California Consumer Privacy Act (CCPA): compliance guide for marketers

Your CCPA compliance guide covering: what are the CCPA compliance requirements, the differences between GDPR and CCPA cookie compliance, and the best solutions to comply with the California law.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. Enacted in 2018 and effective from January 1, 2020, the CCPA represents a significant step in data privacy law in the United States.
The CCPA provides California residents with specific rights over their personal information, allowing them to know what personal data is being collected about them, whether it is sold or disclosed and to whom, and to say no to the sale of personal data.

Who does the CCPA apply to?

The CCPA applies to businesses that operate in California, collect personal information of consumers, and meet at least one of the following criteria:

  • Annual gross revenues exceeding $25 million.
  • Buy, receive, sell, or share the personal information of 100,000 or more consumers or households.
  • Derive 50% or more of annual revenues from selling consumers’ personal information.

It’s important to note that these businesses need not be physically located in California. If they collect personal data from California residents, they are subject to the CCPA cookie compliance requirements.

What are the CCPA compliance requirements? CCPA regulations for obtaining consent and processing data

Under the CCPA, businesses must provide notice to consumers at or before the point of data collection. This notice should be easy to understand and accessible, providing consumers with a clear understanding of the categories of information to be collected and for what purpose it will be used.
Furthermore, businesses must create a clear and conspicuous link on their website, labelled ‘Do Not Sell My Personal Information,’ allowing consumers to opt out of the sale of their personal data. When it comes to minors under 16, businesses must obtain explicit opt-in consent.

Stop stressing over CCPA compliance. We’re here to help.

Scan your website, block non-compliant cookies, and achieve compliance in minutes with Cookie Information’s cookie consent banner tool.

What happens if you fail to comply? CCPA fines for non-compliance

Non-compliance with the CCPA can result in civil penalties. For intentional violations, businesses can be fined up to $7,500 per violation, and for unintentional violations, the fine is up to $2,500 per violation. These fines can quickly add up considering each affected user may count as a separate violation.
Additionally, the CCPA allows individuals to seek statutory or actual damages in the event of a data breach, with statutory damages ranging from $100 to $750 per incident or actual damages, whichever is greater.

What does the California CCPA cover?

The CCPA law applies to a broad range of personal information, including but not limited to:

  • Name and postal address
  • Email address
  • Social security number
  • Biometric information
  • Job and educational information
  • Browsing history

The CCPA text also covers cookies and online trackers. Businesses must inform consumers about the use of cookies and similar tracking technologies and obtain their consent.

CCPA cookie compliance: what does the CCPA say about the use of cookies in websites?

Under the California Consumer Privacy Act (CCPA), cookies are considered as personal information. Businesses must inform consumers about the use of cookies and obtain their consent.

What are cookies under CCPA?

Cookies are small files that websites store on your computer or device. They can contain various types of information, including personal data such as your browsing history or preferences. Under the CCPA, this information is considered personal because it can be used to identify, describe, or be directly or indirectly linked with a particular consumer or household.

CCPA consent banner requirements: informing consumers about the use of cookies

Businesses must disclose their use of cookies to consumers. This information is usually presented in a clear and accessible way, often through a cookie consent banner or notice that appears when a user first visits a website. This notice should explain what cookies are, how they are used, and why they are used.

Obtaining CCPA-compliant consent for the use of cookies

Under the CCPA, businesses must obtain consumer consent before using cookies. This is typically done through an opt-in mechanism on the cookie notice or consent banner. The consumer must actively agree to the use of cookies on the website, typically by clicking a button or checkbox that indicates their consent. It’s important to note that under the CCPA, silence or inactivity cannot be interpreted as consent.

Opting out and accessing cookie information

The CCPA gives consumers the right to opt out of the sale of their personal information, including information collected through cookies. Businesses should provide an easy way for consumers to exercise this right, such as a “Do Not Sell My Personal Information” link on their website.

In addition, the CCPA law provides consumers with the right to know what personal information a business collects about them, including through cookies. Businesses should provide a way for consumers to request this information and must respond to these requests within 45 days.

To comply with the CCPA, websites must also recognize and respect the universal opt-out signal, also known as Global Privacy Control (GPC). This feature allows users to configure their privacy and consent preferences directly within their browser, ensuring that their choices are automatically applied across all websites they visit.

CCPA vs CPRA: what's the difference?

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), are two major privacy laws designed to enhance data protection rights for California residents.

The CCPA, which took effect in 2020, introduced groundbreaking consumer rights, including the right to access, delete, and opt out of the sale of personal data. However, as data privacy concerns evolved, so did the need for stricter regulations. 

This led to the passage of the CPRA, which builds upon the CCPA by expanding consumer rights, introducing new obligations for businesses, and establishing a dedicated enforcement agency – the California Privacy Protection Agency (CPPA).

While the CCPA laid the foundation for consumer data rights, the CPRA strengthens and refines these protections. Key changes include the introduction of Sensitive Personal Information (SPI) regulations, expanded opt-out rights for data sharing (not just sales), and stricter data retention and security requirements. 

The CPRA also raises compliance thresholds for businesses, potentially exempting smaller companies from certain obligations. 

CCPA vs GDPR: key differences between GDPR and CCPA compliance

The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are two major data privacy regulations that impact businesses handling personal data. While both aim to protect consumer privacy, they have key differences in scope, requirements, and enforcement. 

GDPR, which applies to EU citizens, is broader in its definition of personal data and consent requirements. CCPA, focused on California residents, emphasizes consumer rights like opting out of data sales. If you’re operating in both jurisdictions, make sure you understand the nuances to achieve compliance.

By adhering to these cookie requirements, you can ensure that your website complies with the CCPA’s provisions regarding the use of cookies.

| | CCPA (California) | GDPR (EU) |
|---|---|---|
| Scope | Businesses meeting revenue or data thresholds that handle California residents’ data. | Any organization processing the personal data of EU citizens, regardless of location. |
| Personal data definition | Covers personal identifiers, household data, and inferences drawn from personal information. | Broadly defines personal data, including directly or indirectly identifiable information. |
| Consumer rights | Right to know, delete, opt out of sale, and non-discrimination. | Right to access, rectify, erase, restrict processing, data portability, and object to processing. |
| Consent requirements | Opt-out model for data sales; implied consent for most data processing. | Requires explicit opt-in consent for data collection and processing in most cases. |
| Penalties | $2,500 per unintentional violation, $7,500 per intentional violation. | Up to €20 million or 4% of global annual revenue, whichever is higher. |
| Enforcement | California Attorney General and the California Privacy Protection Agency (CPPA). | Data protection authorities (DPAs) across EU member states. |
| Applicability outside of jurisdiction | Affects businesses outside California if they process California residents’ personal information. | Affects businesses worldwide if they process EU citizens’ data. |

How to comply with the CCPA? Data compliance requirements

Businesses can take several steps to achieve compliance with the CCPA:

1. Understand your data: Know what personal information you collect, why you collect it, how you store it, who you share it with, and how long you retain it.

2. Update privacy policies and procedures: Make sure your privacy policies are.

How to achieve CCPA compliance: checklist for marketers and website owners

CCPA stands for California Consumer Privacy Act and refers to a data protection law that standardizes the rights of California consumers. As of January 1, 2023, the CCPA has been amended to include the CPRA (California Privacy Rights Act). If you run a profit-oriented business that collects, processes, or sells data from California citizens, you may be required to comply with the CCPA if you meet some additional criteria.

The CCPA defines which personal data, or personally identifiable information (PII), is and is not covered. The covered information includes name, address, email address, social security number, biometric information, job data, educational information, and browsing history. It does not cover publicly available information, such as that found in government documents or newspaper articles, or personal health information, which is regulated separately under the Health Insurance Portability and Accountability Act (HIPAA).

Californian consumers have the right to be told by companies exactly what personal information is collected about them. Consumers may make such a request up to twice a year. Additionally, an individual must be notified of these intentions at or before the point of data collection. To inform your consumers about your data processing activities, you can use a pop-up window or banner that appears when a page is first accessed. Tell your customers that you collect data and for what purpose, and include links to additional information about your CCPA practices.

Section 1798.130 of the CCPA requires you to provide consumers with two or more methods of contacting you to make requests, such as requests for disclosure of personal information. At a minimum, you must provide a toll-free telephone number and your website address. Once a request is raised, you have only 45 days to comply. To make it as easy as possible for consumers to exercise their CCPA rights, place your contact information prominently on your website.

To fully comply with the CCPA, you need a privacy policy that follows current CCPA/CPRA rules and is updated at least every 12 months. The privacy policy should explain what data is collected and why. It must also state how consumers can deny access to their personal information for specific purposes. Do not forget to state that you do not discriminate against consumers who exercise their rights, for example by withdrawing permission to store their data.

Under the CCPA, consent does not have to be obtained for data processing – but consumers must be able to opt out of the sale of personal data to third parties at any time. The opt-out option must include a separate page in your online presence with the mandatory heading, “Do not sell my personal information.” Create the mandatory opt-out page and preferably link to it in your footer as well as your privacy policy.

Californian consumers have the right to have the data a company has collected about them deleted, and therefore to “be forgotten.” In certain cases you do not have to comply with this obligation to delete, namely if your company needs to retain the requested data to detect security incidents, comply with legal obligations, or similar reasons, as described in Section 1798.105. Make sure your IT team knows exactly where personal data is stored and how to delete it in a CCPA-compliant manner.

Need to ensure CCPA compliance? Sign up for a free trial of Cookie Information CMP.

Does your website collect personal data from California residents? Let's help you collect valid consent

Cookie Information CMP offers a CCPA compliance solution that simplifies the process of complying with the California privacy law. Our cookie consent management platform (CMP) automatically scans your website to detect all cookies and tracking technologies in use. This data is then used to populate your cookie banner and notice, ensuring your website visitors receive the required accurate and transparent privacy information. 

By displaying a fully compliant CCPA consent banner, you can meet CCPA requirements while also aligning with other global privacy regulations, including GDPR, LGPD, and PDPA.

What’s included in Cookie Information CMP?

  • Automated scanning to detect cookies and trackers on your website.
  • Compliant consent banners that allow users to opt out.
  • Integration with Global Privacy Control (GPC) for universal opt-outs.
  • Customizable cookie consent popup to match your website design.
  • Automated privacy policy updates to reflect new legal requirements.
  • Secure consent storage and audit logs for regulatory compliance.

Experience it for yourself

Try Cookie Information CMP for 14 days – free of charge! No credit card required.

Frequently asked questions

What is CCPA compliance?

CCPA compliance refers to adherence to the California Consumer Privacy Act, which requires businesses to protect consumer privacy, including data transparency, consumer rights management, and security measures. Compliance with the CCPA ensures your company provides the necessary disclosures, allows opt-out options, and responds to consumer data requests.

Why was the CCPA introduced?

The California Consumer Privacy Act (CCPA) was introduced to enhance consumer data privacy rights and increase transparency in how businesses collect, use, and share personal information. It was designed to give California residents more control over their personal data in response to growing concerns about data privacy and misuse.

When did the CCPA go into effect?

The CCPA went into effect on January 1, 2020, and enforcement began on July 1, 2020. The California Privacy Rights Act (CPRA) later amended and strengthened the CCPA, with its provisions fully enforceable as of July 1, 2023.

Who must comply with the CCPA?

Businesses operating in California that meet any of the following criteria:

  • Annual gross revenues exceeding $25 million.
  • Buy, receive, sell, or share personal information of 100,000 or more consumers or households.
  • Derive 50% or more of annual revenues from selling consumers’ personal information.

What is the CCPA threshold?

Businesses must comply with the CCPA if they meet at least one of the following criteria:

  • Have annual gross revenue exceeding $25 million.
  • Buy, receive, sell, or share personal information of 100,000 or more California residents or households.
  • Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.

Does CCPA compliance affect businesses outside of California?

Yes, any business that collects personal information from California residents and meets the applicability criteria must comply, regardless of its physical location.

What are the privacy rights consumers have under the CCPA?

The CCPA grants California residents the following key data privacy rights:

  • Right to know what personal data is collected and how it’s used.
  • Right to delete personal data held by businesses.
  • Right to opt out of the sale or sharing of personal data.
  • Right to non-discrimination for exercising their privacy rights.
  • Right to correct inaccurate personal data (added by CPRA).
  • Right to limit the use of sensitive personal information (added by CPRA).

What are CCPA compliance requirements?

CCPA requires businesses to: 

  • Notify consumers about data collection at or before the point of collection.
  • Provide a “Do Not Sell or Share My Personal Information” link.
  • Respond to consumer requests for data access, deletion, and opt-out.
  • Honor Global Privacy Control (GPC) signals for opt-out requests.
  • Update privacy policies with clear disclosures on data usage.
  • Ensure data security measures to protect against breaches.

What is CCPA website compliance?

CCPA website compliance involves properly informing website visitors about data collection, providing an opt-out option, and ensuring that cookies and tracking technologies respect user privacy preferences. Businesses must display a compliant cookie consent banner, update their privacy policy, and integrate a Global Privacy Control (GPC) mechanism.

Under the CCPA, cookies that collect personal information are subject to compliance. Businesses must inform users about data collection via cookies and provide opt-out mechanisms if the data is sold. This can be done, for example, via a website cookie consent banner that respects CCPA text requirements.

Unlike the GDPR, which requires explicit opt-in consent for cookies, the CCPA/CPRA does not mandate cookie banners by default. However, businesses that sell or share personal data must:

  • Provide a “Do Not Sell or Share My Personal Information” link to allow consumers to opt out.
  • Honor Global Privacy Control (GPC) signals, which allow users to opt out of data sales via browser settings.
  • Disclose cookie and tracking technologies in their privacy policy and explain how data is used.

While cookie consent banners are not explicitly required, many businesses use them to ensure transparency and simplify compliance by allowing users to manage tracking preferences.

How to be CCPA compliant?

You can achieve CCPA compliance by:

  • Conducting a data audit to understand what personal information is collected.
  • Implementing a compliant cookie consent solution that respects user preferences.
  • Updating privacy policies with required CCPA disclosures.
  • Setting up processes for handling consumer requests (access, deletion, opt-out).
  • Providing a clear opt-out mechanism, such as a “Do Not Sell My Personal Information” link.
  • Ensuring contracts with third-party service providers include CCPA compliance terms.

What is the best CCPA compliance solution?

The best CCPA compliance software depends on your business needs, but a cookie consent management platform (CMP) like Cookie Information CMP can help you automate the process. Key features include:

  • Automated website cookie scanning to detect trackers.
  • Compliant cookie banners that allow users to opt out.
  • Integration with Global Privacy Control (GPC) for universal opt-outs.
  • Consent storage and audit logs for regulatory compliance.
  • Automatic privacy policy updates to reflect new legal requirements.

By using a reliable CCPA compliance solution like our website cookie banner, you can streamline the compliance process while improving consumer trust and transparency.

How can businesses comply with the CCPA’s opt-out requirements?

Businesses that sell or share personal data must provide a clear and accessible “Do Not Sell or Share My Personal Information” link on their website. They must also honor Global Privacy Control (GPC) signals, which allow users to set privacy preferences in their browser that apply across all websites.
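The Global Privacy Control (GPC) signal mentioned above and in the earlier section on opting out is a concrete browser mechanism: the browser sends the HTTP request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl` to page scripts. The following JavaScript is an added example, not code from Cookie Information CMP or from the original page. It shows one way a site can detect the signal on either side and treat it as an opt-out of sale or sharing that overrides a stored “allow” choice. The cookie categories, the `sellsOrShares` flag, and the sample requests are constructed for the illustration.

```javascript
// Added example: honoring the Global Privacy Control (GPC) opt-out signal.
// Not code from Cookie Information CMP; it assumes a generic request object
// with a plain `headers` map and a constructed cookie-category model.

// Server side: per the GPC specification the browser sends the request header
// `Sec-GPC: 1` when the signal is enabled. Header names are case-insensitive,
// and only the exact value "1" counts as an opt-out signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl (true when enabled). The navigator object
// is passed in so the function can be exercised outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed cookie categories. `sellsOrShares` marks the categories that
// involve selling or sharing personal information, i.e. the ones a CCPA
// opt-out must switch off. Which real categories qualify is a per-site call.
const COOKIE_CATEGORIES = {
  necessary: { sellsOrShares: false },
  analytics: { sellsOrShares: false },
  advertising: { sellsOrShares: true }, // cross-context behavioral advertising
  social: { sellsOrShares: true },      // third-party sharing
};

// Resolve the effective opt-out state for one request. A GPC signal is treated
// as a valid opt-out request and overrides a previously stored "allow" choice.
// Without GPC the stored choice (if any) applies; the default is "not opted
// out", matching the CCPA's opt-out model described on this page.
function resolveOptOut({ headers, nav, storedOptOut }) {
  if (gpcFromHeaders(headers) || gpcFromNavigator(nav)) {
    return { optedOut: true, source: 'gpc' };
  }
  if (typeof storedOptOut === 'boolean') {
    return { optedOut: storedOptOut, source: 'stored-choice' };
  }
  return { optedOut: false, source: 'default' };
}

// Decide which cookie categories may be set for this request.
function allowedCategories(ctx) {
  const { optedOut } = resolveOptOut(ctx);
  return Object.keys(COOKIE_CATEGORIES).filter(
    (name) => !(optedOut && COOKIE_CATEGORIES[name].sellsOrShares)
  );
}

// Constructed sample requests for a stand-alone run.
const sampleRequests = [
  { label: 'GPC header set, stored allow', headers: { 'Sec-GPC': '1' }, storedOptOut: false },
  { label: 'no signal, no stored choice', headers: { 'user-agent': 'example' } },
  { label: 'no signal, opted out earlier', headers: {}, storedOptOut: true },
  { label: 'navigator flag only', headers: {}, nav: { globalPrivacyControl: true } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const req of sampleRequests) {
    console.log(req.label, '=>', resolveOptOut(req), allowedCategories(req));
  }
}
```

The point of `resolveOptOut` is the precedence: the GPC signal wins over a stored consent record, because the regulations treat it as an opt-out request made at the time of the visit. A consent log should record that the decision came from `gpc` rather than from the banner, which is what the `source` field is for.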

What are the penalties for noncompliance with the CCPA?

Businesses that fail to comply with the CCPA can face fines of:

  • $2,500 per unintentional violation
  • $7,500 per intentional violation

Additionally, the law allows consumers to sue businesses in the case of a data breach due to inadequate security measures.

How does CCPA compliance differ from GDPR compliance?

While both laws aim to protect consumer privacy, key differences include:

  • Scope: GDPR applies to all EU residents, whereas CCPA applies to California residents.
  • Consent: GDPR requires opt-in consent for data collection; CCPA allows opt-out.
  • Penalties: GDPR imposes higher fines compared to CCPA.

Does CCPA apply to mobile apps?

Yes, CCPA applies to apps if they meet the law’s applicability thresholds.

How does CCPA affect mobile apps?

Apps that collect personal information, such as user behavior, location data, or device identifiers, must comply with CCPA by:

  • Providing a privacy notice explaining data collection.
  • Allowing users to request access, deletion, or opt-out of data sales.
  • Including a “Do Not Sell or Share My Personal Information” link if data is sold or shared.
  • Honoring Global Privacy Control (GPC) signals for opt-out requests.
  • Ensuring security measures to protect user data from breaches.

Even if an app does not sell data, it may still need to comply if it shares personal data with third parties for targeted advertising or analytics purposes.

There is no standalone “Cookie Act” in California, but cookies and online tracking are regulated under the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). These laws govern how businesses collect, store, and share personal information, including personal data collected through cookies.

Under the CCPA/CPRA, cookies that collect personal information (such as IP addresses, browsing behavior, and device identifiers) must be disclosed, and consumers must be given the option to opt out of the sale or sharing of their personal data.

What is a CCPA compliance checklist?

A CCPA compliance checklist is a tool that outlines the steps you must take to comply with the CCPA, including data mapping, updating privacy policies, implementing consumer rights processes, and training employees.

What are CCPA cookies?

CCPA cookies refer to cookies that collect personal information and are subject to CCPA regulations. These include tracking cookies, analytics cookies, and advertising cookies that store user behavior, preferences, and identifiers.

What is the difference between CCPA cookies and GDPR cookies?

  • Under the CCPA, cookies can be used by default, but users must have the option to opt out if their data is sold or shared.
  • Under GDPR, websites must obtain explicit opt-in consent before storing non-essential cookies, making it a stricter regulation for cookie compliance.