CCPA Cookie Compliance: What Your Website Needs
Practical guide to CCPA cookie compliance: what's required, what's not, how it differs from GDPR, and what small business websites need to do.
Last updated: 2026-02-07
If you've spent any time looking into privacy compliance for your website, you've probably been bombarded with advice about cookie consent banners. Pop-ups, opt-in forms, cookie preference centers -- the whole annoying apparatus.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.
Here's something most people get wrong: the CCPA does not require cookie consent banners.
That's a GDPR thing. The CCPA takes a fundamentally different approach to cookies and tracking technologies. Understanding the difference will save you from implementing the wrong solution and help you focus on what California law actually requires.
This guide covers what the CCPA does and doesn't require for cookies, what counts as "selling" or "sharing" data through tracking technologies, and the practical steps your website needs to take.
For the full law overview, see our Complete Guide to CCPA Compliance.
CCPA vs. GDPR: Two Very Different Cookie Models
Let's clear up the confusion right away.
The GDPR Model: Opt-In Consent
Under the EU's GDPR (and the ePrivacy Directive), you need explicit, affirmative consent before placing most cookies on a user's device. That means:
- No tracking cookies until the user says "yes"
- A consent banner that asks permission before cookies are set
- Real opt-in (not pre-checked boxes or implied consent)
- Separate consent for different cookie categories
- The ability to reject all non-essential cookies
- Equal prominence for "accept" and "reject" buttons
This is why nearly every European website has a cookie pop-up: any site that sets non-essential cookies is legally required to ask first.
The CCPA Model: Opt-Out Rights
The CCPA takes the opposite approach. Under California law:
- You can place cookies and collect data by default
- You don't need prior consent for most tracking
- You do need to let consumers opt out of the sale or sharing of their data (Cal. Civ. Code § 1798.120)
- You do need to disclose your data collection practices in your privacy policy (Cal. Civ. Code § 1798.130)
- You do need to honor Global Privacy Control (GPC) signals
In other words: the CCPA lets you collect first and asks you to provide an opt-out. The GDPR requires you to ask first and not collect until you get a yes.
Why This Matters for Your Website
If your website only serves California residents (or only U.S. visitors), you probably don't need a traditional cookie consent banner. What you need is a "Do Not Sell or Share My Personal Information" link and the ability to honor opt-out requests.
If your website serves both U.S. and European visitors, you may need both systems: a GDPR-compliant consent banner for European visitors and a CCPA-compliant opt-out mechanism for California visitors. Many consent management platforms handle both, but it's important to understand that they're solving two different legal problems.
What Counts as "Selling" or "Sharing" Data Through Cookies
This is the critical question for CCPA cookie compliance. The CCPA's opt-out rights apply to the "sale" or "sharing" of personal information. If your cookies don't result in data being sold or shared, the opt-out requirements don't apply to them.
The CCPA Definition of "Sale"
A "sale" under the CCPA (Cal. Civ. Code § 1798.140(ad)) is any disclosure of personal information to a third party for monetary or other valuable consideration. That last part -- "other valuable consideration" -- is what makes this definition so broad.
If you place a third-party advertising cookie on your website that sends user data to an ad network, and in return you receive targeted advertising services, analytics, or any other benefit, that could be a "sale." The ad network gets data; you get value. That's consideration.
The CPRA Definition of "Sharing"
CPRA expanded the CCPA to also cover "sharing" (Cal. Civ. Code § 1798.140(ah)), defined as disclosing personal information to a third party for cross-context behavioral advertising, whether or not money changes hands.
Cross-context behavioral advertising means targeting ads to a consumer based on their activity across different websites, apps, or services. This captures the core of how modern ad tech works: you visit a shoe website, and then you see shoe ads on a news website. The data flow that makes that possible is "sharing" under CPRA.
Common Tracking Technologies and Whether They "Sell" or "Share" Data
Let's go through the tracking tools most small business websites use and assess their CCPA implications.
Google Analytics (GA4)
Google Analytics collects user behavior data (pages visited, time on site, device information, IP address) and sends it to Google.
- Does it "sell" data? Google's terms state that they don't use Analytics data for their own advertising purposes (if you've accepted the data processing terms). Under this interpretation, GA4 with proper configuration is generally not considered a "sale."
- Does it "share" data? If you've enabled Google Signals or linked Google Analytics to Google Ads, data may flow to advertising systems, which could constitute "sharing." Without those features enabled, standard GA4 is generally not considered "sharing."
- What to do: Review your GA4 configuration. Disable Google Signals if you don't need it. If you link GA4 to Google Ads, you should provide a "Do Not Sell or Share" mechanism and honor GPC signals for that data flow.
Google Ads / Google Tag Manager
Google Ads conversion tracking and remarketing tags send user data to Google's advertising platform.
- Does it "sell" or "share" data? Very likely yes. Remarketing tags enable cross-context behavioral advertising. Conversion tracking shares data with Google's advertising ecosystem. Both likely constitute "sharing" under CPRA.
- What to do: Implement the "Do Not Sell or Share" link and honor GPC signals. When a user opts out or sends a GPC signal, suppress Google Ads tags.
Facebook/Meta Pixel
The Meta Pixel sends user behavior data to Meta's advertising platform.
- Does it "sell" or "share" data? Almost certainly yes. The entire purpose of the Meta Pixel is to enable targeted advertising across Meta's platforms -- which is cross-context behavioral advertising by definition.
- What to do: Implement opt-out and GPC support. When a user opts out, suppress the Meta Pixel. Consider using Meta's Conversions API with proper data handling instead of client-side pixels, but understand that server-side sharing of personal information for advertising is still "sharing."
TikTok Pixel, Pinterest Tag, LinkedIn Insight Tag, Twitter/X Pixel
Same analysis as Meta Pixel. These are all advertising tracking technologies that send user data to advertising platforms for cross-context behavioral advertising.
- What to do: Implement opt-out and GPC support for all of them. When a user opts out, suppress these tags.
Session Replay Tools (Hotjar, FullStory, etc.)
These tools record user sessions for UX analysis.
- Does it "sell" or "share" data? Generally no, if the data is used solely for your own website improvement and the tool provider's terms restrict them from using the data for other purposes. These are typically service providers, not third parties.
- What to do: Ensure your contract with the provider includes CCPA-compliant service provider terms. Review whether the provider uses the data for any purpose beyond providing the service to you.
Customer Chat Tools (Intercom, Drift, etc.)
Live chat and chatbot tools collect user data for customer support purposes.
- Does it "sell" or "share" data? Generally no, if used for customer support. But if the tool uses customer data for cross-selling or shares it with advertising partners, it could qualify.
- What to do: Review the tool's data practices and ensure service provider terms are in place.
Essential Cookies (Authentication, Shopping Cart, Security)
First-party cookies used for basic website functionality (keeping a user logged in, maintaining a shopping cart, fraud prevention).
- Does it "sell" or "share" data? No. These are first-party cookies used for essential purposes. They don't involve disclosure to third parties (a fraud-prevention vendor operating under service provider terms is not a "third party" for this purpose).
- What to do: Nothing special. These are exempt from opt-out requirements.
What Your Website Actually Needs
Based on the above analysis, here's what most small business websites need to do for CCPA cookie compliance.
Step 1: Audit Your Tracking Technologies
Before you can comply, you need to know what you're running. Audit your website for:
- All third-party scripts and tags
- All cookies set by your website (first-party and third-party)
- All data flows to third parties
Tools like browser developer tools (check the Network tab and Application > Cookies) or dedicated cookie scanning tools can help identify what's running on your site. Many consent management platforms include a free cookie scan feature.
Create a list of every tracking technology on your site and categorize it:
- Essential (authentication, shopping cart, security) -- no opt-out needed
- Analytics (first-party analytics, session replay) -- likely no opt-out needed if data stays with you or your service provider
- Advertising (ad pixels, remarketing tags) -- opt-out required
- Third-party sharing (social media plugins, data partnerships) -- opt-out likely required
Step 2: Add the "Do Not Sell or Share My Personal Information" Link
If you have any tracking technologies in categories 3 or 4 above, you need this link on your website (Cal. Civ. Code § 1798.135). Requirements:
- Location: Must be on your homepage. Best practice is to put it in the footer of every page.
- Text: The link must be titled "Do Not Sell or Share My Personal Information". If you also need to offer a "Limit the Use of My Sensitive Personal Information" right, you may combine both into a single clearly labeled link, as long as the page it leads to lets the consumer exercise each right.
- Function: Clicking the link should take the consumer to a page or mechanism where they can exercise their opt-out right. This could be a simple form, a toggle, or a preference center.
- No account required: Consumers must be able to opt out without creating an account or logging in.
- Accessible: The link must be accessible to people with disabilities, following web accessibility guidelines.
You may instead use the alternative the regulations allow: a link titled "Your Privacy Choices" (or "Your California Privacy Choices") accompanied by the standard opt-out icon, or a toggle that clearly communicates the opt-out function. The plain text link is still the safest and simplest approach.
Step 3: Implement Global Privacy Control (GPC) Support
Under CPRA regulations, businesses must treat GPC signals as valid opt-out requests. GPC is a browser-level signal that tells websites "this user opts out of the sale or sharing of their personal information."
How to implement GPC support:
- Detect the GPC signal. GPC is sent as an HTTP request header (Sec-GPC: 1) on every request, and is also exposed to page scripts as navigator.globalPrivacyControl (true when the user has turned it on).
- When GPC is detected, treat it as an opt-out request. Suppress all advertising and tracking tags that constitute "selling" or "sharing."
- Don't require additional steps from the user. The GPC signal itself is the opt-out request. Don't show a pop-up asking for confirmation.
If you use a consent management platform (CMP), most major CMPs have built-in GPC detection. Check your CMP's settings and make sure GPC support is enabled.
If you don't use a CMP, you can implement GPC detection with a few lines of JavaScript:
if (navigator.globalPrivacyControl) {
// User has opted out — suppress advertising/sharing tags
// Don't load ad pixels, remarketing tags, etc.
}
The specifics of implementation depend on how your tags are loaded. If you use Google Tag Manager, you can create a custom JavaScript variable that returns the value of navigator.globalPrivacyControl and use it as a blocking trigger condition on your advertising tags. Whatever the mechanism, the check has to run before the tag is injected: a pixel that fires and is "blocked" afterwards has already shared the data.
Step 4: Suppress Tracking When Users Opt Out
When a consumer opts out (either through your "Do Not Sell or Share" mechanism or via GPC), you must stop the data flows that constitute selling or sharing. Practically, this means:
- Don't load advertising pixels (Meta, Google Ads, TikTok, etc.)
- Don't set third-party cookies associated with advertising networks
- Don't send data to advertising APIs (like Meta's Conversions API for advertising purposes)
- You can still load essential cookies, first-party analytics (if properly configured), and service provider tools
The most common implementation approach is:
- Set a cookie or local storage flag when the user opts out (or when GPC is detected)
- Before loading any advertising tags, check for the opt-out flag
- Only load advertising/sharing tags if the user has not opted out. Re-check GPC on every page load rather than trusting the stored flag alone, since a visitor can turn the signal on between visits.
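The following is an added example and not code from the original article. It implements Steps 3 and 4 (and the logged-in persistence from Step 6) as a single client-side gate: it combines the GPC signal, an account preference the server renders into the page, and a first-party opt-out cookie, then decides which tags may be injected. The cookie name, the tag catalog, the sellsOrShares flag, the window.ccpaAccountPreference global and the script URLs are all assumptions for illustration, not real tag endpoints.

```javascript
// Added example (not from the original article): client-side opt-out gate for
// CCPA "sale/share" tags. Cookie name, catalog, URLs and the account-preference
// global are assumptions made for illustration.

const OPT_OUT_COOKIE = 'ccpa_opt_out';          // assumed first-party cookie name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Constructed tag catalog. Only entries marked sellsOrShares are subject to the
// opt-out; essential cookies and service-provider analytics keep loading.
const TAG_CATALOG = [
  { id: 'session',         category: 'essential',   sellsOrShares: false, src: null },
  { id: 'analytics',       category: 'analytics',   sellsOrShares: false, src: 'https://analytics.example/sp.js' },
  { id: 'ads-remarketing', category: 'advertising', sellsOrShares: true,  src: 'https://ads.example/remarketing.js' },
  { id: 'social-pixel',    category: 'advertising', sellsOrShares: true,  src: 'https://social.example/pixel.js' },
];

// Minimal "name=value; name2=value2" parser for document.cookie text.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Precedence: GPC is a valid opt-out on its own (no confirmation step), then the
// account preference (survives cleared cookies), then the first-party cookie.
function isOptedOut({ gpc = false, accountPreference = null, cookieString = '' } = {}) {
  if (gpc === true) return true;
  if (accountPreference === 'opt_out') return true;
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Split the catalog into tags that may load and tags that must be suppressed.
function partitionTags(catalog, optedOut) {
  const load = [];
  const suppress = [];
  for (const tag of catalog) {
    (optedOut && tag.sellsOrShares ? suppress : load).push(tag.id);
  }
  return { load, suppress };
}

// Read the live signals in a browser; returns {} elsewhere (e.g. under test).
// window.ccpaAccountPreference is an assumed global the server renders for
// logged-in users ('opt_out' or null).
function browserSignals() {
  if (typeof navigator === 'undefined' || typeof document === 'undefined') return {};
  return {
    gpc: navigator.globalPrivacyControl === true,
    accountPreference: typeof window !== 'undefined' ? (window.ccpaAccountPreference || null) : null,
    cookieString: document.cookie,
  };
}

// Cookie written when the consumer uses the "Do Not Sell or Share" mechanism.
function optOutCookieValue() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

function recordOptOut() {
  const cookie = optOutCookieValue();
  if (typeof document !== 'undefined') document.cookie = cookie;
  return cookie;
}

// Inject a script tag. Called only for tags the gate allowed, so a suppressed
// pixel never reaches the page (blocking its cookie afterwards would be too late).
function injectTag(tag) {
  if (!tag.src || typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

// Entry point: evaluate the signals on every page load (GPC can be turned on
// between visits) and inject only the allowed tags. Returns the decision.
function applyTagGate(catalog = TAG_CATALOG, signals = browserSignals()) {
  const decision = partitionTags(catalog, isOptedOut(signals));
  for (const tag of catalog) {
    if (decision.load.includes(tag.id)) injectTag(tag);
  }
  return decision;
}

if (typeof window !== 'undefined') applyTagGate();
```

Load this synchronously in the document head before any tag snippet so applyTagGate runs first; wire the "Do Not Sell or Share" form's submit handler to recordOptOut and, for logged-in users, also post the preference to the server so it follows the account across devices. Testing the gate is then a matter of enabling GPC in the browser and confirming in the Network tab that no request goes to the advertising hosts.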
Step 5: Update Your Privacy Policy
Your privacy policy must disclose your cookie and tracking practices in CCPA-compliant terms:
- List the categories of personal information collected through cookies and tracking
- Identify whether this collection constitutes a "sale" or "sharing"
- Explain how consumers can opt out
- Describe your approach to GPC signals
Don't just list cookies by name. Describe them in terms of the CCPA categories: "We collect internet or network activity information (including browsing history and interactions with our website) through cookies and similar technologies."
For full privacy policy requirements, see our CCPA Compliance Checklist.
Step 6: Handle Opt-Outs for Logged-In Users
If your website has user accounts, opt-out preferences should persist across sessions and devices where possible. When a logged-in user opts out:
- Save the preference to their account
- Apply it consistently across all devices they use
- Don't reset it when they clear their cookies
For anonymous visitors, the opt-out preference is typically stored in a first-party cookie. If they clear cookies, you won't know they opted out -- but the GPC signal (if enabled in their browser) will tell you on subsequent visits.
What You Don't Need to Do
Just as important as knowing what's required is knowing what's not. The CCPA does not require:
- A cookie consent banner. You don't need to ask permission before setting cookies (unless you also serve European visitors and need GDPR compliance).
- An opt-in for analytics cookies. First-party analytics that don't share data with third parties for advertising don't require opt-in or opt-out under CCPA.
- Blocking all cookies for opted-out users. Essential cookies and first-party analytics cookies can remain active even when a user has opted out. Only advertising and sharing-related cookies need to be suppressed.
- A cookie preference center. While these are common (and useful if you serve GDPR-covered visitors), the CCPA only requires a "Do Not Sell or Share" mechanism. A full preference center is optional.
The "Do I Even Need This?" Flowchart
Still not sure what your website needs? Walk through this:
1. Does the CCPA apply to your business?
- No: No CCPA cookie requirements. (But consider voluntary best practices.)
- Yes: Continue.
- Not sure: See Who Does the CCPA Apply To?
2. Does your website use third-party advertising or tracking technologies?
- No (only essential cookies and first-party analytics): You likely don't need the "Do Not Sell or Share" link or GPC support for cookie-related purposes. But check your other data practices -- you may still sell or share data through non-cookie channels.
- Yes: Continue.
3. Do these technologies share data with third parties for advertising purposes?
- No (all service providers with proper contracts): You're likely fine without additional cookie-specific opt-outs.
- Yes: You need the "Do Not Sell or Share" link, GPC support, and the ability to suppress these technologies when users opt out.
Common Mistakes
Implementing a GDPR-style banner for California visitors. It's not required and it confuses users. Worse, if you implement an opt-in banner, you might inadvertently commit to a higher standard than the CCPA requires -- and then fail to meet it.
Ignoring GPC signals. After the 2022 Sephora settlement with the California Attorney General, there is no ambiguity: you must honor GPC signals. If your website doesn't detect and respond to GPC, fix it.
Assuming Google Analytics is fine by default. GA4 can be configured in ways that do or don't constitute "sharing." If you've linked GA4 to Google Ads or enabled Google Signals, data may be flowing to advertising systems. Review your configuration.
Forgetting about server-side tracking. Client-side cookie blocking is the most visible part of compliance, but many businesses also share data through server-side integrations (APIs, data feeds, CRM syncs). These data flows are subject to the same opt-out requirements. When a consumer opts out, you need to suppress server-side sharing too.
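The following is an added example and not code from the original article. It shows the server-side half of the opt-out that client-side blocking cannot reach: reading the Sec-GPC request header in Node.js, keeping a persisted suppression list, and consulting it both at request time (a conversions-API style call) and in batch jobs (audience uploads, CRM syncs) that have no request headers at all. The in-memory Set standing in for a database, the event shape and the injected send function are assumptions; only the Sec-GPC header and its value "1" come from the GPC specification.

```javascript
// Added example (not from the original article): server-side enforcement of the
// same opt-out. Plain Node.js, no dependencies. The in-memory store, the event
// shape and the injected `send` function are assumptions for illustration.

const serverSuppressed = new Set();   // constructed stand-in for a persisted opt-out store

// GPC arrives on every request as "Sec-GPC: 1". Node lowercases header names,
// so check both spellings for header maps that were not normalized.
function requestHasGpc(headers) {
  const raw = headers ? (headers['sec-gpc'] ?? headers['Sec-GPC']) : undefined;
  return String(raw ?? '').trim() === '1';
}

// Called when the consumer submits the "Do Not Sell or Share" form, or when a
// logged-in request carries GPC, so the preference outlives cleared cookies.
function recordServerOptOut(consumerId) {
  if (consumerId) serverSuppressed.add(String(consumerId));
  return serverSuppressed.size;
}

// Single decision point for any server-to-server "share".
function mayShare(consumerId, headers) {
  if (requestHasGpc(headers)) {
    recordServerOptOut(consumerId);   // remember the signal for later batch jobs too
    return false;
  }
  return !(consumerId && serverSuppressed.has(String(consumerId)));
}

// Request-time path: e.g. a conversions-API style call triggered by a purchase.
// `send` is injected so the example runs offline; in production it makes the
// outbound HTTP call to the advertising platform.
function forwardConversion(event, headers, send) {
  if (!mayShare(event.consumerId, headers)) {
    return { sent: false, reason: 'opted_out', consumerId: event.consumerId };
  }
  send(event);
  return { sent: true, consumerId: event.consumerId };
}

// Batch path: audience uploads and CRM-to-ad-platform syncs carry no request
// headers, so they must consult the stored opt-out list before every run.
function filterAudience(records) {
  const allowed = [];
  const dropped = [];
  for (const r of records) {
    (serverSuppressed.has(String(r.consumerId)) ? dropped : allowed).push(r);
  }
  return { allowed, dropped };
}

// Constructed sample run: one purchase arrives with GPC set, one without, then a
// nightly audience sync is filtered against the accumulated opt-outs.
function demo() {
  const outbound = [];
  const send = (e) => outbound.push(e);
  const first = forwardConversion({ consumerId: 'c-100', value: 40 }, { 'sec-gpc': '1' }, send);
  const second = forwardConversion({ consumerId: 'c-200', value: 15 }, {}, send);
  const sync = filterAudience([{ consumerId: 'c-100' }, { consumerId: 'c-200' }]);
  return { first, second, outboundCount: outbound.length, syncAllowed: sync.allowed.length };
}
```

The point of routing every outbound share through mayShare and filterAudience is that a "Do Not Sell" request stops the CRM export and the audience upload as well as the pixel; if those jobs read the suppression list from the same store the form writes to, there is one opt-out to test rather than several.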
Not testing the opt-out. After implementing your opt-out mechanism, test it. Click the link, submit the opt-out, and then check (using browser developer tools) whether advertising tags are actually suppressed. A "Do Not Sell" link that doesn't actually stop anything is worse than not having one at all -- it looks like you're trying to comply but not actually doing it, which regulators may treat as intentional rather than unintentional non-compliance.
Practical Implementation for Common Website Platforms
WordPress
If you run a WordPress site, consent management plugins like CookieYes, Complianz, or WP Consent API can handle CCPA opt-out functionality. Look for plugins that:
- Support the "Do Not Sell or Share" link
- Detect GPC signals
- Can conditionally block scripts based on opt-out status
- Don't just block cookies -- also prevent the scripts from loading entirely
Shopify
Shopify has built-in privacy compliance features, including a cookie consent banner and the ability to restrict tracking based on consent status. Check your Shopify admin under Settings > Customer Privacy for CCPA-specific options. Shopify's Customer Privacy API allows theme developers to conditionally load tracking scripts.
Squarespace, Wix, and Other Builders
These platforms have varying levels of built-in privacy compliance. Most offer a cookie banner, but CCPA-specific "Do Not Sell" functionality may be limited. You may need a third-party consent management platform that integrates with your builder.
Custom Websites
If you have a custom-built website, implement GPC detection and opt-out logic in your tag management system (Google Tag Manager, Segment, etc.) or directly in your codebase. The key is ensuring that when an opt-out is detected, advertising and sharing-related scripts are not loaded.
The Bottom Line
CCPA cookie compliance is simpler than GDPR cookie compliance. You don't need a consent banner. You need an opt-out mechanism for data selling and sharing, GPC support, and the ability to actually suppress tracking technologies when someone opts out.
Focus on the advertising and tracking tools that share data with third parties. That's where the CCPA cares about cookies. Essential functionality and first-party analytics are generally fine.
And for the love of privacy, test your implementation. The "Do Not Sell" link should actually do what it says.
References
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text on the California Legislative Information site
- California Privacy Rights Act (CPRA): Proposition 24 (2020), amending the CCPA. CPRA ballot text
- CCPA Regulations: Title 11, Division 6, California Code of Regulations. Final CCPA regulations (California Office of the Attorney General)
- California Privacy Protection Agency (CPPA): Official CPPA website
- FTC Guidance on Online Tracking: Federal Trade Commission - Online Tracking
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Building your full CCPA compliance program? Our DSAR Compliance Guide covers the complete process for handling consumer requests -- including opt-out requests that connect directly to your cookie and tracking practices. Download it for a practical framework you can implement right away.