California Privacy Law

CCPA/CPRA Cookie Compliance Guide

Complete compliance guide for California businesses. Learn CCPA/CPRA cookie requirements, "Do Not Sell" implementation, and consumer rights management.

What is CCPA/CPRA?

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) - California's comprehensive privacy laws

CCPA (California Consumer Privacy Act)

Effective January 1, 2020
  • Applies to businesses that collect California residents' personal information
  • Requires disclosure of data collection and use practices
  • Grants consumers right to know, delete, and opt-out of sale
  • Requires "Do Not Sell My Personal Information" link

CPRA (California Privacy Rights Act)

Effective January 1, 2023
  • Expands CCPA with additional consumer rights
  • Adds right to correct inaccurate personal information
  • Introduces right to limit use of sensitive personal information
  • Creates California Privacy Protection Agency (CPPA)

Who Must Comply?

Business Requirements (Any of the following)

  • Annual gross revenues > $25 million
  • Buys/sells/shares personal information of 100,000+ consumers
  • Derives 50%+ of annual revenue from selling personal information

Cookie-Specific Requirements

  • Collects personal information through cookies
  • Uses cookies for advertising/targeting
  • Shares cookie data with third parties
  • Sells personal information obtained through cookies

Consumer Rights Under CCPA/CPRA

Understanding the rights California consumers have regarding their personal information

Right to Know

Consumers have the right to know what personal information is collected, used, shared, or sold.

Right to Delete

Consumers can request deletion of their personal information, subject to certain exceptions.

Right to Opt-Out

Consumers can opt-out of the sale or sharing of their personal information.

Right to Correct

Consumers can request correction of inaccurate personal information (CPRA addition).

Right to Limit Sensitive Information

Consumers can limit the use of sensitive personal information (CPRA addition).

Right to Non-Discrimination

Businesses cannot discriminate against consumers who exercise their privacy rights.

"Do Not Sell My Personal Information" Requirements

Critical compliance requirements for businesses that sell or share personal information

What Constitutes "Sale" Under CCPA?

Sale Includes

  • Exchanging personal information for monetary consideration
  • Sharing data with third parties for advertising
  • Allowing third parties to collect data on your site
  • Data sharing for cross-context behavioral advertising

Not Considered Sale

  • Sharing with service providers under contract
  • Sharing with affiliates under common control
  • Disclosure required by law
  • Business transfers (mergers, acquisitions)

1. "Do Not Sell" Link Requirements

  • Must be prominently displayed on your website homepage
  • Link text must include "Do Not Sell My Personal Information" or "Do Not Sell or Share My Personal Information"
  • Must be accessible from all pages where personal information is collected
  • Cannot be hidden in privacy policy or footer
  • Must be easily accessible on mobile devices

2. Opt-Out Mechanism Requirements

  • Must provide at least two methods for consumers to opt-out
  • One method must be a toll-free phone number
  • Alternative methods include webform, email, or postal mail
  • Must honor opt-out requests within 15 business days
  • Cannot require consumers to create an account to opt-out

3. Cookie-Specific Considerations

  • Third-party cookies used for advertising likely constitute "sale"
  • Analytics cookies shared with third parties may be "sale"
  • Social media widgets that track users may be "sale"
  • Consider implementing Global Privacy Control (GPC) signals
  • Cookie banners should include opt-out options

CCPA/CPRA Cookie Implementation Guide

Step-by-step guide to implementing CCPA/CPRA-compliant cookie consent

1. Assess Your Data Practices

Determine if CCPA/CPRA applies to your business:

  • Calculate annual revenue and data collection thresholds
  • Identify all personal information collected through cookies
  • Determine if you "sell" or "share" personal information
  • Map data flows to third parties

2. Update Privacy Policy

Enhance your privacy policy with CCPA/CPRA required disclosures:

  • Categories of personal information collected
  • Sources of personal information
  • Business or commercial purposes for collection
  • Categories of third parties with whom information is shared
  • Consumer rights and how to exercise them

3. Implement Opt-Out Mechanisms

Set up required opt-out mechanisms:

  • Add "Do Not Sell" link to website homepage
  • Implement opt-out webform or other methods
  • Provide toll-free phone number for opt-outs
  • Process opt-out requests within 15 business days
  • Implement Global Privacy Control (GPC) support

4. Cookie Consent Management

Implement cookie consent that supports CCPA/CPRA rights:

  • Provide granular opt-out options for cookie categories
  • Honor opt-out requests immediately
  • Block third-party cookies when opt-out is exercised
  • Maintain records of consumer choices
  • Provide easy access to change preferences
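
One way to apply the opt-out items in steps 3 and 4 on the server, as an added example that is not part of the original guide or any vendor's code: it treats a `Sec-GPC: 1` request header or a stored banner choice as an opt-out and filters the tags the page may load. The tag inventory, the category names and the choice of which categories count as sale or sharing are assumptions made for illustration.

```javascript
// Assumption: these cookie categories are the ones treated as "sale"/"sharing".
const SALE_CATEGORIES = new Set(["advertising", "social"]);

// Constructed sample tag inventory (hypothetical tag ids).
const TAGS = [
  { id: "session", category: "essential", thirdParty: false },
  { id: "ads-pixel", category: "advertising", thirdParty: true },
  { id: "share-widget", category: "social", thirdParty: true },
  { id: "analytics", category: "analytics", thirdParty: true },
];

// GPC is sent as the request header "Sec-GPC: 1"; match the name case-insensitively.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// prefs: { optedOut: boolean, blockedCategories: string[] } saved from the banner, or null.
// A GPC signal or an explicit opt-out blocks every sale/share category at once;
// granular per-category choices are honoured on top of that.
function resolveOptOut(headers, prefs) {
  const gpc = hasGpcSignal(headers);
  const explicit = Boolean(prefs && prefs.optedOut);
  const blocked = new Set(prefs ? prefs.blockedCategories || [] : []);
  if (gpc || explicit) for (const c of SALE_CATEGORIES) blocked.add(c);
  const source = gpc ? "gpc" : explicit ? "banner" : "none";
  return { optedOut: gpc || explicit, source, blocked };
}

// Ids of the tags that may still be emitted into the page for this request.
function allowedTags(tags, decision) {
  return tags.filter((t) => !decision.blocked.has(t.category)).map((t) => t.id);
}

// Record of the consumer's choice, suitable for an append-only audit log.
function choiceRecord(decision, now = new Date()) {
  return {
    at: now.toISOString(),
    optedOut: decision.optedOut,
    source: decision.source,
    blocked: [...decision.blocked].sort(),
  };
}
```

Because the decision is made per request before any tag is written into the page, the opt-out takes effect on the first response rather than after a client-side script has loaded.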

CCPA/CPRA Penalties and Enforcement

Understanding the consequences of non-compliance

Penalties

Intentional Violations

Up to $7,500 per violation

For intentional violations of CCPA

Unintentional Violations

Up to $2,500 per violation

For unintentional violations of CCPA

CPRA Violations

Up to $7,500 per violation

For violations involving minors under 16

Enforcement

  • California Attorney General enforcement
  • California Privacy Protection Agency (CPPA) enforcement
  • Private right of action for data breaches
  • 30-day cure period before penalties
  • Regular enforcement actions and settlements
