CCPA / CPRA compliance scanner

Does your site meet California's privacy requirements?

CCPA and its 2023 amendment CPRA are opt-out frameworks — different from GDPR's opt-in model. But several technical requirements still apply: Do Not Sell or Share links, the USP API string, GPP API support, and increasingly, pre-consent tracking restrictions for sensitive personal information.

🇺🇸 CCPA / CPRA
Enforced by California Attorney General, CPPA
Applies to: for-profit businesses meeting revenue or data thresholds that process California residents' data

Free scan · No signup · Every scan covers all 6 major privacy regulations

Technical checks

What Tag Leak audits for CCPA / CPRA compliance

These are scanner-detectable technical requirements. Regulatory compliance also requires legal review of your policies, contracts, and data processing activities.

"Do Not Sell or Share My Personal Information" link

CCPA requires a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" (or a compliant abbreviation) in the footer or homepage of any covered business. Tag Leak checks for this link on every scan.

"Limit the Use of My Sensitive Personal Information" link

CPRA introduced a new opt-out right specifically for sensitive personal information. Businesses that collect sensitive PI must provide a separate "Limit the Use of My Sensitive Personal Information" link. Tag Leak checks for this alongside the "Do Not Sell or Share My Personal Information" (DNSMPI) link.

USP API (IAB US Privacy String)

The IAB US Privacy Framework requires a USP API implementation that allows CMPs and ad vendors to read the user's privacy preferences. Tag Leak verifies this API is present and functioning correctly.
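
As an added illustration (not Tag Leak's implementation), a presence-and-validity check of this kind can be sketched in JavaScript: call `__uspapi` with `getUSPData` and validate the returned string against the IAB US Privacy String layout. The names `parseUspString`, `checkUspApi` and `sampleWindow` are hypothetical, and the sample string is constructed.

```javascript
// Added example. USP string layout per the IAB US Privacy String spec:
//   char 0: spec version (currently 1)
//   char 1: explicit notice given     Y / N / -
//   char 2: opted out of sale         Y / N / -
//   char 3: LSPA covered transaction  Y / N / -
// "1---" signals that CCPA does not apply to this user.
function parseUspString(usp) {
  if (typeof usp !== 'string' || !/^1[YN-]{3}$/i.test(usp)) {
    return { valid: false };
  }
  const [notice, optOut, lspa] = usp.toUpperCase().slice(1);
  return {
    valid: true,
    applies: usp.slice(1) !== '---',
    noticeGiven: notice === 'Y',
    optedOutOfSale: optOut === 'Y',
    lspaCovered: lspa === 'Y',
  };
}

// Query a window-like object for __uspapi. Resolves even when the API is
// missing or never calls back, so an audit can report each state separately.
function checkUspApi(win, timeoutMs = 2000) {
  return new Promise((resolve) => {
    if (typeof win.__uspapi !== 'function') {
      return resolve({ present: false, responded: false, usp: null });
    }
    const timer = setTimeout(
      () => resolve({ present: true, responded: false, usp: null }), timeoutMs);
    win.__uspapi('getUSPData', 1, (data, success) => {
      clearTimeout(timer);
      const usp = success && data ? parseUspString(data.uspString) : { valid: false };
      resolve({ present: true, responded: true, usp });
    });
  });
}

// Constructed stand-in for a page whose CMP exposes __uspapi (sample data).
const sampleWindow = {
  __uspapi(command, version, callback) {
    if (command === 'getUSPData' && version === 1) {
      callback({ version: 1, uspString: '1YYN' }, true);
    } else {
      callback(null, false);
    }
  },
};
checkUspApi(sampleWindow).then((result) => console.log(result));
```

In a browser console, pass `window` instead of `sampleWindow` to run the same check against the loaded page.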

Global Privacy Platform (GPP) API

GPP is the successor to USP and is required by an increasing number of ad partners and SSPs. Tag Leak checks for GPP API support and whether it returns a valid string, covering CPRA's extended opt-out requirements.

Pre-consent tracker detection — sensitive PI context

While CCPA is an opt-out framework for standard PI, CPRA added opt-in requirements for sensitive personal information. Tag Leak flags which ad networks and analytics platforms fire before any user interaction — relevant for sites that collect sensitive PI categories.

Privacy policy link detection

CCPA requires a Privacy Policy that discloses the categories of PI collected, the purposes, and the rights of California residents. Tag Leak checks for a privacy policy link on the homepage as a baseline indicator.

Security headers — reasonable security measures

California law (including CCPA and the California Customer Records Act) requires businesses to implement 'reasonable security measures' for personal data. Tag Leak checks six security response headers as a technical indicator of baseline security posture.

CCPA-specific compliance score

Your CCPA result is presented as a 0–100 score weighted for the opt-out model. Key checks: DNSMPI link present, Limit Sensitive PI link present (CPRA), USP API detected, GPP API detected, privacy policy link present. Pre-consent tracker findings carry less weight than under GDPR.

Note: CCPA / CPRA compliance also depends on your Privacy Policy content, data processing records, opt-out fulfillment workflows, service provider contracts, and data sale / sharing disclosures. The law also applies based on revenue and data volume thresholds — consult legal counsel to confirm whether your business is covered and what obligations apply.

Run once. Cover everything.

You do not need to select CCPA — every Tag Leak scan automatically audits all six major privacy regulations in one pass. Run a single scan and get scores for CCPA, GDPR, UK GDPR, LGPD, POPIA, and PDPA simultaneously.

See your CCPA / CPRA compliance score now

Free scan. No signup. Results in 60 seconds.


Frequently asked questions

Does the CCPA require a cookie consent banner?

The CCPA does not require a GDPR-style opt-in cookie banner. However, it does require a visible "Do Not Sell or Share My Personal Information" link and functional opt-out mechanisms. Many websites use a cookie banner to provide these controls, but the legal requirement is the opt-out capability — not the banner itself.

What are the CCPA cookie requirements?

The CCPA requires websites to: provide a "Do Not Sell or Share" opt-out link, honor the Global Privacy Control (GPC) browser signal, disclose cookie data collection in the privacy policy, not discriminate against users who opt out, and implement opt-in consent for users under 16. The CPRA amendment added requirements for sensitive personal information.

What is the difference between CCPA and CPRA?

The CPRA (California Privacy Rights Act) is an amendment to the CCPA that took effect in 2023. It added: sensitive personal information as a separate category, a "Limit the Use of My Sensitive Personal Information" link requirement, the California Privacy Protection Agency (CPPA) as a dedicated enforcer, data minimization principles, and explicit GPC signal requirements.

How do I check if my website is CCPA compliant?

Scan your website with Tag Leak for free. It checks whether tracking cookies fire before user interaction, whether your consent banner and opt-out mechanisms are present, and whether your site properly handles consent signals. You should also verify your "Do Not Sell or Share" link works, your privacy policy lists cookie categories, and your site honors the GPC browser signal.

What are the penalties for CCPA non-compliance?

The CPPA can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation, with no cap on total fines. Consumers can also sue directly for data breaches involving their personal information, with statutory damages of $100 to $750 per consumer per incident.