The California Consumer Privacy Act, as amended by the CPRA from 2023, affects millions of websites, including most eCommerce sites running Google Analytics, Meta Pixel, or any other analytics or advertising tool. Here is everything you need to know, in plain English.
Updated June 2026
Includes 2026 dark pattern rules
Does CCPA apply to you?
1. Revenue over $25M annually: any business with gross annual revenue exceeding $25 million. The statute requires this figure to be adjusted for inflation, so check the CPPA's current threshold rather than relying on the round number.
2. 100,000+ consumers: annually buys, sells, or shares the personal information of 100,000 or more California consumers or households.
3. 50% of revenue from selling or sharing data: derives 50% or more of annual revenue from selling or sharing consumers' personal information.
⚠️ Most analytics tools count. If you use Google Analytics, Meta Pixel, or similar tools and have visitors from California, you may well be sharing personal information of 100,000+ consumers per year, which triggers Threshold 2. Note that "sharing" has a specific meaning under CPRA: disclosing personal information for cross-context behavioural advertising, whether or not money changes hands. It is the advertising use of these tools, not their mere presence, that matters, so treat this as a risk flag and confirm against your actual configuration.
Background
What is the CCPA — and what is CPRA?
The California Consumer Privacy Act (CCPA) came into force January 1, 2020. It gave California residents new rights over their personal information — the right to know what data is collected, the right to delete it, and the right to opt out of its sale. At the time it was the most comprehensive consumer privacy law in the United States.
In November 2020, California voters passed Proposition 24, creating the California Privacy Rights Act (CPRA). CPRA amended and substantially expanded CCPA. It took full effect January 1, 2023 and introduced:
CCPA (original — 2020)
Right to know what personal information is collected
Right to delete personal information
Right to opt out of sale of personal information
Right to non-discrimination for exercising rights
Privacy policy disclosure requirements
CPRA additions (2023+)
Right to correct inaccurate personal information
Right to limit use of sensitive personal information
Right to opt out of sharing (not just selling) for cross-context advertising
CPPA enforcement agency created — dedicated regulator
Dark pattern prohibitions (in CPRA since 2023; carried forward in the CPPA regulations that took effect January 2026)
💡
What to call it in 2026
When people refer to "CCPA compliance" in 2026, they generally mean compliance with both CCPA and CPRA together. The two laws are now inseparable in practice. This guide covers both.
Applicability
Who does CCPA apply to?
CCPA applies to for-profit businesses that do business in California and meet at least one of the three thresholds shown in the quick-reference card above. You do not need to be based in California — if you have California customers, you are likely covered.
The threshold that catches most websites
Threshold 2 — buying, selling, receiving, or sharing personal information of 100,000+ consumers or households per year — is the one that catches most eCommerce and content sites that do not think of themselves as "data companies."
⚠️
Standard analytics tools count
Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Hotjar, FullStory, and similar tools all collect personal information, including IP addresses, device identifiers, and browsing behaviour, and send it to a third party. When that disclosure is used for cross-context behavioural advertising (retargeting, lookalike audiences, conversion matching) it is "sharing" under CPRA regardless of whether any money changes hands. If you have meaningful California traffic and use any of these tools for advertising, you are very likely sharing personal information of more than 100,000 consumers annually, and that triggers CCPA. Whether a pure measurement configuration with advertising features switched off also counts is fact-specific; the ad pixels are the clearest case.
What is excluded
CCPA does not apply to: non-profit organisations, government entities, businesses that do not do business in California, and businesses that fall below all three thresholds. The employee and business-to-business exemptions that existed under the original CCPA expired on January 1, 2023 and were not renewed, so data about employees, job applicants, and business contacts is now covered like any other consumer data. Some data-level exemptions remain for information already governed by sector laws such as HIPAA (medical information) and GLBA (financial information).
Requirements
What does CCPA require your website to do?
CCPA compliance has six main obligations for website operators. Each one requires both a privacy policy disclosure and an operational process behind it.
📋
Privacy policy disclosures
Your privacy policy must disclose: categories of personal information collected, purposes for collection, categories of third parties data is shared with, consumer rights and how to exercise them, and whether you sell or share personal information.
🚫
Opt-out mechanism
If you sell or share personal information (including with ad networks and analytics tools), you must provide a clear "Do Not Sell or Share My Personal Information" link, typically in your footer or privacy settings. You must act on the request as soon as feasible and no later than 15 business days, you may not require the consumer to create an account to make it, and you must treat an opt-out preference signal sent by the browser, such as Global Privacy Control (GPC), as a valid opt-out request.
📬
Consumer request handling
You must confirm receipt of a consumer request to know, delete, or correct personal information within 10 business days and respond substantively within 45 days (extendable by a further 45 days with notice to the consumer). You need designated methods for submitting requests, typically a web form plus an email address or toll-free number, and a process to verify that the requester is who they claim to be before releasing or deleting data.
🔒
Sensitive personal information
CPRA created a special category for sensitive personal information — government IDs, financial data, health data, biometric data, precise geolocation, sexual orientation, and more. Consumers have the right to limit your use of this data beyond what is necessary for the service.
⚖️
Non-discrimination
You cannot deny services, charge different prices, or provide a lesser quality of service to consumers who exercise their CCPA rights. You can offer financial incentives for data sharing, but they must be clearly disclosed.
📜
Data minimisation (CPRA)
CPRA introduced a data minimisation principle — you should only collect, use, retain, and share personal information that is reasonably necessary and proportionate to the purpose for which it was collected. Collecting data "just in case" is no longer safe.
Consumer rights
The full list of CCPA / CPRA consumer rights
Consumers have the following rights under the combined CCPA/CPRA framework. Businesses must honour all of them within the prescribed timelines.
Right | What it means | Response time | Source
Right to know | Consumer can request what personal information you have collected about them and why | 45 days (extendable by a further 45) | CCPA
Right to delete | Consumer can request deletion of their personal information, subject to certain exceptions | 45 days (extendable by a further 45) | CCPA
Right to opt out | Consumer can opt out of the sale or sharing of their personal information, including via a Global Privacy Control signal | As soon as feasible, no later than 15 business days | CCPA (sharing added by CPRA)
Right to non-discrimination | Cannot be denied service or treated differently for exercising rights | Ongoing | CCPA
Right to correct | Consumer can request correction of inaccurate personal information | 45 days (extendable by a further 45) | CPRA
Right to limit | Consumer can limit use of sensitive personal information beyond the necessary purpose | 15 business days | CPRA
Right to portability | Consumer can receive their data in a readily usable format to transfer elsewhere | 45 days (handled as part of a right to know request) | CCPA, retained by CPRA
2026 Update
The 2026 dark pattern rules — what changed
The California Privacy Protection Agency's (CPPA) amended regulations, which carry forward and sharpen its rules on dark patterns, took effect January 1, 2026. The prohibition itself is older than that: CPRA has defined "dark pattern" since 2023 and provides that consent obtained through one is not valid consent, and the CPPA's original regulations already required symmetry in choice. For website operators the practical effect is the same: these rules directly govern how consent banners must look and function.
🚨
If your banner was designed to make "Accept" easy and "Decline" hard, it is now non-compliant
The CPPA explicitly prohibits consent interfaces that use visual design to nudge users toward less privacy-protective choices. A bright "Accept All" button next to a greyed-out or hard-to-find "Decline" or "Manage" option is a dark pattern under the 2026 rules.
What is now explicitly prohibited
The regulations prohibit interface design that:
✕ Makes "Accept" visually prominent compared to "Decline" or "Opt Out" options
✕ Requires more steps to decline than to accept
✕ Uses language that confuses consumers about what they are consenting to
✕ Buries the "Do Not Sell or Share" link in a way that makes it hard to find
✕ Uses repeated requests to override a consumer's opt-out decision
✅
What compliant looks like
Accept and decline options must be presented with equal visual weight. The path to opting out must be no more steps than the path to accepting. ConsentPixel — Privacy · Verified banners are built to meet the 2026 dark pattern rules by default — symmetric button design, equal prominence, single-click decline.
Penalties
What are the CCPA penalties?
CCPA enforcement is handled by both the California AG's office and the California Privacy Protection Agency (CPPA), which was created by CPRA. Penalties can be significant — and the CPPA is actively investigating and issuing enforcement actions.
$2,500 per unintentional violation (civil penalty; the statutory amounts are adjusted for inflation)
$7,500 per intentional violation, or any violation involving the personal information of a consumer under 16 (civil penalty)
$100 to $750 per consumer per incident, or actual damages if greater (private right of action for breaches of non-encrypted, non-redacted personal information caused by a failure to maintain reasonable security)
⚠️
Violations multiply fast
Each affected consumer can be a separate violation. A data breach or non-compliant consent practice affecting 10,000 California consumers could result in penalties of $25 million (unintentional) to $75 million (intentional). The CPPA has brought enforcement actions against companies for exactly these types of violations.
Recent enforcement examples
The California AG's first CCPA settlement (Sephora, August 2022, $1.2 million) concerned third-party analytics and advertising cookies that amounted to selling personal information, and a failure to honour Global Privacy Control opt-out signals. The CPPA's first enforcement decision (American Honda Motor Co., March 2025, $632,500) found, among other things, a cookie-management interface that let consumers accept all cookies in one click but required two clicks to opt out, which is exactly the asymmetry the dark pattern rules prohibit. Several major companies have faced investigations for dark pattern violations in their consent interfaces since the 2026 rules took effect. The AG's office has been active on data broker and analytics-sharing cases throughout 2025 and 2026.
Free tool
Scan your site for CCPA compliance issues
Our free scanner checks your homepage for the most common CCPA compliance gaps — trackers firing without consent, missing opt-out mechanisms, and consent banners that may not meet the 2026 dark pattern standards. Takes 30 seconds, no account needed.
Action plan
How to make your website CCPA compliant
CCPA compliance for a website covers five operational areas. The steps below are ordered by urgency — the consent mechanism and opt-out are most likely to generate enforcement risk if missing.
1. Install a compliant consent management platform
A CMP handles the consent banner, logs consent decisions in an audit trail, and ensures tracking tools do not fire until consent is given (or fires them only in ways permitted for opted-out users). It must also read the browser's Global Privacy Control signal and treat it as an opt-out without any banner interaction. In 2026, your CMP banner must meet the dark pattern rules: equal prominence for accept and decline, and no more steps to decline than to accept. ConsentPixel — Privacy · Verified installs with one script tag and is built to meet the 2026 CCPA/CPRA dark pattern requirements by default.
2. Add "Do Not Sell or Share My Personal Information" to your footer
This link is required if you sell or share personal information (which includes most ad pixels and advertising-enabled analytics tools). It must be in a location that is easy to find, typically the website footer; the regulations also allow a single "Your Privacy Choices" link with the opt-out icon that covers both the opt-out and the right to limit. The link should lead to a mechanism where consumers can make the request and confirm their opt-out without creating an account, and the same opt-out must be applied automatically to visitors whose browser sends a Global Privacy Control signal.
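The gating described in steps 1 and 2 is shown below as an added example. It is not ConsentPixel's code and not Google's: it keeps every third-party tag off until an explicit choice, treats the browser's Global Privacy Control signal as an opt-out, and drives Google Consent Mode v2 through the same dataLayer queue gtag.js uses. The cookie name `ccpa_opt_out`, the gated tag list and the placeholder measurement ID are this example's own assumptions.

```javascript
// Added example (not ConsentPixel code or Google's): a client-side consent gate
// that keeps third-party tags off until an explicit, symmetric choice, treats the
// Global Privacy Control (GPC) signal as an opt-out, and drives Google Consent
// Mode v2. Names marked "assumption" are this example's own.

const OPT_OUT_COOKIE = 'ccpa_opt_out';          // assumption: first-party cookie name
// Google's own Consent Mode v2 parameter names.
const CONSENT_MODE_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Tags that sell or share personal information only load after opt-in.
// The measurement ID is a placeholder (assumption).
const GATED_TAGS = [
  'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX',
  'https://connect.facebook.net/en_US/fbevents.js',
];

// Reconcile the three inputs a banner has to respect. GPC wins over everything
// because the regulations treat it as a valid opt-out request; an explicit click
// wins over a stored cookie so a consumer who opted out can later opt back in.
// (Assumption: the site does not re-prompt GPC users for consent.)
function resolveConsent({ gpcSignal, storedOptOut, bannerChoice }) {
  if (gpcSignal) return 'opt_out';
  if (bannerChoice === 'accept') return 'opt_in';
  if (bannerChoice === 'decline' || storedOptOut) return 'opt_out';
  return 'pending';                               // no choice yet: deny everything
}

// Consent Mode v2 parameters for a state; anything but opt_in is denied.
function consentModeParams(state) {
  const value = state === 'opt_in' ? 'granted' : 'denied';
  return Object.fromEntries(CONSENT_MODE_KEYS.map((key) => [key, value]));
}

// Only opt_in unlocks gated tags; a pending or opted-out visitor loads none.
function tagsToLoad(state) {
  return state === 'opt_in' ? GATED_TAGS.slice() : [];
}

// Browser-only readers; both return false outside a browser (e.g. under Node).
function readGpc() {
  return typeof navigator !== 'undefined' && navigator.globalPrivacyControl === true;
}
function readStoredOptOut() {
  if (typeof document === 'undefined') return false;
  return document.cookie.split('; ').includes(`${OPT_OUT_COOKIE}=1`);
}

// Same queueing mechanism gtag.js uses, so it is safe to call before it loads.
function gtag() {
  if (typeof window === 'undefined') return;
  window.dataLayer = window.dataLayer || [];
  window.dataLayer.push(arguments);
}

// Call once at page load with no argument (sets the Consent Mode default, which
// must precede the gtag.js script tag), then again with 'accept' or 'decline'
// when the visitor clicks one of two equally prominent buttons.
function applyConsent(bannerChoice) {
  const state = resolveConsent({ gpcSignal: readGpc(), storedOptOut: readStoredOptOut(), bannerChoice });
  gtag('consent', bannerChoice === undefined ? 'default' : 'update', consentModeParams(state));
  if (typeof document !== 'undefined') {
    if (state === 'opt_out') {
      // Persist the opt-out so later page views never fall back to 'pending'.
      document.cookie = `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
    } else if (bannerChoice === 'accept') {
      document.cookie = `${OPT_OUT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
    }
    for (const src of tagsToLoad(state)) {
      const script = document.createElement('script');
      script.async = true;
      script.src = src;
      document.head.appendChild(script);
    }
  }
  return state;
}
```

The ordering matters: `applyConsent()` with no argument must run in an inline script before any gtag.js or pixel script tag is injected, otherwise Consent Mode has no default to apply and the first hits go out with storage granted. The two banner buttons should call `applyConsent('accept')` and `applyConsent('decline')` and be styled identically, which is what the dark pattern rules mean by symmetry.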
3. Update your privacy policy
Your privacy policy must disclose: what categories of personal information you collect, why you collect it, which third parties you share it with, and how consumers can exercise their rights. It must be updated whenever your data practices change. ConsentPixel auto-generates a CCPA-compliant privacy policy as part of the setup.
4. Set up a consumer request process (DSAR)
You need a way for consumers to submit requests to know, delete, correct, or opt out. CCPA calls these verifiable consumer requests; the GDPR term Data Subject Access Request (DSAR) is commonly used for the same process. The statute requires two or more designated methods, including a toll-free telephone number, unless you operate exclusively online and have a direct relationship with the consumer, in which case an email address is enough. Responses are required within 45 days, and you must verify the requester's identity before disclosing or deleting data. ConsentPixel includes an embeddable DSAR form that handles submission logging and response tracking.
5. Audit your third-party tools and data flows
Review every analytics tool, ad pixel, and CRM integration on your site, including tags injected by a tag manager and anything sent server-side. For each one: does it collect personal information? Is it disclosed in your privacy policy? Is it blocked until consent is given, and does it stay blocked when the browser sends a Global Privacy Control signal? Is there a contract in place with the recipient, as the regulations require for service providers and third parties? Run the free scanner above to get a starting audit of what is currently firing on your homepage.
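One way to start the audit in step 5 yourself, as an added example that is not ConsentPixel's scanner: load the homepage in a fresh profile with no cookies and without answering the banner, export a HAR from the browser's network panel, and list every third-party host that was contacted before the moment the banner was answered. The tracker map, the first-party host `shop.example` and the HAR excerpt below are all constructed for this example.

```javascript
// Added example (not ConsentPixel's scanner): list the third-party hosts that
// fired before the visitor answered the consent banner, from a HAR export of a
// fresh, cookie-less homepage load. Tracker map, first-party host and HAR
// excerpt are constructed for illustration.

const SITE_HOST = 'shop.example';                  // assumption: host being audited

// Host suffixes of the trackers named in this guide, mapped to a vendor label.
const TRACKER_HOSTS = {
  'google-analytics.com': 'Google Analytics',
  'googletagmanager.com': 'Google Tag Manager',
  'doubleclick.net': 'Google Ads',
  'facebook.net': 'Meta Pixel',
  'facebook.com': 'Meta Pixel',
  'tiktok.com': 'TikTok Pixel',
  'licdn.com': 'LinkedIn Insight Tag',
  'hotjar.com': 'Hotjar',
  'fullstory.com': 'FullStory',
};

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Suffix match so script.hotjar.com and static.hotjar.com both map to Hotjar.
function vendorFor(host) {
  for (const [suffix, vendor] of Object.entries(TRACKER_HOSTS)) {
    if (host === suffix || host.endsWith('.' + suffix)) return vendor;
  }
  return null;
}

function isFirstParty(host) {
  return host === SITE_HOST || host.endsWith('.' + SITE_HOST);
}

// Every third-party request that started before consentAt (ms since epoch) is a
// finding: a visitor who has not chosen yet must be treated as opted out.
function auditPreConsent(harEntries, consentAt) {
  const findings = [];
  for (const entry of harEntries) {
    const started = Date.parse(entry.startedDateTime);
    if (Number.isNaN(started) || started >= consentAt) continue;
    const host = hostOf(entry.request.url);
    if (isFirstParty(host)) continue;
    const headers = (entry.response && entry.response.headers) || [];
    findings.push({
      host,
      vendor: vendorFor(host) || 'unclassified third party',
      setsCookie: headers.some((h) => h.name.toLowerCase() === 'set-cookie'),
      url: entry.request.url,
    });
  }
  return findings;
}

// Roll findings up per vendor: this is the list that must appear in the privacy
// policy and be gated by the CMP.
function summarizeByVendor(findings) {
  const summary = {};
  for (const f of findings) {
    summary[f.vendor] = summary[f.vendor] || { requests: 0, setsCookie: false };
    summary[f.vendor].requests += 1;
    summary[f.vendor].setsCookie = summary[f.vendor].setsCookie || f.setsCookie;
  }
  return summary;
}

// Constructed HAR excerpt: the banner is answered at 10:00:05, so the first four
// entries fire before consent and the last one after it.
const SAMPLE_ENTRIES = [
  { startedDateTime: '2026-06-01T10:00:00.000Z', request: { url: 'https://shop.example/' }, response: { headers: [] } },
  { startedDateTime: '2026-06-01T10:00:00.200Z', request: { url: 'https://www.googletagmanager.com/gtag/js?id=G-TEST' }, response: { headers: [] } },
  { startedDateTime: '2026-06-01T10:00:00.400Z', request: { url: 'https://connect.facebook.net/en_US/fbevents.js' }, response: { headers: [] } },
  { startedDateTime: '2026-06-01T10:00:00.500Z', request: { url: 'https://script.hotjar.com/modules.js' }, response: { headers: [{ name: 'Set-Cookie', value: '_hjSessionUser=constructed' }] } },
  { startedDateTime: '2026-06-01T10:00:09.000Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2' }, response: { headers: [] } },
];
const CONSENT_AT = Date.parse('2026-06-01T10:00:05.000Z');

const preConsentFindings = auditPreConsent(SAMPLE_ENTRIES, CONSENT_AT);
const preConsentSummary = summarizeByVendor(preConsentFindings);
console.log(JSON.stringify(preConsentSummary, null, 2));
```

On the constructed HAR the audit reports Google Tag Manager, Meta Pixel and Hotjar as firing before consent, with Hotjar also setting a cookie, while the Google Analytics hit after the banner was answered is not flagged. Repeat the export with a browser that sends `Sec-GPC: 1` and the banner never answered; any tracker in the output then is a request that ignored the opt-out signal.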
Compliance checklist
CCPA/CPRA compliance checklist for 2026
Use this checklist to assess your current compliance posture.
Consent management platform installed — banners fire before any tracking tool loads
Consent banner meets 2026 dark pattern rules — accept and decline options have equal visual weight
"Do Not Sell or Share My Personal Information" link (or the "Your Privacy Choices" alternative with the opt-out icon) in website footer, and Global Privacy Control signals honoured as opt-out requests
Privacy policy updated with all CCPA/CPRA required disclosures
Privacy policy includes a list of categories of personal information collected
Privacy policy identifies third parties personal information is shared with
Consumer request process (DSAR) in place — form or designated email
Process to respond to access/deletion/correction requests within 45 days
All analytics and ad tracking tools disclosed in privacy policy
Google Consent Mode v2 configured for all Google tags
Sensitive personal information identified — use limited to necessary purposes
Consent decisions logged in an audit trail for legal defence
Common questions
CCPA/CPRA frequently asked questions
Does CCPA apply to my business?
CCPA applies if your business meets at least one of three thresholds: annual gross revenue over $25 million (adjusted for inflation), buying, selling, or sharing personal information of 100,000+ consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. Most eCommerce sites that use Google Analytics or Meta Pixel for advertising and have California visitors are likely collecting data on 100,000+ consumers annually, which triggers threshold 2.
What is the difference between CCPA and CPRA?
CPRA is an amendment and expansion of CCPA that took full effect January 1, 2023. CPRA added new consumer rights (right to correct, right to limit sensitive personal information use), created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and introduced stricter requirements. When people say "CCPA compliance" in 2026, they generally mean compliance with both CCPA and CPRA together.
Does CCPA require a cookie consent banner?
CCPA does not technically require a cookie consent banner the way GDPR does; it is an opt-out regime. However, the CPPA's dark pattern rules (in force since 2023 and carried forward in the regulations effective January 2026) explicitly prohibit consent interfaces that nudge consumers toward less privacy-protective choices, and if you use tracking technologies that qualify as selling or sharing personal information you must provide a clear opt-out mechanism and honour Global Privacy Control signals. In practice, a compliant CMP banner is the simplest way to meet all these requirements simultaneously.
What are the penalties for non-compliance?
The California AG and CPPA can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation or any violation involving a consumer under 16. For data breaches of non-encrypted, non-redacted personal information caused by a failure to maintain reasonable security, consumers can bring private lawsuits for $100 to $750 per consumer per incident, or actual damages if greater. Violations can multiply quickly, since each affected consumer is a separate potential violation.
When did the dark pattern rules take effect?
CPRA has defined "dark pattern" and voided consent obtained through one since 2023, and the CPPA's original regulations already required symmetry in choice. The CPPA's amended regulations, which carry those rules forward, took effect January 1, 2026. They prohibit consent interfaces that use asymmetric design, such as making "accept" visually prominent while "opt out" is hard to find or buried in menus. Any business using a consent banner designed to nudge users toward accepting is potentially non-compliant. The rules require that opting out be as easy as opting in.
Does CCPA apply to B2B data?
CCPA protects California consumers, meaning natural persons who are California residents. Under the original CCPA, data collected about individuals acting for a business (B2B contacts) and about employees was temporarily exempt, but both exemptions expired on January 1, 2023 and were not renewed. A B2B contact browsing your website or receiving your marketing therefore has the same CCPA rights as any other consumer.
Get CCPA compliant in 5 minutes
ConsentPixel — Privacy · Verified handles your consent banner, opt-out mechanism, DSAR process, privacy policy, and consent audit trail — all from one script tag. Built to meet the 2026 CCPA dark pattern rules by default.