What Are the CCPA/CPRA Cookie Consent Requirements?

Everything you need to know about CCPA/CPRA cookie consent compliance in 2026. Complete guide covering opt-out requirements, cookie banner elements, consent records, and technical implementation for United States - California.

Opt-out GPC Required Translation Required Children's Privacy Rules

Summary

This guide provides comprehensive technical implementation requirements for California (CPRA/CCPA Regs). Covers 'sharing' for cross-context behavioral advertising.

This jurisdiction follows an opt-out consent model, meaning websites can place certain cookies initially but must provide clear mechanisms for users to opt-out of non-essential tracking. Users must be informed about cookies and given easy options to refuse them.

Additional requirements for this jurisdiction include: recognition and automatic honoring of Global Privacy Control (GPC) signals sent by users' browsers, providing consent banners and privacy information in all required languages, and special protections and consent mechanisms for children's personal data.

Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.

Key Requirements Overview

Consent Model

Opt-out

Default State

Mixed

Cookie Walls

Discouraged

Technical Requirements

Prior consent for non-essential cookies

Purpose granularity required

Equal prominence for accept/reject buttons

No pre-checked boxes allowed

Dark patterns prohibited

Proof of consent required

Local storage covered by regulation

Implementation Guidance

California requires businesses that 'sell' or 'share' personal information (which includes most advertising and many analytics cookies used for cross-context behavioral advertising) to automatically honor opt-out preference signals such as Global Privacy Control (GPC). This is mandatory under Cal. Code Regs. tit. 11 § 7025 — not optional. Provide a 'Do Not Sell or Share My Personal Information' link and, where sensitive personal information is used beyond the purposes permitted by § 7027, a 'Limit the Use of My Sensitive Personal Information' link; these may be combined into a single 'Your Privacy Choices' link with the opt-out icon. A notice at collection must be presented at or before the point of collection. Opt-out methods must be symmetrical and free of dark patterns — opting out must be at least as easy as opting in. The CPPA and California Attorney General actively enforce: the Sephora settlement ($1.2M, 2022) penalized failure to honor GPC and to disclose sales, and 2025 CPPA enforcement actions targeted non-compliant opt-out flows and excessive data collection in opt-out webforms.

Special Protections

Children's Privacy

California Age-Appropriate Design Code Act (2024) requires businesses with online services likely accessed by children to: configure privacy settings to highest level by default for child users, provide prominent privacy information, and not use personal information for purposes that present heightened risk without safeguards. Includes restrictions on profiling and behavioral advertising to minors.

Sensitive Data

Right to limit use/disclosure of sensitive PI.

Record Keeping Requirements

Required Consent Record Fields

For each consent action, you must maintain records containing:

Timestamp ISO
Opt Out Status
Policy Version
Jurisdiction Detected
Gpc Signal Status

Re-consent Trigger: Not Required Generally

CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits. Learn more about our consent management

Legal References & Resources

Official legal documents and regulatory guidance for this jurisdiction:

Cal. Code Regs. tit. 11 § 7025

https://cppa.ca.gov/regulations/

California CPPA Regulations

https://cppa.ca.gov/regulations/

Frequently Asked Questions About CCPA/CPRA Cookie Consent

California (CPRA/CCPA Regs) is a privacy regulation applicable in United States - California. Covers 'sharing' for cross-context behavioral advertising. It requires websites to provide clear mechanisms for users to refuse non-essential cookies (opt-out model).

Yes. Under CCPA/CPRA, websites must display a cookie consent banner that includes: notice of collection link, link do not sell share, link limit use sensitive pi if applicable, manage preferences button. The banner must be shown to inform users about cookie usage and provide opt-out options.

CCPA/CPRA follows an opt-out consent model. This means websites may place certain cookies but must provide clear and easy ways for users to opt out of non-essential tracking.

Yes. CCPA/CPRA requires websites to recognize and automatically honor Global Privacy Control (GPC) signals sent by users' browsers as a valid opt-out request.

CCPA/CPRA requires maintaining consent records that include: timestamp iso, opt out status, policy version, jurisdiction detected, gpc signal status.

Legal Disclaimer: For engineering implementation guidance only. Not legal advice. This guide provides technical implementation guidance only and should not be considered legal advice. Privacy laws are complex and frequently updated. We recommend consulting with qualified legal counsel to ensure full compliance with applicable regulations.

Found an issue or have feedback on this page?