Tags: CCPA, CPRA, Cookie Compliance, Privacy Law
By Gregor Emm

CPRA Cookie Requirements — What California's Privacy Law Means for Your Website

The California Privacy Rights Act (CPRA) amended the original CCPA with stricter rules around how websites handle cookies, tracking, and personal data. If your business meets the CCPA's coverage thresholds (roughly: more than $25 million in annual revenue, or buying, selling or sharing the personal information of 100,000 or more consumers or households, or earning half or more of its revenue from selling or sharing personal information) and your site has California visitors, these requirements apply to you.

This guide covers exactly what the CPRA requires for cookies, how it differs from the CCPA, and what you need to change on your website.

What Changed from CCPA to CPRA

The CCPA gave California consumers the right to know what personal data businesses collect and to opt out of its sale. The CPRA, which took full effect in 2023, went further:

  • Sensitive personal information is now a separate legal category. Cookies that collect precise geolocation, race, health data, or financial information trigger additional obligations.
  • "Sharing" is now regulated alongside "selling." Cross-context behavioral advertising — the kind powered by third-party cookies — counts as sharing even if no money changes hands.
  • The California Privacy Protection Agency (CPPA) was created as a dedicated enforcement body. It shares enforcement with the Attorney General rather than replacing it: the CPPA brings administrative actions, and the Attorney General can still bring civil actions.
  • Data minimization principles now apply. You can only collect data that's "reasonably necessary and proportionate" for the disclosed purpose.

For website owners, this means your cookie practices face more scrutiny than under the original CCPA.

1. Provide a "Do Not Sell or Share" Link

Your website must include a visible link labeled "Do Not Sell or Share My Personal Information" (or equivalent). This applies if you use any advertising cookies, retargeting pixels, or analytics tools that share data with third parties.

Under the CPRA, "sharing" includes sending personal data to a third party for cross-context behavioral advertising — which means Meta Pixel, Google Ads remarketing, and similar tools all qualify.

2. Honor the Global Privacy Control (GPC)

The CPRA regulations require businesses to treat an opt-out preference signal, specifically the Global Privacy Control (GPC), as a valid request to opt out of sale and sharing. Technically the signal arrives as the `Sec-GPC: 1` request header and is exposed in the browser as `navigator.globalPrivacyControl`. If a visitor's browser sends it, your site must stop selling or sharing their data: advertising and retargeting tags must not fire for that visitor, and the signal takes precedence over any consent you previously stored for them.

Many consent management platforms now support GPC detection, but we regularly scan websites that ignore this signal entirely.
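The decision logic this section describes, as an added example that is not part of the original article or of any consent platform's API. The function names, the `dnsos` opt-out cookie and the tag catalogue are assumptions for illustration; in particular, marking first-party analytics as "not sharing" is an assumption that depends on how that tool is configured. The server side reads the `Sec-GPC` header, the browser side reads `navigator.globalPrivacyControl`, and either signal, or the site's own "Do Not Sell or Share" opt-out, suppresses every tag that shares data for cross-context behavioral advertising while essential first-party scripts keep loading.

```javascript
// Added example: gating third-party tags on the GPC signal and the site's own
// "Do Not Sell or Share" opt-out. Names and the tag list are assumptions.

// Constructed tag catalogue. `sharesData` marks tags that send personal
// information to a third party for cross-context behavioral advertising
// ("sharing" under the CPRA). The src values are placeholders, not real vendors.
const TAG_CATALOGUE = [
  { id: 'session',      src: '/js/session.js',                     sharesData: false, essential: true },
  { id: 'fp-analytics', src: '/js/analytics.js',                   sharesData: false, essential: false }, // assumption: first-party only
  { id: 'meta-pixel',   src: 'https://ads-vendor-a.invalid/px.js', sharesData: true,  essential: false },
  { id: 'google-ads',   src: 'https://ads-vendor-b.invalid/px.js', sharesData: true,  essential: false },
  { id: 'tiktok-pixel', src: 'https://ads-vendor-c.invalid/px.js', sharesData: true,  essential: false },
];

// Name of the site's own opt-out cookie, set by the "Do Not Sell or Share" link (assumption).
const OPT_OUT_COOKIE = 'dnsos';

// Server side: the GPC spec defines `Sec-GPC: 1` as the only value that means
// "opt out". An absent header, "0" or anything else is not a signal.
function gpcFromHeader(secGpcValue) {
  return typeof secGpcValue === 'string' && secGpcValue.trim() === '1';
}

// Browser side: navigator.globalPrivacyControl is the boolean true when GPC is on.
function gpcFromNavigator(nav) {
  return !!(nav && nav.globalPrivacyControl === true);
}

// Parse a Cookie header / document.cookie string for the site's own opt-out.
function optOutFromCookie(cookieHeader) {
  if (!cookieHeader) return false;
  return cookieHeader.split(';').some((part) => {
    const [name, value] = part.trim().split('=');
    return name === OPT_OUT_COOKIE && value === '1';
  });
}

// Combine the signals. Under the CPPA regulations the GPC signal is itself a
// valid opt-out request, so it overrides a previously stored "allow": the
// business may notify the consumer of the conflict but must still honor it.
function isOptedOut({ secGpcHeader, nav, cookieHeader } = {}) {
  return gpcFromHeader(secGpcHeader) || gpcFromNavigator(nav) || optOutFromCookie(cookieHeader);
}

// Which tags may fire: essential tags always; sharing tags never for an opted-out
// visitor; everything else follows the normal opt-out model.
function permittedTags(catalogue, optedOut) {
  return catalogue.filter((tag) => tag.essential || !(optedOut && tag.sharesData));
}

// Server side: decide from request headers (Node lowercases header names).
function permittedTagsForRequest(headers, catalogue = TAG_CATALOGUE) {
  const optedOut = isOptedOut({ secGpcHeader: headers['sec-gpc'], cookieHeader: headers['cookie'] });
  return permittedTags(catalogue, optedOut).map((t) => t.id);
}

// Persist the opt-out so server-rendered pages can honor it without re-deriving it.
function recordOptOut(doc) {
  doc.cookie = `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Browser loader: inject only permitted tags. For an opted-out visitor the
// sharing tags never fire on page load, which is the audit failure this
// article lists most often. Returns the ids that were loaded.
function loadPermittedTags(win, doc, catalogue = TAG_CATALOGUE) {
  const gpc = gpcFromNavigator(win.navigator);
  const optedOut = gpc || optOutFromCookie(doc.cookie);
  if (gpc) recordOptOut(doc);
  const allowed = permittedTags(catalogue, optedOut);
  for (const tag of allowed) {
    const s = doc.createElement('script');
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return allowed.map((t) => t.id);
}

// Constructed sample requests: one browser with GPC enabled, one without.
const withGpc = { 'sec-gpc': '1', cookie: 'sid=abc' };
const withoutGpc = { cookie: 'sid=abc' };
console.log('GPC on :', permittedTagsForRequest(withGpc));    // essential + first-party only
console.log('GPC off:', permittedTagsForRequest(withoutGpc)); // full catalogue
```

The split into a pure decision function and a thin loader is deliberate: the decision can be unit-tested against constructed headers, and the same function can run in an edge worker or template so that server-rendered pages never emit a sharing tag for an opted-out visitor in the first place, rather than relying on client-side code to remove it after the fact.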

3. Disclose Cookie Categories in Your Privacy Policy

Your privacy policy must list:

  • The categories of personal information collected (and which come from cookies)
  • The purposes for each category
  • The categories of third parties you share data with
  • How long you retain each category

Generic language like "we use cookies to improve your experience" does not satisfy this requirement.

4. Limit Use of Sensitive Personal Information

If any cookies collect sensitive personal information, such as precise geolocation (location within a circle with a radius of 1,850 feet), financial account details, or health data, and you use or disclose that information for purposes beyond the ones the regulations exempt (for example, performing the service the consumer asked for), you must provide a separate "Limit the Use of My Sensitive Personal Information" link.

5. Implement Consent for Minors

If your site knowingly collects data from users under 16, the CPRA requires opt-in consent before selling or sharing their data. For users under 13, a parent or guardian must provide consent.

| Requirement | CPRA | GDPR |
|---|---|---|
| Default consent model | Opt-out (most cookies allowed by default) | Opt-in (cookies blocked until consent) |
| Consent banner required | Not strictly, but opt-out link is | Yes, before any non-essential cookies |
| Sensitive data | Extra "limit use" opt-out link required | Explicit opt-in required |
| Enforcement body | CPPA (administrative) and the Attorney General (civil) | National DPAs (CNIL, ICO, etc.) |
| Fines | Up to $2,500 per violation, $7,500 per intentional violation or violation involving minors | Up to €20 million or 4% of global annual turnover, whichever is higher |
| GPC signal | Must be honored | Recognized but not explicitly required |

The key difference: GDPR is opt-in by default. CPRA is opt-out. But both penalize websites that fire tracking cookies without the required consent or opt-out mechanisms.

After scanning hundreds of websites, we see these CPRA issues most often:

  1. Third-party cookies fire on page load — Meta Pixel, Google Ads, and TikTok Pixel all active before any user interaction. This is "sharing" under the CPRA, and it has to stop for any visitor who has opted out or whose browser sends the GPC signal.
  2. No "Do Not Sell or Share" link — Required for any site using behavioral advertising.
  3. GPC signal ignored — The browser sends an opt-out signal, but third-party cookies fire anyway.
  4. Privacy policy missing cookie categories — Generic disclosures instead of specific categories and purposes.
  5. No consent mechanism for sensitive data — Sites collecting geolocation via cookies without a separate opt-out.

The fastest way to audit your site is with a free cookie compliance scan. Tag Leak checks:

  • Whether cookies and tracking scripts fire before user consent
  • Whether a consent banner is present and functional
  • Google Consent Mode v2 implementation
  • Security headers that protect user data in transit

The scan takes 60 seconds and doesn't require signup. You'll get a compliance score out of 100 and a detailed breakdown of every finding.

Next Steps

  1. Scan your website free to see your current compliance score
  2. Review your privacy policy against the CPRA disclosure requirements above
  3. Verify your "Do Not Sell or Share" link is present and functional
  4. Test that your site honors the GPC browser signal
  5. If you use a CMP, check that it's configured for CPRA — not just GDPR

The CPRA enforcement ramp-up is ongoing. The CPPA has been issuing fines and enforcement actions at an increasing pace since 2024. Getting ahead of compliance now is significantly cheaper than dealing with enforcement later.


Frequently Asked Questions

What is the CPRA and how does it relate to the CCPA?

The California Privacy Rights Act (CPRA) is an amendment to the CCPA that took effect January 1, 2023. It expands consumer rights, introduces the concept of sensitive personal information, and created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.

Does the CPRA require cookie consent before tracking?

The CPRA does not require opt-in consent for most cookies, unlike GDPR. However, it requires a clear 'Do Not Sell or Share My Personal Information' link and opt-out mechanisms. For sensitive personal information collected via cookies, consumers must be able to limit its use.

What cookies are affected by the CPRA?

Any cookies that collect, sell, or share personal information are affected. This includes advertising cookies, analytics cookies that track cross-site behavior, and any cookies that process sensitive personal information like precise geolocation.

How can I check if my website is CPRA compliant?

You can use a free cookie compliance scanner like Tag Leak to audit your website. It checks for pre-consent tracking, consent banner presence, and whether cookies fire before user interaction — all key CPRA compliance factors.
