CCPA Guidelines

Implementing California Consumer Privacy Act compliance with Cookiewise.

CCPA Overview

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents specific rights over their personal information, including data collected via cookies.

Key Differences from GDPR

  • CCPA uses an opt-out model (GDPR uses opt-in)
  • Applies to businesses meeting specific revenue/data thresholds
  • Requires a "Do Not Sell or Share My Personal Information" link
  • Covers the "sale" and "sharing" of data in general, not only cookies

Who Must Comply?

CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least one of these thresholds:

  • Annual gross revenue exceeding $25 million
  • Buy, sell, or share personal information of 100,000+ California consumers, households, or devices annually
  • Derive 50% or more of annual revenue from selling or sharing California consumers' personal information

CCPA Requirements for Cookies

1. "Do Not Sell or Share" Link

You must provide a clear, prominent link in your website footer titled "Do Not Sell or Share My Personal Information." Cookiewise can be configured to display this link automatically for visitors detected as being from California.

2. Privacy Policy Disclosures

Your privacy policy must list:

  • Categories of personal information collected (including via cookies)
  • Purposes for collection
  • Categories of third parties with whom data is shared
  • Whether data is sold or shared for cross-context behavioral advertising

3. Opt-Out Mechanism

When a user clicks "Do Not Sell or Share," you must:

  • Stop sharing their data with third parties for advertising purposes
  • Disable marketing and advertising cookies
  • Honour the request within 15 business days
  • Not require the user to create an account to opt out

4. Global Privacy Control (GPC)

CCPA requires businesses to honour the Global Privacy Control signal. When a browser sends Sec-GPC: 1, you must treat it as a valid opt-out request. Cookiewise automatically detects and honours GPC signals.

Implementing CCPA with Cookiewise

  1. Enable CCPA mode in your domain settings - this adds the "Do Not Sell" link and adjusts banner language
  2. Configure opt-out behaviour - specify which cookie categories are disabled on opt-out (typically marketing and social)
  3. GPC auto-detection is enabled by default - no configuration needed
  4. Review consent records - CCPA opt-out events are logged separately from GDPR consent for clear audit trails
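A server-side sketch of the opt-out decision described above: treat Sec-GPC: 1 or a prior "Do Not Sell or Share" click as an opt-out and drop the marketing and social categories. This is an added example, not Cookiewise code; the function names, the category list and the ccpa_optout cookie are hypothetical.

```javascript
// Added example. All names here are hypothetical, not Cookiewise settings or APIs.
const ALL_CATEGORIES = ["necessary", "analytics", "marketing", "social"];
// Categories disabled on opt-out; the page names marketing and social as typical.
const OPT_OUT_DISABLED = new Set(["marketing", "social"]);

// HTTP header names are case-insensitive, so normalise before lookup.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return String(value);
  }
  return undefined;
}

// Only the exact value "1" is an opt-out signal; "0", "true" or an
// absent header are not.
function hasGpcSignal(headers) {
  const value = getHeader(headers, "Sec-GPC");
  return value !== undefined && value.trim() === "1";
}

// Assumed cookie set when the visitor used the "Do Not Sell or Share" link.
function hasOptOutCookie(headers) {
  const cookie = getHeader(headers, "Cookie") || "";
  return cookie.split(";").some((part) => part.trim() === "ccpa_optout=1");
}

// Returns the categories that may still load, plus the opt-out source so
// the event can be written to a separate opt-out audit record.
function resolveCategories(headers, requested = ALL_CATEGORIES) {
  const gpc = hasGpcSignal(headers);
  const link = hasOptOutCookie(headers);
  const optedOut = gpc || link;
  const allowed = requested.filter(
    (category) => !optedOut || !OPT_OUT_DISABLED.has(category)
  );
  return { optedOut, source: gpc ? "gpc" : link ? "link" : null, allowed };
}

// Constructed sample requests.
console.log(resolveCategories({ "Sec-GPC": "1" }));
console.log(resolveCategories({ Cookie: "theme=dark; ccpa_optout=1" }));
console.log(resolveCategories({ "Sec-GPC": "0" }));
```

The decision is made per request from the header, so a visitor who enables GPC after an earlier visit is opted out on the next page load without clicking anything.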

Sensitive Personal Information

CPRA (the CCPA amendment) added protections for sensitive personal information. If any cookies on your site process sensitive data (precise geolocation, race, religion, health data, etc.), you must provide an additional opt-out mechanism: "Limit the Use of My Sensitive Personal Information."

Enforcement

  • California Privacy Protection Agency (CPPA) - The dedicated enforcement body
  • Fines: Up to $2,500 per unintentional violation, $7,500 per intentional violation
  • Private right of action: Consumers can sue for data breaches involving unencrypted personal information
  • 30-day cure period was removed by CPRA - violations can be enforced immediately