPA; it amended and expanded it. When people refer to "CCPA" today, they typically mean the CCPA as amended by the CPRA.

Who must comply? The CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:

  • Annual gross revenue exceeding $25 million
  • Buy, sell, or share the personal information of 100,000 or more California consumers, households, or devices annually
  • Derive 50% or more of annual revenue from selling or sharing consumers' personal information

Even if your business is not physically located in California, you must comply if you serve California residents and meet any of these criteria. With California's population of nearly 39 million people, most mid-size and large websites with US traffic will trigger these thresholds.


CCPA vs CPRA: What Changed for Cookies?

Understanding the difference between CCPA and CPRA is critical for cookie compliance. The CPRA significantly expanded the original CCPA in ways that directly affect how you handle cookies and tracking technologies.

Key CPRA Changes That Affect Cookies

| Area | Original CCPA (2020) | CPRA Amendment (2023) |
|------|----------------------|-----------------------|
| Scope of opt-out | Right to opt out of "sale" of personal information | Right to opt out of "sale" and "sharing" of personal information |
| "Sharing" definition | Not defined | Sharing personal information for cross-context behavioral advertising, including through cookies and pixels |
| Sensitive personal information | Not a separate category | New category with additional opt-out rights (precise geolocation, race, health data, etc.) |
| Enforcement body | California Attorney General only | New California Privacy Protection Agency (CPPA) plus the Attorney General |
| Penalties | $2,500/$7,500 per violation | Same fines, but $7,500 for violations involving minors' data and a dedicated enforcement agency |
| Consent for minors | Opt-in required for under-16 | Extended to include opt-in for known children under 16; businesses must wait 12 months before asking again after opt-out |
| Global Privacy Control | Not addressed | Businesses must honor GPC signals as valid opt-out requests |
| Data minimization | Not required | Businesses must limit data collection to what is reasonably necessary |

The most significant change for cookie compliance is the expanded definition of "sharing." Under the original CCPA, only the "sale" of personal information triggered opt-out rights. The CPRA broadened this to include "sharing" data with third parties for cross-context behavioral advertising — which is exactly what most advertising cookies, retargeting pixels, and third-party trackers do.

Key Insight: If your website uses Google Ads remarketing, Facebook Pixel, or any third-party advertising cookie, you are almost certainly "sharing" personal information under the CPRA and must provide opt-out mechanisms.


Which Cookies Fall Under the CCPA?

Not all cookies trigger CCPA requirements. The law is concerned with cookies that collect "personal information" — and the CCPA defines personal information broadly to include IP addresses, device identifiers, browsing history, and geolocation data.

Cookies That Typically Require Opt-Out

These cookies collect personal information that is sold or shared with third parties, triggering CCPA opt-out requirements:

  • Third-party advertising cookies — Google Ads, Meta/Facebook Pixel, LinkedIn Insight Tag, TikTok Pixel
  • Retargeting and remarketing cookies — Cookies that track users across websites to serve targeted ads
  • Cross-site tracking cookies — Any cookie set by a domain other than the one the user is visiting
  • Data broker cookies — Cookies placed by data aggregators who compile and sell consumer profiles
  • Affiliate tracking cookies — When personal information is shared with affiliate networks

Cookies That Generally Do Not Require Opt-Out

These cookies are used for the website's own purposes and do not involve selling or sharing personal information:

  • Strictly necessary cookies — Session management, authentication, security, load balancing
  • First-party functional cookies — Language preferences, theme settings, shopping cart
  • First-party analytics cookies — Analytics tools where data stays with the website owner and is not shared with third parties (e.g., self-hosted Matomo, Plausible Analytics)

The Gray Area: Google Analytics

Google Analytics deserves special attention. When you use Google Analytics, data is sent to Google's servers, and Google may use that data for its own purposes, including advertising. This can constitute "sharing" under the CPRA. According to guidance from the California Privacy Protection Agency, if your analytics provider uses consumer data for its own commercial purposes, that relationship may trigger opt-out obligations.

Best practice: Treat Google Analytics as a cookie that requires CCPA opt-out unless you have a contractual agreement with Google that strictly limits their use of your data to service-provider functions only.


CCPA Cookie Consent: Opt-Out, Not Opt-In

One of the most misunderstood aspects of CCPA cookie compliance is the consent model. The CCPA uses an opt-out framework, which is fundamentally different from the opt-in model used by the EU's GDPR and Canada's PIPEDA.

How the CCPA Opt-Out Model Works

Under the CCPA opt-out model:

  1. You can set cookies by default — Unlike GDPR, you do not need to obtain prior consent before placing tracking cookies
  2. You must provide a clear opt-out mechanism — A "Do Not Sell or Share My Personal Information" link must be prominently displayed
  3. Once a consumer opts out, you must stop — No more selling or sharing their personal information via cookies or other means
  4. You cannot use dark patterns — The opt-out process must be straightforward, not designed to discourage users from opting out

There are important exceptions where the CCPA requires opt-in consent rather than just opt-out:

  • Consumers under 16 years old: Businesses that have actual knowledge that a consumer is under 16 must obtain opt-in consent before selling or sharing their data. For children under 13, a parent or guardian must provide consent.
  • Sensitive personal information: Under the CPRA, consumers can limit the use of sensitive personal information (such as precise geolocation, race/ethnicity, or health data) to purposes that are necessary for the service. If you collect sensitive data through cookies, consumers must have the ability to limit its use.
  • After opt-out: Once a consumer has opted out, you must obtain opt-in consent before selling or sharing their personal information again. Under the CPRA, you must wait at least 12 months before asking a consumer to re-authorize the sale or sharing of their data.

What About Global Privacy Control (GPC)?

The CPRA requires businesses to treat Global Privacy Control signals as a valid opt-out request. GPC is a browser-level setting (available in Firefox, Brave, and DuckDuckGo, among others) that automatically sends an opt-out signal to every website the user visits.

If a consumer's browser sends a GPC signal, your website must:

  • Recognize and honor the signal as an opt-out of sale and sharing
  • Stop selling or sharing that consumer's personal information
  • Not require the consumer to take additional steps to opt out

The California Attorney General has already taken enforcement action against businesses that failed to honor GPC signals. In 2022, Sephora was fined $1.2 million in part for failing to process opt-out requests sent via GPC.


CCPA Cookie Banner Requirements

While the CCPA does not explicitly mandate a "cookie banner" in the same way the GDPR does, practical compliance with the CCPA's opt-out requirements means most websites need some form of cookie notice or banner. Here is what a CCPA-compliant cookie banner needs to include.

  1. "Do Not Sell or Share My Personal Information" link — This must be a clear, conspicuous link on your homepage and in your cookie banner. The CPRA expanded this from "Do Not Sell" to include "Do Not Share."

  2. "Limit the Use of My Sensitive Personal Information" link — If you collect sensitive personal information (including precise geolocation through cookies), you must provide this additional link.

  3. Clear disclosure of data practices — Your banner or linked privacy policy must explain what categories of personal information you collect through cookies and why.

  4. Accessible opt-out mechanism — The process to opt out must require no more than a few simple steps. You cannot force users to create an account, navigate multiple pages, or call a phone number to opt out.

  5. No dark patterns — Under CPRA regulations, the opt-out process must not use confusing language, unnecessary steps, or design tricks to dissuade consumers from opting out.

A compliant CCPA cookie banner should communicate:

  • That your website uses cookies and similar tracking technologies
  • What purposes the cookies serve (analytics, advertising, personalization)
  • That consumers have the right to opt out of the sale or sharing of their personal information
  • A direct link to exercise that right
  • A link to your full privacy policy for more details

Example of compliant banner text:

"We use cookies and similar technologies to personalize content and ads, analyze traffic, and improve your experience. Some of this data may be shared with third parties. You have the right to opt out. [Do Not Sell or Share My Personal Information] [Privacy Policy]"

The CPRA's implementing regulations, issued by the California Privacy Protection Agency, include specific guidance on user interface design for opt-out mechanisms. Key design requirements:

  • Symmetry in choices — If you provide an "Accept All" button, you should provide an equally prominent way to opt out
  • No manipulative design — You cannot make the opt-out button smaller, a different color, or harder to find than the accept button
  • Toggle or preference center — Providing a toggle-based preference center where consumers can control specific cookie categories is considered best practice
  • Mobile responsiveness — The opt-out mechanism must work properly on mobile devices

Do Not Sell or Share: What It Means for Cookies

The "Do Not Sell or Share" requirement is the centerpiece of CCPA cookie compliance. Understanding what constitutes a "sale" or "sharing" of personal information through cookies is essential.

What Counts as "Selling" Personal Information Through Cookies?

Under the CCPA, "selling" means making personal information available to a third party for monetary or other valuable consideration. In the cookie context, this includes:

  • Allowing ad networks to place third-party cookies that track users in exchange for ad revenue
  • Sharing cookie-collected user data with data brokers
  • Providing user behavioral data gathered by cookies to third parties in exchange for services, discounts, or other benefits

What Counts as "Sharing" Personal Information Through Cookies?

The CPRA added "sharing" as a separate category. "Sharing" means making personal information available to a third party for cross-context behavioral advertising — regardless of whether money changes hands. This specifically targets:

  • Programmatic advertising — Real-time bidding where user data from cookies is shared with multiple advertisers
  • Retargeting — Using cookie data from your site to show ads to users on other websites
  • Audience building — Sharing cookie-based user segments with advertising platforms like Meta or Google
  • Lookalike audiences — Providing cookie data so advertising platforms can find similar consumers

Key Insight: Even if you do not directly "sell" data for money, using Facebook Pixel or Google Ads remarketing tags on your website likely constitutes "sharing" under the CPRA because these tools transmit user data to third parties for cross-context behavioral advertising.

Implementing the Opt-Out for Cookies

When a consumer exercises their right to opt out:

  1. Stop setting third-party advertising cookies for that consumer
  2. Remove or disable existing tracking pixels (Facebook Pixel, Google Ads tags, etc.)
  3. Do not share the consumer's personal information with advertising partners
  4. Maintain the opt-out preference for at least 12 months
  5. Respect the opt-out across all your domains and services if you operate multiple websites

CCPA vs GDPR Cookie Consent

If your website serves both California and European users, you need to understand how CCPA cookie consent differs from GDPR cookie consent requirements. The two frameworks take fundamentally different approaches.

| Requirement | CCPA/CPRA (California) | GDPR (EU/EEA) |
|-------------|------------------------|---------------|
| Consent model | Opt-out (cookies allowed by default) | Opt-in (no cookies until consent) |
| When consent is needed | Before the "sale" or "sharing" can be stopped | Before any non-essential cookies are set |
| Cookie banner required | Not explicitly, but practically necessary | Yes, mandatory before setting cookies |
| Pre-checked boxes | Allowed (opt-out model) | Not allowed |
| Right to withdraw | Must honor opt-out requests | Must allow consent withdrawal |
| Children's data | Opt-in for under 16 | Opt-in for under 16 (varies by country) |
| Scope | California residents | Anyone in EU/EEA |
| Browser signals | Must honor GPC | Varies; no uniform requirement yet |
| Fines | $2,500-$7,500 per violation | Up to 4% of global revenue or EUR 20 million |

Practical implications: If you serve both GDPR and CCPA audiences, the simplest approach is to default to GDPR's stricter opt-in standard for EU users and implement the CCPA's opt-out mechanism for California users. A geolocation-aware consent management platform can serve the appropriate banner based on the visitor's location.

For a comparison with Canadian cookie law, see our cookie consent guide for Canada.


CCPA Cookie Compliance Checklist

Use this checklist to verify your website meets all CCPA and CPRA cookie requirements:

Discovery and Audit

  • [ ] Audit all cookies on your website using a cookie scanner to identify every cookie, pixel, and tracker
  • [ ] Categorize each cookie as strictly necessary, functional, analytics, or advertising/marketing
  • [ ] Identify which cookies involve "selling" or "sharing" personal information with third parties
  • [ ] Document the purpose, duration, and provider for each cookie
  • [ ] Determine if you meet CCPA thresholds ($25M revenue, 100K consumers, or 50% revenue from data)

Cookie Banner and Opt-Out Mechanism

  • [ ] Display a "Do Not Sell or Share My Personal Information" link prominently on your homepage and cookie banner
  • [ ] Add a "Limit the Use of My Sensitive Personal Information" link if applicable
  • [ ] Ensure the opt-out process takes no more than a few steps and does not require account creation
  • [ ] Avoid dark patterns — make opt-out choices equally prominent as opt-in choices
  • [ ] Honor Global Privacy Control (GPC) signals automatically
  • [ ] Provide a cookie preference center where users can control specific categories

Technical Implementation

  • [ ] Block advertising and tracking cookies for users who opt out
  • [ ] Implement server-side opt-out mechanisms to ensure cookies are not set even if client-side blocking fails
  • [ ] Test that cookies are actually suppressed after opt-out using browser developer tools
  • [ ] Maintain opt-out preferences for at least 12 months
  • [ ] Ensure mobile compatibility — the opt-out mechanism works on all devices

Privacy Policy and Disclosures

  • [ ] Update your privacy policy to list all categories of personal information collected through cookies
  • [ ] Disclose the business or commercial purpose for each category of data collection
  • [ ] List the categories of third parties with whom you share personal information
  • [ ] Include a description of consumer rights under the CCPA/CPRA
  • [ ] Provide at least two methods for consumers to submit opt-out requests (e.g., cookie banner link and email)

Ongoing Compliance

  • [ ] Re-scan your website for cookies whenever you add new tools, plugins, or integrations
  • [ ] Review your cookie practices at least annually
  • [ ] Train your team on CCPA requirements and how to handle consumer requests
  • [ ] Keep records of opt-out requests and how they were processed
  • [ ] Monitor regulatory updates from the California Privacy Protection Agency

Penalties and Enforcement: Real Cases

CCPA enforcement is active and growing. The California Attorney General and the California Privacy Protection Agency have brought actions against businesses of all sizes for cookie-related violations.

Notable Enforcement Actions

Sephora — $1.2 Million (2022)

The California Attorney General settled with Sephora for $1.2 million after finding the cosmetics retailer:

  • Failed to disclose to consumers that it was selling their personal information
  • Did not provide a "Do Not Sell" link on its website
  • Failed to process opt-out requests made through Global Privacy Control
  • Did not cure violations within the 30-day window (which no longer exists under the CPRA)

This was the first public CCPA enforcement action and sent a clear signal about the importance of cookie compliance.

DoorDash — $375,000 (2024)

DoorDash was fined after the California Attorney General found it had sold consumer personal information to a marketing co-op without complying with CCPA requirements, including proper opt-out mechanisms.

Ongoing Investigations

The California Privacy Protection Agency has stated publicly that it is investigating multiple companies for cookie-related violations, particularly around:

  • Failure to honor GPC signals
  • Dark patterns in cookie consent interfaces
  • Inadequate opt-out mechanisms for data sharing through advertising cookies

Penalty Structure

| Violation Type | Fine Amount |
|----------------|-------------|
| Unintentional violation | $2,500 per violation |
| Intentional violation | $7,500 per violation |
| Violations involving minors' data (CPRA) | $7,500 per violation |
| Consumer private right of action (data breaches) | $100 to $750 per consumer per incident |

The "per violation" structure is significant. If you are collecting data through non-compliant cookies from thousands of California consumers, each instance can count as a separate violation. A website with 10,000 affected California users could theoretically face fines ranging from $25 million to $75 million.


How to Implement CCPA Cookie Compliance

Implementing CCPA cookie compliance involves both technical and operational steps. Here is a practical approach.

Step 1: Scan Your Website for Cookies

Before you can comply, you need to know what cookies your website sets. Use a free cookie scanner to:

  • Identify all first-party and third-party cookies
  • Detect tracking pixels and scripts (Facebook Pixel, Google Ads, etc.)
  • Categorize cookies by purpose (necessary, analytics, advertising)
  • Discover cookies you may not know about (from plugins, embedded content, or CDNs)

Step 2: Choose a Consent Management Platform

A consent management platform (CMP) handles the technical complexity of CCPA cookie compliance. Look for a solution that:

  • Provides a "Do Not Sell or Share" link and preference center
  • Supports GPC signal detection and automatic opt-out
  • Actually blocks advertising cookies for opted-out users (not just cosmetic changes)
  • Offers geolocation detection to serve CCPA-specific banners to California visitors and GDPR banners to EU visitors
  • Keeps records of consumer opt-out requests
  • Is easy to install and customize

Step 3: Configure Your Cookie Banner

Set up your cookie banner with the required elements:

  • Clear, plain-language disclosure about cookie use
  • "Do Not Sell or Share My Personal Information" link
  • Cookie category controls (if providing granular choices)
  • Link to your full privacy policy
  • Accessible design that works on desktop and mobile

Step 4: Implement Technical Blocking

Ensure that when a consumer opts out:

  • Third-party advertising scripts (Google Ads, Meta Pixel, etc.) do not load
  • Cross-site tracking cookies are not set
  • Data is not transmitted to advertising partners
  • The opt-out preference is stored and respected on subsequent visits
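The GPC handling described in the "What About Global Privacy Control" section, the five opt-out steps under "Implementing the Opt-Out for Cookies", and the blocking requirements of this step all reduce to one decision: may sharing tags load for this visitor? The following is an added example written for this guide (not code from the article's author, from Cookie Banner, or from any CMP vendor) showing that decision and the tag gating it drives. It assumes a preference cookie named ccpa_opt_out and uses constructed placeholder tag URLs; navigator.globalPrivacyControl (browser side) and the Sec-GPC: 1 request header (server side) are the real forms of the GPC signal.

```javascript
// Added example: a CCPA/CPRA opt-out gate for third-party advertising tags.
// Inputs, in order of precedence:
//   1. the Global Privacy Control signal (navigator.globalPrivacyControl in the
//      browser, or the "Sec-GPC: 1" request header on the server),
//   2. the stored "Do Not Sell or Share" preference, kept for 12 months,
//   3. a known-minor flag (under 16): sharing is off unless opt-in was granted.
// OPT_OUT_COOKIE, the tag URLs and the function names are assumptions made for
// this example, not names taken from any regulation or product.

const OPT_OUT_COOKIE = "ccpa_opt_out"; // assumed name of the preference cookie
const OPT_OUT_TTL_DAYS = 365;          // retain the opt-out for at least 12 months

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Server side: the only defined value of the Sec-GPC header is "1".
// Anything else (absent, "0", garbage) is not an opt-out signal.
function gpcFromHeaders(headers) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(raw ?? "").trim() === "1";
}

// Decide whether personal information may be sold or shared for this visitor.
// The reason is returned so the decision can be logged for the opt-out records
// the CCPA expects a business to keep.
function resolveShareDecision({ gpcSignal, cookies, knownMinor, optInGranted }) {
  if (gpcSignal) return { allowShare: false, reason: "gpc-signal" };
  if (cookies[OPT_OUT_COOKIE] === "1") return { allowShare: false, reason: "stored-opt-out" };
  if (knownMinor) {
    return optInGranted
      ? { allowShare: true, reason: "minor-opt-in" }
      : { allowShare: false, reason: "minor-no-opt-in" };
  }
  return { allowShare: true, reason: "default-opt-out-model" };
}

// Set-Cookie value written when the consumer clicks the opt-out link.
// Domain= makes the preference apply across subdomains; Secure and SameSite=Lax
// keep it from being set or read in cross-site contexts; Max-Age keeps it 12 months.
function buildOptOutCookie(domain) {
  const maxAge = OPT_OUT_TTL_DAYS * 24 * 60 * 60;
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAge}; Path=/; Domain=${domain}; Secure; SameSite=Lax`;
}

// Tag gating. Strictly necessary scripts always load; scripts that sell or share
// data only load when the decision allows it. URLs are constructed placeholders.
const ALWAYS_LOAD = ["/static/app.js"];
const SHARING_TAGS = ["https://ads.example/pixel.js", "https://social.example/tag.js"];

function scriptsToLoad(decision) {
  return decision.allowShare ? ALWAYS_LOAD.concat(SHARING_TAGS) : ALWAYS_LOAD.slice();
}

// Browser entry point: read the live GPC flag and cookies. Under Node (no
// navigator.globalPrivacyControl, no document) it falls through to the default.
function browserDecision(knownMinor = false, optInGranted = false) {
  const gpc = typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
  const cookies = parseCookieString(typeof document !== "undefined" ? document.cookie : "");
  return resolveShareDecision({ gpcSignal: gpc, cookies, knownMinor, optInGranted });
}

// Inject only the permitted scripts; the DOM work is skipped outside a browser.
function injectScripts(decision) {
  const srcs = scriptsToLoad(decision);
  if (typeof document === "undefined") return srcs;
  for (const src of srcs) {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  return srcs;
}
```

Call gpcFromHeaders(req.headers) when rendering the page and leave the sharing tags out of the HTML entirely when it returns true or the preference cookie is present; the client-side browserDecision() is then a second line of defence for cached pages and single-page apps, which is what the checklist item on server-side opt-out is getting at. Note that the GPC check comes first: a consumer who turned on GPC needs no further click, and a later "Accept" in the banner does not override it.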

Step 5: Update Your Privacy Policy

Your privacy policy must include:

  • A list of cookie categories and their purposes
  • Categories of personal information collected in the preceding 12 months
  • Whether you sell or share personal information and with whom
  • How consumers can exercise their opt-out rights
  • Your process for handling consumer requests

Step 6: Test and Monitor

After implementation:

  • Test the opt-out flow from start to finish on desktop and mobile
  • Verify cookies are blocked using browser developer tools after opting out
  • Check GPC signal handling using a browser with GPC enabled (Firefox, Brave)
  • Monitor for new cookies when you add plugins, tools, or third-party integrations
  • Review compliance quarterly and after any website changes
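Checking DevTools by hand after every release does not scale, so here is an added example of a repeatable post-opt-out cookie audit that also covers the categorisation step of the checklist above. It is written for this guide and is not code from the article's author or from any scanner product. The cookie list it examines is constructed; the KNOWN_COOKIES table holds a handful of widely used cookie names and should be replaced by your own scanner's output; the registrable-domain logic is deliberately simplified, and a real audit should use the Public Suffix List.

```javascript
// Added example: audit the cookies observed after a consumer has opted out and
// flag anything that should no longer be there. Input is the cookie list as
// shown in DevTools (name + domain) or exported from a scanner.
// KNOWN_COOKIES is a small constructed table of well-known names; replace it
// with your own scanner's categorisation. registrableDomain() is simplified.

const KNOWN_COOKIES = [
  { match: "_fbp",  prefix: false, category: "advertising", provider: "Meta Pixel",         thirdPartyData: true },
  { match: "_gcl_", prefix: true,  category: "advertising", provider: "Google Ads",         thirdPartyData: true },
  { match: "IDE",   prefix: false, category: "advertising", provider: "Google DoubleClick", thirdPartyData: true },
  { match: "_ga",   prefix: true,  category: "analytics",   provider: "Google Analytics",   thirdPartyData: true },
  { match: "_pk_",  prefix: true,  category: "analytics",   provider: "Matomo (self-hosted, assumed)", thirdPartyData: false },
  { match: "sessionid",    prefix: false, category: "necessary", provider: "site", thirdPartyData: false },
  { match: "csrftoken",    prefix: false, category: "necessary", provider: "site", thirdPartyData: false },
  { match: "ccpa_opt_out", prefix: false, category: "necessary", provider: "site", thirdPartyData: false },
];

// Reduce a host to its registrable domain so that shop.example.com and
// .example.com compare equal. Only a few two-level public suffixes are listed;
// a real audit should use the Public Suffix List.
function registrableDomain(host) {
  const labels = host.replace(/^\./, "").toLowerCase().split(".");
  const twoLevel = new Set(["co.uk", "com.au", "co.jp", "co.nz"]);
  const n = twoLevel.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// Party is decided by domain; category by the name table, falling back to an
// "unknown" bucket so unrecognised cookies are never silently passed.
function classifyCookie(cookie, pageHost) {
  const party = registrableDomain(cookie.domain) === registrableDomain(pageHost) ? "first-party" : "third-party";
  const hit = KNOWN_COOKIES.find(k => (k.prefix ? cookie.name.startsWith(k.match) : cookie.name === k.match));
  let category;
  if (hit) category = hit.category;
  else category = party === "third-party" ? "unknown-third-party" : "unknown-first-party";
  return {
    name: cookie.name, domain: cookie.domain, party, category,
    provider: hit ? hit.provider : null,
    thirdPartyData: hit ? hit.thirdPartyData : party === "third-party",
  };
}

// After opt-out:
//  - advertising cookies and unknown third-party cookies are violations of the
//    stored preference (a sharing tag is still firing);
//  - analytics cookies whose data goes to a third party are flagged for review,
//    in line with the guide's advice on Google Analytics;
//  - everything else passes.
function auditAfterOptOut(cookies, pageHost) {
  const classified = cookies.map(c => classifyCookie(c, pageHost));
  const violations = classified.filter(c => c.category === "advertising" || c.category === "unknown-third-party");
  const review = classified.filter(c => c.category === "analytics" && c.thirdPartyData);
  const counts = {};
  for (const c of classified) counts[c.category] = (counts[c.category] || 0) + 1;
  return { classified, violations, review, counts, passed: violations.length === 0 };
}

// Constructed sample: what the cookie jar might look like after opt-out on a
// site where a forgotten plugin still loads the Meta Pixel and a DoubleClick tag.
const SAMPLE_AFTER_OPT_OUT = [
  { name: "sessionid",    domain: "shop.example.com" },
  { name: "ccpa_opt_out", domain: ".example.com" },
  { name: "_ga_ABC123",   domain: ".example.com" },
  { name: "_fbp",         domain: ".example.com" },
  { name: "IDE",          domain: ".doubleclick.net" },
];

function sampleReport() {
  return auditAfterOptOut(SAMPLE_AFTER_OPT_OUT, "shop.example.com");
}

// Print a one-line verdict per cookie when run directly with Node.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const r = sampleReport();
  for (const c of r.classified) console.log(`${c.name.padEnd(14)} ${c.party.padEnd(12)} ${c.category}`);
  console.log(r.passed ? "PASS" : `FAIL: ${r.violations.map(v => v.name).join(", ")}`);
}
```

Run this against a cookie export taken in a GPC-enabled browser as well as after clicking the opt-out link, since the two paths are enforced by different code. A "first-party" verdict is not a clean bill of health on its own: _fbp above is set under your own domain yet still reports to a third party, which is why the category table, not the domain, drives the violation list.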

Frequently Asked Questions

Does the CCPA require cookie consent?

The CCPA does not require opt-in cookie consent the way GDPR does. Instead, it requires you to give California consumers the right to opt out of the sale or sharing of their personal information, which includes data collected through tracking cookies, pixels, and similar technologies. You can set cookies by default but must provide a clear opt-out mechanism.

What is the difference between CCPA and CPRA?

The CPRA (California Privacy Rights Act) amended and expanded the CCPA effective January 1, 2023. Key differences include a new category of sensitive personal information, expanded opt-out rights covering "sharing" of data for cross-context behavioral advertising (not just "selling"), a dedicated enforcement agency (the California Privacy Protection Agency), stricter penalties for violations involving minors' data, mandatory recognition of Global Privacy Control signals, and data minimization requirements.

Do I need a cookie banner for CCPA compliance?

If you use cookies that collect personal information for sale or sharing with third parties, you need a cookie banner or similar mechanism that includes a "Do Not Sell or Share My Personal Information" link. While the CCPA does not use the term "cookie banner," the practical requirements effectively mandate one for most commercial websites that use advertising or analytics cookies.

What cookies require opt-out under the CCPA?

Third-party advertising cookies, retargeting pixels, cross-site tracking cookies, and any cookies that share personal information with third parties for monetary or other valuable consideration require opt-out capabilities. First-party cookies used solely for your own operational purposes (session management, authentication, security) generally do not require an opt-out mechanism.

What are the penalties for CCPA cookie violations?

CCPA violations carry fines of $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General and the California Privacy Protection Agency. Violations involving minors' data are automatically treated as $7,500 per violation under the CPRA. Consumers can also sue for data breaches involving their personal information, with statutory damages of $100 to $750 per consumer per incident.

Does the CCPA apply to my website?

The CCPA applies to for-profit businesses that do business in California and meet at least one threshold: annual gross revenue over $25 million, buying/selling/sharing personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. Non-profit organizations and government agencies are exempt.

How does CCPA cookie consent differ from GDPR?

GDPR requires opt-in consent before setting any non-essential cookies: no cookies until the user clicks "Accept." The CCPA uses an opt-out model, meaning you can set cookies by default but must provide consumers the right to opt out of the sale or sharing of their data. For websites serving both jurisdictions, the standard practice is to apply GDPR's stricter opt-in for EU visitors and CCPA's opt-out for California visitors.

Do I need to honor Global Privacy Control under the CCPA?

Yes. Under the CPRA's implementing regulations, businesses must treat Global Privacy Control (GPC) signals as a valid opt-out request. When a consumer's browser sends a GPC signal, your website must stop selling or sharing that consumer's personal information. The $1.2 million Sephora settlement specifically cited failure to honor GPC signals as a violation.


Ready to make your website CCPA-compliant? Cookie Banner makes it simple with a free plan that includes CCPA and CPRA compliance, GPC signal detection, and automatic cookie blocking. Set up your compliant cookie banner in minutes.


