The CCPA is the California Consumer Privacy Act, the California privacy law that grants California residents specific rights over their personal information. The CPRA (California Privacy Rights Act), approved by California voters in November 2020 through Proposition 24, did not create a separate law; it amended and strengthened the CCPA with new protections and new obligations that have applied since January 1, 2023. California authorities still refer to the framework as the CCPA, as amended.
For anyone running a website, the CCPA/CPRA is especially important because it affects data collection, cookies, advertising, analytics, sharing with third parties, privacy notices, and opt-out mechanisms. It is not limited to large platforms: it can also affect digital businesses, ecommerce projects, and organizations that interact with users in California and meet the thresholds established by law.
What the CCPA is
The CCPA is a state law designed to give California consumers greater control over the personal information collected by businesses. Among the main rights granted to California residents are the right to know what data is collected, the right to request deletion, the right to opt out of the sale or sharing of data, and the right not to be discriminated against for exercising privacy rights.
The concept of personal information is broad: it includes data that identifies, relates to, describes, or can reasonably be linked to a consumer or household, including names, email addresses, IP addresses, online identifiers, cookies, pixels, browsing history, geolocation, and other persistent identifiers. The law also makes clear that cookies, beacons, pixel tags, and similar technologies may fall within the scope of unique identifiers relevant under the CCPA.
What the CPRA is
The CPRA is the most significant update to the CCPA. It expanded consumer rights, introduced the concept of sensitive personal information, strengthened the rules on sharing and cross-context behavioral advertising, and created the California Privacy Protection Agency (CPPA), the agency dedicated to implementing and enforcing the law.
In practical terms, the CPRA transformed the CCPA from a law focused mainly on disclosure and opt-out into a more developed system, with greater attention to data minimization, limits on the use of sensitive data, proper interfaces for collecting privacy choices, and more detailed controls over digital technologies.
Who it applies to
The CCPA/CPRA generally applies to for-profit businesses that do business in California, collect consumers' personal information and determine the purposes and means of processing it, and meet at least one of the thresholds set by law. Following the CPI adjustment that took effect on January 1, 2025, the revenue threshold is annual gross revenues above $26,625,000. The other thresholds are annually buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving at least 50% of annual revenue from selling or sharing consumers' personal information.
This means that not every business is automatically subject to the CCPA/CPRA, but many online organizations fall within its scope once they process data relating to California residents and exceed one of the thresholds. The rights the law creates belong to California residents (the statute's "consumers"), not automatically to every visitor worldwide.
Why it matters for a website
For a modern website, the CCPA/CPRA matters because many of the technologies used every day – analytics, advertising tags, remarketing pixels, embedded content, CRMs, marketing automation tools, and profiling tools – may involve the collection, use, disclosure, sharing, or sale of personal information under California legal definitions.
The key point is that the CCPA/CPRA does not look only at “sale” in the traditional sense. The CPRA added and clarified the concept of sharing, defining it as communicating personal information to third parties for cross-context behavioral advertising, even where no money changes hands. For many websites, this is the most important concept to understand: some advertising or tracking integrations may require opt-out mechanisms even if you do not believe you are “selling data” in the everyday sense.
Consumer rights under the CCPA/CPRA
The CCPA/CPRA framework grants consumers several substantive rights. These include the right to know what data is collected, used, shared, or sold; the right to deletion; the right to correct inaccurate data; the right to opt out of the sale or sharing of personal information; the right to limit the use and disclosure of sensitive personal information; and the right not to be discriminated against for exercising those rights.
For a website, this means compliance does not end with a privacy policy. You must be ready to receive, verify, fulfil, and document consumer requests, and to explain clearly the categories of data collected, their sources, the purposes, the categories of third parties involved, and any sale or sharing activities.
Personal information and sensitive personal information
One of the most relevant aspects introduced by the CPRA is the distinction between personal information and sensitive personal information. The latter category includes, among other things, certain government identifiers, account log-in credentials, financial account or payment card numbers combined with the security code, password, or credentials needed to use them, precise geolocation, the contents of mail, email, and text messages where the business is not the intended recipient, genetic data, biometric information processed to identify a person, data concerning health, sex life, sexual orientation, racial or ethnic origin, religious or philosophical beliefs, and union membership.
When a business uses or discloses sensitive personal information for purposes beyond those strictly permitted by law, the consumer has the right to limit its use and disclosure. This is especially important for digital projects that collect precise geolocation, health-related data, sensitive authentication data, or other high-impact privacy information.
What it means for cookies, pixels, and advertising
For websites, this is often the operational core of CCPA/CPRA compliance. The law includes cookies, beacons, pixel tags, mobile advertising identifiers, and similar technologies among relevant identifiers, and the CPRA strengthened the rules governing sharing for cross-context behavioral advertising. In practice, many marketing and advertising implementations may trigger specific opt-out obligations.
If a business sells or shares personal information, it must give consumers a clear way to opt out. The law requires a clear and conspicuous link such as "Do Not Sell or Share My Personal Information," along with a description of these rights in the privacy policy. Where relevant, there must also be a "Limit the Use of My Sensitive Personal Information" mechanism, or a single combined link (the regulations permit "Your Privacy Choices") that leads to both choices, consistent with the law and applicable regulations.
The role of Global Privacy Control (GPC)
One of the most concrete points for websites is the Global Privacy Control (GPC). California authorities explain that, for businesses that collect data online and sell or share personal information, a GPC signal enabled by the user is a valid method of exercising the opt-out right. In other words, when a business is subject to these obligations, it must treat the GPC signal as a valid request to stop selling or sharing that consumer's personal information, without requiring the consumer to do anything else.
For anyone developing or managing a website, this translates into a precise operational requirement: the platform must detect the signal, which a GPC-enabled browser sends as the "Sec-GPC: 1" request header and exposes to page scripts as navigator.globalPrivacyControl, and must act on it in the consent flow and in the loading logic of the vendors involved, so that tags that sell or share personal information do not fire for a consumer whose browser sent the signal.
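The following is an added example, not code from the original page or from Cookiedad, showing how a site can resolve the opt-out state from the GPC signal and its own stored choice, and then decide which tags are allowed to load. The cookie name "ccpa_optout", the TAG_REGISTRY entries, and the "sellsOrShares" flag are assumptions made for the example; the header name "Sec-GPC" and the navigator.globalPrivacyControl property are the real GPC signal.

```javascript
// Added example (not Cookiedad's own code): resolve the CCPA/CPRA opt-out
// state from the Global Privacy Control (GPC) signal plus the site's stored
// choice, then gate "sell/share" tags on the result.
// Assumptions for this example: the stored choice lives in a cookie named
// "ccpa_optout" and tags are described by the TAG_REGISTRY table below.

const TAG_REGISTRY = [
  // A tag that sends identifiers to an ad platform for cross-context
  // behavioural advertising: "sharing" under the CPRA, so it must be gated.
  { id: "remarketing-pixel", src: "https://ads.example/pixel.js", sellsOrShares: true },
  // A first-party measurement script that discloses nothing to third parties.
  { id: "site-analytics", src: "/js/analytics.js", sellsOrShares: false },
];

// Browser side: a GPC-enabled browser exposes navigator.globalPrivacyControl === true.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same browser sends the request header "Sec-GPC: 1".
// Header names are matched case-insensitively; only the exact value "1" counts.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Read the site's own recorded choice from a document.cookie-style string.
// Returns true (opted out), false (explicitly allowed), or null (no record).
function storedOptOut(cookieString, name = "ccpa_optout") {
  for (const part of String(cookieString || "").split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=") === "1";
  }
  return null;
}

// GPC is a valid opt-out request in its own right. It is honoured even when an
// earlier site-specific choice allowed sharing: the business may tell the user
// about the conflict and ask again, but must not keep sharing in the meantime.
function resolveOptOut({ nav, headers, cookieString }) {
  const gpc = gpcFromNavigator(nav) || gpcFromHeaders(headers);
  const stored = storedOptOut(cookieString);
  const optedOut = gpc || stored === true;
  const source = gpc ? "gpc" : stored === true ? "stored" : "none";
  return { optedOut, source };
}

// Only tags that do not sell or share may load for an opted-out consumer.
function tagsToLoad(registry, optedOut) {
  return registry.filter((tag) => !(optedOut && tag.sellsOrShares)).map((tag) => tag.id);
}

// Persist a GPC-derived opt-out so later page views and the server see it
// without re-deriving it from the signal. Returns a Set-Cookie header value.
function optOutCookie(name = "ccpa_optout", maxAgeSeconds = 31536000) {
  return `${name}=1; Path=/; Max-Age=${maxAgeSeconds}; Secure; SameSite=Lax`;
}

// Constructed inputs standing in for a real browser and request: the browser
// sends GPC while the site's cookie still records an earlier "allow" choice.
const browserWithGpc = { globalPrivacyControl: true };
const requestHeaders = { "Sec-GPC": "1", "User-Agent": "example" };
const state = resolveOptOut({
  nav: browserWithGpc,
  headers: requestHeaders,
  cookieString: "ccpa_optout=0",
});
console.log(state, tagsToLoad(TAG_REGISTRY, state.optedOut));
// { optedOut: true, source: 'gpc' } [ 'site-analytics' ]
```

The point of keeping both checks is that the signal reaches the site twice: the header lets the server decide before any HTML is rendered, and the navigator property lets a consent script decide after a tag manager has loaded. Whichever side makes the decision, the tag that shares personal information is never injected, rather than injected and later "disabled".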
The importance of clear interfaces without dark patterns
In recent years, the CPPA has paid particular attention to the way websites present privacy choices to users. In September 2024, the agency published a specific advisory on dark patterns, making clear that interfaces that obstruct, confuse, or bias user choice may be incompatible with the CCPA. Enforcement does not focus only on legal wording, but also on the concrete effect of the UI on the consumer’s freedom of choice.
For a website, this is a central concept: it is not enough to have an opt-out link or a formal privacy policy. Choices must be presented in a way that is understandable, accessible, balanced, and genuinely usable, without deceptive flows or an opt-out path that takes more steps than the opt-in.
What practical obligations a business has
Operationally, the law requires a business to provide proper notices at or before the point of collection, specifying the categories of data collected, the purposes, and whether those data are sold or shared. In addition, if the business sells or shares personal information, it must provide the required opt-out mechanisms, may not require consumers to create an account in order to exercise their rights, and may use information collected during a request only to handle that request.
The law also requires that personnel responsible for privacy requests be informed about the law’s requirements and know how to properly guide consumers in exercising their rights. For this reason, CCPA/CPRA compliance is not only technical: it is also organizational.
The most recent regulatory developments
From a regulatory standpoint, the framework did not stop in 2023. The main implementing regulations for the CCPA, updated in light of the CPRA, became effective on March 29, 2023. The CPPA subsequently advanced a further regulatory package covering updates to the existing CCPA regulations, cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), and clarifications for the insurance sector. That package was approved in 2025 and took effect on January 1, 2026.
This is the most important recent development for a website to track: the CCPA/CPRA framework continues to mature beyond the traditional topics of notice, opt-out, and consumer requests. Regulatory attention now also covers risk assessments, cybersecurity, and the use of automated decision-making technologies.
Penalties and legal risk
Enforcement is primarily administrative, by the CPPA and the California Attorney General, with a narrow private right of action. After the inflation adjustment effective January 1, 2025, administrative fines run up to $2,663 per violation and up to $7,988 per intentional violation or violation involving consumers under 16, according to the amounts published by the CPPA.
The private right of action is limited to certain data breaches of nonencrypted and nonredacted personal information resulting from a failure to implement reasonable security measures. The statutory damages range was also updated from 2025 to $107-$799 per consumer per incident, or actual damages if higher.
What all this means for a website like yours
For a website, being aligned with the CCPA/CPRA means understanding exactly what data is collected, which vendors or third parties are involved, whether certain integrations amount to sale or sharing, how GPC is handled, how privacy choices are presented to users, and whether the privacy notice matches the website’s actual behavior.
In practice, it is not enough to “have a banner” or “have a privacy policy.” You must translate CCPA/CPRA requirements into script-loading logic, opt-out management, technology classification, and regular reviews of active implementations.
How Cookiedad helps
Cookiedad is designed to help websites and digital businesses manage cookies, trackers, privacy preferences, and compliance configuration in a structured, practical way. It does not replace legal advice and cannot guarantee regulatory compliance in every situation, but it makes the technical side clearer and more controllable, which in the CCPA/CPRA context is often what separates claimed compliance from demonstrable compliance.
For businesses with users in California, this means better visibility into cookies and trackers, better preference management, clearer opt-out logic, better organization of notices, and closer alignment between what the website says and what it actually does.
Conclusion
Today, the CCPA/CPRA is one of the most important privacy frameworks for websites, advertising, and consumer data. For many companies, the main question is not whether they "sell data" in the traditional sense, but whether their marketing, analytics, or advertising stack creates sharing activities or other processing operations that trigger specific rights and obligations.