CCPA · Cookie Compliance · Privacy Law · Cookie Consent
By Gregor Emm · 4 min read

CCPA Cookie Consent: What Website Owners Need to Know

If your website has California visitors and uses cookies for advertising or analytics, the CCPA applies to you. But CCPA cookie consent works differently from what you might be used to with GDPR.

This guide covers exactly what the CCPA requires for cookies, the common mistakes websites make, and how to get compliant.

The CCPA does not require cookie consent in the way GDPR does. Here's the key distinction:

  • GDPR: Opt-in. Cookies must be blocked until the user consents.
  • CCPA: Opt-out. Cookies can fire by default, but users must be able to opt out.

This means the CCPA doesn't require you to show a consent banner before loading cookies. But it does require you to provide clear opt-out mechanisms — and that's where most websites fall short.

1. "Do Not Sell or Share" Link

Your website must include a "Do Not Sell or Share My Personal Information" link that's easy to find. This is required if you use any cookies or tracking technologies that share data with third parties.

Under the CPRA amendment, "sharing" includes providing data for cross-context behavioral advertising — even without payment. This means Meta Pixel, Google Ads remarketing tags, and programmatic advertising cookies all qualify.

The link must lead to a functional page where users can actually exercise this right.

2. Honor the Global Privacy Control (GPC)

When a visitor's browser sends a GPC signal, your website must treat it as a valid opt-out of sale and sharing. This is a legal requirement under the CPRA, not optional.

In practice, this means your consent management platform needs to detect the GPC signal and suppress third-party cookies for those visitors.
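The two opt-out paths above (the "Do Not Sell or Share" link and the GPC signal) can feed one server-side decision that gates which tags are rendered. The following is an added example, not code from this article or from any consent platform; the cookie name `ccpa_optout` and the tag inventory are hypothetical, while `Sec-GPC: 1` is the request header defined by the GPC specification.

```javascript
// Added example: OPT_OUT_COOKIE and the TAGS inventory are hypothetical.
const OPT_OUT_COOKIE = "ccpa_optout"; // set by the "Do Not Sell or Share" page

// Parse a Cookie request header into a plain object.
function parseCookies(header = "") {
  const jar = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Decide whether a request is opted out of sale/sharing, and by which signal.
function resolveOptOut(headers) {
  const h = {}; // header names are case-insensitive, so normalise first
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const reasons = [];
  // GPC is expressed as exactly "Sec-GPC: 1"; any other value is not a signal.
  if (h["sec-gpc"] === "1") reasons.push("gpc");
  if (parseCookies(h["cookie"])[OPT_OUT_COOKIE] === "1") reasons.push("link");
  return { optedOut: reasons.length > 0, reasons };
}

// Keep only the tags that may load for this visitor.
function allowedTags(tags, state) {
  return tags.filter((t) => !(state.optedOut && t.sharesWithThirdParty));
}

// Constructed tag inventory.
const TAGS = [
  { name: "meta-pixel", category: "advertising", sharesWithThirdParty: true },
  { name: "ads-remarketing", category: "advertising", sharesWithThirdParty: true },
  { name: "first-party-analytics", category: "analytics", sharesWithThirdParty: false },
  { name: "session", category: "essential", sharesWithThirdParty: false },
];

// Constructed requests: no signal, GPC header, and a stored link opt-out.
function demo() {
  const requests = [
    { "User-Agent": "test" },
    { "SEC-GPC": "1" },
    { "Sec-GPC": "0", Cookie: "theme=dark; ccpa_optout=1" },
  ];
  return requests.map((r) => {
    const s = resolveOptOut(r);
    return { reasons: s.reasons, tags: allowedTags(TAGS, s).map((t) => t.name) };
  });
}
console.log(JSON.stringify(demo()));
```

Tags injected client-side need the same gate in the browser, where the signal is exposed as `navigator.globalPrivacyControl`.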

3. Cookie Disclosure in Privacy Policy

Your privacy policy must specifically disclose:

  • What categories of personal information cookies collect
  • The business purpose for each category
  • Which third parties receive the data
  • How long the data is retained

The CCPA defines "personal information" broadly — it includes online identifiers, browsing history, and geolocation data. Most advertising and analytics cookies collect data that qualifies.

4. No Discrimination Against Opt-Out Users

You cannot charge different prices, provide different quality of service, or deny service to users who opt out of cookie tracking. The website experience must remain the same whether or not cookies are active.

5. Opt-In for Minors

If you knowingly collect personal information from users under 16, you must get opt-in consent before selling or sharing that data. For users under 13, a parent or guardian must provide consent.

While the CCPA doesn't mandate a GDPR-style consent banner, most websites serving both EU and California visitors use a unified banner that handles both. Here's what a CCPA-compliant banner needs:

  • A clear "Do Not Sell or Share My Personal Information" option
  • GPC signal detection — suppressing third-party cookies when GPC is active
  • Links to your privacy policy and cookie categories
  • The ability to opt out of specific categories (advertising, analytics)

What you don't need under CCPA (but do need under GDPR):

  • Blocking all cookies before consent
  • An "Accept All" / "Reject All" choice
  • Consent records storage

CCPA Cookie Banner vs. GDPR Cookie Banner

| Feature | CCPA Banner | GDPR Banner |
|---|---|---|
| Required before cookies fire | No | Yes |
| Must block tracking by default | No | Yes |
| Opt-out mechanism | Required | Required (via reject button) |
| Opt-in mechanism | Only for minors | Required for all users |
| "Do Not Sell" link | Required | Not applicable |
| GPC support | Required | Recommended |
| Consent storage | Not required | Required |

We scan hundreds of websites for compliance. Here are the most common CCPA issues:

No Opt-Out Mechanism

Many websites have a cookie banner with an "Accept" button but no way to decline or opt out. Under CCPA, users must be able to stop the sale and sharing of their personal data.

GPC Signal Ignored

The Global Privacy Control is supported in browsers like Firefox and Brave, and via browser extensions. We regularly find websites that completely ignore this signal — third-party cookies fire even when GPC is active.

Privacy Policy Gaps

Generic privacy policies that say "we use cookies" without listing specific categories, purposes, and third parties don't satisfy CCPA requirements.

Third-Party Cookies Active by Default

While CCPA allows cookies by default (unlike GDPR), the opt-out must actually work. We often find that clicking "Do Not Sell" doesn't actually suppress advertising cookies — they continue to fire in the background.

Who Does the CCPA Apply To?

The CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least one of these thresholds:

  • Annual gross revenue exceeds $25 million
  • Buys, sells, or shares the personal information of 100,000+ California residents, households, or devices annually
  • Derives 50% or more of annual revenue from selling or sharing personal information

Even if you don't meet these thresholds, implementing CCPA-level cookie controls is good practice — the thresholds may change, and other states are passing similar laws.

  1. Run a free scan — Tag Leak checks whether your site fires tracking before consent, detects your consent banner, and audits consent signals
  2. Check your opt-out link — search your site for "Do Not Sell" and verify it works
  3. Test GPC — install the GPC browser extension, visit your site, and check if third-party cookies are suppressed
  4. Review your privacy policy — verify it lists cookie categories, purposes, and third parties

For ongoing compliance, set up monitoring to catch regressions when marketing adds new tags or your CMP configuration changes.
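The GPC test in step 3 can be turned into a repeatable check by exporting a HAR file from the browser's network panel and auditing it. This is an added example, not part of the original article or of Tag Leak; it relies only on the standard HAR fields `log.entries[].request` and `response.headers`, and the hosts in the sample are constructed placeholders.

```javascript
// Added example: audit a HAR capture recorded with GPC switched on.
// Collect all values of one header from a HAR name/value array.
function headerValues(headers, name) {
  return headers.filter((h) => h.name.toLowerCase() === name).map((h) => h.value);
}

// siteDomain is supplied by the caller, so no public-suffix guessing is needed.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

function auditGpcHar(har, siteDomain) {
  const entries = har.log.entries;
  // The run only proves something if the browser really sent Sec-GPC: 1 to the site.
  const gpcSent = entries.some((e) =>
    isFirstParty(new URL(e.request.url).hostname, siteDomain) &&
    headerValues(e.request.headers, "sec-gpc").includes("1"));
  const byHost = new Map();
  for (const e of entries) {
    const host = new URL(e.request.url).hostname;
    if (isFirstParty(host, siteDomain)) continue;
    const set = headerValues(e.response.headers, "set-cookie").length;
    const sent = headerValues(e.request.headers, "cookie").length;
    if (set + sent === 0) continue; // cookieless third-party request
    const f = byHost.get(host) || { host, setCookie: 0, cookieSent: 0 };
    f.setCookie += set;
    f.cookieSent += sent;
    byHost.set(host, f);
  }
  return { gpcSent, thirdPartyCookies: [...byHost.values()] };
}

// Constructed HAR fragment (hosts are placeholders under .example).
const hdr = (obj) => Object.entries(obj).map(([name, value]) => ({ name, value }));
const entry = (url, req, res) =>
  ({ request: { url, headers: hdr(req) }, response: { headers: hdr(res) } });
const SAMPLE_HAR = { log: { entries: [
  entry("https://www.shop.example/", { "Sec-GPC": "1" }, { "Set-Cookie": "sid=1" }),
  entry("https://ads.adnetwork.example/pixel", { "Sec-GPC": "1" }, { "Set-Cookie": "uid=abc" }),
  entry("https://ads.adnetwork.example/sync", { Cookie: "uid=abc" }, {}),
  entry("https://fonts.cdnhost.example/f.woff2", { "Sec-GPC": "1" }, {}),
] } };

console.log(JSON.stringify(auditGpcHar(SAMPLE_HAR, "shop.example"), null, 2));
```

A capture where `gpcSent` is false says nothing about GPC handling, so treat that as a failed test run rather than a pass.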

Frequently Asked Questions

Does the CCPA require a cookie consent banner?

The CCPA doesn't explicitly require a cookie consent banner like GDPR does. However, it does require a 'Do Not Sell or Share My Personal Information' link and opt-out mechanisms. Many websites use a cookie banner to provide these controls, though it's the opt-out functionality — not the banner itself — that's legally required.

What is the CCPA cookie banner requirement?

The CCPA requires a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on your website. This link must lead to a page where users can opt out of the sale or sharing of their personal information, including data collected via cookies and tracking technologies.

Does CCPA apply to cookies?

Yes. Under the CCPA (and its amendment, the CPRA), cookies that collect personal information are regulated. This includes advertising cookies, analytics cookies that track user behavior, and any cookies that enable the sale or sharing of personal data with third parties.

What are the CCPA cookie requirements?

The CCPA requires websites to: (1) provide a 'Do Not Sell or Share' opt-out link, (2) honor the Global Privacy Control (GPC) browser signal, (3) disclose cookie data collection in the privacy policy, (4) not discriminate against users who opt out, and (5) implement opt-in consent for minors under 16.

How is CCPA cookie consent different from GDPR?

GDPR requires opt-in consent (cookies blocked until the user agrees). CCPA uses an opt-out model (cookies can fire by default, but users must be able to opt out). GDPR requires a consent banner before tracking; CCPA requires an opt-out link but not necessarily a pre-tracking banner.
