Tags: CPRA, CCPA, California, Privacy Law, Cookie Consent, Cookie Banner, Compliance

CPRA Cookie Requirements: What Businesses Need to Know in 2026

What are CPRA cookie requirements? Complete guide to California Privacy Rights Act cookie consent, Do Not Sell or Share, sensitive data rules, and fines up to $7,500 per violation.


Direct Answer: The California Privacy Rights Act (CPRA) requires businesses to honor "Do Not Sell or Share" opt-out requests for cookie-based tracking (including requests sent automatically by the Global Privacy Control browser signal), honor "Limit the Use of My Sensitive Personal Information" requests, obtain opt-in consent before selling or sharing the personal information of consumers under 16, and give clear notice about cookie usage at or before the point of collection. Unlike the GDPR, the CPRA uses an opt-out model for most cookies, but violations carry administrative fines of up to $2,500 per violation, or $7,500 per intentional violation or violation involving a minor's data, enforced by the California Privacy Protection Agency (CPPA).





What Is the CPRA and How Does It Affect Cookies?

The California Privacy Rights Act (CPRA), also known as Proposition 24, amended and expanded the California Consumer Privacy Act (CCPA). Voters approved it in November 2020, and its substantive provisions took effect on January 1, 2023, with enforcement beginning July 1, 2023. The CPRA applies to personal information collected on or after January 1, 2022.

For businesses that use cookies, the CPRA introduced several critical changes. It expanded consumer opt-out rights to cover "sharing" of personal information (not just selling), created a new category of "sensitive personal information" that requires heightened protections, and established the California Privacy Protection Agency (CPPA) — the first dedicated state privacy enforcement body in the United States.

If your website uses analytics cookies, advertising pixels, or any tracking technology that collects data from California consumers, CPRA cookie compliance is not optional. California has nearly 39 million residents and represents the world's fifth-largest economy, making it virtually impossible for online businesses to ignore.


CCPA vs CPRA: What Changed for Cookies?

Understanding the differences between the CCPA and CPRA is essential for CPRA cookie compliance. Here is a side-by-side comparison of the key changes that affect cookie usage:

| Feature | CCPA (Original) | CPRA (Amended) |
|---------|-----------------|----------------|
| Opt-out scope | "Do Not Sell" only | "Do Not Sell or Share" |
| Sensitive data | No special category | New "Sensitive Personal Information" category with a consumer right to limit its use and disclosure |
| Enforcement body | California Attorney General | California Privacy Protection Agency (CPPA) + AG |
| Cure period | Mandatory 30-day cure period before penalties | No automatic cure period (cure is at the regulator's discretion) |
| Data minimization | No requirement | Collection, use and retention must be "reasonably necessary and proportionate" to the disclosed purpose |
| Consumer threshold | 50,000 consumers, households or devices | 100,000 consumers or households (devices removed) |
| Revenue threshold | $25 million | $25 million (unchanged; the CPPA adjusts the figure for inflation) |
| Cookie-based sharing | Not explicitly covered | Cross-context behavioral advertising covered |

What Does "Share" Mean Under the CPRA?

The CPRA added "sharing" as a distinct concept from "selling." Under the law, sharing means making personal information available to a third party for cross-context behavioral advertising — even if no money changes hands.

This is a game-changer for cookies. When your website loads a Facebook Pixel, Google Ads tag, or any third-party advertising cookie, you are likely sharing personal information under the CPRA, even though you are not technically selling it. This means the "Do Not Sell or Share" opt-out right applies to virtually all advertising and retargeting cookies.

For a deeper dive into the original CCPA requirements, see our CCPA cookie compliance guide.


How Does the CPRA Define Sensitive Personal Information?

One of the most significant CPRA cookie requirements involves sensitive personal information (SPI). This is a new category that did not exist under the original CCPA, and it carries its own consumer right: the right to limit how the business uses and discloses that data.

Sensitive personal information under the CPRA includes:

  • Government identifiers — Social Security numbers, driver's license numbers, passport numbers
  • Financial data — Account log-in, financial account, debit card or credit card number combined with any required security or access code, password or credential that allows access to the account
  • Precise geolocation — Location data accurate to within 1,850 feet (approximately one-third of a mile)
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Contents of private communications — Mail, email, or text messages (unless the business is the intended recipient)
  • Genetic data
  • Biometric data used for identification purposes
  • Health information
  • Sex life or sexual orientation

How Does This Affect Cookies?

Cookies that collect sensitive personal information trigger the consumer's right to limit. Once a consumer asks you to limit the use of their SPI, you may use or disclose it only for the purposes the CPPA regulations permit (broadly, delivering the service the consumer asked for, security and fraud prevention, and similar internal operations) and not for inferring characteristics about the consumer or for cross-context behavioral advertising. In practice, the most common cookie-related SPI scenario involves precise geolocation tracking. If your website uses cookies or JavaScript that capture location data accurate to within a 1,850-foot radius, that qualifies as sensitive personal information.

Additionally, if cookies on your site enable the collection of browsing data that reveals religious beliefs, health conditions, or sexual orientation, even through inference, you may be handling SPI. For example, a health-related website whose cookies track which condition-specific pages a user visits could be collecting SPI.

Key Point: Businesses must display a "Limit the Use of My Sensitive Personal Information" link if they use or disclose SPI collected through cookies (or any other means) for purposes beyond those the regulations exempt. The right to limit is an opt-out style right, not an opt-in; the CPRA's only opt-in requirement is for selling or sharing the personal information of consumers under 16. A business that collects SPI solely for exempt purposes does not need the link, but it should be able to show from its cookie audit why each SPI-collecting cookie falls within an exemption.


How Does CPRA Cookie Consent Work?

CPRA cookie consent operates differently from European regulations like the GDPR. Here is how the consent model works:

Opt-Out Model for Standard Cookies

For most cookies — including analytics and advertising — the CPRA uses an opt-out model. This means you can set these cookies by default, but you must:

  1. Inform consumers what personal information you collect and why
  2. Provide a clear opt-out mechanism (the "Do Not Sell or Share" link)
  3. Honor opt-out requests within 15 business days
  4. Respect Global Privacy Control (GPC) browser signals as valid opt-out requests

The CPRA and the CPPA regulations require businesses to treat the Global Privacy Control (GPC) signal as a valid opt-out request. Browsers and extensions that implement GPC send it as a `Sec-GPC: 1` request header and expose it to page scripts as `navigator.globalPrivacyControl`; either form must be honored. If a consumer's browser sends the signal, your website must stop selling or sharing their personal information through cookies automatically, without requiring any additional action from the consumer. If the signal conflicts with a choice the consumer made earlier on your site (for example, they clicked "accept" in your banner), the regulations say you process the opt-out and may notify the consumer of the conflict.

Right to Limit for Sensitive Personal Information

For cookies that collect sensitive personal information, the CPRA adds a second opt-out style right: the right to limit use and disclosure. You may collect SPI through cookies, but once a consumer exercises this right through the "Limit the Use of My Sensitive Personal Information" link, you must confine your use of the SPI to the purposes the regulations exempt and must not use it to infer characteristics about the consumer or for cross-context behavioral advertising. The CPRA does not impose a general opt-in requirement for SPI; the opt-in described next, for minors, is the only one.

Opt-In for Minors

The CPRA strengthened protections for minors. Businesses must obtain:

  • Opt-in consent from parents or guardians for consumers under 13
  • Opt-in consent directly from the consumer for those aged 13-15

These opt-in requirements apply to selling or sharing personal information through cookies. The CPRA also set the maximum fine for violations involving the personal information of consumers under 16 at $7,500 per violation whether or not the violation was intentional, three times the $2,500 maximum for an unintentional violation.


Do Not Sell or Share: What Website Owners Must Know

The "Do Not Sell or Share My Personal Information" requirement is central to CPRA cookie compliance. Here is what it means in practice for your website:

What Triggers the Requirement?

If your website uses any of the following, you are likely "selling" or "sharing" personal information and must provide the opt-out link:

  • Google Analytics with advertising features enabled
  • Facebook/Meta Pixel or Conversions API
  • Google Ads remarketing or conversion tracking
  • LinkedIn Insight Tag
  • TikTok Pixel
  • Any third-party advertising cookie that enables cross-context behavioral advertising

Under the CPRA and the regulations adopted by the CPPA, your website must include:

  • A "Do Not Sell or Share My Personal Information" link on your internet homepage(s) and in your privacy policy; a persistent footer link on every page is the usual way to satisfy this
  • The link must be clearly visible and easy to find: a plain footer link is acceptable, but small, low-contrast text, or a link hidden behind a collapsed menu, is not
  • A "Limit the Use of My Sensitive Personal Information" link, if the right to limit applies to you
  • Alternatively, a single combined link titled "Your Privacy Choices" or "Your California Privacy Choices" that leads to both choices, accompanied by the CPPA's opt-out icon

What Happens After an Opt-Out?

Once a consumer opts out, you must:

  • Stop selling or sharing their personal information within 15 business days
  • Wait at least 12 months before asking the consumer to opt back in
  • Not discriminate against consumers who opt out (no higher prices, reduced service, or degraded experience)

Do You Need a CPRA Cookie Banner?

While the CPRA does not mandate a cookie consent banner in the same way the GDPR does, most businesses find that a well-designed CPRA cookie banner is the most practical way to meet multiple compliance obligations at once.

A CPRA cookie banner should include:

  1. Notice of data collection — What categories of personal information your cookies collect
  2. Purpose disclosure — Why you collect and use each category (analytics, advertising, personalization)
  3. "Do Not Sell or Share" option — A clear button or link for consumers to opt out
  4. "Limit the Use of My Sensitive Personal Information" option — If you use SPI collected through cookies for purposes the regulations do not exempt
  5. Link to your privacy policy — With full details on your cookie practices
  6. GPC signal support — Automatic detection and honoring of the Global Privacy Control signal

Best Practices for a CPRA Cookie Banner

To build a CPRA cookie banner that satisfies the law without frustrating users:

  • Do not use dark patterns — The CPPA regulations define dark patterns and treat agreement obtained through them as invalid consent. Making the "accept" button large and colorful while making the opt-out link small and gray can result in enforcement action.
  • Make opt-out equally accessible — The regulations call this "symmetry in choice": the path to opt out must require no more steps than the path to opt in, so a one-click "Accept all" needs a one-click "Reject all" beside it.
  • Use plain language — Avoid legal jargon. Explain what cookies do in terms consumers understand.
  • Support mobile users — Your banner must be fully functional on mobile devices.
  • Record consent choices — Maintain logs of when consumers opted in or out, and what version of your notice was displayed.
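The GPC handling described in the consent model section and the consent records this list calls for, as an added example written for this article rather than code from the page or from any consent management product. It treats a `Sec-GPC: 1` header or `navigator.globalPrivacyControl === true` as an opt-out, lets a stored opt-out persist when the signal is absent, lets the signal override an earlier "accept" as the regulations require, withholds every tag that sells or shares in that state, writes a timestamped record carrying the notice version, and checks the 12-month rule before the site may ask an opted-out consumer to opt back in. The tag names, the notice version string, the in-memory log and the sample request are hypothetical; in a real deployment the inputs come from the request headers or the browser and the log goes to durable storage.

```javascript
// Added example for this article (not code from the page or any CMP vendor).
// Hypothetical: tag names, notice version, in-memory log, constructed request.

const NOTICE_VERSION = "2026-01-privacy-notice-v3"; // hypothetical version id

// Which tags "sell or share" under the CPRA (cross-context behavioral
// advertising) and which are strictly necessary first-party functionality.
const TAGS = {
  sessionCookie: { sellsOrShares: false },
  googleAnalyticsWithAds: { sellsOrShares: true },
  metaPixel: { sellsOrShares: true },
  tiktokPixel: { sellsOrShares: true },
};

// GPC arrives as the `Sec-GPC: 1` request header (server side) or as
// `navigator.globalPrivacyControl === true` (page scripts). Only the exact
// header value "1" means the signal is set; anything else counts as unset.
function gpcSignalPresent({ headers = {}, navigatorGpc } = {}) {
  const secGpc = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc",
  );
  if (secGpc && String(secGpc[1]).trim() === "1") return true;
  return navigatorGpc === true;
}

// Resolve the consumer's sale/share state. A GPC signal is itself a valid
// opt-out request, so it overrides an earlier "accept" clicked in the banner
// (the regulations say to process the opt-out and, optionally, tell the
// consumer about the conflict). An explicit opt-out made earlier persists
// even if the browser later stops sending the signal.
function resolveOptOut({ storedChoice = null, signal = false } = {}) {
  if (storedChoice && storedChoice.optedOut) {
    return { optedOut: true, source: storedChoice.source };
  }
  if (signal) return { optedOut: true, source: "gpc" };
  return { optedOut: false, source: storedChoice ? storedChoice.source : "default" };
}

// Tags the page may load under the resolved state. Opted-out consumers still
// get strictly necessary first-party cookies; everything that sells or
// shares is withheld.
function allowedTags(optedOut) {
  return Object.entries(TAGS)
    .filter(([, tag]) => !(optedOut && tag.sellsOrShares))
    .map(([name]) => name);
}

// Consent record: when the choice was made, which notice version the
// consumer saw, the resulting state and how it was expressed.
function recordChoice(log, { optedOut, source }, now = new Date()) {
  const entry = {
    at: now.toISOString(),
    noticeVersion: NOTICE_VERSION,
    optedOut,
    source,
  };
  log.push(entry);
  return entry;
}

// After an opt-out the business may not ask the consumer to opt back in for
// at least 12 months.
function mayRequestOptIn(lastOptOutAt, now = new Date()) {
  const earliest = new Date(lastOptOutAt);
  earliest.setUTCFullYear(earliest.getUTCFullYear() + 1);
  return now.getTime() >= earliest.getTime();
}

// End to end: one page request -> state, tags to load, and the audit entry.
function handlePageRequest(req, log, now = new Date()) {
  const signal = gpcSignalPresent(req);
  const state = resolveOptOut({ storedChoice: req.storedChoice, signal });
  return {
    ...state,
    tags: allowedTags(state.optedOut),
    record: recordChoice(log, state, now),
  };
}

// Constructed sample: a browser with GPC enabled whose user previously
// clicked "accept" in the banner. GPC wins and only the session cookie loads.
const demoLog = [];
const demo = handlePageRequest(
  {
    headers: { "Sec-GPC": "1", "User-Agent": "Mozilla/5.0 (constructed)" },
    storedChoice: { optedOut: false, source: "banner-accept" },
  },
  demoLog,
  new Date("2026-01-15T10:00:00Z"),
);
console.log(demo);
```

The same functions run in the browser with `headers` omitted and `navigatorGpc: navigator.globalPrivacyControl`, and on the server with the request's header map; checking the header server side matters because the decision about which third-party scripts to emit is then made before any tag has a chance to fire.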

Pro Tip: Using a cookie banner builder that handles CPRA compliance automatically saves significant development time and reduces the risk of enforcement action.


CPRA Enforcement and Penalties

CPRA fines are a serious financial risk. The law created the California Privacy Protection Agency (CPPA), the first dedicated state-level privacy enforcement body in the U.S., and gave it substantial enforcement powers.

What Are the CPRA Fine Amounts?

| Violation Type | Maximum Fine |
|----------------|--------------|
| Unintentional violation | $2,500 per violation |
| Intentional violation | $7,500 per violation |
| Violation involving a minor's data | $7,500 per violation |

These fines are assessed per violation, per consumer. A single misconfigured advertising cookie running on a high-traffic California website could expose a business to millions of dollars in cumulative penalties.

How Is the CPRA Enforced?

Key enforcement facts:

  • The CPPA has full administrative enforcement authority, including the power to investigate, audit, and impose fines
  • The California Attorney General retains concurrent enforcement authority
  • There is no automatic 30-day cure period — unlike under the original CCPA, businesses cannot count on fixing violations after receiving notice to avoid penalties; the CPPA may take cure efforts into account but is not required to
  • Consumers have a private right of action for data breaches involving nonencrypted and nonredacted personal information, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater

Recent Enforcement Activity

The CPPA has been active since beginning enforcement in 2023. It has conducted investigations into businesses' handling of opt-out requests, dark patterns in consent interfaces, and failure to honor Global Privacy Control signals. In 2024 the CPPA issued an enforcement advisory on avoiding dark patterns, stressing plain language and symmetry in choice in consent interfaces, which signaled that cookie banners are a priority enforcement area. Its first enforcement orders followed in 2025: American Honda Motor Co. agreed to a $632,500 penalty in a case that included an opt-out flow requiring more steps than opting in, and Todd Snyder, Inc. agreed to a $345,178 penalty after a misconfigured cookie consent banner failed to process opt-out requests for roughly 40 days. A consent management platform that is installed but not correctly wired to the tags it is supposed to control is now a documented enforcement risk, so test the opt-out end to end rather than trusting the banner's own status display.


CPRA Cookie Compliance Checklist

Use this checklist to verify your website meets CPRA cookie requirements:

Notice and Transparency

  • [ ] Privacy policy discloses all categories of personal information collected via cookies
  • [ ] Privacy policy explains the purposes for each cookie category
  • [ ] Privacy policy lists the categories of third parties with whom data is shared
  • [ ] "At or before the point of collection" notice is displayed
  • [ ] Privacy policy has been updated within the last 12 months

Opt-Out Rights

  • [ ] "Do Not Sell or Share My Personal Information" link is clearly visible
  • [ ] Opt-out mechanism is functional and processes requests within 15 business days
  • [ ] Website detects and honors Global Privacy Control (GPC) signals
  • [ ] Opted-out consumers are not asked to re-consent for at least 12 months
  • [ ] No dark patterns in the opt-out flow

Sensitive Personal Information

  • [ ] Audit completed to identify any cookies collecting SPI (especially precise geolocation)
  • [ ] "Limit the Use of My Sensitive Personal Information" link is displayed (if applicable)
  • [ ] Use of SPI collected via cookies is confined to exempt purposes once a consumer exercises the right to limit

Minors

  • [ ] If you have actual knowledge that consumers are under 16 (willfully disregarding their age counts as knowledge), no selling or sharing occurs before opt-in consent is obtained
  • [ ] Parental/guardian consent is obtained for consumers under 13
  • [ ] Direct opt-in consent is obtained from consumers aged 13-15

Technical Implementation

  • [ ] Cookie audit completed — all first-party and third-party cookies cataloged
  • [ ] Consent management platform (CMP) is configured for CPRA requirements
  • [ ] Advertising and tracking cookies are blocked for users who opt out
  • [ ] Consent records are stored with timestamps and policy versions
  • [ ] Cookie policy is accessible from every page (typically via footer link)

Start your audit: Use our free cookie scanner to identify every cookie on your website and check whether you are meeting CPRA cookie requirements.


Conclusion

CPRA cookie requirements represent a significant expansion of California privacy law. The addition of "sharing" to the opt-out right means virtually all advertising cookies are now covered. The new sensitive personal information category gives consumers a right to limit how SPI collected by cookies, such as precise geolocation, is used and disclosed. And the elimination of the automatic 30-day cure period, combined with fines of up to $7,500 per violation, makes non-compliance a genuine financial risk.

Key Takeaways:

  • The CPRA expanded "Do Not Sell" to "Do Not Sell or Share," covering cross-context behavioral advertising cookies
  • Sensitive personal information (including precise geolocation) carries a right to limit its use and disclosure; opt-in consent is required only for selling or sharing the personal information of consumers under 16
  • The Global Privacy Control (GPC) signal must be honored as a valid opt-out
  • Fines reach $7,500 per intentional violation with no cure period
  • The CPPA is actively enforcing cookie compliance, including dark pattern prohibitions

Next Steps:

  1. Run a free cookie scan to identify all cookies on your site
  2. Determine whether your cookies trigger "selling," "sharing," or SPI obligations
  3. Implement a compliant cookie banner with a cookie banner builder
  4. Add the required opt-out links to your homepage and collection pages
  5. Configure your site to detect and honor GPC signals

Frequently Asked Questions

What are the CPRA cookie requirements?

The CPRA requires businesses to honor "Do Not Sell or Share" opt-out requests for cookie-based data collection, honor requests to limit the use of sensitive personal information collected via cookies, obtain opt-in consent before selling or sharing the personal information of consumers under 16, and provide clear notice at or before the point of collection. Businesses must also detect and honor Global Privacy Control (GPC) browser signals as valid opt-out requests.

What is the difference between CCPA and CPRA for cookies?

The CPRA expanded the CCPA by adding "sharing" to the opt-out right, which covers cross-context behavioral advertising through cookies. It also created a new "sensitive personal information" category with a right to limit its use and disclosure, established the CPPA as a dedicated enforcement agency, removed the automatic 30-day cure period for violations, and introduced data minimization requirements that affect how businesses use cookies.

Do I need a cookie banner under the CPRA?

The CPRA does not mandate a cookie consent banner the way the GDPR does. However, you must provide a clearly visible "Do Not Sell or Share My Personal Information" link. If you use sensitive personal information collected by cookies for purposes the regulations do not exempt, you also need a "Limit the Use of My Sensitive Personal Information" link. A cookie banner is the most practical way to present these options to consumers and to honor GPC signals consistently.

What are the fines for CPRA violations?

CPRA fines reach $2,500 per unintentional violation and $7,500 per intentional violation or any violation involving a minor's data. The California Privacy Protection Agency can enforce these penalties without offering a 30-day cure period. Because fines are assessed per violation per consumer, a single non-compliant cookie on a high-traffic site can generate substantial cumulative liability.

Does the CPRA apply to my business?

The CPRA applies to for-profit businesses that collect California consumers' personal information and meet at least one of three thresholds: annual gross revenue exceeding $25 million (a figure the CPPA adjusts for inflation), buying, selling, or sharing the personal information of 100,000 or more California consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing consumer personal information.

What counts as sensitive personal information under the CPRA?

Sensitive personal information under the CPRA includes government identifiers (Social Security numbers, driver's license numbers, passport numbers), financial account numbers or log-in credentials combined with the code or password that allows access, precise geolocation data (within a 1,850-foot radius), racial or ethnic origin, religious beliefs, union membership, contents of private communications, genetic data, biometric data processed to identify a consumer, health information, and sex life or sexual orientation. Cookies collecting any of these categories trigger the consumer's right to limit use and disclosure, and the business must display a "Limit the Use of My Sensitive Personal Information" link if it uses the data for non-exempt purposes.

