The California Consumer Privacy Act does not require you to ask permission before setting cookies. That single fact trips up more website owners than almost any other privacy requirement, because it runs counter to the consent-first model that the GDPR made familiar across Europe.

California operates on an opt-out model. Cookies can load when a visitor arrives. But if those cookies collect personal information that gets sold or shared with third parties, the visitor must have a clear way to say no. California regulators have been fining businesses that get it wrong since 2022, and the California Privacy Protection Agency (CPPA) now leads that enforcement.

How the CCPA Defines Personal Information From Cookies

Under Cal. Civ. Code Section 1798.140(v), personal information includes any data that identifies, relates to, or could reasonably be linked to a particular consumer or household. Cookies fall squarely within this definition when they store or transmit identifiers such as IP addresses, device fingerprints, browsing history, or advertising IDs.

A session cookie that keeps a shopping cart alive does not raise the same issues as a _fbp pixel cookie that tracks a visitor across sites for retargeting. The first is strictly necessary. The second is almost certainly being shared with a third party, which triggers the CCPA's opt-out obligations.

Common cookies in regulated territory include _ga and _gid (Google Analytics), _fbp and fr (Meta), IDE and DSID (Google Ads), and any cross-site tracking script loaded by an advertising partner.

Opt-Out, Not Opt-In: How CCPA Differs From GDPR

This is the most important conceptual difference between the two frameworks. The ePrivacy Directive and GDPR require websites to block all non-essential cookies until the visitor clicks "Accept". Under the CCPA, cookies can fire immediately.

What California demands instead is transparency and control after the fact. A business that sells or shares personal information collected via cookies must:

  • Display a "Do Not Sell or Share My Personal Information" link on every page where personal information is collected - typically the homepage and privacy settings page.
  • Honour opt-out requests promptly and without adding unnecessary steps.
  • Detect and respect the Global Privacy Control (GPC) browser signal as a valid opt-out request.

For consumer rights more broadly, the CCPA also grants the right to know what data has been collected, the right to delete it, and the right to correct inaccurate records.

| Requirement | GDPR / ePrivacy | CCPA / CPRA |
|---|---|---|
| Consent model | Opt-in (block before consent) | Opt-out (allow, then let users refuse) |
| Cookie banner required? | Yes - must block non-essential cookies | Not technically required; a "Do Not Sell or Share" link suffices |
| GPC signal recognition | Not legally mandated (yet) | Mandatory since January 2023 |
| Minors | Parental consent under 16 (member states may lower the age) | Opt-in required for under-16s; parental consent for under-13s |
| Fines per violation | Up to 4% of global turnover or EUR 20 million, whichever is higher | $2,663 per violation; $7,988 for intentional or minors-related |
| Enforcement body | National DPAs (CNIL, ICO, etc.) | CPPA and California Attorney General |

Who Needs to Comply?

The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one threshold: annual gross revenue exceeding $26,625,000 (the 2025-2026 adjusted figure), processing personal information of 100,000 or more California residents per year, or deriving 50% or more of annual revenue from selling or sharing personal information.

Location does not matter. A business registered anywhere in the world falls within scope if it processes California residents' data and crosses one of those thresholds.

The "Do Not Sell or Share" Link

Since the CPRA amended the CCPA in 2023, the required link wording expanded to "Do Not Sell or Share My Personal Information". The word "share" covers cross-context behavioural advertising - a category that captures most third-party tracking cookies.

The link must be conspicuous on the homepage and any page collecting personal information. The CPPA's 2024 enforcement advisory on dark patterns made this explicit: the number of steps to opt out must be equal to or fewer than the steps needed to opt in.

Regulations effective 1 January 2026 added a further requirement. Businesses must visibly confirm that an opt-out preference signal has been processed - for example, by displaying an "Opt-Out Request Honoured" message when a GPC-enabled visitor arrives.

Global Privacy Control: The Browser Signal You Must Honour

The Global Privacy Control is a browser-level signal that automatically communicates a user's choice to opt out of the sale or sharing of personal data. Brave, DuckDuckGo, and Firefox send GPC natively. Chrome and Safari do not yet include it, but California's Opt Me Out Act (AB 566), signed in October 2025, requires all major browsers to offer built-in GPC settings by January 2027.

As of January 2026, twelve US states legally require websites to honour universal opt-out mechanisms. California, Colorado, and Connecticut have confirmed that GPC qualifies, and a joint enforcement sweep in September 2025 specifically targeted businesses failing to detect it.

The technical implementation is straightforward. GPC arrives in two forms: as an HTTP request header (Sec-GPC: 1) that your server sees, and as the navigator.globalPrivacyControl property that in-page JavaScript sees. A consent management platform that supports GPC will detect the signal and suppress sale/sharing automatically. If your CMP does not handle GPC, you will need your own detection logic, and it should check both places: server-side header detection alone misses nothing on the request, but the third-party tags that actually do the sharing fire in the browser, so the client-side check is what stops them.

Dark Patterns and Banner Design Rules

The CPRA banned dark patterns in consent interfaces. Regulations effective since January 2026 define specific prohibited practices:

  • Closing or scrolling past a consent pop-up does not count as consent.
  • An opt-in prompt offering only "Yes" and "Ask Me Later" is invalid - it lacks a genuine refusal option.
  • The opt-out path must involve the same number of steps or fewer than the opt-in path.

If your site serves visitors in both the EU and California, geo-targeted consent flows are the practical solution: show an opt-in banner to European visitors and an opt-out notice to Californians. Geo-IP lookups are imperfect, so when the visitor's region cannot be determined, default to the stricter opt-in flow rather than guessing.

Recent Enforcement: The CPPA Is Not Bluffing

Enforcement has accelerated sharply. The CPPA reported hundreds of active investigations by late 2025, and the fines speak for themselves.

Tractor Supply Company paid $1.35 million in October 2025 for failing to honour GPC signals and not properly informing consumers of their privacy rights. American Honda was fined $632,500 for similar failures. Todd Snyder paid $345,178 after its cookie consent banner malfunctioned for 40 days.

Most recently, Ford Motor Company settled for $375,703 in March 2026 after requiring consumers to confirm their email address before processing opt-out requests. Under CCPA regulations, opt-out requests are explicitly non-verifiable - businesses cannot add authentication steps. The CPPA's message is clear: when a consumer says stop, you stop.

Sensitive Personal Information and Minors

The CPRA introduced sensitive personal information (SPI) as a separate category covering precise geolocation, biometric data, health information, and financial details. Businesses processing SPI beyond what is needed for the expected service must provide a "Limit the Use of My Sensitive Personal Information" link.

For minors, the rules flip to opt-in. Businesses with actual knowledge that a consumer is under 16 must obtain affirmative consent before selling or sharing that person's data. For children under 13, a parent or guardian must provide the consent. The CCPA also bars businesses from asking any consumer who has opted out, minors included, to opt back in for at least 12 months.

Six Steps to CCPA Cookie Compliance

Step 1: Audit your cookies

Run a cookie scan to identify every cookie on your site, who sets it, and what data it collects. Focus on third-party cookies from advertising networks, analytics platforms, and social media embeds.

Step 2: Classify by purpose

Sort cookies into categories: strictly necessary, non-essential (analytics, marketing, personalisation). For each non-essential cookie, record whether the data it collects is sold or shared with a third party, because that is what triggers the opt-out obligations, not the category label itself.

Step 3: Add the required links

Place a "Do Not Sell or Share My Personal Information" link in your website footer and on any page that collects personal information.

Step 4: Implement GPC detection

Configure your CMP, or add your own logic, to detect the Sec-GPC: 1 request header on the server and the navigator.globalPrivacyControl property in the browser. When either is detected, suppress sale/sharing activities (do not load the shared cookies or tags at all) and display a confirmation such as "Opt-Out Preference Honoured".

Step 5: Update your privacy policy

Disclose which categories of personal information you collect, the purposes for collection, and how consumers can exercise their rights. California's 2026 regulations also require mobile apps to link directly to the privacy policy from the app settings menu.

Step 6: Keep records

Log opt-out requests and responses. The CPPA can request documentation at any time, and businesses must produce records within 30 calendar days.
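The following is an added example that ties together the GPC detection described in the Global Privacy Control section, the geo-targeted opt-in/opt-out split, and Steps 2, 4 and 6 above. It is written for this article and is not Kukie.io's code or any CMP's. It assumes the cookie inventory is constructed for illustration, the region codes ('EU', 'UK', 'US-CA') are invented labels, a geo-IP lookup upstream has already set req.region, and regions outside the EU/UK are treated under the opt-out model.

```javascript
// Added example: GPC detection, region-aware cookie gating and opt-out logging,
// in plain JavaScript with no framework dependency. Assumptions: the cookie
// inventory is constructed, region codes are invented, and the caller resolves
// the visitor's region (e.g. via geo-IP) before calling handleRequest().

// Output of Step 2 (constructed): each cookie's purpose and whether the data it
// collects is sold or shared with a third party, which is what triggers opt-out duties.
const COOKIE_INVENTORY = [
  { name: 'session_id', category: 'necessary', shared: false }, // shopping cart
  { name: '_ga',        category: 'analytics', shared: true  }, // Google Analytics
  { name: '_gid',       category: 'analytics', shared: true  }, // Google Analytics
  { name: '_fbp',       category: 'marketing', shared: true  }, // Meta Pixel
  { name: 'IDE',        category: 'marketing', shared: true  }, // Google Ads
];

const OPT_IN_REGIONS = ['EU', 'UK']; // invented region codes for the opt-in flow

// GPC is exposed two ways: the Sec-GPC request header (server side) and the
// navigator.globalPrivacyControl property (in-page JavaScript). The header value
// is the literal "1"; anything else is treated as no signal.
function gpcSignalled({ headers = {}, nav = null } = {}) {
  const match = Object.entries(headers).find(([k]) => k.toLowerCase() === 'sec-gpc');
  if (match && String(match[1]).trim() === '1') return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which cookies may be set for this visitor.
//   EU/UK: opt-in, so only strictly necessary cookies until a category is accepted.
//   Everywhere else (assumption: CCPA-style opt-out): shared cookies load unless
//   GPC or an explicit opt-out says no. Non-shared cookies always load.
function allowedCookies({ region, gpc = false, optedOut = false, acceptedCategories = [] }) {
  const optIn = OPT_IN_REGIONS.includes(region);
  return COOKIE_INVENTORY
    .filter((c) => {
      if (c.category === 'necessary') return true;
      if (optIn) return acceptedCategories.includes(c.category);
      return !(c.shared && (gpc || optedOut));
    })
    .map((c) => c.name);
}

// Step 6: append an opt-out record. No identity check happens first, because
// CCPA opt-out requests are non-verifiable.
function recordOptOut(log, { requestId, region, source, now = new Date() }) {
  const entry = { ts: now.toISOString(), requestId, region, source, status: 'honoured' };
  log.push(entry);
  return entry;
}

// One request in, one decision out: the cookies to set, which notice to show,
// and a log entry whenever an opt-out (GPC signal or link click) was processed.
function handleRequest(req, log) {
  const gpc = gpcSignalled({ headers: req.headers });
  const optedOut = Boolean(req.optedOut);
  const cookies = allowedCookies({
    region: req.region, gpc, optedOut, acceptedCategories: req.acceptedCategories,
  });

  let notice;
  if (OPT_IN_REGIONS.includes(req.region)) {
    notice = 'opt-in-banner';
  } else if (gpc || optedOut) {
    recordOptOut(log, { requestId: req.id, region: req.region, source: gpc ? 'gpc' : 'link' });
    notice = 'Opt-Out Preference Honoured'; // visible confirmation that the signal was processed
  } else {
    notice = 'do-not-sell-or-share-link';
  }
  return { gpc, cookies, notice };
}

// Constructed sample requests: GPC visitor, plain Californian, EU visitor who
// accepted analytics, and a Californian who clicked the opt-out link.
const SAMPLE_REQUESTS = [
  { id: 'r1', region: 'US-CA', headers: { 'Sec-GPC': '1' } },
  { id: 'r2', region: 'US-CA', headers: {} },
  { id: 'r3', region: 'EU',    headers: {}, acceptedCategories: ['analytics'] },
  { id: 'r4', region: 'US-CA', headers: { 'sec-gpc': '0' }, optedOut: true },
];

const optOutLog = [];
for (const req of SAMPLE_REQUESTS) {
  console.log(req.id, JSON.stringify(handleRequest(req, optOutLog)));
}
console.log('opt-out log entries:', optOutLog.length);
```

Run it with node and r1 and r4 come back with only session_id and an "Opt-Out Preference Honoured" notice, r2 gets all five cookies plus the link notice, and r3 gets the analytics cookies but no marketing ones. The point of keeping allowedCookies separate from handleRequest is that the same decision function can be called from the page's tag loader (with nav set to window.navigator) so the client-side check blocks the third-party scripts, not just the server's own Set-Cookie headers.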

Frequently Asked Questions

Does the CCPA require a cookie consent banner?

Not in the way the GDPR does. The CCPA does not mandate a pop-up banner that blocks cookies before consent. It requires a "Do Not Sell or Share My Personal Information" link and the ability to honour opt-out requests, including GPC signals. Many businesses use a banner for transparency, but it is not a legal requirement under California law.

Can I set analytics cookies without asking California visitors first?

Yes, the CCPA allows cookies to load before consent. But if the analytics data is shared with third parties (as it often is with Google Analytics when linked to Google Ads), the visitor must be able to opt out of that sharing. First-party analytics used purely for your own site optimisation carry lower risk.

What happens if my website ignores GPC signals?

Failing to honour GPC signals is a CCPA violation. The CPPA fined Tractor Supply Company $1.35 million in 2025 partly for this failure. California, Colorado, and Connecticut ran a joint enforcement sweep in September 2025 targeting businesses that did not detect or honour GPC. Fines are assessed per violation at $2,663 (or $7,988 for intentional violations).

Do I need CCPA compliance if my business is outside California?

Yes, if you collect personal information from California residents and meet the revenue or data-volume thresholds. The CCPA applies based on where the consumer lives, not where the business is incorporated. Ford Motor Company, headquartered in Michigan, was fined $375,703 in March 2026 for CCPA opt-out violations.

How is the CCPA different from the CPRA?

The CPRA is an amendment to the CCPA, not a separate law. It expanded the original act by introducing the concept of "sharing" (covering cross-context behavioural advertising), creating the CPPA as a dedicated enforcement agency, adding sensitive personal information protections, and banning dark patterns in consent interfaces. All CPRA provisions are now part of the CCPA.

Can I use the same cookie banner for GDPR and CCPA visitors?

You can, but it is not ideal. The GDPR requires opt-in consent that blocks cookies before acceptance. The CCPA requires opt-out controls. Showing a full opt-in banner to California visitors creates unnecessary friction and reduces analytics data. The better approach is geo-targeted consent: opt-in for EU/UK visitors and opt-out for California visitors.

What are the current CCPA fine amounts for cookie violations?

As of 2025-2026, fines are $2,663 per unintentional violation and $7,988 per intentional violation or violation involving minors' data. These amounts were adjusted for inflation by the CPPA in December 2024 and remain in effect through 2026, with the next review scheduled for 2027. Consumers can also seek statutory damages of $107 to $799 per incident in data breach cases.

Get Your Cookie Compliance Right

If your website collects data from California visitors through tracking cookies, the CCPA's opt-out requirements apply. Kukie.io scans your site for cookies, categorises them, detects GPC signals, and provides the opt-out controls California law demands.

Start Free - Scan Your Website