CCPA & CPRA compliance
CookieBoss is built to help websites meet the privacy requirements of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) — the regulations that govern how businesses collect and share personal information of California residents.
The legal requirements
CCPA/CPRA gives California consumers the right to opt out of the sale or sharing of their personal information. Unlike GDPR's opt-in model, CCPA uses an opt-out model — businesses may collect data by default but must provide a clear mechanism for consumers to say no.
Businesses must display a "Do Not Sell or Share My Personal Information" link on their website that is easy to find and use. They must also honor the Global Privacy Control (GPC) browser signal, log opt-out requests, and apply different rules based on whether a visitor is a California resident.
How CookieBoss helps
- Opt-out mechanism
  CookieBoss provides a fully compliant opt-out flow for California visitors. Marketing and analytics cookies load by default, but consumers can opt out at any time with a single click.
- "Do Not Sell or Share" link
  A configurable "Do Not Sell or Share My Personal Information" link that you can place anywhere on your site. Opens the CookieBoss preference center with opt-out options pre-highlighted.
- Geo-targeting for California visitors
  Show the CCPA opt-out experience only to California visitors while applying GDPR opt-in for EU users and simplified banners elsewhere. No code changes needed — configure rules in the dashboard.
- Consent logging
  Every opt-out decision is recorded with a timestamp, visitor ID, and categories affected. Exportable logs demonstrate compliance to the California Attorney General or the California Privacy Protection Agency.
- Global Privacy Control (GPC) support
  CookieBoss detects the GPC browser signal and automatically treats it as a valid opt-out request, as required by CPRA. No additional configuration needed.
- US state-level geo rules with 8 presets
  Pre-built rule sets for California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Indiana, and Tennessee. Apply the right consent model per state without manual configuration.
Opt-out vs. opt-in
GDPR requires opt-in — no cookies until the visitor says yes. CCPA uses opt-out — cookies can load by default, but visitors must be able to stop the sale or sharing of their data at any time.
CookieBoss handles both models with a single script. Geo-targeting rules automatically switch between opt-in and opt-out based on visitor location, so your site is compliant for EU and US visitors simultaneously.
Who needs to comply
CCPA/CPRA applies to for-profit businesses that collect personal information from California residents and meet any of these thresholds: annual gross revenue over $25 million, buying/selling/sharing personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenue from selling or sharing personal information.
Even if you're not based in California, if you serve California visitors and meet any threshold, you need to comply. CookieBoss geo-targeting ensures you only show the CCPA experience to visitors who need it.
For full details on how we handle data, see our privacy policy and terms of service. Questions? Email [email protected].
Scan your site for CCPA issues
Enter your URL to detect cookies and trackers that may require a "Do Not Sell" opt-out under CCPA/CPRA. The scan identifies third-party scripts sharing data with advertisers and analytics providers.
Get CCPA compliant in minutes
Add CookieBoss to your site, enable the California geo-rule, and your "Do Not Sell" link is live. No developer needed.