CCPA Cookie Consent Requirements: What Developers Need to Know

Key Takeaways

  • CCPA requires a Do Not Sell or Share My Personal Information link, not a cookie banner
  • The CPRA amendment expanded CCPA to cover sharing data for cross-context behavioral advertising
  • Global Privacy Control (GPC) browser signals must be honored as valid opt-out requests
  • Businesses must respond to opt-out requests within 15 business days
  • Fines reach $2,500 per unintentional violation and $7,500 per intentional violation

CCPA vs. CPRA: What Changed

The CPRA amended and strengthened the CCPA, with enforcement beginning July 1, 2023. Treat them as a single law. Three changes matter most for cookie consent:

New enforcement body: the CPPA (California Privacy Protection Agency), the first US agency dedicated exclusively to privacy enforcement. Its first non-data-broker action (Honda) specifically named the CMP vendor as the cause. Regulators now audit the consent tools themselves, not just their presence.

"Sharing" added to "selling." The CPRA expanded coverage to include making personal information available to third parties for cross-context behavioral advertising. Sending data to Meta via the Meta Pixel is "sharing" regardless of whether money changes hands. The same applies to Google Analytics data used for advertising, TikTok Pixel, LinkedIn Insight Tags, and any tracking that enables cross-context behavioral advertising.

Data minimization. CPRA added requirements that data collection be "reasonably necessary and proportionate." If a regulator asks why you load 15 advertising pixels, "our marketing team wanted them" is not a sufficient answer.

The Opt-Out Model: How CCPA Differs from GDPR

This is the fundamental difference. GDPR blocks everything until the user opts in. CCPA allows data collection by default and requires an opt-out mechanism.

Under CCPA/CPRA, you must: (1) disclose what personal information you collect, (2) provide an opt-out mechanism for the sale or sharing of personal information, (3) honor opt-out requests by actually stopping, and (4) recognize Global Privacy Control (GPC) signals as valid opt-out requests.

If you apply one consent model to all visitors, you are either over-compliant for California (losing data unnecessarily) or violating GDPR for EU visitors. The correct approach: geo-detect and apply the appropriate model automatically.

CCPA vs. GDPR Comparison

Requirement                        | GDPR (EU)                                        | CCPA/CPRA (California)
-----------------------------------|--------------------------------------------------|-------------------------------------------------------
Default state                      | Opt-in: everything blocked                       | Opt-out: everything allowed
Banner requirement                 | Consent banner before any non-essential cookies  | "Do Not Sell or Share" link required
Script blocking before interaction | Required                                         | Not required
Global privacy signal              | Not specifically required                        | GPC must be honored (legally mandated)
Cookie categories                  | Granular per-category consent required           | Opt-out must cover sale/sharing
Enforcement body                   | National DPAs (CNIL, ICO, etc.)                  | CPPA and California AG
Maximum fines                      | Up to 4% of global revenue or $22M               | $2,500/unintentional, $7,500/intentional (per consumer)
Private right of action            | Limited                                          | Yes, for data breaches with unencrypted data

"Do Not Sell or Share": The Core Requirement

Every business subject to CCPA/CPRA must provide a clear and conspicuous link on its homepage titled "Do Not Sell or Share My Personal Information." The CPRA also allows a single "Your Privacy Choices" link with the opt-out preference signal icon.

In practice, these implementations constitute selling or sharing: Meta Pixel, Google Analytics with advertising features, TikTok Pixel, LinkedIn Insight Tag, retargeting platforms, and any third-party tracking enabling cross-context behavioral advertising.

When a consumer opts out, you must: stop all sale/sharing scripts, persist the choice across sessions, not require account creation, and not use dark patterns to dissuade the opt-out. Sephora's $1.2 million fine was directly tied to this missing link.

Global Privacy Control: The Technical Opt-Out

GPC is a browser-level signal (the Sec-GPC: 1 request header, and navigator.globalPrivacyControl === true in page script) with legal backing in California. Browsers and extensions supporting GPC include Firefox, Brave, DuckDuckGo, and Privacy Badger.

Under CPRA regulations, businesses must treat GPC as a valid opt-out. No additional confirmation steps. No pop-up asking the user to verify. Sephora was cited specifically for failing to honor GPC.

```javascript
// Check the browser's Global Privacy Control signal during CMP initialization
if (navigator.globalPrivacyControl === true) {
  // Treat the signal as a valid opt-out: block all sale/sharing scripts immediately
  // Do not prompt for confirmation
}
```

GPC applies before any banner interaction. If a visitor has GPC enabled, suppress sale/sharing scripts immediately, without waiting for UI interaction. A properly configured CMP detects GPC during initialization and applies the opt-out before any third-party scripts load. Learn how ConsentStack handles GPC
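The decision order the section describes (GPC signal first, then a persisted "Do Not Sell or Share" choice, then the CCPA default of allow), as an added example that is not ConsentStack's code. The storage key name, the in-memory storage stand-in and the script descriptor shape are assumptions; the same logic also gates inert scripts so a stored opt-out cannot leave sale/sharing tags firing in the current session.

```javascript
// Added example (not ConsentStack code): a minimal CCPA/CPRA opt-out gate.
// Decision order: GPC signal -> persisted opt-out -> default allow (opt-out model).

const OPT_OUT_KEY = 'ccpa_opt_out'; // hypothetical storage key (assumption)

// True if GPC is asserted via navigator or the Sec-GPC request header (value "1").
function gpcSignalled({ navigator, headers } = {}) {
  if (navigator && navigator.globalPrivacyControl === true) return true;
  if (headers) {
    const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'sec-gpc');
    if (entry && String(entry[1]).trim() === '1') return true;
  }
  return false;
}

// Returns { allowSaleOrSharing, reason }. GPC needs no confirmation step.
function decideSaleOrSharing({ navigator, headers, storage } = {}) {
  if (gpcSignalled({ navigator, headers })) {
    return { allowSaleOrSharing: false, reason: 'gpc' };
  }
  if (storage && storage.getItem(OPT_OUT_KEY) !== null) {
    return { allowSaleOrSharing: false, reason: 'stored-opt-out' };
  }
  // CCPA default: collection allowed until the consumer opts out
  return { allowSaleOrSharing: true, reason: 'default-allow' };
}

// Persist the "Do Not Sell or Share" choice across sessions (no account required)
// and return the decision that now applies.
function recordOptOut(storage, now = Date.now()) {
  storage.setItem(OPT_OUT_KEY, JSON.stringify({ optedOut: true, at: now }));
  return decideSaleOrSharing({ storage });
}

// Given inert script descriptors (e.g. <script type="text/plain" data-purpose="...">),
// return only the ones that may be activated under the decision.
function activatableScripts(scripts, decision) {
  return scripts.filter(s => s.purpose !== 'sale-or-sharing' || decision.allowSaleOrSharing);
}

// Constructed sample: in-memory stand-in for localStorage, for offline use
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```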

Enforcement: What California Regulators Actually Pursue

Sephora ($1.2 million, 2022). The AG's first public CCPA action. Failed to disclose data selling, had no "Do Not Sell or Share" (DNSS) link, and failed to honor GPC. This case established that sharing data through tracking pixels constitutes a "sale" and that GPC is a legally valid opt-out.

Honda ($632,000, 2025). The CPPA's first non-data-broker action. OneTrust was named specifically as the misconfigured CMP. Configuration, not just presence, was the issue.

GPC enforcement is a priority for both the AG and CPPA. CMP audits are happening (Honda proved regulators test whether opt-outs actually work). Sweep investigations precede formal actions. Missing DNSS links remain the most common violation. Per-consumer penalties ($2,500-$7,500) create massive exposure at scale.

19 US State Privacy Laws: The Expanding Landscape

As of 2026, 19 US states have comprehensive privacy laws. Key states beyond California:

State       | Law   | Effective | Notable Requirement
------------|-------|-----------|---------------------------------------
Colorado    | CPA   | Jul 2023  | GPC mandated
Connecticut | CTDPA | Jul 2023  | Health data as sensitive (opt-in)
Texas       | TDPSA | Jul 2024  | No revenue threshold
Oregon      | OCPA  | Jul 2024  | Covers nonprofits
Montana     | MCDPA | Oct 2024  | Low threshold (50,000 consumers)
Delaware    | DPDPA | Jan 2025  | Low threshold (35,000 consumers)
Minnesota   | MCDPA | Jul 2025  | Right to question automated decisions

Plus Virginia, Utah, Iowa, Indiana, Tennessee, Kentucky, Nebraska, New Hampshire, New Jersey, Rhode Island, and Maryland.

Universal opt-out (GPC) is now required in over a dozen states, not just California. Building consent logic for 19 laws is a substantial engineering burden. A CMP with built-in US state coverage handles this automatically. US state privacy laws: the full breakdown

Common Mistakes That Get You Fined

1. No "Do Not Sell or Share" link. Sephora paid $1.2 million. Add it. Make it visible. Test that it works.

2. Ignoring GPC signals. Both the AG and CPPA require it. Check navigator.globalPrivacyControl and act on it.

3. Misconfigured CMP. Honda's $632,000 fine. Having a CMP is not compliance. Having a correctly configured one is. Test your opt-out flow.

4. Not treating advertising pixels as "sharing." Meta Pixel, Google Ads, TikTok: all constitute "sharing" under CPRA.

5. Applying GDPR consent to California visitors. Not illegal, but a business mistake. You lose analytics and advertising data unnecessarily.

6. Not testing end to end. The most common failure: opt-out is stored, but advertising scripts continue firing in the current session. Check your Network tab after opting out. How script blocking works under the hood

Conclusion

CCPA cookie consent is a fundamentally different model from GDPR, requiring different implementation. The opt-out framework, DNSS link, GPC recognition, and 19-state patchwork all demand a consent implementation that adapts to the visitor's jurisdiction.

Sephora paid $1.2 million. Honda paid $632,000. The CPPA names CMPs by name. GPC is becoming the national standard with legal backing in over a dozen states.

ConsentStack handles all of it. Automatic geo-detection across 19 US states and 32 regulations. GPC detection built in. Parse-time script blocking that honors opt-outs. Dual consent models applied automatically. 6 platform adapters. <10KB SDK. $29/month Pro pricing.

Try it free. One script tag. Minutes to compliant. Get started free