Privacy Law Guidance / CCPA/CPRA (California)

CCPA/CPRA compliance goes beyond a cookie banner. It requires validating what actually stops at the network layer.

The California Consumer Privacy Act, as expanded by the California Privacy Rights Act, gives California residents the right to opt out of the sale of their personal information and of its sharing for cross-context behavioral advertising. For most commercial websites, that obligation applies to advertising pixels, analytics integrations, and data broker scripts. A "Do Not Sell or Share" link and a cookie banner are the start, not the end, of compliance.

Full Name

California Consumer Privacy Act / California Privacy Rights Act

Jurisdiction

California

Penalties

The California Attorney General can seek civil penalties of up to $2,500 per violation and $7,500 per intentional violation, and the California Privacy Protection Agency (CPPA), created by the CPRA, can impose administrative fines in the same amounts. The CPPA has independent enforcement authority and has begun issuing enforcement actions. The CCPA also provides consumers with a limited private right of action for data breaches involving certain categories of nonencrypted and nonredacted personal information.

What It Is

Overview of CCPA/CPRA

The CCPA (Cal. Civ. Code § 1798.100 et seq.) as amended by the CPRA requires businesses that collect personal information about California consumers to, among other obligations, honor requests to opt out of the sale or sharing of personal information. "Sharing" under the CPRA specifically covers disclosing personal information to third parties for cross-context behavioral advertising, which captures most ad pixel and retargeting data flows. The CPRA also requires businesses to recognize the Global Privacy Control (GPC) browser signal as a valid opt-out request.

Who It Covers

Scope

Businesses that collect personal information of California consumers and meet at least one of three thresholds: annual gross revenue over $25 million, buying, selling, or sharing the personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. This scope covers most mid-size and large commercial websites with a California audience.

Exposure Triggers

What triggers CCPA/CPRA enforcement risk for websites

CCPA/CPRA enforcement focuses on whether businesses honor opt-out requests, whether GPC signals are respected, and whether "Do Not Sell or Share" mechanisms are technically effective, not just visually present.

Ad pixels firing after opt-out

If a visitor clicks "Do Not Sell or Share My Information" but ad pixels like Meta Pixel or Google Ads continue to fire and transmit behavioral data, the opt-out is not technically honored. This is a direct CCPA/CPRA violation.

Global Privacy Control not recognized

The CPRA requires businesses to treat GPC as a valid opt-out of sale and sharing request. Many sites have a "Do Not Sell" link but do not honor the GPC browser signal, which is a separate and required compliance obligation.

Data broker and audience enrichment scripts

Scripts from companies like Demandbase, Clearbit (now HubSpot Breeze Intelligence), and similar B2B data platforms collect visitor behavioral data and enrich it with firmographic or demographic profiles. That data is then available to the vendor for their own commercial purposes, which may constitute "sale" or "sharing" under CCPA/CPRA.

Demand Letter Response

CCPA enforcement investigations and complaints

CCPA enforcement begins with a consumer complaint to the California AG or the CPPA, or with an investigation the CPPA opens on its own. The AG's office has also sent pre-enforcement notices identifying specific compliance gaps. Under the original CCPA a business had a guaranteed 30-day period to cure a violation after notice; the CPRA removed that guarantee, so whether a cure opportunity is offered is now at the enforcer's discretion and turns in part on demonstrated good faith. Showing that you have conducted a technical audit of your third-party data flows, identified gaps, and implemented remediation is the most direct evidence of that good faith. Lokker provides the technical documentation of your consent state behavior, GPC handling, and third-party data flows that supports this showing.

Evidence Support

CCPA/CPRA technical compliance documentation

Demonstrating CCPA/CPRA compliance requires evidence that opt-out mechanisms are technically effective, that GPC signals are honored, and that consent states produce the correct network behavior.

Opt-out and GPC state testing

Consent Validator runs automated browser sessions in opt-out and GPC states and documents whether ad pixels and data broker scripts are blocked, providing technical evidence of your opt-out mechanism's effectiveness.

Third-party data flow inventory

Privacy Edge identifies every third-party script on your California-facing pages and classifies each by data-sale and data-sharing risk, so you know which vendors are subject to the CCPA/CPRA opt-out obligation.

Guardian runtime enforcement

Guardian enforces blocking at the network layer when a visitor signals opt-out or GPC, providing technical controls that go beyond CMP-configured blocking.

Frequently Asked Questions

Common questions about CCPA/CPRA

Is a "Do Not Sell" link sufficient for CCPA compliance?

No. The link is the disclosure mechanism. Compliance requires that the opt-out request is technically honored, meaning that the data flows that constitute "selling" or "sharing" actually stop when the link is activated. A link that records the preference but does not block pixel and analytics data transmission does not satisfy CCPA.

Does the CPRA require consent for analytics?

The CPRA does not generally require opt-in consent for analytics (unlike GDPR in European jurisdictions). However, if analytics data is shared with third parties for cross-context behavioral advertising purposes, the opt-out of sharing obligation applies. The distinction between analytics and advertising data flows matters.

Is GPC support legally required?

Yes. Under the CPRA and the regulations adopted by the California Privacy Protection Agency, a business must treat a valid GPC signal as the consumer's opt-out of sale and sharing of personal information. In practice that means detecting the signal on both paths the GPC specification defines, the Sec-GPC: 1 request header (seen server-side) and the navigator.globalPrivacyControl property (seen by page scripts), and applying the same blocking that the "Do Not Sell or Share" link triggers, even when the visitor previously accepted the banner.
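The mechanics behind the two obligations above ("Global Privacy Control not recognized" and this answer), as an added example that is not Lokker's code or part of the original page. The only real signals it relies on are the Sec-GPC request header and navigator.globalPrivacyControl, which the GPC specification defines; the cookie name dns_optout, the tag inventory with its sale/sharing classification, the vendor URLs, and the first-party origin site.example are all assumptions made up for the example. It resolves the opt-out state from either signal, loads only the tags that state permits, and audits a list of requests captured from an opt-out session to flag sharing-category vendors that still fired.

```javascript
'use strict';

// Hypothetical tag inventory with a per-vendor "sharing" vs "analytics"
// classification. The classification is constructed for this example and is
// not a legal determination about any real vendor.
const TAG_INVENTORY = [
  { name: 'meta-pixel',   category: 'sharing',   src: 'https://ads.example/pixel.js' },
  { name: 'google-ads',   category: 'sharing',   src: 'https://ads.example/gtag.js' },
  { name: 'b2b-enrich',   category: 'sharing',   src: 'https://enrich.example/visitor.js' },
  { name: 'site-metrics', category: 'analytics', src: '/static/metrics.js' },
];

// Hypothetical first-party origin, used only to resolve relative script URLs.
const SITE_ORIGIN = 'https://site.example/';

// Case-insensitive header lookup: Node lowercases incoming header names,
// but proxies, HAR exports and test fixtures do not always.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// Minimal Cookie header parser (constructed; handles key=value pairs only).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// GPC is signaled server-side as "Sec-GPC: 1" and client-side as
// navigator.globalPrivacyControl === true. Any other value is not a signal.
function gpcSignaled({ headers, navigatorLike } = {}) {
  if (getHeader(headers, 'Sec-GPC') === '1') return true;
  return navigatorLike?.globalPrivacyControl === true;
}

// Resolve the visitor's opt-out state. GPC is honored even when a stored
// banner choice says "accept", because the signal is itself a valid opt-out.
function resolveOptOut({ headers, navigatorLike } = {}) {
  const cookies = parseCookies(getHeader(headers, 'Cookie'));
  const linkOptOut = cookies.dns_optout === '1'; // hypothetical cookie set by the link
  const gpc = gpcSignaled({ headers, navigatorLike });
  return { gpc, linkOptOut, optedOut: gpc || linkOptOut };
}

// Tags that may load for this state: "sharing" tags are suppressed on
// opt-out; analytics with no cross-context sharing is not gated.
function allowedTags(state, inventory = TAG_INVENTORY) {
  return inventory.filter(t => !(state.optedOut && t.category === 'sharing'));
}

// Browser-side loader: injects only the allowed script elements, so an
// opted-out session never issues the request in the first place.
function injectTags(doc, tags) {
  for (const t of tags) {
    const s = doc.createElement('script');
    s.async = true;
    s.src = t.src;
    s.dataset.tag = t.name;
    doc.head.appendChild(s);
  }
  return tags.length;
}

// Audit helper: given the URLs actually requested during an opt-out session
// (from a proxy log or HAR), return the sharing-category tags that still
// fired. An empty result is the evidence that the opt-out is honored.
function auditRequests(state, requestedUrls, inventory = TAG_INVENTORY) {
  const key = u => { const p = new URL(u, SITE_ORIGIN); return p.origin + p.pathname; };
  const byKey = new Map(inventory.map(t => [key(t.src), t]));
  const fired = new Set();
  for (const u of requestedUrls) {
    const tag = byKey.get(key(u));
    if (tag && state.optedOut && tag.category === 'sharing') fired.add(tag.name);
  }
  return [...fired];
}

// In a page: run at load, before any tag manager bootstraps.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const state = resolveOptOut({ headers: { Cookie: document.cookie }, navigatorLike: navigator });
  injectTags(document, allowedTags(state));
}
```

The loader and the audit share one inventory on purpose: the same classification that decides what to block is what the audit checks against, so a vendor added to the site without being added to the inventory shows up as an unclassified request in the log rather than silently passing.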

Defense Counsel Network

Received a CCPA/CPRA demand letter or are under investigation?

Lokker works alongside defense counsel who handle CCPA/CPRA-related website privacy cases. We provide the technical evidence documentation your attorneys need and can make the right introduction to law firms that specialize in this area. Contact us now.