CCPA and Cookies

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), governs how businesses handle the personal information of California residents. Its approach to cookies differs fundamentally from GDPR.

Opt-out, not opt-in

The most important difference between CCPA and GDPR is the default state. Under GDPR, no non-essential cookies can be set until the visitor opts in. Under CCPA, cookies may be set by default, but the visitor must have a clear and accessible way to opt out.

|             | GDPR                                         | CCPA                                                         |
|-------------|----------------------------------------------|--------------------------------------------------------------|
| Default     | Cookies blocked until consent                | Cookies allowed until opt-out                                |
| User action | Must actively accept                         | Must actively reject                                         |
| Scope       | Storing/accessing data on the user's device* | Sale or sharing of personal information*                     |
| Penalties   | Up to 4% of global turnover                  | $2,500 per unintentional / $7,500 per intentional violation  |

* Both laws are broader than cookies alone. The ePrivacy Directive covers any storage on the user's device (including localStorage and fingerprinting). CCPA covers any mechanism through which personal information is sold or shared, not just cookies.

What "sale" and "sharing" mean

The CCPA defines "sale" broadly: it includes any transfer of personal information to a third party for monetary or other valuable consideration. This is not limited to literally selling data for money. If you share visitor data with an advertising network in exchange for ad revenue, that counts as a sale under CCPA, even if no money changes hands directly for the data itself.

The CPRA amendment added "sharing" to cover cross-context behavioral advertising specifically. If your website uses remarketing pixels, advertising cookies, or analytics tools that share data with third parties for ad targeting, this constitutes sharing under the law.

Many site owners assume "we don't sell data" and overlook this. In practice, if you use Google Ads remarketing, Meta Pixel, or similar advertising tools, you are likely "selling or sharing" personal information under CCPA's definitions.

"Do Not Sell or Share My Personal Information"

CCPA requires businesses to provide a mechanism for consumers to opt out. The law specifies that the website must include a link using the exact (or substantially similar) text: "Do Not Sell or Share My Personal Information". This is not just a functional requirement but a specific textual standard. The link must be clearly visible and accessible from the homepage.

When a visitor clicks this link, all cookies and scripts involved in the sale or sharing of personal information must be blocked or disabled.

When CCPA applies

CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:

  • Annual gross revenue over $25 million
  • Buy, sell, or share the personal information of 100,000 or more California consumers or households per year
  • Derive 50% or more of annual revenue from selling or sharing California consumers' personal information

Even if your business is not based in California, the law applies if you serve California residents and meet the thresholds above.

Consumer rights

Under CCPA/CPRA, California consumers have rights that apply to all personal information, including data collected through cookies and tracking scripts:

  • Know what personal information is collected and how it's used
  • Delete personal information held by a business
  • Opt out of the sale or sharing of their personal information
  • Correct inaccurate personal information
  • Non-discrimination for exercising their privacy rights

Penalties and private right of action

The California Privacy Protection Agency (CPPA) can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. Unlike many other privacy laws, CCPA also grants consumers a private right of action in cases involving data breaches resulting from a business's failure to maintain reasonable security. Consumers can sue directly for statutory damages of $100 to $750 per incident, or actual damages if higher.

Global Privacy Control (GPC)

The CPRA recognizes the Global Privacy Control (GPC) browser signal as a valid opt-out mechanism. When a visitor's browser sends a GPC signal, businesses must treat it as a request to opt out of the sale or sharing of personal information.

LiteConsent detects GPC signals automatically and treats them as an opt-out from sale/share categories. This means cookies and scripts tagged with sale or share categories are blocked for visitors with GPC enabled, without requiring them to interact with the banner.
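The decision logic described above, as an added example that is not LiteConsent's own code: it reads the GPC signal (the `Sec-GPC: 1` request header server-side, or `navigator.globalPrivacyControl === true` in the browser), combines it with an explicit "Do Not Sell or Share" choice, and blocks only the scripts tagged with sale or share categories. The script inventory and hostnames are constructed for the example.

```javascript
// Added example (not LiteConsent's code): apply the CCPA opt-out model to a
// list of category-tagged scripts. The GPC signal reaches a site as the
// "Sec-GPC: 1" request header or as navigator.globalPrivacyControl === true;
// both are passed in as plain values so the logic runs outside a browser.

const SALE_SHARE = new Set(["sale", "share"]);

// True when the visitor's browser sent a Global Privacy Control signal.
function gpcSignalled({ header, navigatorValue } = {}) {
  return header === "1" || navigatorValue === true;
}

// CCPA default: sale/share allowed until the visitor opts out. Both the
// explicit "Do Not Sell or Share" choice and a GPC signal switch it off.
// GDPR would start from false and require an explicit opt-in instead.
function saleShareAllowed({ optedOut = false, gpc = false } = {}) {
  return !optedOut && !gpc;
}

// Split scripts into those allowed to load and those that must be blocked.
// Scripts are blocked only when they carry a sale or share category;
// necessary and analytics-only scripts are unaffected by the opt-out.
function applyCcpaDecision(scripts, state) {
  const allow = saleShareAllowed(state);
  const allowed = [];
  const blocked = [];
  for (const script of scripts) {
    const saleShare = script.categories.some((c) => SALE_SHARE.has(c));
    (saleShare && !allow ? blocked : allowed).push(script.src);
  }
  return { allowed, blocked };
}

// Constructed sample inventory (hypothetical hosts), tagged by category.
const SAMPLE_SCRIPTS = [
  { src: "https://example.test/session.js", categories: ["necessary"] },
  { src: "https://example.test/analytics.js", categories: ["analytics"] },
  { src: "https://ads.example.test/remarketing.js", categories: ["share"] },
  { src: "https://ads.example.test/pixel.js", categories: ["sale", "share"] },
];

// Visitor with GPC enabled who never touched the banner: the two advertising
// scripts are blocked, the other two load.
const gpcVisitor = { gpc: gpcSignalled({ header: "1" }) };
console.log(JSON.stringify(applyCcpaDecision(SAMPLE_SCRIPTS, gpcVisitor)));
```

The same function covers the "Do Not Sell or Share" click by passing `optedOut: true`, and a recorded opt-out is never undone by a later request that lacks the GPC header.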

Other US state privacy laws

Several other US states have enacted privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others. Each state has its own specifics: some require honoring opt-out signals like GPC by default (Colorado, Connecticut), while others do not (Virginia). Some introduce opt-in requirements for sensitive data categories. The details vary enough that treating them as a single "US privacy framework" can be misleading.

How LiteConsent handles CCPA

LiteConsent detects visitors from California using geo-IP at the CDN edge and displays a CCPA-specific consent banner with opt-out language and a "Do Not Sell or Share" action. When the visitor opts out, LiteConsent blocks cookies and scripts in the sale/share categories and records the opt-out for compliance proof.

For details on jurisdiction detection and configuration, see Jurisdictions. For GPC support, see Global Privacy Control.