
CCPA and CPRA cookie compliance: what your website needs in 2026

Many businesses assume that updating a privacy policy once a year is enough to stay on top of CCPA cookie requirements. In practice, that is rarely the case: cookie management has become significantly more complex since the CCPA first took effect in 2020.

The California Privacy Protection Agency is now actively issuing enforcement actions, more than 20 US states operate their own privacy frameworks, and browser-based opt-out signals like Global Privacy Control are becoming part of the compliance picture. The stakes are real: fines reach $7,500 per intentional violation, with each affected consumer counted separately.

In this guide, we look at what exactly the CCPA and CPRA require for cookies on your business's or organization's website, what your cookie policy must include, how to handle opt-out signals, and the practical steps to build a consent approach that holds up in 2026.

For a broader overview of all CCPA requirements, see our CCPA compliance guide for businesses.

What are the CCPA and CPRA?

The California Consumer Privacy Act (CCPA) is the most comprehensive state-level data privacy law in the United States. In effect since January 1, 2020, it gives California residents the right to know what personal data is collected about them, the right to delete their data, and the right to opt out of the sale or sharing of their personal data.

In 2022, California voters passed the California Privacy Rights Act (CPRA), which amended and strengthened the CCPA. The CPRA, effective from January 1, 2023, introduced new consumer rights, created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and expanded data minimisation requirements. The CPRA did not replace the CCPA. It updated it. Together, the two form a single legal framework that most practitioners refer to simply as the CCPA.

If your business collects data from California residents and meets the applicable revenue or data-volume thresholds, both laws apply to you regardless of where your company is headquartered.

CCPA cookie consent: not the same as GDPR, but still requires strong controls

The CCPA operates differently from the GDPR. Whereas the GDPR is an opt-in regime (no non-essential cookies can be placed until a user actively consents), the CCPA is an opt-out regime. Under the CCPA, cookies can load by default, provided you give users a clear and accessible way to opt out of the sale or sharing of their personal information.

That distinction matters. It means a full opt-in consent banner is not technically required for California residents. But it does not mean businesses can skip consent management.

Here is what the CCPA does require:

  • A "Do Not Sell or Share My Personal Information" link, clearly accessible from every page, typically in the footer

  • A working opt-out mechanism that actually stops the sale or sharing of personal data when triggered

  • A privacy policy that discloses what cookie data is collected, for what purpose, and how users can exercise their rights

  • Recognition of browser-based opt-out signals, such as Global Privacy Control (covered in detail below)

The practical implication is this: users need to be able to manage their privacy preferences easily, from anywhere on your website, without having to hunt for a settings link. That requires more than a static footer link. It requires a preference management system that works reliably and updates in real time when a user exercises their rights.

If your website also serves visitors from the EU, you need an opt-in banner for those users running alongside the opt-out mechanism for California residents. Managing both correctly, without showing the wrong experience to the wrong visitor, is exactly where a consent management platform (CMP) becomes essential.

What cookies and tracking technologies are covered under the CCPA?

The CCPA covers any technology that collects personal information from website visitors. This includes:

  • First-party cookies: set by your own domain, these cookies track user behaviour and preferences directly and fall under the CCPA when they collect personal information.

  • Third-party cookies: set by external services such as Google Analytics or advertising platforms, these cookies are in scope when they collect identifiable data about your visitors.

  • Pixels and tracking scripts: Facebook Pixel, Google Tag Manager, and similar tools that execute when a page loads are covered if they collect identifiable data.

  • Device fingerprinting: technologies that identify a user by combining browser settings, screen resolution, and other signals are also in scope.

The key question here is whether the technology collects information that is reasonably linkable to a specific person or household. IP addresses, cookie identifiers, browsing history, and purchase history all qualify. For a detailed look at how different tracking technologies are classified under California law, see our guide on CCPA and online tracking.

Strictly necessary cookies that keep your website functioning can generally be used without requiring consent. Analytics, advertising, and personalisation cookies require disclosure and an accessible opt-out option.

What must your CCPA cookie policy include?

Your cookie policy (often part of your broader CCPA privacy policy) needs to cover the following to support CCPA requirements:

  1. Confirmation that your website uses cookies and similar tracking technologies

  2. A description of each cookie category (strictly necessary, functional, analytics, advertising, etc.)

  3. The names of third-party vendors behind your cookies

  4. The purpose of each cookie category and what data it collects

  5. Retention periods: how long each cookie stays on a user's device

  6. How users can opt out of non-essential cookies or the sale of their data

  7. A "Do Not Sell or Share My Personal Information" link or equivalent mechanism

One area that catches businesses off guard: you need to disclose cookies you may not even know are on your website. A single marketing plugin or third-party analytics tag can introduce dozens of cookies.

Running a cookie audit before writing your policy is not optional. It is the only reliable way to know what you actually need to disclose.

CCPA vs. GDPR: key cookie consent differences

Both regulations address how websites handle user data, but they work on different principles. Here is a direct comparison:

Consent model
  • CCPA/CPRA (California): Opt-out
  • GDPR (European Union): Opt-in

Default cookie loading
  • CCPA/CPRA (California): Allowed with disclosure and opt-out access
  • GDPR (European Union): Not allowed without explicit prior consent

Opt-out mechanism
  • CCPA/CPRA (California): "Do Not Sell or Share" link; browser GPC signals
  • GDPR (European Union): Withdrawal option in cookie preference centre

Applies to
  • CCPA/CPRA (California): California residents
  • GDPR (European Union): EU and EEA residents

Enforcement body
  • CCPA/CPRA (California): CPPA + California Attorney General
  • GDPR (European Union): National Data Protection Authorities

Maximum fine
  • CCPA/CPRA (California): $7,500 per intentional violation
  • GDPR (European Union): Up to EUR 20M or 4% of global revenue

The practical implication: if your website serves both US and EU visitors, you need a solution that can apply the right consent experience based on where each visitor is located. A single global opt-in banner handles GDPR but creates unnecessary friction for California residents. A footer opt-out link alone does not meet GDPR at all. Both requirements need to run in parallel, applied to the right audience.

Global Privacy Control: what it is and why it matters for CCPA

Global Privacy Control (GPC) is a browser-based signal that automatically communicates users' opt-out preferences to every website they visit. When a user enables GPC in their browser or a privacy extension, it sends a signal to each website indicating that they do not want their personal information sold or shared.

Under the CCPA and CPRA, businesses are required to recognise and honour GPC signals as a valid opt-out request. This means that if a user has GPC enabled, your website must treat that as equivalent to the user manually clicking your "Do Not Sell or Share My Personal Information" link. The CPPA has confirmed it will enforce this requirement, and ignoring GPC signals is treated as a failure to honour opt-out requests.

Understanding what GPC means for your marketing and analytics stack is important because honouring the signal may affect how data flows to advertising platforms and analytics tools. For more on the practical implications, see what a GPC signal means for marketing and analytics.

In practice, your consent management setup needs to:

  • Detect incoming GPC signals automatically

  • Stop passing that user's data to third parties that would constitute a sale or share

  • Take effect without requiring any additional action from the user

Clym's Global Privacy Control support is designed to help businesses detect and process GPC signals automatically, reducing the manual work involved in honouring browser-level opt-outs at scale.

Steps to support CCPA cookie compliance in 2026

Here is a practical checklist for getting your website's cookie practices in order.

1. Run a cookie audit

Use an automated scanner to identify every cookie and tracking script on your website. Many businesses are surprised by what they find. A single advertising plugin can introduce 30 or more third-party cookies. You cannot disclose what you have not found.

2. Classify your cookies

Sort every cookie you find into categories: strictly necessary, functional, analytics, and advertising. Strictly necessary cookies can generally run without additional controls. Everything else needs to be documented and made opt-out accessible.

3. Update your privacy policy and cookie policy

Your policy needs to reflect what your audit found: every vendor, every purpose, every retention period. The CCPA requires businesses to update their privacy policy at least once a year. Most businesses are behind on this.

4. Add a "Do Not Sell or Share My Personal Information" link

This link must be clearly visible on every page of your website, typically in the footer. When a California resident clicks it, your system needs to stop selling or sharing their data from that point forward. A link that goes nowhere, or that lacks a working backend mechanism, is not sufficient. For a full breakdown of what this requirement covers, see our guide on Do Not Sell or Share requirements under the CCPA.

5. Recognise and honour GPC signals

As described above, the CPRA requires businesses to treat incoming Global Privacy Control signals as valid opt-out requests. Make sure your consent management setup can detect GPC and act on it automatically, without requiring any further action from the user.

6. Build a consent preference centre

Give visitors the ability to manage which non-essential cookie categories they accept, and to update their preferences at any point during their visit. Users should be able to access their preference controls easily from anywhere on your site, not just on first arrival.

7. Configure geo-targeted compliance rules

Apply the correct consent experience based on the visitor's location. EU visitors need opt-in consent under the GDPR. California residents need opt-out access under the CCPA. Other US states have their own requirements that continue to evolve.

Clym's ReadyCompliance® feature is designed to help businesses deliver region-specific compliance experiences based on visitor location, covering more than 40 data privacy regulations out of the box. Combined with geo-targeting, it can help apply the right consent experience for each visitor automatically, reducing the manual work of maintaining separate implementations for each jurisdiction.

8. Set a review cadence

CCPA requires an annual privacy policy update at a minimum. Realistically, your cookie inventory changes every time a new marketing tool, analytics script, or advertising tag is added. Schedule a quarterly review to catch changes before they create gaps.
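The following is an added illustration, not Clym's code or any real CMP, of how the GPC handling described above and steps 4 to 7 of this checklist fit together in a single consent decision: an opt-out default for California, an opt-in default for the EU/EEA, a working "Do Not Sell or Share" action, and a GPC signal honoured with no further click. The region codes, the preference object shape, the category list and the tag inventory are assumptions made for the example; the two GPC carriers it reads (`navigator.globalPrivacyControl` in the browser and the `Sec-GPC: 1` request header on the server) are the ones the GPC specification defines.

```javascript
// Added example (not Clym's code or a real CMP): resolves which cookie categories may load
// for one visitor under an opt-out regime (California) versus an opt-in regime (EU/EEA),
// and treats a Global Privacy Control signal as an opt-out of sale/sharing.
// Region codes, the preference object shape and the category list are assumptions.

const OPT_IN_REGIONS = new Set(["EU", "EEA"]);   // GDPR: nothing non-essential before consent
const OPT_OUT_REGIONS = new Set(["US-CA"]);      // CCPA/CPRA: load by default, honour opt-out
const NON_ESSENTIAL = ["functional", "analytics", "advertising"];
const SALE_OR_SHARE = new Set(["advertising"]);  // categories treated as a sale/share (assumption)

// GPC arrives two ways: in the browser as navigator.globalPrivacyControl === true,
// and on the server as the request header "Sec-GPC: 1" (both defined by the GPC spec).
function gpcEnabled({ navigatorObj = null, headers = {} } = {}) {
  if (navigatorObj && navigatorObj.globalPrivacyControl === true) return true;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// prefs: choices saved by the preference centre, e.g. { analytics: false }, or null if none yet.
// Returns { category: boolean } telling the tag loader what may fire.
function resolveConsent({ region, prefs, gpc }) {
  const allowed = { strictly_necessary: true };   // always permitted, no consent needed
  // Regions not listed as opt-out fall back to the stricter opt-in behaviour (assumption).
  const optOutRegime = OPT_OUT_REGIONS.has(region);
  for (const c of NON_ESSENTIAL) {
    allowed[c] = optOutRegime
      ? (prefs ? prefs[c] !== false : true)   // opt-out: on unless the user switched it off
      : (prefs ? prefs[c] === true : false);  // opt-in: off until the user switched it on
    // GPC is honoured without any further click, regardless of stored preferences.
    if (gpc && SALE_OR_SHARE.has(c)) allowed[c] = false;
  }
  return allowed;
}

// What the "Do Not Sell or Share My Personal Information" link must do on click:
// persist an opt-out for every sale/share category, leaving other choices untouched.
function applyDoNotSellOrShare(prefs) {
  const next = { ...(prefs || {}) };
  for (const c of SALE_OR_SHARE) next[c] = false;
  return next;
}

// Constructed tag inventory (what a cookie audit would produce), script name -> category.
const TAG_INVENTORY = {
  "session-cookie": "strictly_necessary",
  "analytics-tag": "analytics",
  "ad-pixel": "advertising",
};

// Names of the tags a loader may execute for this visitor.
function tagsToLoad(allowed, inventory = TAG_INVENTORY) {
  return Object.entries(inventory)
    .filter(([, category]) => allowed[category] === true)
    .map(([tag]) => tag);
}
```

A visitor resolved as `US-CA` with no saved choices gets every category, the same visitor with GPC enabled loses `advertising` immediately, and an `EU` visitor gets nothing non-essential until the preference centre records a choice.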

Consumer rights and your response timeline under the CCPA

Beyond cookie management, the CCPA gives California residents a specific set of consumer rights regarding their personal information. These include the right to know what data is collected, the right to have it deleted, the right to correct inaccurate information, and the right to opt out of the sale or sharing of their data.

When a consumer submits a request to exercise one of these rights, your business generally has 45 days to respond. In some circumstances, you can request a 45-day extension, but you must notify the consumer within the initial window that more time is needed. Missing that deadline or responding incompletely creates direct enforcement exposure.

Managing these requests manually becomes difficult as your audience grows. A missed request or a delayed acknowledgment can each contribute to a compliance gap. Clym's Data Subject Request solution is designed to help businesses manage, track, and respond to consumer requests within the required timeframe, with a centralized workflow for intake, verification, and documentation. For a full overview of how to structure these processes, see our guide on CCPA data subject request workflows.

What has changed since 2024: CCPA enforcement updates

The regulatory environment has shifted significantly since 2024, and several changes are now in effect.

CPPA enforcement is active. The California Privacy Protection Agency issued its first enforcement actions in 2024, targeting companies for failing to honour opt-out requests and inadequate privacy notices. Enforcement is no longer theoretical.

Penalty amounts have increased. Effective January 1, 2025, CCPA administrative fines are now $2,663 per unintentional violation and $7,988 per intentional violation, up from $2,500 and $7,500. The revenue threshold that determines whether a business falls under the CCPA also rose from $25,000,000 to $26,625,000 in annual gross revenue. For a full breakdown of how these fines are applied, see our guide on CCPA penalties and fines.

New CPPA regulations took effect on January 1, 2026. A major regulatory package finalised in September 2025 introduced four new obligations: annual cybersecurity audits for businesses meeting certain thresholds, risk assessments before undertaking high-risk data processing, Automated Decision-Making Technology (ADMT) rules requiring pre-use notices and opt-out rights, and general updates to the core CCPA regulations.

More than 20 US states now have comprehensive privacy laws or frameworks. A CCPA-only approach may not be sufficient for businesses operating across multiple states, as requirements vary by jurisdiction.

The DELETE Act's DROP platform is now live. The Delete Request and Opt-out Platform allows consumers to submit deletion requests to all registered data brokers at once, reflecting California's continued push toward stronger data rights.

Third-party cookie changes. Google's removal of third-party cookies from Chrome continues to affect how advertising and analytics tools collect data. For practical guidance, see our guide on configuring Google Analytics for CCPA in 2026.

The bottom line: CCPA cookie compliance is not a one-time project. The rules and the enforcement landscape are both evolving.

Conclusion

CCPA and CPRA cookie compliance in 2026 does not have to be overwhelming, but it does require deliberate action. The most common mistake businesses make is treating cookie management as a one-off task: add a footer link, update the privacy policy, move on. The reality is more dynamic than that.

What the CCPA requires is transparency, accessible opt-out controls, real-time preference management, recognition of GPC signals, and a clear process for responding to consumer rights requests. The CPRA strengthened those requirements and created an enforcement body with real authority to act on them. With more than 20 US states now operating their own privacy frameworks, a patchwork approach that only addresses California is increasingly difficult to sustain.

Start with a cookie audit. Build your policy around what you find. Make opt-out access easy from every page. Honour browser-based signals automatically. Handle data subject requests within the required timeframe. A well-configured consent management platform can help manage much of this without manual effort on your end.

Frequently asked questions

The CCPA does not require an opt-in cookie consent banner in the way the GDPR does. It is an opt-out regime, meaning cookies can load by default, but you must give users a clear and accessible way to opt out of the sale or sharing of their personal information. You also need to recognise browser-based opt-out signals like Global Privacy Control. While a full consent banner is not technically required, a robust preference management setup still is.

The CCPA introduced the foundational requirements: disclose what cookies you use, explain what data they collect, and provide an opt-out mechanism. The CPRA, effective January 1, 2023, strengthened enforcement, added obligations around sensitive personal information and data minimisation, and created the California Privacy Protection Agency as a dedicated enforcement body. Both operate together as a single legal framework.

Global Privacy Control (GPC) is a browser-based signal that communicates a user's opt-out preferences automatically to every website they visit. Under the CPRA, businesses are required to recognise and honour GPC signals as valid opt-out requests. If a user has GPC enabled, your website must treat that as equivalent to them manually clicking your "Do Not Sell or Share My Personal Information" link.

Under the CCPA and CPRA, businesses generally have 45 days to respond to a consumer rights request, such as a request to know, delete, or correct personal information. If more time is needed, businesses can request a 45-day extension, but must notify the consumer within the initial 45-day window. Missing the deadline without notification creates direct enforcement exposure.

The California Attorney General and the California Privacy Protection Agency can both issue enforcement actions. Fines are up to $2,500 per unintentional violation and $7,500 per intentional violation, with each affected individual counted as a separate violation. A company with 50,000 California customers that fails to provide a working opt-out mechanism could face fines starting at $125 million.

Yes. The CCPA and CPRA are both fully in effect. The California Privacy Protection Agency has been actively enforcing since 2023 and issued its first formal enforcement actions in 2024. Businesses that collect data from California residents and meet the applicable thresholds are required to comply.

Clym is designed to help businesses manage cookie consent, opt-out mechanisms, GPC signals, consumer rights requests, and privacy policy requirements across CCPA, GDPR, and more than 40 other regulations.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
