The California Consumer Privacy Act — now amended and strengthened by the California Privacy Rights Act (CPRA) — is the strictest consumer data-privacy law in the United States. If your business has any California customers, you almost certainly need to understand it. And if you use advertising pixels, analytics tools, or session-replay software on your website, there is a good chance you are already sharing personal data under the law's definition — even if you have never knowingly "sold" data to anyone.

This guide is for small and medium-sized business owners, not lawyers. We walk through every requirement in plain language, explain what actually matters in practice, and give you a concrete checklist you can act on today.

Step 1 — Does CCPA Actually Apply to You?

CCPA only applies to for-profit businesses. Non-profits, government agencies, and B2B-only companies with no California consumer data are generally outside its scope. But "doing business in California" is intentionally broad — it does not require a physical presence. If you have a website that California residents can access and buy from, you likely qualify as doing business there.

To trigger CCPA compliance obligations, your business must meet at least one of the following three thresholds:

  • $25M+ gross annual revenue (worldwide, not just California)
  • 100K+ consumers or households whose data you buy, sell, or share per year (CPRA raised this from 50K)
  • 50%+ of annual revenue from selling or sharing consumers' personal information (including advertising revenue)

⚠️ The 100,000 record threshold is easier to hit than you think. If you run Google Analytics or Meta Pixel on a website with moderate traffic, you may already be sharing identifying information (IP addresses, device IDs, browsing behaviour) on more than 100,000 California visitors per year. Analytics platforms count every unique user, not just paying customers.

If you do not meet any threshold, CCPA does not legally require action. However, California regulations evolve quickly, and building privacy-first practices now costs far less than retrofitting them after a complaint or breach.

Step 2 — Understand the 8 Consumer Rights You Must Honour

CCPA (as amended by CPRA) grants California consumers eight distinct rights. Your business must have a process to handle each one. Here is what each right actually means in practice:

| Right | What the consumer can ask | Your response window |
| --- | --- | --- |
| Right to Know | What categories and specific pieces of personal information you collect, use, disclose, and sell | 45 days (extendable to 90) |
| Right to Delete | Erasure of their personal information you hold (with exceptions for legal obligations, fraud prevention, etc.) | 45 days (extendable to 90) |
| Right to Correct | Correction of inaccurate personal information (added by CPRA) | 45 days (extendable to 90) |
| Right to Opt-Out | Stop the sale or sharing of their personal information — must be done promptly | 15 business days |
| Right to Opt-In (Minors) | Under-16s must affirmatively opt in before you sell their data; under-13s require parental consent | Ongoing obligation |
| Right to Limit Sensitive Data Use | Limit how you use or disclose their sensitive personal information (added by CPRA) | 15 business days |
| Right to Non-Discrimination | Not to be denied goods or services, charged different prices, or given a worse experience for exercising CCPA rights | Ongoing obligation |
| Right to Data Portability | Receive their data in a portable, readily usable format | 45 days (extendable to 90) |

💡 What counts as "sensitive personal information" under CPRA? Social Security numbers, financial account credentials, precise geolocation, health information, racial or ethnic origin, religious beliefs, union membership, private communications, and certain biometric data. Sensitive PI has its own opt-out right separate from the general right to opt out of sale or sharing.

Step 3 — Audit Your Privacy Policy

Your privacy policy is the foundation of CCPA compliance. Under the law, it must be updated at least once every 12 months and must contain specific disclosures that most generic privacy-policy templates miss entirely.

What your CCPA-compliant privacy policy must include

1. Categories of personal information collected

List every category using CCPA's defined taxonomy: identifiers (name, IP, email), commercial information (purchase history), internet activity (browsing, cookies), geolocation, audio/visual data, professional information, inferences drawn about consumers, and sensitive personal information. A vague "we collect certain information" does not comply.

2. Business or commercial purpose for collection

For each category, explain why you collect it. "To improve our services" is too vague. Be specific: "To deliver purchased products," "To serve interest-based advertising via Meta Pixel," "To analyse user behaviour via session-replay tools."

3. Categories of third parties with whom data is shared

Name the categories of recipients — advertising networks, analytics providers, payment processors, cloud hosting providers, data brokers. CPRA requires disclosing whether data is sold, shared for cross-context behavioural advertising, or disclosed for another business purpose.

4. Retention periods for each data category

Added by CPRA: you must now state how long you retain each category of personal information, or the criteria used to determine retention periods. "We keep data as long as necessary" is not compliant on its own.

5. How to submit a consumer rights request

Provide at least two methods, including a toll-free phone number plus a web form or email address. Businesses operating exclusively online can provide just an email address. Include instructions for the verification process you use.


Step 4 — Add the "Do Not Sell or Share My Personal Information" Link

If your business sells or shares personal information as defined under CCPA, you must display a "Do Not Sell or Share My Personal Information" link prominently on your homepage and at every point where you collect personal data. This is one of the most visible compliance requirements — and one of the most frequently implemented incorrectly.

When does the link apply to you?

"Selling" under CCPA is not just direct monetisation of data. Sharing data with advertising networks that provide free services in return — such as Google Ads or Meta Pixel — qualifies as "selling" or "sharing" under the law. Installing a Facebook Pixel, using Google's ad network, or allowing session-replay software to transmit session data to a third party almost certainly triggers this requirement.

🚫 The link must actually work. Displaying the link but not honouring requests is an intentional violation and carries the $7,500 per-violation penalty. Clicking the link must trigger a process that actually stops the sale or sharing of the consumer's data — not just send them an email that disappears into a queue.

Global Privacy Control (GPC) — a legal obligation, not optional

The California Privacy Protection Agency (CPPA) has confirmed that businesses must honour the Global Privacy Control browser signal as a valid opt-out of sale and sharing. GPC is a browser-level setting (supported in Firefox, Brave, and via extensions in Chrome) that automatically signals a user's opt-out preference. If a consumer has GPC enabled and visits your site, your consent management platform must recognise the signal and stop all sale and sharing immediately — without requiring the consumer to manually click a link.

Step 5 — Build a Data Inventory

You cannot disclose what you collect if you do not know what you collect. A data inventory — sometimes called a Record of Processing Activities (ROPA) — is the internal document that maps every piece of personal information your business touches. Under CPRA, maintaining this record is a compliance best practice that also protects you in an audit.

Your data inventory should document, for each category of personal information:

  • What data is collected and from which source (website forms, cookies, purchase transactions, third-party data providers)
  • The business purpose for collection
  • Which systems store it and where (US-based servers, EU-based cloud, third-party SaaS)
  • Which vendors or service providers receive access to the data
  • How long it is retained and the deletion process
  • Whether it is "sold" or "shared" under CCPA definitions

📋 Start with your website's tech stack. The easiest place to begin a data inventory is your website. Use a scanner tool to identify every third-party script, pixel, and cookie your site loads — including ones your developers or marketing team may have added over the years without documentation. You may discover trackers you did not intentionally install.

Step 6 — Review Vendor and Service-Provider Contracts

Under CCPA, a "service provider" is a company that receives personal information from you under a contract that restricts it from using the data for purposes outside the service it provides. If a third party uses your customers' data for its own purposes — such as building advertising profiles — it is not a service provider under CCPA; it is a third party receiving a "sale" or "share" of the data.

This distinction matters enormously. When you share data with a true service provider (one that contractually agrees to only use data to perform services for you), you are generally not considered to have "sold" the data. But when you share with an entity that uses the data for its own commercial purposes, you have sold it — even if you received no money.

What your service-provider contracts must include

  • A prohibition on the service provider selling or sharing the personal information it receives
  • A prohibition on using the data for any purpose other than performing the specified service
  • Confirmation that the service provider understands CCPA obligations and will help you respond to consumer rights requests
  • A requirement for the service provider to notify you if it determines it can no longer comply with CCPA

Review contracts with your email service provider, CRM platform, analytics vendor, payment processor, customer support software, and any cloud storage provider that handles personal data. If any of these contracts do not contain CCPA-specific language, request a Data Processing Addendum (DPA) or updated contract terms from the vendor. Most major SaaS companies have CCPA DPAs available on request or on their legal/privacy documentation pages.

Step 7 — Set Up a Consumer Request Process

Accepting and responding to consumer rights requests is not optional — and doing it ad hoc is a compliance risk. You need a documented, repeatable process before the first request arrives. Under CCPA, you must provide at least two methods for submitting requests, including a toll-free phone number (unless you operate exclusively online).

1. Designate a privacy point of contact

Assign responsibility for handling requests. This can be an existing employee, a privacy officer, or a legal advisor — but there must be a named owner who monitors the intake channel and tracks response deadlines.

2. Build your intake channels

At minimum, a web form or dedicated email address (e.g., privacy@yourdomain.com) plus a toll-free number. Both must be listed in your privacy policy. The web form should ask for the consumer's name, email, and the type of request — but no more than is reasonably necessary to verify the request.

3. Define your verification process

You must verify the identity of the consumer making the request before disclosing or deleting data — but you cannot require a consumer to create an account to do so. For most small businesses, email verification (asking the consumer to confirm from the email associated with their account) is proportionate and sufficient.

4. Track and log all requests

Keep a record of every request received, the date received, what type of request it was, your verification steps, the response sent, and the date responded. If you ever face an audit or enforcement action, this log demonstrates good-faith compliance.

5. Test your process before you need it

Submit a test request yourself and see how long it actually takes to complete. A process that looks simple on paper often reveals gaps — data you cannot locate, a third-party vendor that does not have a deletion workflow, or an email address that bounces.

CCPA does not require opt-in consent for data collection in the same way GDPR does. However, it does require clear disclosure at or before the point of collection — and it absolutely requires opt-out mechanisms for any sale or sharing of data. A consent management platform (CMP) solves both problems simultaneously.

A well-configured CMP on your website will:

  • Inform visitors about the categories of data collected and the purposes at first visit
  • Provide a clear, functioning opt-out from sale and sharing of personal information
  • Detect and respect the Global Privacy Control (GPC) browser signal automatically
  • Block third-party tracking scripts (ad pixels, analytics, session-replay tools) until the appropriate consent or opt-out status is established
  • Log consent decisions with a timestamp for your audit records
  • Maintain a consent record linked to each user's session for verification

⚠️ A banner alone is not compliance. Displaying a notice without blocking the underlying trackers is cosmetic compliance. If a third-party script fires before — or regardless of — the consent state, you are still sharing data without a valid opt-out mechanism in place. Your CMP must technically block script execution, not just display a pop-up.
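The GPC handling described in Step 4 and the script-blocking behaviour in the CMP list above, as an added example that is not code from the original article or from ConsentPixel: a minimal consent gate that holds back data-sharing scripts until the opt-out state is known, treats the Global Privacy Control signal as a valid opt-out on its own, and logs each decision with a timestamp. The script registry, the saved choice value 'opt-out', and the precedence rule are assumptions for this example.

```javascript
// Constructed registry of the scripts a hypothetical site loads. "sharesData" marks
// scripts that send personal information to a third party for advertising or
// analytics (a "sale" or "share" under CCPA); strictly necessary scripts are not gated.
const SCRIPT_REGISTRY = [
  { id: 'payments', src: 'https://payments.example/checkout.js', sharesData: false },
  { id: 'ad-pixel', src: 'https://ads.example/pixel.js', sharesData: true },
  { id: 'session-replay', src: 'https://replay.example/record.js', sharesData: true },
];

// Resolve the opt-out state. A saved "Do Not Sell or Share" choice (assumed to be
// stored as the string 'opt-out') and the GPC signal (navigator.globalPrivacyControl
// === true) are each sufficient on their own, so GPC is honoured without a click.
function resolveOptOut(navigatorLike, savedChoice) {
  if (savedChoice === 'opt-out') return { optedOut: true, source: 'do-not-sell-link' };
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) {
    return { optedOut: true, source: 'gpc-signal' };
  }
  return { optedOut: false, source: 'no-opt-out' };
}

// Scripts permitted under the resolved state: everything when the visitor has
// not opted out, only the non-sharing scripts when they have.
function permittedScripts(registry, state) {
  return registry.filter((s) => !s.sharesData || !state.optedOut);
}

// Append a timestamped decision to the audit log (an in-memory array here; a
// production CMP would persist this server-side for the audit record).
function logDecision(log, state, permitted, now = new Date()) {
  const entry = {
    at: now.toISOString(),
    optedOut: state.optedOut,
    source: state.source,
    loaded: permitted.map((s) => s.id),
  };
  log.push(entry);
  return entry;
}

// Browser-only side effect: inject only the permitted scripts. Guarded so the
// decision logic above also runs under Node.
function injectScripts(permitted) {
  if (typeof document === 'undefined') return 0;
  for (const s of permitted) {
    const el = document.createElement('script');
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  }
  return permitted.length;
}

// Decide, gate, log, then inject. Returns the log entry for inspection.
function applyConsentGate({ navigatorLike, savedChoice, registry = SCRIPT_REGISTRY, log = [] }) {
  const state = resolveOptOut(navigatorLike, savedChoice);
  const permitted = permittedScripts(registry, state);
  const entry = logDecision(log, state, permitted);
  injectScripts(permitted);
  return entry;
}
```

In a real deployment, applyConsentGate would run before any third-party tag is inserted into the page, with savedChoice read from the visitor's stored preference and navigatorLike set to the real navigator object.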

Printable CCPA Compliance Checklist for Small Businesses (2026)

Use this checklist to track your compliance progress, marking each item as you complete it.

📋 Section A — Applicability & Thresholds

  • Confirm whether CCPA thresholds apply: revenue over $25M, 100K+ consumer records, or 50%+ revenue from data sale/share
  • Identify all California consumer touchpoints: website, mobile app, in-store, phone — anywhere California residents interact with your business
  • Determine if any data qualifies as "sensitive personal information" under CPRA: SSN, precise geolocation, health data, biometrics, financial credentials, private communications
  • Confirm whether you sell or share personal information under CCPA definitions: includes sharing with ad networks and analytics platforms even without direct payment

📋 Section B — Privacy Policy

  • List all categories of personal information collected: use CCPA's defined taxonomy (identifiers, internet activity, commercial info, geolocation, etc.)
  • State the business purpose for each data category: be specific — "to serve interest-based ads via Meta Pixel," not "to improve our services"
  • Disclose categories of third parties who receive data: including advertising networks, analytics providers, and payment processors
  • Include data retention periods for each category: CPRA requirement — specific timeframes or criteria for deletion
  • Provide two methods for submitting consumer rights requests: web form/email + toll-free phone number (unless online-only business)
  • Update privacy policy at least once every 12 months: date-stamp updates and note what changed

📋 Section C — Opt-Out & Consent

  • Display the "Do Not Sell or Share My Personal Information" link: prominent link on homepage and at all data-collection points
  • Ensure the opt-out link is technically functional: clicking it must actually block data sharing — not just log a request
  • Implement Global Privacy Control (GPC) signal recognition: required by CPPA — your CMP must automatically honour GPC browser signals
  • Add a "Limit the Use of My Sensitive Personal Information" link (if applicable): required if you collect or use sensitive PI for purposes beyond those listed in CPRA
  • Deploy a consent management platform (CMP) that blocks trackers by consent state: cosmetic banners that do not block script execution are not compliant

📋 Section D — Consumer Rights Process

  • Designate a privacy point of contact: named individual or team responsible for receiving and responding to requests
  • Set up intake channels (web form / email / phone): must respond within 45 days; may extend to 90 days with notice to the consumer
  • Document your identity-verification process: must verify requestors without requiring account creation
  • Build a request log: track every request, response date, actions taken, and outcome
  • Ensure no discriminatory treatment for rights exercises: cannot deny service, charge more, or provide a worse experience to consumers who opt out

📋 Section E — Data Inventory & Vendor Contracts

  • Conduct a website tracker audit: identify all third-party scripts, pixels, and cookies installed on your site
  • Build a data inventory mapping every data category to its source, purpose, storage, and deletion schedule: maintained and reviewed at least annually
  • Review all vendor contracts for CCPA service-provider language: must prohibit vendors from selling/sharing data or using it for their own purposes
  • Request Data Processing Addenda (DPAs) from vendors that handle personal data: most major SaaS platforms offer CCPA DPAs — request them if not already in place

Frequently Asked Questions

Who does CCPA apply to?

CCPA (now amended by CPRA) applies to for-profit businesses that do business in California and meet at least one of three thresholds: gross annual revenue over $25 million; buying, selling, or sharing personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling consumers' personal information. If you do not meet any of these thresholds, CCPA does not legally require compliance — though following its principles remains good practice as regulations continue to tighten.

What is CPRA, and how does it differ from CCPA?

CPRA is an amendment to CCPA that came into full enforcement on July 1, 2023. Key additions include a new "sensitive personal information" category with its own opt-out right; a right to correct inaccurate data; mandatory data retention disclosures; the creation of the California Privacy Protection Agency as a dedicated enforcement body; and new rules on automated decision-making. In practice, the two laws are now a single combined framework — compliance means meeting CPRA's updated requirements.

What counts as "selling" personal information?

"Selling" is defined broadly as sharing personal information for monetary or other valuable consideration. This includes sharing data with advertising networks that provide free services in return. CPRA added a separate category of "sharing" specifically to cover behavioural advertising even when no money changes hands. This means if you use Facebook Pixel, Google Ads remarketing, or similar tools, you may be "selling" or "sharing" under CCPA — even if you have never been paid for data directly.

What are the penalties for non-compliance?

The California Attorney General can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. There is also a private right of action for data breaches: consumers can sue for $100–$750 per consumer per incident, or actual damages if higher. The California Privacy Protection Agency (CPPA) has had independent enforcement authority since 2023 and has already initiated formal enforcement proceedings against several companies.

Do I need a "Do Not Sell or Share" link?

Yes — if your business sells or shares personal information as defined by CCPA/CPRA, you must provide a clear and conspicuous link on your homepage and at all data-collection points. The link must be functional, meaning clicking it must actually stop the sale or sharing promptly. You must also honour the Global Privacy Control (GPC) browser signal as an equivalent automatic opt-out — this is a binding requirement confirmed by the CPPA.

How long do I have to respond to a consumer request?

Under CCPA and CPRA, you have 45 days to respond to a verifiable consumer request. You may extend this by an additional 45 days (90 days total) if you notify the consumer of the extension within the original 45-day window and explain why. You may not charge a fee for responding in most circumstances, and you must respond to requests from the same consumer no more than twice in any 12-month period.

The bottom line: CCPA compliance is not a one-time project

CCPA and CPRA compliance is an ongoing operational practice. The law requires annual privacy-policy updates, a functioning consumer request process, up-to-date vendor contracts, and a consent mechanism that actually blocks data sharing — not just displays a notice. California's Privacy Protection Agency is actively enforcing, and the threshold to trigger obligations is lower than most small business owners realise.

The best place to start today is your website: understand every tracker and pixel firing on your pages, ensure your consent banner technically blocks them by consent state, and add a functioning "Do Not Sell or Share" link. Everything else builds on that foundation.

ConsentPixel Research Team
Privacy Compliance & Legal Research
The ConsentPixel — Privacy · Verified research team monitors CCPA, CPRA, CIPA, and GDPR developments to help website owners stay ahead of enforcement. All articles are reviewed for legal accuracy and updated as regulations evolve. This article is informational and does not constitute legal advice.