CCPA Cookie Compliance: Complete Requirements Guide (2026)
Everything you need to know about CCPA cookie requirements, opt-out obligations, GPC signals, and how to implement compliance. Includes step-by-step guide, enforcement examples, and a comparison with GDPR and PIPEDA.
What Is CCPA?
The California Consumer Privacy Act (CCPA) is a state privacy law that gives California residents control over their personal information. It took effect on January 1, 2020, and was significantly amended by the California Privacy Rights Act (CPRA), which voters approved in November 2020. The CPRA amendments became enforceable on January 1, 2023.
CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds: annual gross revenue exceeding $25 million, buying, selling, or sharing the personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information.
For websites, CCPA is primarily relevant because cookies and tracking technologies collect personal information as defined by the law. Unlike GDPR, CCPA does not require opt-in consent before cookies load. Instead, it mandates that businesses provide consumers the right to opt out of the sale and sharing of their data — which has direct implications for how you configure advertising and analytics cookies on your site.
How CCPA Defines Personal Information Collected by Cookies
CCPA defines personal information broadly as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Cal. Civ. Code §1798.140(v)). This definition captures most data that cookies collect:
- Unique identifiers and device IDs stored in cookies, including advertising IDs and tracking pixels
- IP addresses logged by analytics and advertising scripts
- Browsing history and interaction data — pages visited, time on site, and click paths
- Geolocation data inferred from IP addresses or collected directly
- Internet activity information, including search queries, referral sources, and content interactions
- Inferences drawn from the above to create consumer profiles, such as purchasing preferences or behavioral segments
Cookies that collect only aggregated, de-identified data that cannot reasonably be linked back to a specific consumer are not considered personal information under CCPA. However, the threshold for “reasonably linkable” is low — if a cookie stores any unique identifier that could be combined with other data to identify a user, CCPA treats that data as personal information. In practice, nearly all third-party advertising cookies and most analytics cookies fall within scope.
CCPA Cookie Categories: What Needs Opt-Out?
How CCPA applies depends on each cookie's purpose and whether it involves selling or sharing personal information with third parties.
Strictly Necessary
No opt-out required. Session management, shopping cart, security token, and load balancing cookies do not involve selling or sharing personal information. These are permitted without any opt-out requirement but should still be disclosed in your privacy policy.
Analytics
May require opt-out. First-party analytics cookies typically do not constitute a sale. However, if you use a third-party analytics service such as Google Analytics and the service uses the data for its own purposes (improving its products, serving ads), this may qualify as "sharing" under CPRA.
Advertising & Remarketing
Opt-out required. Google Ads, Meta Pixel, LinkedIn Insight Tag, and similar cookies send user data to ad platforms for cross-context behavioral advertising. This falls squarely within CCPA's definition of "sharing" and requires a clear opt-out option.
Social Media
Opt-out required. Embedded social widgets and share buttons from Facebook, X (Twitter), or LinkedIn place cookies that track behavior across sites. When data is sent back to the platform for ad targeting or profiling, users must be able to opt out.
CPRA Amendments: What Changed for Cookies in 2023
The California Privacy Rights Act (CPRA) amended CCPA with several changes that directly affect how websites handle cookies. These amendments took effect on January 1, 2023, and are enforced by the newly created California Privacy Protection Agency (CPPA).
"Sharing" is now regulated alongside "selling"
Before CPRA, CCPA only covered the "sale" of personal information, which required monetary or other valuable consideration. CPRA added the concept of "sharing," defined as transferring personal information to a third party for cross-context behavioral advertising. This means advertising cookies that send data to ad networks are now covered even if no money changes hands.
Sensitive personal information gets special treatment
CPRA introduced a new category of "sensitive personal information" that includes precise geolocation, racial or ethnic origin, and other data. If cookies collect sensitive personal information, you must provide a separate "Limit the Use of My Sensitive Personal Information" link.
GPC is legally recognized
The CPRA regulations (11 CCR §7025) confirm that businesses must treat GPC browser signals as valid requests to opt out of the sale and sharing of personal information.
New enforcement agency
The California Privacy Protection Agency (CPPA) now shares enforcement authority with the Attorney General, creating a dedicated privacy regulator with rulemaking power. The CPPA has been actively issuing enforcement actions since 2023.
What Does CCPA Require for Cookies?
The California Consumer Privacy Act (CCPA), as amended by CPRA, focuses on giving consumers control over the sale and sharing of their personal information — including data collected through cookies.
"Do Not Sell or Share My Personal Information" link
If you sell or share personal information (including through advertising cookies), you must display a prominent opt-out link on your homepage and every page where data is collected.
Opt-out model, not opt-in
Unlike GDPR, CCPA allows cookies to load by default. However, users must be able to opt out of the sale or sharing of their personal information at any time, and you must honor that choice immediately.
Honor Global Privacy Control (GPC) signals
California law requires businesses to treat a GPC browser signal as a valid opt-out request. If a user has GPC enabled, you must stop selling or sharing their data without requiring any additional action.
Privacy policy disclosures
Your privacy policy must list the categories of personal information collected, the purposes for collection, the categories of third parties you share data with, and specific information about cookie usage.
Right to know and right to delete
Consumers can request to know what personal information you have collected about them (including through cookies) and can request that you delete it. You must respond within 45 days.
No discrimination for exercising rights
You cannot deny goods or services, charge different prices, or provide a different quality of service to users who exercise their CCPA rights, including opting out of cookie tracking.
Do You Need a Cookie Banner for CCPA?
It depends on how you use cookies.
CCPA does not require a traditional cookie consent banner like GDPR does. Cookies can load by default. However, if any of your cookies involve selling or sharing personal information with third parties (which advertising and remarketing cookies almost always do), you must provide opt-out controls. A cookie banner with a “Do Not Sell or Share” option is the most straightforward way to do this.
Since many websites serve both EU and California visitors, a single cookie banner that handles both GDPR (opt-in) and CCPA (opt-out) is the practical approach. Our banner detects visitor location and applies the correct consent model automatically.
CCPA applies to your business if...
- You are a for-profit business that collects California residents' personal information
- Your annual gross revenue exceeds $25 million
- You buy, sell, or share personal information of 100,000+ consumers or devices annually
- You derive 50% or more of annual revenue from selling or sharing personal information
Once the first condition is met, you only need to meet one of the three thresholds (revenue, data volume, or revenue share) for CCPA to apply.
CCPA vs GDPR vs PIPEDA: Cookie Consent Compared
How the three major privacy laws differ in their approach to cookie consent.
| Requirement | CCPA/CPRA | GDPR | PIPEDA |
|---|---|---|---|
| Consent Model | Opt-out (cookies load by default) | Opt-in (no cookies until consent) | Meaningful consent (opt-in for tracking) |
| Cookie Banner Required? | No, but "Do Not Sell" link required | Yes, effectively mandatory | Yes, for non-essential cookies |
| Who It Applies To | For-profit businesses meeting thresholds | Any org processing EU residents' data | Private-sector orgs in Canada |
| GPC/Browser Signals | Legally required to honor | No equivalent requirement | Not addressed |
| Max Penalties | $7,500 per intentional violation | €20M or 4% of global revenue | Up to $100,000 per violation |
For websites with visitors from multiple jurisdictions, the practical approach is a geo-aware cookie banner that applies the correct standard to each visitor based on their location.
How to Implement CCPA Cookie Compliance: Step-by-Step
Follow these 8 steps to bring your website into full CCPA cookie compliance.
Audit your cookies
Use a cookie scanning tool to identify every cookie and tracker on your site. Document the name, provider, purpose, duration, and data collected for each one. Classify each cookie as strictly necessary, analytics, advertising, or social media.
Determine if you "sell" or "share" personal information
Review each third-party cookie and script. If data flows to a third party that uses it for its own purposes — such as ad targeting, profiling, or product improvement — this likely constitutes selling or sharing under CCPA. Common examples include Google Ads, Meta Pixel, TikTok Pixel, and LinkedIn Insight Tag.
Add "Do Not Sell or Share" link
Place this link prominently on your homepage footer and on every page where personal information is collected. Under CPRA, this must be a clear, conspicuous link — not buried in your privacy policy. If you collect sensitive personal information through cookies (such as precise geolocation), also add a "Limit the Use of My Sensitive Personal Information" link.
Implement GPC detection
Add code to detect the Global Privacy Control signal (navigator.globalPrivacyControl in JavaScript). When GPC is detected, automatically suppress all cookies that involve selling or sharing personal information. Do not prompt GPC users to take additional action.
Build opt-out functionality
When a user clicks the "Do Not Sell or Share" link, immediately stop all advertising and tracking cookies from firing. Remove any existing third-party cookies. Do not reload the page. Save the user's opt-out preference so it persists across sessions.
Update your privacy policy
Disclose all categories of personal information collected through cookies, the business purposes for each category, the categories of third parties receiving the data, and the consumer's right to opt out. CCPA requires this disclosure to be updated at least once every 12 months.
Set up consumer request handling
Create a process for responding to "right to know" and "right to delete" requests related to cookie data. You must respond within 45 days. Verify the identity of the requesting consumer before disclosing any data.
Test with California IP addresses
Verify that your opt-out mechanism works correctly for visitors with California IP addresses. Test GPC detection in browsers that send GPC by default (Brave, DuckDuckGo, Firefox with the GPC extension). Confirm that opted-out users do not have advertising cookies reloaded on subsequent visits.
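The GPC detection, opt-out and persistence steps above, combined into one client-side module. This is an added example, not code from the original guide or from the banner product it describes. The storage key, the list of "sharing" cookie names, and the injectable `env` object (a stand-in for `navigator`, `localStorage`, `document` and `location` so the logic can also run outside a browser) are assumptions made for the example; a real deployment would take the cookie list from the audit in step 1.

```javascript
// Added example: CCPA opt-out decision for cookies that "sell or share"
// personal information. Three rules, matching the steps in the guide:
//  1. A Global Privacy Control signal (navigator.globalPrivacyControl === true)
//     is an opt-out with no further user action required.
//  2. A stored opt-out preference persists across sessions.
//  3. Clicking "Do Not Sell or Share" opts out immediately and expires the
//     existing sharing cookies, without reloading the page.
// OPT_OUT_KEY, SHARING_COOKIES and the `env` shape are assumptions for this example.

const OPT_OUT_KEY = 'ccpa_opt_out'; // storage key, assumed

// Cookie names assumed to belong to advertising / social trackers.
const SHARING_COOKIES = ['_gcl_au', '_fbp', 'li_fat_id'];

// Decide whether "sell or share" cookies may load on this page view.
// `env` = { navigator, storage, document, location } so the decision is
// testable without a browser.
function resolveOptOut(env) {
  const gpc = Boolean(env.navigator) && env.navigator.globalPrivacyControl === true;
  const stored = env.storage.getItem(OPT_OUT_KEY) === '1';
  const optedOut = gpc || stored;
  return {
    optedOut,
    reason: gpc ? 'gpc' : stored ? 'stored-preference' : 'none',
    allowSharingCookies: !optedOut,
  };
}

// Build the Set-Cookie strings that expire each sharing cookie present in
// `cookieHeader` (the document.cookie string). Trackers often set cookies on
// the registrable domain rather than the host, so both variants are emitted.
function expireSharingCookies(cookieHeader, hostname) {
  const present = new Set(
    cookieHeader.split(';').map(c => c.trim().split('=')[0]).filter(Boolean)
  );
  const expiry = 'expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
  const out = [];
  for (const name of SHARING_COOKIES) {
    if (!present.has(name)) continue;
    out.push(`${name}=; ${expiry}`);
    const parts = hostname.split('.');
    if (parts.length > 2) {
      out.push(`${name}=; ${expiry}; domain=.${parts.slice(-2).join('.')}`);
    }
  }
  return out;
}

// Handler for the "Do Not Sell or Share" link: persist the choice, expire
// existing sharing cookies, and return without any page reload.
function handleOptOutClick(env) {
  env.storage.setItem(OPT_OUT_KEY, '1');
  const expirations = expireSharingCookies(env.document.cookie, env.location.hostname);
  for (const c of expirations) env.document.cookie = c; // each assignment expires one cookie
  return { optedOut: true, cleared: expirations.length };
}

// Gate the vendor tag loader on the decision: inject ad/social tags only when
// the visitor has not opted out via GPC or a stored preference.
function loadSharingTrackers(env, injectTag) {
  const decision = resolveOptOut(env);
  if (decision.allowSharingCookies) injectTag();
  return decision;
}

// In a browser, run against the real globals on page load.
if (typeof window !== 'undefined') {
  const env = { navigator, storage: localStorage, document, location };
  loadSharingTrackers(env, () => { /* append the vendor script tags here */ });
  const link = document.querySelector('a[data-ccpa-opt-out]');
  if (link) link.addEventListener('click', e => { e.preventDefault(); handleOptOutClick(env); });
}
```

Two points worth noting: GPC is checked before the stored preference, so a visitor who has GPC enabled is opted out even on a first visit with nothing in storage, which is what step 4 requires; and the expiry strings only cover the host and its parent domain, so a cookie set on some other domain by a third-party script cannot be cleared from first-party JavaScript at all, which is why the gating in `loadSharingTrackers` (never loading the tag) matters more than the clean-up.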
CCPA Enforcement: Fines and Real Examples
CCPA enforcement is real and accelerating. The California Attorney General began enforcement on July 1, 2020, and the California Privacy Protection Agency (CPPA) joined enforcement efforts in 2023.
Sephora (2022) — $1.2 million
Failed to disclose it was selling consumer personal information through third-party advertising cookies, failed to honor GPC opt-out signals, and did not provide a "Do Not Sell" link. This was the first public CCPA enforcement action specifically involving cookies and online tracking.
DoorDash (2024) — $375,000
Shared consumer personal information with a marketing cooperative without providing opt-out rights, directly implicating cookie and tracking data shared with third-party advertising partners.
Penalty calculations escalate quickly
At $7,500 per intentional violation per consumer, a website with 10,000 California visitors who were denied opt-out rights faces theoretical exposure of $75 million. While actual settlements are negotiated below maximums, the per-consumer calculation gives the AG and CPPA significant leverage. Private individuals can also sue under CCPA Section 1798.150 if a data breach occurs, with statutory damages of $100 to $750 per consumer per incident.
Service Providers vs Third Parties: Why It Matters for Cookies
CCPA draws a critical legal distinction between “service providers” and “third parties,” and the classification of your cookie vendors determines your opt-out obligations.
A service provider processes personal information on your behalf, under a written contract that prohibits them from using the data for their own purposes. If a cookie vendor qualifies as a service provider, sharing data with them is not a “sale” or “share” under CCPA, and you do not need to offer an opt-out for that specific cookie.
A third party receives personal information and can use it for their own commercial purposes — building advertising profiles, improving their own products, or reselling the data. Sharing data with a third party triggers CCPA's opt-out requirements.
In practice: Google Analytics in its default configuration may qualify as a third party because Google uses the data to improve its own services. Most advertising platforms (Google Ads, Meta, programmatic ad exchanges) operate as third parties. Review your contracts with every cookie vendor — if the contract does not explicitly restrict the vendor from using data for its own purposes, CCPA treats that vendor as a third party.
How Our Banner Handles CCPA Cookie Compliance
Our banner automatically applies the correct consent model for California visitors.
"Do Not Sell" opt-out built in
California visitors see a clear opt-out option for the sale and sharing of their personal information, satisfying the core CCPA requirement.
GPC signal detection
Our banner detects Global Privacy Control signals from the browser and automatically treats them as valid opt-out requests.
Geo-aware consent model
California visitors get the CCPA opt-out model. EU visitors get GDPR opt-in. Canadian visitors get PIPEDA meaningful consent. One banner, correct behavior everywhere.
Immediate opt-out enforcement
When a user opts out, advertising and tracking cookies stop immediately. No page reload required.
Persistent preferences
Opt-out choices are saved and respected across sessions. Users are not re-prompted on every visit.
Consent records for audits
All opt-out decisions are logged with timestamps, supporting your compliance documentation if the CPPA or AG requests it.
Get CCPA Cookie Compliance Today
Our banner handles CCPA cookie requirements automatically — “Do Not Sell” link, GPC support, geo-aware consent, and audit-ready consent logs. Scan your site for free to see what cookies you have, then build your compliant banner in minutes.