CPRA/CCPA California Compliance Guide – Complete Setup for California Privacy Law

The California Privacy Rights Act (CPRA) and its predecessor, the California Consumer Privacy Act (CCPA), establish comprehensive privacy rights for California residents. Unlike GDPR’s strict opt-in requirements, California law allows opt-out consent models while still providing significant consumer privacy protections. This guide walks you through configuring DigiConsent for full CPRA/CCPA compliance, ensuring California visitors have the privacy rights they’re entitled to while allowing you to maintain analytics and marketing capabilities under this more flexible regulatory framework.

Understanding the differences between CPRA/CCPA and GDPR is crucial for proper implementation. While both protect consumer privacy, their approaches differ significantly, and DigiConsent can accommodate both simultaneously using geolocation targeting.

Understanding CPRA/CCPA Requirements

CPRA vs CCPA: What’s the Difference?

CCPA took effect January 1, 2020. CPRA, which significantly expanded CCPA, became operative January 1, 2023. CPRA is sometimes called “CCPA 2.0” because it amends CCPA rather than replacing it:

  • CCPA (2020): Established basic privacy rights including right to know, delete, and opt-out of sale
  • CPRA (2023): Added the right to correct inaccurate data, the right to limit use of sensitive personal information, an opt-out of “sharing” for cross-context behavioral advertising (not just sale), and a dedicated enforcement agency, the California Privacy Protection Agency (CPPA)

For practical purposes, configuring for CPRA means you are complying with CCPA as well: the statute is still the CCPA, as amended by CPRA, and the CPRA requirements are the more comprehensive set.

Core CPRA Requirements for Websites

  • Notice at Collection: Inform users, at or before the point of collection, what personal information you collect, why, and how long you keep it
  • Privacy Policy: Comprehensive policy listing all data practices
  • Do Not Sell/Share Link: A persistent, conspicuous “Do Not Sell or Share My Personal Information” link (the title the statute specifies) on your homepage, usually in the footer; a banner alone is not enough because it disappears once dismissed
  • Opt-Out Mechanism: Functional system that honors opt-out requests, including browser opt-out preference signals such as Global Privacy Control, within 15 business days
  • Sensitive Personal Information: Additional opt-out (“Limit the Use of My Sensitive Personal Information”) for sensitive data uses beyond those the regulations permit by default
  • No Discrimination: Can’t penalize users for exercising privacy rights (financial-incentive programs are the limited exception and need notice and opt-in)

CPRA vs GDPR: Key Differences

Consent Model:

  • GDPR (together with the ePrivacy Directive, which is where the cookie rule actually lives): Opt-in; non-essential cookies may not be set until the user gives explicit consent
  • CPRA: Opt-out; cookies may be set unless the user opts out, either through your opt-out mechanism or through a browser opt-out preference signal such as GPC

Scope:

  • GDPR: Applies to personal data of people in the EU/EEA, regardless of where the business is located
  • CPRA: Applies to personal information of California residents, and only to businesses that meet its thresholds (annual gross revenue above $25 million, adjusted periodically for inflation; buying, selling or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of revenue from selling or sharing personal information)

Cookie Banner:

  • GDPR: Must block non-essential cookies until consent is obtained
  • CPRA: Can load cookies immediately but must provide a clear opt-out, and must not load sale/share cookies at all for a visitor whose browser sends a GPC signal

CPRA Compliance Checklist

Step 1: Configure Opt-Out Consent Behavior

CPRA allows cookies by default with clear opt-out mechanism.

  1. Navigate to DigiConsent → Settings → General
  2. Find Consent Behavior setting
  3. Select Opt-out (Allow cookies, user can reject)
  4. Save settings

This allows analytics and marketing cookies to load immediately while still giving users the ability to reject them, which is compliant with CPRA’s opt-out model. The one exception is a visitor whose browser sends a Global Privacy Control signal: for that visitor the sale/share categories must start off (see Step 8).

Step 2: Create California-Specific Banner Text

CPRA requires clear communication about data collection and user rights.

  1. Go to Settings → General → Banner Text
  2. Configure messaging for California visitors

Example CPRA-Compliant Banner Text:

Heading: “Your California Privacy Rights”

Description: “We use cookies and similar technologies to analyze site traffic, personalize content, and show targeted advertisements. As a California resident, you have the right to opt out of the sale or sharing of your personal information. Click ‘Cookie Settings’ to manage your preferences or ‘Do Not Sell or Share My Personal Information’ to opt out of sales and sharing. See our Privacy Policy for the categories of information we collect and how long we keep them.”

Step 3: Configure “Do Not Sell” Messaging

CPRA specifically requires a clear “Do Not Sell or Share My Personal Information” opt-out.

  1. In banner configuration, customize reject button:
    • Reject Button Text: “Do Not Sell or Share My Personal Information” (the title the statute gives the link; “Your Privacy Choices” is allowed instead only if you use the alternative opt-out link that covers both the sale/share and the sensitive-information opt-outs)
    • This should be prominent and clear
  2. Ensure reject button is visible (not hidden)
  3. Make it equally accessible as accept button (same size and prominence, no pre-selected accept, no extra clicks to reach the opt-out; the regulations call this symmetry in choice)

Legal Requirement: CPRA requires websites that sell or share personal information to provide a “Do Not Sell or Share My Personal Information” link. The banner’s reject button is one way to reach that opt-out, but the banner disappears after the visitor makes a choice, so you also need a persistent link (typically in the site footer, and in the privacy policy) that reopens the preference panel on every visit.

Step 4: Set Up Cookie Categories

Under CPRA opt-out model, categories can be checked by default (unlike GDPR).

  1. Go to Settings → Cookie Categories
  2. Necessary Cookies:
    • Always enabled (user cannot disable)
    • Session, security, shopping cart
  3. Analytics Cookies:
    • Enable category
    • Set Default State: Checked (CPRA allows this)
    • Add analytics scripts (Google Analytics, etc.)
    • Description: “Help us understand site usage and improve our services”
  4. Marketing Cookies:
    • Enable category
    • Set Default State: Checked
    • Add advertising pixels (Facebook, Google Ads)
    • Description: “Used to show relevant advertisements and measure ad campaign effectiveness”
  5. Functional Cookies:
    • Enable if using chat, videos, maps
    • Set Default State: Checked

Important: Under CPRA, cookies can be enabled by default, but users MUST have easy opt-out capability, and a visitor whose browser sends a GPC signal must get the sale/share categories off from the first page load. Don’t confuse the opt-out default with GDPR’s stricter opt-in requirement.

Step 5: Configure Buttons for Opt-Out Model

  1. Go to Settings → General → Button Configuration
  2. Accept Button: “Accept” or “Continue” (optional, as cookies already enabled)
  3. Reject Button: “Do Not Sell or Share My Personal Information” (REQUIRED; this is the link title the statute specifies)
  4. Settings Button: “Cookie Preferences” (allows granular control)
  5. All buttons should be equally visible

Step 6: Link California Privacy Policy

CPRA requires specific disclosures in your privacy policy.

  1. Create or update privacy policy with CPRA requirements (see section below)
  2. In DigiConsent → Settings → General
  3. Select your privacy policy page in Privacy Policy Page dropdown
  4. Set link text: “Privacy Policy” or “California Privacy Rights”

Step 7: Enable Consent Logging

CPRA does not require a consent record in the GDPR sense, but the CPPA regulations do require you to keep records of consumer requests, including opt-outs, and of how you responded to them, for at least 24 months. The log also protects you in disputes.

  1. Enable Log Consent Decisions
  2. Set Retention Period: 24 months minimum (2+ years recommended)
  3. Logs should capture:
    • Timestamp of opt-out
    • Which categories user opted out of
    • User’s choice (opt-in, opt-out, customized)
    • Whether the opt-out came from a button click or from a GPC signal

Step 8: Configure Global Privacy Control (GPC)

CPRA treats an opt-out preference signal such as Global Privacy Control (GPC) as a valid request to opt out of sale and sharing, and the CPPA regulations require businesses to honor it.

  1. Navigate to Settings → Advanced (if available)
  2. Enable Respect Global Privacy Control Signals
  3. When GPC signal detected:
    • Automatically treat as an opt-out of the sale/share categories, with no extra step required from the visitor
    • Block marketing cookies (and analytics cookies if your analytics counts as sharing)
    • Show banner acknowledging GPC preference, so the visitor can see the signal was processed
    • Apply it even if the visitor previously clicked “Accept” on your site: the regulations say the signal overrides an earlier site-specific setting (you may tell the visitor about the conflict and let them re-consent, but you may not silently keep the earlier choice)

GPC is a browser setting (on by default in Brave, available in Firefox and the DuckDuckGo browser; Chrome has no built-in setting, so test there with a GPC extension) that signals “do not sell or share my data.” Technically the browser does two things: it sends the request header Sec-GPC: 1 to your server, and it exposes navigator.globalPrivacyControl === true to page scripts, so the signal can be checked either server-side or in the consent script. CPRA requires honoring this signal.

Step 9: Test Opt-Out Functionality

Testing Checklist:

  1. Clear cookies, make sure GPC is off in the test browser, and visit the site
  2. Verify banner appears with the opt-out option
  3. Before clicking anything:
    • Check DevTools → Application → Cookies: cookies ARE loading (the opt-out model allows this)
    • Google Analytics, Facebook Pixel should be active
  4. Click “Do Not Sell or Share My Personal Information”:
    • Banner closes
    • Marketing cookies should be removed/blocked, and marketing tags should stop firing (check the Network tab as well as the cookie jar; a tag can send data without setting a cookie)
    • Analytics may continue only if your analytics setup does not count as sharing; third-party analytics with advertising features usually does, and then it must stop too
  5. Test granular opt-out:
    • Open settings
    • Uncheck only Marketing
    • Verify marketing cookies blocked, analytics continue
  6. Reload page:
    • Preference remembered
    • Marketing cookies don’t reload
  7. Verify the persistent footer link reopens the preference panel after the banner has been dismissed
  8. Repeat step 1 with GPC enabled in the browser: sale/share cookies must not load at all, and the banner should acknowledge the signal

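The logic behind Steps 4, 8 and 9 (opt-out default, GPC override, and the “are the right cookies gone?” check) as an added example. This is illustration code written for this guide, not DigiConsent’s own implementation. The browser-side facts it relies on are real (navigator.globalPrivacyControl and the Sec-GPC: 1 request header); the cookie-name-to-category map, the decision to count analytics as a sale/share category, the sample cookie jar and the www.example.com host are assumptions constructed for the example.

```javascript
// Added example, not DigiConsent's own code: an opt-out consent resolver with
// Global Privacy Control handling, plus the cookie audit behind the Step 9 checks.
// The cookie-name map, the sale/share category list and the sample cookie jar are
// constructed for this example; take them from your Step 4 configuration in practice.

const CATEGORIES = ["necessary", "analytics", "marketing", "functional"];

// Categories treated as "sale or sharing" for GPC purposes (assumption for this
// example: analytics is included because third-party analytics with ad features
// usually qualifies; drop it if your analytics is strictly first-party).
const SALE_SHARE_CATEGORIES = ["marketing", "analytics"];

// Cookie-name patterns -> category (constructed; extend to match your own tags).
const COOKIE_CATEGORY_PATTERNS = [
  { pattern: /^(_ga|_gid|_gat)/, category: "analytics" },                 // Google Analytics
  { pattern: /^(_fbp|_fbc|_gcl_au)$/, category: "marketing" },            // Meta pixel, Google Ads
  { pattern: /^(PHPSESSID|wordpress_logged_in_|woocommerce_cart_hash)/, category: "necessary" },
];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf("=");
    jar[eq === -1 ? item : item.slice(0, eq)] = eq === -1 ? "" : item.slice(eq + 1);
  }
  return jar;
}

// Detect an opt-out preference signal. A GPC-enabled browser exposes
// navigator.globalPrivacyControl === true to scripts and sends "Sec-GPC: 1" on
// requests, so the same check works client-side (pass navigator) or server-side
// (pass the request headers; keys are lower-cased as most frameworks do).
function gpcSignalled({ navigatorObj = null, headers = null } = {}) {
  if (navigatorObj && navigatorObj.globalPrivacyControl === true) return true;
  if (headers) {
    const value = headers["sec-gpc"] ?? headers["Sec-GPC"] ?? "";
    if (String(value).trim() === "1") return true;
  }
  return false;
}

// Resolve the effective per-category state under the CPRA opt-out model:
//   1. every category starts enabled (the opt-out default); necessary always stays on;
//   2. a choice stored from the preference panel overrides the default;
//   3. a GPC signal turns the sale/share categories off even if the stored choice
//      allowed them: the regulations treat the signal as the opt-out, and you may
//      ask the visitor to re-consent but not silently keep the earlier choice.
function resolveConsent({ storedPrefs = null, gpc = false } = {}) {
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  if (storedPrefs) {
    for (const c of CATEGORIES) {
      if (c !== "necessary" && c in storedPrefs) state[c] = Boolean(storedPrefs[c]);
    }
  }
  if (gpc) for (const c of SALE_SHARE_CATEGORIES) state[c] = false;
  state.necessary = true;
  return state;
}

function classifyCookie(name) {
  const hit = COOKIE_CATEGORY_PATTERNS.find((p) => p.pattern.test(name));
  return hit ? hit.category : "unknown";
}

// Step 9 check: which cookies in the jar belong to a category that is now off.
// Unknown cookies are reported separately so a newly added tag cannot slip
// through as if it were "necessary".
function auditCookies(cookieString, consentState) {
  const violations = [];
  const unknown = [];
  for (const name of Object.keys(parseCookies(cookieString))) {
    const category = classifyCookie(name);
    if (category === "unknown") unknown.push(name);
    else if (consentState[category] === false) violations.push(name);
  }
  return { violations, unknown };
}

// Expiring cookie strings (assign each to document.cookie) that clear the offenders.
// A cookie is only cleared with the Path/Domain it was set with, so emit one string
// for the bare host and one for the dot-prefixed parent domain that ad tags favour.
function expireCookieStrings(names, host) {
  const domains = [host, "." + host.replace(/^www\./, "")];
  return names.flatMap((n) => domains.map((d) => `${n}=; Max-Age=0; Path=/; Domain=${d}`));
}

// Constructed walk-through: GPC on, no stored choice, and a jar left by a page
// load that fired its tags before the consent script ran.
function demo() {
  const gpc = gpcSignalled({ navigatorObj: { globalPrivacyControl: true } });
  const state = resolveConsent({ storedPrefs: null, gpc });
  const jar = "_ga=GA1.2.1; _fbp=fb.1.2; PHPSESSID=abc; _gcl_au=1.1; mystery=1";
  const { violations, unknown } = auditCookies(jar, state);
  return { state, violations, unknown, clear: expireCookieStrings(violations, "www.example.com") };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two practical notes. First, the audit only sees what document.cookie can see: HttpOnly cookies set by your server have to be cleared with a Set-Cookie response header instead, and a tag that beacons data without writing a cookie is invisible here, which is why Step 9 also checks the Network tab. Second, the “unknown” list is the useful output over time: every new cookie a marketing team adds shows up there first, before it has a category and before anyone has decided whether it is a sale or share.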
Automated California Compliance with DigiConsent Pro Geolocation

DigiConsent Pro’s geolocation feature allows you to automatically apply CPRA-compliant settings to California visitors while using different approaches for other states or countries.

Why Use Geolocation for CPRA

CPRA only applies to California residents. Visitors from other states may be subject to different laws or no privacy laws at all. Geolocation enables you to:

  • Target California Only: Apply CPRA requirements only to California visitors
  • Combine with GDPR: EU visitors get GDPR opt-in, California gets CPRA opt-out
  • State-by-State Compliance: Different rules for Virginia (VCDPA), Colorado (CPA), etc.
  • No Banner for Other States: States without privacy laws don’t see the banner at all (keep the footer opt-out link and GPC handling on for every US visitor regardless: CPRA applies to California residents, not to California IP addresses, and IP geolocation misplaces VPN, mobile-carrier and corporate traffic)

Setting Up California Geolocation Rule

  1. Navigate to DigiConsent Pro → Settings → Geolocation
  2. Enable Geolocation Targeting
  3. Click Add Location Rule
  4. Configure California Rule:
    • Rule Name: “California CPRA Compliance”
    • Target Type: US States
    • State: CA (California)
    • Consent Behavior: Opt-out
    • Banner Text: California-specific messaging with “Do Not Sell” language
    • Cookie Categories: All enabled by default (user can opt out)
    • Reject Button Text: “Do Not Sell My Info”
    • GPC Support: Enabled
  5. Configure other states:
    • Virginia: VCDPA opt-out rule
    • Colorado: CPA opt-out rule
    • Other states: Notice-only or no banner
  6. Configure Fallback (non-US or states without laws):
    • No banner, or simple notice

Multi-State Privacy Compliance

Several US states have comprehensive privacy laws. Use geolocation to comply with each:

California (CPRA): Opt-out with “Do Not Sell” language

Virginia (VCDPA): Opt-out model, effective January 2023

Colorado (CPA): Opt-out model, effective July 2023

Connecticut (CTDPA): Opt-out model, effective July 2023

Utah (UCPA): Opt-out model, effective December 2023

Create separate geolocation rules for each state with state-specific messaging and requirements. Enable GPC support in the Colorado and Connecticut rules too: the CPA requires honoring universal opt-out signals from July 1, 2024, and the CTDPA from January 1, 2025.

Testing California Geolocation

  1. Use VPN or proxy to appear as California visitor
  2. Clear cookies and visit site
  3. Verify CPRA-compliant banner appears
  4. Switch to different state (e.g., Texas)
  5. Verify different banner or no banner, and that the footer opt-out link is still reachable
  6. Test GPC signal if browser supports it, from both the California and the non-California location

California Privacy Policy Requirements

CPRA requires specific disclosures in your privacy policy beyond what DigiConsent manages.

Required Privacy Policy Sections

  • Categories of Personal Information Collected: List all types (identifiers, commercial info, browsing history, geolocation, etc.)
  • Sources of Personal Information: Directly from users, cookies, third parties, etc.
  • Business/Commercial Purposes: Why you collect each category
  • Categories Sold or Shared: If you sell/share data (ads, analytics typically qualify)
  • Third Parties: List companies you share data with (Google, Facebook, etc.)
  • Retention Periods: How long you keep each category
  • Consumer Rights:
    • Right to know what data is collected
    • Right to delete personal information
    • Right to opt-out of sale/sharing
    • Right to correct inaccurate information
    • Right to limit use of sensitive personal information
    • Right to non-discrimination
  • How to Exercise Rights: At least two methods, such as a web form plus an email address or toll-free number (a business that operates only online and has a direct relationship with the consumer may offer an email address alone)
  • Do Not Sell Link: The policy must describe how to opt out and include the “Do Not Sell or Share My Personal Information” link itself; the banner button is not a substitute
  • Date Last Updated: The regulations require the policy to state the date it was last updated

Sensitive Personal Information Notice

CPRA includes special category “Sensitive Personal Information” requiring additional notice:

  • Social security number, driver’s license, state ID or passport number
  • Account log-in, or financial account, debit card or credit card number, together with the password or access code that allows access to the account
  • Precise geolocation
  • Racial/ethnic origin, religious or philosophical beliefs, union membership
  • Contents of mail, email and text messages, unless you are the intended recipient
  • Genetic data, and biometric data processed to uniquely identify a person
  • Health information
  • Sex life or sexual orientation
  • Citizenship/immigration status

If you collect any sensitive personal information and use it for purposes beyond those the regulations allow by default (providing the requested service, security and fraud prevention, and similar), provide clear notice and a “Limit the Use of My Sensitive Personal Information” link, handled the same way as the sale/share opt-out.

Common CPRA Mistakes to Avoid

  • No opt-out mechanism: Must provide clear way to opt out of data sales/sharing
  • Hidden opt-out link: “Do Not Sell” must be prominent and accessible
  • Ignoring GPC signals: CPRA requires honoring Global Privacy Control
  • Incomplete privacy policy: Must disclose all required categories and purposes
  • Not honoring opt-outs: Must actually stop sharing data when user opts out
  • Discriminating against opt-out users: Can’t charge more or provide worse service (limited exceptions)
  • Applying GDPR to California: Opt-in for California is not illegal, just stricter than required and costly in lost data; whichever model you pick, the persistent opt-out link and GPC handling are still required
  • No response mechanism: Must honor opt-out requests within 15 business days and respond to other consumer rights requests within 45 days (extendable once by a further 45 days with notice to the consumer)

CPRA vs GDPR: When to Use Which

Use GDPR settings for:

  • EU visitors (27 EU countries)
  • EEA countries (Iceland, Norway, Liechtenstein)
  • UK visitors (UK GDPR post-Brexit)
  • Any visitor from country with GDPR-like opt-in requirements

Use CPRA settings for:

  • California visitors
  • Other US states with opt-out laws (Virginia, Colorado, etc.)

Use notice-only or no banner for:

  • US states without privacy laws
  • Countries without comprehensive privacy regulations

DigiConsent Pro’s geolocation makes it easy to apply the right compliance approach to each visitor automatically.

Enforcement and Penalties

The California Privacy Protection Agency (CPPA) and the California Attorney General enforce CPRA with significant penalties:

  • Civil Penalties: Up to $2,500 per violation (base amounts are adjusted periodically for inflation)
  • Intentional Violations, or violations involving minors’ data: Up to $7,500 per violation
  • Data Breaches: $100-$750 per consumer per incident, or actual damages if greater, in private lawsuits over breaches caused by a failure to maintain reasonable security
  • Cure Period: CCPA’s mandatory 30-day cure period was removed by CPRA; the agency may consider whether a business cured a violation, but is not required to offer the chance

Final CPRA Compliance Checklist

  • ✅ Consent behavior set to Opt-out
  • ✅ “Do Not Sell or Share My Personal Information” button on the banner, plus a persistent footer link that reopens the preference panel
  • ✅ Global Privacy Control (GPC) signals respected
  • ✅ Cookie categories enabled by default (user can opt out)
  • ✅ California-specific banner text with CPRA language
  • ✅ Privacy policy includes all required CPRA disclosures
  • ✅ Consent logging enabled
  • ✅ Opt-out mechanism functional and tested
  • ✅ Geolocation targeting configured for California (if Pro)
  • ✅ Consumer rights request process established
  • ✅ Third-party data sharing documented
  • ✅ No discrimination against opt-out users

CPRA compliance is more flexible than GDPR but still requires careful implementation. Using DigiConsent’s opt-out mode combined with clear messaging and functional opt-out mechanisms ensures you meet California’s privacy requirements while maintaining the ability to collect valuable analytics and marketing data from consenting users. For multi-region websites, DigiConsent Pro’s geolocation feature is invaluable for applying California-specific rules only where legally required.