The CCPA in Plain Terms

The California Consumer Privacy Act (CCPA) is a state-level privacy law that grants California residents specific rights over their personal information. Signed into law in 2018 and effective from January 2020, it was the first comprehensive privacy statute in the United States. California voters then approved Proposition 24 in November 2020, which introduced the California Privacy Rights Act (CPRA) - an amendment that expanded consumer rights and created a dedicated enforcement agency, the California Privacy Protection Agency (CPPA).

The CPRA is not a separate law. It amends the CCPA, and the California Attorney General's office typically refers to the combined legislation simply as "CCPA" or "CCPA, as amended."

Twenty US states now have comprehensive privacy laws in effect, but the CCPA remains the most influential and the most heavily enforced. If your website collects data from California residents, the rules below likely apply to you - even if your business is based in another state or another country entirely.

Who Must Comply with the CCPA

The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds. As of January 2025, the California Privacy Protection Agency adjusted these thresholds for inflation:

Threshold | Requirement
Annual gross revenue | Exceeds $26,625,000 (previously $25 million)
Data volume | Buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices annually
Revenue from data sales | Derives 50% or more of annual revenue from selling or sharing personal information

You only need to meet one of these. Crucially, the law is extraterritorial - it protects California residents regardless of where the business processing their data is located. A marketing agency in London or an e-commerce shop in Berlin that serves Californian customers can fall within scope.

Consumer Rights Under the CCPA

The CCPA, as amended by the CPRA, grants California residents a set of rights that have been expanding since the law first took effect. These rights apply to any personal information a business has collected, whether through cookies, forms, purchase history, or any other channel.

The core rights

Residents can request to know what categories of personal information a business collects and how that data is used or shared. They can ask for the specific pieces of data a business holds about them. Deletion requests require businesses to erase collected personal information, subject to certain exceptions such as legal obligations or ongoing transactions. Since the CPRA amendments, consumers can also request corrections to inaccurate personal information.

The right to opt out of the sale or sharing of personal information is central to how the CCPA affects websites. Any business that sells personal data - or shares it for cross-context behavioural advertising - must provide a clear mechanism for consumers to say no.

Two additional CPRA-era rights round out the framework: the right to limit how businesses use and disclose sensitive personal information (such as precise geolocation, financial data, or health information), and the right to non-discrimination, which prevents businesses from penalising consumers who exercise their privacy rights.

How the CCPA Differs from the GDPR

Website owners who already comply with the EU's GDPR sometimes assume they are covered for California too. That assumption is risky. The two laws share goals but differ in mechanics.

The GDPR requires opt-in consent before setting non-essential cookies. A visitor to your site must actively agree before analytics or advertising scripts fire. The CCPA takes the opposite approach: an opt-out model. Businesses can collect personal information without asking first, but they must give consumers the ability to stop the sale or sharing of that data after the fact.

This means the CCPA does not technically require a cookie consent banner in the way the GDPR does. What it does require is a conspicuous "Do Not Sell or Share My Personal Information" link, typically placed in the website footer and optionally within a cookie notice. If a visitor clicks that link and opts out, all cookies and tracking technologies involved in selling or sharing data must stop for that user.

Practical implications for your cookie setup

If you serve both European and Californian visitors, the simplest approach is to use a consent management platform (CMP) that supports both opt-in and opt-out models with geo-detection. European visitors see a GDPR-compliant banner requiring consent before cookies load. Californian visitors see an opt-out notice with a "Do Not Sell or Share" link. Kukie.io's geo-detection feature handles this automatically, showing the right banner to the right visitor based on their location.

Cookies and the CCPA: What Counts as Selling or Sharing

The word "sell" under the CCPA is broader than you might expect. It covers any exchange of personal information for monetary or other valuable consideration. If your website drops a third-party advertising cookie - say, _fbp from Meta or a Google Ads remarketing tag - and that cookie transmits browsing data to the third party, the CCPA may classify this as a sale or share of personal information.

The CPRA introduced the concept of "sharing," which specifically targets cross-context behavioural advertising. Even if no money changes hands, passing a consumer's browsing data to an ad network for targeted advertising constitutes sharing and triggers opt-out obligations.

First-party analytics cookies like _ga from Google Analytics generally do not count as selling or sharing, provided the data stays within your control and is not passed to third parties for their own purposes. But the moment a third-party script accesses that data or sets its own cookies to build consumer profiles, the calculus changes.

Global Privacy Control: The Opt-Out Signal You Must Honour

Global Privacy Control (GPC) is a browser-level signal that tells websites a visitor wants to opt out of the sale and sharing of their personal information. Under the CCPA, honouring this signal is not optional - it is a legal requirement.

GPC is currently supported natively in browsers like Brave, DuckDuckGo, and Firefox. Chrome and Safari do not yet offer built-in GPC support, though extensions like Privacy Badger and DuckDuckGo Privacy Essentials add the capability. That is about to change. In October 2025, Governor Newsom signed the Opt Me Out Act (AB 566), which requires all browsers operating in California to include built-in GPC functionality by January 2027.

Regulators have already shown they take GPC seriously. The very first CCPA enforcement action, in August 2022, resulted in a $1.2 million fine against Sephora - partly for failing to honour GPC signals. In September 2025, the CPPA, the California Attorney General, and attorneys general from Colorado and Connecticut launched a joint investigative sweep targeting businesses that ignore GPC.

Your CMP must be configured to detect the Sec-GPC HTTP header (sent with a value of 1) and treat it as a valid opt-out request. When the signal is detected, all cookies and scripts that facilitate data sales or sharing should be suppressed for that visitor - no banner interaction required. If there is a conflict between a visitor's GPC signal and their choices on your cookie banner, the CCPA regulations state that the GPC signal takes priority.
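The decision logic described in the two passages above (geo-detected opt-in versus opt-out models, and GPC taking priority over a conflicting banner choice) as an added example; this is illustrative code, not Kukie.io's CMP or any code from the original page. The region codes, the region-to-regime table, the script inventory and the `sellsOrShares` flag are constructed assumptions. The Sec-GPC header value of 1 comes from the text; the browser-side `navigator.globalPrivacyControl` property is the same signal as exposed to page scripts by the GPC specification.

```javascript
// Added example (not Kukie.io code): consent decisions for a CMP that serves
// both opt-in (GDPR) and opt-out (CCPA) visitors and honours the GPC signal.

// Assumed region-to-regime mapping, fed by geo-detection (constructed).
const REGIME_BY_REGION = {
  EU: "opt-in",  // GDPR: nothing non-essential fires until the visitor agrees
  CA: "opt-out", // CCPA: load by default, but honour opt-out and GPC
  CO: "opt-out", // Colorado and Connecticut also require honouring GPC
  CT: "opt-out",
};

// Constructed script inventory. `sellsOrShares` is what triggers CCPA opt-out
// obligations: a first-party _ga cookie kept under the site's control does not,
// a Meta _fbp pixel or a Google Ads remarketing tag does.
const SCRIPTS = [
  { name: "session", category: "necessary", sellsOrShares: false },
  { name: "_ga", category: "analytics", sellsOrShares: false },
  { name: "_fbp", category: "advertising", sellsOrShares: true },
  { name: "google-ads-remarketing", category: "advertising", sellsOrShares: true },
];

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

// Server-side detection: the Sec-GPC request header is a valid opt-out signal
// only when its value is exactly "1". In the browser the same signal is
// navigator.globalPrivacyControl === true; pass either result as `gpc`.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Decide which scripts may run for one visitor.
//   region:       two-letter code from geo-detection (constructed input)
//   gpc:          boolean from gpcFromHeaders() or navigator.globalPrivacyControl
//   bannerChoice: null (no interaction yet), { accepted: [categories] } under
//                 an opt-in regime, or { optOut: true|false } under opt-out
//   now:          Date, injectable so the 12-month re-ask date is deterministic
function decideConsent({ region, gpc, bannerChoice, now = new Date() }) {
  // Unknown region: assume the stricter opt-in model (a design choice, not a legal rule).
  const regime = REGIME_BY_REGION[region] ?? "opt-in";
  let optedOut = false;
  let accepted;

  if (regime === "opt-in") {
    // GDPR-style: only strictly necessary scripts until the visitor opts in.
    accepted = new Set(["necessary", ...(bannerChoice?.accepted ?? [])]);
  } else {
    // CCPA-style: everything loads unless the visitor opts out. A GPC signal is
    // itself a valid opt-out and takes priority over a conflicting banner choice.
    optedOut = gpc === true || bannerChoice?.optOut === true;
    accepted = new Set(["necessary", "functional", "analytics", "advertising"]);
  }

  const allowed = SCRIPTS
    .filter((s) => accepted.has(s.category) && !(optedOut && s.sellsOrShares))
    .map((s) => s.name);

  return {
    regime,
    optedOut,
    allowed,
    // An opt-out must be respected for at least 12 months before re-asking.
    reaskNotBefore: optedOut
      ? new Date(now.getTime() + TWELVE_MONTHS_MS).toISOString()
      : null,
  };
}

// Stand-alone usage: a Californian visitor whose browser sends Sec-GPC: 1 but
// who clicked "Allow All" on the banner; the GPC signal wins, so only the
// session cookie and the first-party _ga script remain.
console.log(decideConsent({
  region: "CA",
  gpc: gpcFromHeaders({ "Sec-GPC": "1" }),
  bannerChoice: { optOut: false },
}));
```

Note that GPC is applied only under the opt-out regime here, because that is the obligation the text describes; a CMP can reasonably treat the signal as a refusal under an opt-in regime as well, but nothing in the passage requires it.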

CCPA Enforcement: Who Is Watching and What Are the Fines

Two bodies enforce the CCPA. The California Attorney General's office has been active since the law took effect in 2020. The California Privacy Protection Agency (CPPA), created by the CPRA, began enforcement in early 2024 after a legal challenge over timing was resolved by a California appellate court in February 2024.

Since then, both agencies have escalated their efforts significantly. At a September 2025 board meeting, CPPA staff reported hundreds of investigations and enforcement actions in progress - many targeting businesses that did not yet know they were under scrutiny.

Recent enforcement actions

The fines are growing. In March 2025, the CPPA issued a $632,500 penalty against American Honda Motor Company. The investigation found that Honda's cookie management tool lacked "symmetry of choice" - it took two clicks to turn off advertising cookies but only one click to turn them on. The CPPA required Honda to add a "Reject All" button alongside its "Allow All" option.

That Honda decision is significant for every website owner. It signals that the CPPA now interprets the CCPA's anti-dark-pattern provisions as effectively requiring opt-in-style consent interfaces for third-party cookies, even though the statute itself does not explicitly mandate this.

In September 2025, the CPPA issued its largest fine to date: $1.35 million against Tractor Supply Company for various CCPA violations, including failure to honour GPC signals. The California AG has also been busy. A $1.55 million settlement with Healthline Media in July 2025 targeted failures to honour opt-out requests and the improper sharing of sensitive health data with advertisers. Then in late 2025, the AG secured a $2.75 million settlement with Disney - the largest CCPA penalty by the AG's office - over failures in its streaming services' opt-out mechanisms.

Current penalty amounts

Violation type | Maximum fine per violation (from Jan 2025)
Unintentional violation | $2,663
Intentional violation or involving a minor | $7,988
Consumer damages (per consumer, per incident) | $107 to $799

These amounts adjust biennially for inflation. The next increase is expected in January 2027. California is also the only US state with a comprehensive privacy law that allows a private right of action - consumers can sue businesses directly for data breaches affecting their personal information.

The Symmetry of Choice Rule and Dark Patterns

California's CCPA regulations prohibit dark patterns - user interface designs that manipulate or trick consumers into giving up their privacy rights. Section 7004(a)(2) of the CCPA regulations requires businesses to offer "symmetry of choice," meaning that selecting the most privacy-protective option must not be harder or more time-consuming than selecting the least privacy-protective one.

A cookie banner with "Accept All" and "More Information" as the only two buttons would likely fail this test. The privacy-protective path (rejecting cookies) requires extra steps, while acceptance is a single click. The Honda enforcement action confirmed this interpretation in practice.

For your cookie banner, this means:

  • If you offer an "Accept All" button, you should also offer a "Reject All" or "Decline All" button at the same level of prominence.
  • Opt-out mechanisms should require no more steps than opt-in.
  • Do not use confusing language, double negatives, or pre-selected toggles that default to data sharing.
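An added example of auditing a banner configuration against the three points above, written for this page and not taken from Kukie.io or the original text. The banner description format (controls with a click count and a prominence level, plus category toggles) is constructed; the weak configuration is modelled on what the text reports about the Honda tool (two clicks to turn advertising cookies off, one to turn them on), and the double-negative check is a word-count heuristic rather than a legal test.

```javascript
// Added example (not Kukie.io code): a symmetry-of-choice audit over a
// constructed description of a cookie banner.

// Weak configuration, modelled on the page's description of the Honda tool:
// acceptance is one prominent click, rejection takes two clicks through a
// secondary "Manage Preferences" path, and the advertising toggle is pre-set on.
const WEAK_BANNER = {
  controls: [
    { label: "Allow All", effect: "accept-all", clicksToComplete: 1, prominence: "primary" },
    { label: "Manage Preferences", effect: "reject-all", clicksToComplete: 2, prominence: "secondary" },
  ],
  toggles: [
    { category: "necessary", defaultOn: true },
    { category: "advertising", defaultOn: true },
  ],
};

// Corrected configuration: "Reject All" sits beside "Allow All" at the same
// prominence and click cost, and non-essential toggles default to off.
const FIXED_BANNER = {
  controls: [
    { label: "Allow All", effect: "accept-all", clicksToComplete: 1, prominence: "primary" },
    { label: "Reject All", effect: "reject-all", clicksToComplete: 1, prominence: "primary" },
  ],
  toggles: [
    { category: "necessary", defaultOn: true },
    { category: "advertising", defaultOn: false },
  ],
};

// Heuristic only: two or more negation words in one label reads as a double negative.
const NEGATIONS = /\b(no|not|don't|never|opt out|reject|decline|disable)\b/gi;
const PROMINENCE_RANK = { primary: 0, secondary: 1, link: 2 };

// Returns a list of finding codes; an empty list means the banner passed.
function auditBanner(banner) {
  const findings = [];
  const accept = banner.controls.filter((c) => c.effect === "accept-all");
  const reject = banner.controls.filter((c) => c.effect === "reject-all");
  const minClicks = (cs) => Math.min(...cs.map((c) => c.clicksToComplete));
  const bestRank = (cs) => Math.min(...cs.map((c) => PROMINENCE_RANK[c.prominence] ?? 99));

  // An "Accept All" button needs a "Reject All" counterpart.
  if (accept.length > 0 && reject.length === 0) findings.push("missing-reject-all");

  if (accept.length > 0 && reject.length > 0) {
    // Opting out must not take more steps than opting in.
    if (minClicks(reject) > minClicks(accept)) findings.push("asymmetric-click-count");
    // ...and must be offered at the same level of prominence.
    if (bestRank(reject) > bestRank(accept)) findings.push("asymmetric-prominence");
  }

  // Pre-selected toggles that default to data sharing.
  for (const t of banner.toggles ?? []) {
    if (t.category !== "necessary" && t.defaultOn) findings.push(`preselected-toggle:${t.category}`);
  }

  // Confusing labels (heuristic).
  for (const c of banner.controls) {
    if ((c.label.match(NEGATIONS) || []).length >= 2) findings.push(`double-negative:${c.label}`);
  }

  return findings;
}

// Stand-alone usage: the weak banner produces three findings, the fixed one none.
console.log("weak:", auditBanner(WEAK_BANNER));
console.log("fixed:", auditBanner(FIXED_BANNER));
```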

What the CCPA Requires on Your Website

Compliance is not just about having the right cookie banner. The CCPA imposes several specific obligations that affect how your website collects, stores, and communicates about personal information.

Privacy policy

Your privacy policy must list the categories of personal information collected in the past 12 months, the purposes for collection, whether you sell or share data, and the categories of third parties receiving that data. It must describe each consumer right and explain how visitors can exercise them. The policy should be updated at least annually and include the date of the last revision.

Notice at collection

Before or at the point of data collection, you must inform visitors what categories of information you are collecting and why. This notice should be concise, accessible, and separate from your full privacy policy - though it can link to it.

Do Not Sell or Share link

If your website sells or shares personal information (including through advertising cookies or third-party trackers), you must display a clear, conspicuous link labelled "Do Not Sell or Share My Personal Information" on your homepage and ideally in your footer on every page. Clicking this link should allow the visitor to opt out without creating an account or verifying their identity.

Responding to consumer requests

Businesses must acknowledge consumer requests within 10 business days and fulfil them within 45 calendar days. When a consumer opts out of sales or sharing, that decision must be respected for at least 12 months before the business can ask them to reconsider.

CCPA Beyond California: The Growing US Privacy Patchwork

California started the trend, but it is no longer alone. Twenty US states have enacted comprehensive privacy laws as of early 2026, with Indiana, Kentucky, and Rhode Island being the most recent additions. States like Colorado, Connecticut, and Texas are actively enforcing their own privacy statutes, and many of these laws explicitly require businesses to honour universal opt-out mechanisms like GPC.

There is no federal comprehensive privacy law on the horizon. The American Privacy Rights Act of 2024 stalled in Congress, and the current political climate does not favour federal preemption of state privacy laws. For website owners, this means building a compliance strategy that can adapt across jurisdictions - not one that treats California as a one-off exception.

A consent management platform that supports geo-targeted banners, GPC signal detection, and cookie categorisation across multiple regulatory frameworks is no longer a nice-to-have. It is operational infrastructure. Kukie.io's cookie scanner detects all first-party and third-party cookies on your site and maps them against the requirements of CCPA, GDPR, and other applicable laws.

How to Prepare Your Website for CCPA Compliance

Start by understanding what your website actually does. Run a cookie scan to identify every cookie and tracking script. Categorise them: strictly necessary, functional, analytics, or advertising. Determine which ones involve data being sent to third parties - those are the ones that trigger CCPA obligations.

Update your privacy policy to include all CCPA-required disclosures. Add a "Do Not Sell or Share My Personal Information" link to your website footer. Configure your CMP to detect GPC signals and suppress non-essential cookies when the signal is present.

If you serve visitors from multiple US states, check whether other state privacy laws apply to you. Many share similar opt-out requirements but differ in thresholds and definitions. A scalable CMP that handles geo-targeting will save you from maintaining separate compliance configurations for each jurisdiction.

Document everything. The CPPA has signalled that it expects businesses to maintain records of privacy programme operations, audit results, and consumer rights responses. When - not if - an investigation comes, those records are your first line of defence.

Frequently Asked Questions

Does the CCPA require a cookie consent banner?

Not explicitly in the same way the GDPR does. The CCPA requires a "Do Not Sell or Share My Personal Information" link and a notice at collection, but it does not mandate a pop-up consent banner. However, the CPPA's Honda enforcement decision suggests that cookie management tools must offer symmetrical choices (such as "Accept All" and "Reject All" buttons), which in practice resembles a consent banner.

What is the difference between the CCPA and the CPRA?

The CPRA is an amendment to the CCPA, not a separate law. It was approved by California voters in November 2020 and took effect on 1 January 2023. The CPRA expanded consumer rights (adding correction and limiting use of sensitive data), created the California Privacy Protection Agency, and introduced concepts like "sharing" for cross-context behavioural advertising.

Can I be fined under the CCPA if my business is not in California?

Yes. The CCPA applies to any for-profit business that meets the applicability thresholds and collects personal information from California residents. Physical location does not matter - a company in New York, London, or Sydney can face CCPA enforcement if it processes Californian consumers' data.

What happens if my website ignores Global Privacy Control signals?

Ignoring GPC signals is a CCPA violation. The California AG fined Sephora $1.2 million in 2022 partly for this failure. In September 2025, California, Colorado, and Connecticut launched a coordinated enforcement sweep specifically targeting businesses that do not honour GPC. From January 2027, all browsers will be required to offer built-in GPC functionality under the Opt Me Out Act.

Do analytics cookies like Google Analytics fall under the CCPA?

First-party analytics cookies generally do not count as selling or sharing personal information, provided the data remains under your control. However, if your Google Analytics implementation sends data to Google in a way that Google can use for its own purposes, or if you have enabled data sharing features, the data transfer may be classified as sharing under the CCPA.

How much can the CCPA fine per violation in 2025?

As of January 2025, the maximum administrative fine is $2,663 per unintention