CPRA and CCPA: How California's Privacy Law Evolved

California voters approved Proposition 24 in November 2020, creating the California Privacy Rights Act. The CPRA does not replace the California Consumer Privacy Act (CCPA) of 2018 - it amends and expands it. The California Attorney General's office and the California Privacy Protection Agency (CPPA, also known as CalPrivacy) both refer to the combined law simply as the CCPA.

The CPRA's amendments took effect on 1 January 2023. They introduced a new category of sensitive personal information, added consumer rights to correct data and limit the use of sensitive data, and - most significantly - established the CPPA as a dedicated enforcement body with its own rulemaking authority.

That last point matters more than anything else. Before the CPRA, enforcement sat entirely with the Attorney General's office, which had limited resources and competing priorities. The CPPA has a singular focus: privacy. Its recent track record shows it intends to use that focus aggressively.

Does the CPRA Apply to Your Website?

The CPRA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds. As of 2025, those thresholds (adjusted for inflation) are:

| Threshold | Details |
|---|---|
| Revenue | Gross annual revenue exceeding $26.625 million (adjusted from the original $25 million) |
| Data volume | Buys, sells, or shares the personal information of 100,000 or more California residents or households per year |
| Revenue source | Derives 50% or more of annual revenue from selling or sharing personal information |

The data volume threshold was raised from 50,000 under the original CCPA to 100,000 under the CPRA. That change narrowed the scope slightly, but most mid-sized websites with California traffic still fall within at least one of these brackets - particularly the revenue threshold.

The CPRA applies regardless of where the business is physically located. A company based in London, Berlin, or Sydney that serves California residents and meets the thresholds must comply.

Consumer Rights Under the CPRA

The CPRA grants California residents a set of rights over their personal information that goes well beyond the original CCPA. These rights directly affect how your website handles cookies, analytics, and advertising scripts.

Rights Carried Over from the CCPA

Consumers can request to know what personal information a business has collected about them, including the categories of data, the sources, the business purpose, and the third parties it has been shared with. They can request deletion of that information, subject to certain exceptions. They can opt out of the sale of their personal information.

Rights Added or Expanded by the CPRA

The CPRA added the right to correct inaccurate personal information. It expanded the opt-out right to cover not just the sale of data but also the sharing of personal information for cross-context behavioural advertising - a critical distinction for any website running third-party advertising pixels. It introduced the right to limit the use and disclosure of sensitive personal information, covering data such as precise geolocation, financial account details, biometric data, and health information.

In 2025, the CPPA adopted final regulations that further expand the right to know to include information about automated decision-making technology (ADMT). These regulations, effective from January 2026, require businesses using ADMT for significant decisions - such as employment screening or credit approvals - to disclose the logic, purpose, and outcome of those decisions to consumers.

How the CPRA Treats Cookies and Tracking

This is where the CPRA diverges sharply from the GDPR, and where many website owners get confused.

The GDPR requires opt-in consent before placing non-essential cookies. The CPRA does not. Under the CPRA, cookies can be set without prior consent, provided the business gives consumers a clear way to opt out afterwards. The default position is: you may collect, but you must let people say no.

That opt-out framework comes with specific obligations:

  • Your website must include a clearly visible link titled "Do Not Sell or Share My Personal Information"
  • If you process sensitive personal information for purposes beyond what is reasonably necessary, you must also provide a "Limit the Use of My Sensitive Personal Information" link
  • You must honour Global Privacy Control (GPC) signals sent by browsers - this is a legal requirement under the CCPA, not optional
  • Your opt-out mechanism must not use dark patterns - if accepting all cookies takes one click, rejecting them must not take five

The "sharing" concept is particularly important for cookies. Under the CPRA, "sharing" means making personal information available to a third party for cross-context behavioural advertising, whether or not money changes hands. If your website loads the _fbp cookie from Meta's Pixel, or shares data with Google Ads via the _gcl_au cookie, that likely constitutes "sharing" under the CPRA - and your visitors must be able to opt out.

The Cookie Consent Banner Under the CPRA

The CPRA does not explicitly require a cookie consent banner. What it requires is transparency about data collection and accessible opt-out mechanisms. A well-designed cookie banner is simply the most practical way to deliver both.

Your banner should disclose which categories of cookies your site uses and their purposes. It should offer category-level controls so visitors can opt out of advertising cookies while keeping functional ones. It should link to your privacy policy. And critically, it should present choices symmetrically - the CPPA's enforcement actions have made this a priority.

Symmetry in Choice: The CPPA's Dark Pattern Crackdown

In September 2024, the CPPA issued an enforcement advisory specifically targeting dark patterns - user interface designs that steer consumers away from exercising their privacy rights. The Honda enforcement action in March 2025 turned that advisory into a concrete, expensive lesson.

The CPPA found that Honda's cookie management tool allowed consumers to accept all cookies with a single click but required multiple steps to opt out: toggling individual categories off and then confirming the selection. The agency ruled this violated the CCPA's requirement for symmetry in choice under Section 7004(a)(2) of the regulations. Honda was ordered to add a "Reject All" button to its cookie management tool.

If your cookie banner has an "Accept All" button, it needs a "Reject All" button of equal prominence. No exceptions. The CPPA has made this a central enforcement theme, and subsequent actions against Todd Snyder and Tractor Supply Company reinforced the same principle.

Global Privacy Control and the Opt Me Out Act

Global Privacy Control is a browser-level signal that tells websites a visitor wants to opt out of the sale and sharing of their personal information. Firefox, Brave, and DuckDuckGo support GPC natively. Chrome, Edge, and Safari users can enable it via extensions.

Under the CCPA, businesses must treat a GPC signal as a valid opt-out request. This is not a suggestion - the California Attorney General confirmed it, and the CPPA has enforced it. The Sephora settlement in 2022 ($1.2 million) was partly based on the company's failure to honour GPC signals. The Honda enforcement action cited the same issue: Honda did not extend GPC-based opt-outs to logged-in users with accounts.

In October 2025, Governor Newsom signed AB 566, the Opt Me Out Act. Starting 1 January 2027, all browsers - including Chrome, Safari, and Edge - must include built-in functionality for consumers to send opt-out preference signals. Browsers must make this setting easy to find and clearly explain what it does.

The practical impact is significant. GPC adoption has been limited because most major browsers did not support it. Once Chrome and Safari are required to offer it, opt-out signal volume will increase dramatically. Any website relying on third-party advertising cookies needs a consent management system that can detect and respond to GPC signals automatically.

Kukie.io's consent management features include GPC signal detection, ensuring your website respects browser-level opt-out preferences without manual intervention.

Enforcement: Fines Are Getting Larger and More Frequent

The CPPA adjusted its fine structure in January 2025 to keep pace with inflation. The current per-violation penalties are:

| Violation Type | Maximum Fine Per Violation (2025) |
|---|---|
| Unintentional violation | $2,663 |
| Intentional violation | $7,988 |
| Violation involving a minor under 16 | $7,988 |
| Consumer private right of action (data breach) | $107 - $799 per incident |

Each affected consumer counts as a separate violation. A single data practice applied across a large user base can result in fines reaching millions.

The CPRA also removed the 30-day cure period that existed under the original CCPA. The CPPA now has discretion over whether to offer a business time to fix a violation before imposing penalties - and recent enforcement actions suggest it does not always extend that courtesy.

Recent Enforcement Actions

The pace of enforcement accelerated sharply in 2025. American Honda Motor Co. received a $632,500 fine in March 2025 for asymmetric cookie consent, excessive data collection during opt-out requests, and missing vendor contracts. Todd Snyder Inc. was fined $345,178 in May 2025 for requiring photo ID for all privacy requests, including opt-outs that legally cannot require identity verification. Tractor Supply Company was hit with $1.35 million in September 2025 for failing to honour GPC signals and other CCPA violations.

The California Attorney General has not stepped back either. In July 2025, Healthline Media LLC agreed to the largest CCPA settlement to date: $1.55 million over health data privacy violations.

The CPPA has also launched a Data Broker Enforcement Strike Force, fining companies like National Public Data ($46,000), Datamasters ($45,000), S&P Global ($62,600), and Accurate Append ($55,400) for failing to register under the Delete Act.

CPRA vs GDPR: Key Differences for Website Owners

If you serve visitors from both California and the EU, you need to understand how these two frameworks differ in their approach to cookies and consent.

| Aspect | CPRA (California) | GDPR (EU/EEA) |
|---|---|---|
| Consent model | Opt-out: cookies may be set first, consumers can refuse later | Opt-in: non-essential cookies blocked until consent is given |
| Legal basis for cookies | Notice and right to opt out | Prior consent (Article 5(3) ePrivacy Directive) |
| Required links | "Do Not Sell or Share My Personal Information" + "Limit the Use of My Sensitive Personal Information" | Cookie consent banner with accept/reject options |
| Browser signals | Must honour GPC as valid opt-out | No equivalent legal requirement (yet) |
| Enforcement body | CPPA + California Attorney General | National DPAs (CNIL, ICO, Irish DPC, etc.) |
| Fines | Per violation, per consumer ($2,663 - $7,988) | Up to 4% of global annual turnover or EUR 20 million |
| Sensitive data | Separate "sensitive personal information" category with right to limit | Article 9 "special categories" with stricter processing conditions |

The critical takeaway: if your site already complies with the GDPR's opt-in model, you likely meet most CPRA requirements by default. But you still need the specific CPRA links ("Do Not Sell or Share") and must honour GPC signals - requirements that have no GDPR equivalent.

Running a geo-targeted consent experience is the practical solution. Show a GDPR-compliant opt-in banner to EU visitors and a CPRA-compliant opt-out banner to California visitors. Kukie.io's geo-detection handles this automatically, applying the correct consent rules based on visitor location.

What Is Coming Next: 2026 and 2027 Regulations

The CPPA finalised a major regulations package in July 2025, with most provisions taking effect on 1 January 2026. These include mandatory cybersecurity audits for businesses whose data processing presents significant risk, risk assessments similar to GDPR Data Protection Impact Assessments, and expanded consumer rights around automated decision-making technology.

In 2025, the California Legislature also expanded the definition of sensitive personal information to include neural data - information generated by measuring the activity of a consumer's central or peripheral nervous system. Companies processing data from brain-computer interfaces, neurofeedback devices, or similar technologies now face additional CPRA obligations.

The Delete Request and Opt-Out Platform (DROP), a first-of-its-kind mechanism allowing consumers to send a single deletion request to all registered data brokers, is expected to launch in 2026. And from 1 January 2027, all browsers must support opt-out preference signals under the Opt Me Out Act.

The direction is clear: more enforcement, more consumer tools, and less room for businesses that treat compliance as optional.

How to Comply with the CPRA: A Practical Checklist

Start by scanning your website for cookies. You need a complete inventory of every cookie your site sets - first-party and third-party - along with its purpose, duration, and the data it collects. A tool like Kukie.io's free scanner automates this step and categorises cookies for you.

Next, review your privacy policy. It must disclose the categories of personal information collected, the purposes for collection, the categories of third parties with whom data is shared, and the specific rights California consumers have under the CCPA. If you process sensitive personal information, your policy needs to address that separately.

Implement the required opt-out links. Your website needs a "Do Not Sell or Share My Personal Information" link. If applicable, add the "Limit the Use of My Sensitive Personal Information" link. Both should be accessible from every page - typically in the footer.

Set up GPC signal detection. Your consent management platform must detect the Sec-GPC HTTP header or the navigator.globalPrivacyControl JavaScript property and automatically treat it as a valid opt-out request. This is not optional.

Audit your cookie banner for symmetry. If there is an "Accept All" button, there must be a "Reject All" button with equal visual weight. The number of clicks to opt out must not exceed the number of clicks to opt in.

Review your vendor contracts. Every advertising technology partner, analytics provider, or data processor that receives personal information from your website needs a contract that includes CCPA-compliant provisions limiting how they can use, retain, and disclose that data. The Honda enforcement action specifically cited missing ad-tech contracts as a violation.

Document everything. Keep records of your cookie scan results, privacy policy updates, consent rates, and consumer rights requests. The CPPA expects businesses to demonstrate compliance, not just claim it.
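The following JavaScript is an added example written for this article; it is not Kukie.io's code and not part of the original page. It pulls together the Global Privacy Control section above and the GPC-detection, symmetry and tag-gating steps of this checklist into one small consent resolver: it reads the Sec-GPC request header on the server and navigator.globalPrivacyControl in the browser (both defined by the GPC specification, as is the /.well-known/gpc.json resource), applies an opt-out of sale/sharing on top of any stored "Accept All" regardless of login state, gates advertising tags such as the _fbp and _gcl_au cookies on the result, and audits a banner description for symmetry of choice. The cookie category names, the rule that only "advertising" counts as sale or sharing, the banner description fields, and the sample tags and request headers are assumptions constructed for the example.

```javascript
// Added example, not Kukie.io's code: CPRA-style opt-out handling for a consent manager.
// ASSUMED model: cookie categories "necessary" | "functional" | "analytics" | "advertising";
// only "advertising" is treated as "sale or sharing" (cross-context behavioural advertising).
const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];
const SALE_OR_SHARE = new Set(["advertising"]);

// CPRA default: collection is allowed until the consumer says no.
function defaultConsent() {
  const consent = {};
  for (const cat of CATEGORIES) consent[cat] = true;
  return consent;
}

// One click to accept everything ...
function acceptAll() {
  return defaultConsent();
}

// ... and one click to reject everything non-essential (symmetry of choice).
function rejectAll() {
  const consent = {};
  for (const cat of CATEGORIES) consent[cat] = cat === "necessary";
  return consent;
}

// Server side: the GPC spec defines the request header "Sec-GPC: 1". Only the
// exact value "1" is an opt-out signal; a missing header or any other value is
// simply "no signal" (it is not consent). `headers` is a plain object keyed by
// lower-cased header name, as constructed for this example.
function gpcFromHeaders(headers) {
  const value = headers ? headers["sec-gpc"] : undefined;
  return typeof value === "string" && value.trim() === "1";
}

// Client side: the spec exposes navigator.globalPrivacyControl === true.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply an opt-out of sale/sharing: switch off only the categories that amount
// to selling or sharing; strictly necessary cookies are never affected.
function applyOptOut(consent) {
  const out = { ...consent };
  for (const cat of SALE_OR_SHARE) out[cat] = false;
  return out;
}

// Resolve the effective consent for one request. A GPC signal overrides a stored
// "accept all" and is applied regardless of login state: the Honda action faulted
// a site that did not extend GPC-based opt-outs to logged-in account holders.
function resolveConsent(stored, { headers = {}, nav = null, loggedIn = false } = {}) {
  let consent = stored ? { ...stored } : defaultConsent();
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  if (gpc) consent = applyOptOut(consent);
  return { consent, gpc, loggedIn };
}

// Gate third-party tags on the resolved consent; returns the names allowed to load.
function tagsToLoad(consent, tags) {
  return tags.filter((tag) => consent[tag.category] === true).map((tag) => tag.name);
}

// Symmetry audit of a banner description (ASSUMED shape: button labels plus the
// number of steps each path takes). Flags an "Accept All" without a "Reject All"
// and a reject path that is longer than the accept path.
function auditSymmetry(banner) {
  const findings = [];
  const hasAccept = banner.buttons.includes("Accept All");
  const hasReject = banner.buttons.includes("Reject All");
  if (hasAccept && !hasReject) findings.push("Accept All offered without a Reject All of equal prominence");
  if (banner.stepsToReject > banner.stepsToAccept) {
    findings.push(`rejecting takes ${banner.stepsToReject} steps, accepting takes ${banner.stepsToAccept}`);
  }
  return findings;
}

// The GPC spec also defines GET /.well-known/gpc.json, through which a site
// declares that it honours the signal.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample tags, using the cookie names mentioned in the article.
const SAMPLE_TAGS = [
  { name: "meta-pixel (_fbp)", category: "advertising" },
  { name: "google-ads (_gcl_au)", category: "advertising" },
  { name: "site-analytics", category: "analytics" },
  { name: "session", category: "necessary" },
];

// Walk-through: a logged-in visitor who once clicked "Accept All" now browses
// with GPC enabled; the advertising tags must not load.
const example = resolveConsent(acceptAll(), { headers: { "sec-gpc": "1" }, loggedIn: true });
console.log(tagsToLoad(example.consent, SAMPLE_TAGS)); // ["site-analytics", "session"]
```

Two design points are worth keeping even if the category model is changed: the resolver treats a stored "Accept All" as overridable by GPC rather than the other way round, so the signal is honoured for returning and logged-in visitors, and the absence of a Sec-GPC header is treated as "no signal", never as affirmative consent.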

Frequently Asked Questions

Does the CPRA require opt-in consent for cookies?

No. The CPRA uses an opt-out model, meaning cookies can be set without prior consent. However, you must provide consumers with clear opt-out mechanisms, including a "Do Not Sell or Share My Personal Information" link, and honour Global Privacy Control signals from browsers.

What is the difference between "selling" and "sharing" personal information under the CPRA?

Selling involves exchanging personal information for monetary consideration. Sharing means making personal information available to a third party for cross-context behavioural advertising, even if no money changes hands. Loading a third-party advertising pixel on your website typically qualifies as sharing.