California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
A practical compliance guide for website owners. Learn what California's privacy law requires and how to implement it on your site.
Who Must Comply
Your business must comply if it has annual gross revenue over $25M, OR buys/sells personal information of 100K+ consumers/households, OR derives 50%+ of its revenue from selling/sharing personal information.
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Required |
| Honor GPC browser signals | Required |
| Universal opt-out mechanism | Required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The CCPA/CPRA requires the following links or notices to be visible on your website:
1. Do Not Sell or Share My Personal Information
2. Limit the Use of My Sensitive Personal Information
3. Privacy Policy
Enforcement & Penalties
Key Things to Know
California has the most comprehensive state privacy law in the US. The CPRA (effective January 2023) significantly expanded the original CCPA with new consumer rights, the concept of "sensitive personal information," and created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.
Key distinction: California requires honoring Global Privacy Control (GPC) browser signals as a valid opt-out mechanism. Websites must treat GPC as equivalent to a "Do Not Sell or Share" request.
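Honoring GPC in practice, as an added example that is not LegalBanner's code or part of this page: it reads the Sec-GPC request header (the GPC specification's server-side signal, where only the exact value "1" counts) or navigator.globalPrivacyControl in the browser, and resolves the sale/share opt-out state together with a stored consent choice whose values ("opt-out", "opt-in", null) are assumed here.

```javascript
// Added example (not LegalBanner's code). GPC is signalled two ways:
//   - HTTP request header   Sec-GPC: 1   (only the exact value "1" is a signal)
//   - navigator.globalPrivacyControl === true   in the browser
// `storedChoice` is an assumed value read from the site's own consent cookie:
//   "opt-out" | "opt-in" | null (no choice recorded yet).

// Case-insensitive header lookup over a plain object. Node lower-cases
// req.headers already, but proxies and test fixtures may not.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : String(v);
  }
  return null;
}

// Resolve the "Do Not Sell or Share" state for one request.
// A GPC signal is treated as a fresh opt-out request, so it wins over a
// previously recorded opt-in; it never undoes an explicit opt-out either.
function resolveSaleShareOptOut(headers, storedChoice) {
  const raw = headerValue(headers, "sec-gpc");
  const gpc = raw !== null && raw.trim() === "1";
  if (storedChoice === "opt-out") return { optOut: true, source: "stored" };
  if (gpc) return { optOut: true, source: "gpc" };
  // No signal and no recorded opt-out: sale/share remains allowed under the
  // opt-out model this page describes (no opt-in banner is required).
  return { optOut: false, source: storedChoice === "opt-in" ? "stored" : "default" };
}

// Client-side counterpart for scripts that decide before any server round trip.
function clientGpcSignalled(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Gate data-use categories on the decision. Sensitive personal information is
// opt-in per the requirements table, so GPC alone never enables it.
function allowedUses(decision, sensitiveOptIn) {
  return {
    saleOrShare: !decision.optOut,
    sensitiveUse: sensitiveOptIn === true,
  };
}
```

Run the decision before loading any tag that sells or shares data, and persist a GPC-derived opt-out so it is honored on later visits even if the signal is absent.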
Cookie consent: While California does not require opt-in cookie consent (unlike GDPR), you must provide clear opt-out mechanisms for sale/sharing of personal data, which often includes data collected via cookies and tracking technologies.
How to Configure LegalBanner for CCPA/CPRA
1. Create your site: sign up for free and add your website domain in the dashboard.
2. Set consent mode to "Opt-out": in Settings, select the consent mode that matches California's requirements.
3. Install the snippet: add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
4. Generate your Privacy Policy: use the built-in policy wizard to generate a CCPA/CPRA-compliant privacy policy.
Set up CCPA/CPRA compliance in 5 minutes
LegalBanner handles California privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
Does California require a cookie consent banner?
California does not require opt-in cookie consent like GDPR. However, you must provide a clear 'Do Not Sell or Share My Personal Information' link and honor opt-out requests. A cookie preference center that allows users to opt out of sale/sharing categories is strongly recommended.
What is the difference between CCPA and CPRA?
The CPRA (effective January 2023) expanded the CCPA with new rights including data correction, opt-out of automated decision-making, and limits on sensitive personal information use. It also created the California Privacy Protection Agency (CPPA) for dedicated enforcement.
Do I need to honor Global Privacy Control (GPC) signals?
Yes. California law requires businesses to treat GPC browser signals as a valid opt-out of sale/sharing of personal information. LegalBanner automatically detects and honors GPC signals.
What are the penalties for CCPA/CPRA violations?
$2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a private right of action for data breaches, with statutory damages of $100-$750 per consumer per incident.
Does the CCPA apply to my small business?
The CCPA applies if your business has annual gross revenue over $25 million, buys/sells/shares personal information of 100,000+ consumers or households, or derives 50%+ of annual revenue from selling/sharing personal information. If none apply, you are generally exempt.
What is 'sensitive personal information' under CPRA?
Sensitive personal information includes Social Security numbers, financial account information, precise geolocation, racial/ethnic origin, religious beliefs, genetic data, biometric data, health information, sex life/sexual orientation data, and contents of mail, email, and text messages.