CJakCiasteczko
Get started
← HomeCompliance · CCPA

CCPA cookie consent — what California requires in 2026

CCPA / CPRA cookie consent in plain English. What the law actually says, what the AG has been enforcing, and the minimal implementation that satisfies it.

The California Consumer Privacy Act (CCPA), as amended by CPRA, governs how businesses handle the personal information of California residents. It is fundamentally an opt-out regime — different from GDPR's opt-in posture — and that single difference reshapes what your banner needs to do.

Who this applies to

CCPA reaches any for-profit business that does business in California and meets one of: $25M+ annual revenue, processes PI of 100k+ Californians, or earns 50%+ revenue from selling/sharing PI.

If you're below the thresholds you're not legally bound, but "selling" is broad — passing data to ad networks counts. Any site with Meta Pixel + Google Ads is selling/sharing PI under CCPA.

Opt-out, not opt-in

Unlike GDPR, you do not need pre-consent for cookies under CCPA. You may set marketing cookies by default, as long as you give the visitor a clear way to opt out.

The opt-out must be a link labelled exactly "Do Not Sell or Share My Personal Information". The link must be on every page where PI is collected — typically the footer.

Global Privacy Control (GPC)

Since July 2023 the California AG enforces GPC as a valid opt-out signal. If a visitor's browser sends Sec-GPC: 1, you must treat it as Do-Not-Sell-or-Share without further interaction.

Failing to honor GPC is the #1 enforcement priority of the CPPA in 2025–26.

Frequently asked

Do I need a banner for California visitors?

Not a consent banner like GDPR — but you do need a "Do Not Sell or Share" link in your footer and a working preference centre.

What's the fine for ignoring GPC?

Civil penalties of up to $7,500 per intentional violation. The CPPA has issued multiple cease-and-desist orders in 2024–25.

Does CCPA apply if my company is based in Europe?

Yes, if you do business in California and meet a size threshold.

Can I show one banner for both EU and California?

Yes, but it should adapt. Show opt-in defaults to EEA visitors and opt-out + Do Not Sell link to California ones.

Want a banner that ships compliant by default?

CJakCiasteczko's defaults match the strictest EU interpretation, geo-relax automatically for the rest of the world, and capture a hash-chained audit trail of every consent.

Start 30-day free trialSee live demo →