The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), is one of the most stringent privacy regulations in the United States. It’s designed to protect personal information belonging to consumers who are residents of the state. 

One of its requirements is giving consumers ownership and control over their personal information, ensuring data protection. Since cookies can collect information and might be considered “unique identifiers,” their use can be regulated by this law. 

If you’re not sure whether you’re compliant with the CCPA cookie consent requirements—or even if you need to be—this article is for you. In this guide, we’ll address everything you need to know, from the CCPA’s requirements to people's misconceptions about it, including the importance of user consent.  

This brings us to one of the most popular misconceptions about the CCPA. It might surprise you to know that acquiring cookie consent is not a requirement for all businesses under the CCPA. You only need cookie consent as part of CCPA compliance if: 

  • Your business qualifies under the CCPA, and, 
  • The cookies you use collect the personal information of minors or collect personal information that will be sold to or shared with third parties. 

Who Qualifies Under the CCPA? 

A business has to comply with the CCPA if it’s a for-profit organization operating in California and meets at least one of the following criteria: 

  • Earns a gross annual revenue of more than $25 million; 
  • Buys, sells, or shares personal information of 100,000 or more California residents or households; or, 
  • Derives 50% or more of its annual revenue from selling or sharing the personal information of California residents. 

As you can see, the law only covers California residents, not visitors to the state. It also does not cover not-for-profit organizations or government bodies. 

That means your business must meet one of these thresholds before CCPA compliance is required. Of course, we’d encourage you to aim for compliance even if you aren’t required to—your situation may change in the future, you may be subject to similar privacy laws, or you might simply want to secure consumers’ trust.  

However, if you don’t qualify under the CCPA, you are not required to get cookie consent. That brings us to the second part of the requirements: the types of cookies you need consent for. 

Types of Cookies 

Cookies are small text files that websites store in the user’s browser to deliver certain functionality. They can be set either by the website itself or by its partners, and a cookie consent banner is how many sites tell users which ones are in use.  

Let’s say the website has a feature that’s actually a service provided by someone else. For example, you’ve likely seen websites set space aside to show advertisements. These advertisements could be powered by a third-party ad-tech network. Similarly, a live chat feature added through a plugin is also quite common. These third parties might install cookies to deliver their service. 

In the case of third-party ads, businesses allow ad-tech networks to use third-party cookies to collect user data, track preferences, and target ads on their own and other websites that participate in the ad network. This particular use case for third-party cookies has drawn criticism, as many users don’t want their browsing behavior to follow them around on the internet. 

There are two types of cookies based on who sets them: 

  • First-party: Set by the website 
  • Third-party: Set by an external partner 

You can also classify cookies based on their function: 

  • Essential: These cookies are necessary for the proper functioning of the site and might collect personal information necessary for the services offered by the website. Because that information is used only internally for operational purposes, it is not sold or shared, so these cookies fall outside the opt-out requirement; the categories of data they collect still have to be described in your privacy notice. 
  • Preference or personalization: These save the likes and dislikes of a consumer, like their language preference, custom view of the website, etc. 
  • Advertising: These trackers follow users across websites to gather data which is then used to determine the ads they should be shown. 

Another fact that might surprise you is that the CCPA does not require explicit opt-in cookie consent for data collection. This is the biggest difference between the GDPR, the European data privacy regulation, and the CCPA—the former requires opt-in consent, while the latter follows the opt-out model. 

What does that mean? 

The opt-in model of the GDPR means that you must have the consumer’s explicit permission before you can collect their personal data. If they refuse, you have to respect their decision. 

Under the CCPA, however, a business does not need the consumer’s opt-in consent to collect information about them. The only exception is when the consumer is a minor. In that case, the business must obtain opt-in consent before selling or sharing the personal information of users who are at least 13 but under 16, and consent from a parent or guardian for users under 13.  

Of course, you can’t always know if a visitor to your site is a child; that’s why the CCPA applies this standard to businesses that have “actual knowledge” that a user is a child, and a business that willfully disregards a consumer’s age is treated as having that knowledge. Actual knowledge is likely, for example, if you provide a service marketed to children. 

Otherwise, the business is allowed to collect personal information using cookies—no consent required—with certain caveats.  

Transparency 

A business must provide consumers with detailed information about what categories of data it collects through cookies and how it uses that information.  

It must disclose if it has third-party cookies on its website. Again, their purpose and use have to be specified, whether it’s for analytics, advertising, or another purpose. It must also disclose whether the data collected by third parties is sold or shared and if the business itself shares or sells their data.  

Opting Out of the Sale or Sharing of Data 

Users must be given a clear and easy way of opting out of the sale or sharing of their personal information. This is usually in the form of a “Do Not Sell or Share My Personal Information” link. 

Under the CPRA amendment, businesses that collect sensitive personal information also need to provide a “Limit the Use of My Sensitive Personal Information” link. This lets users restrict the use and disclosure of their sensitive personal information to what is necessary to provide the goods or services they requested.  

Once a user opts out, the business must stop selling or sharing their personal information as soon as feasibly possible (the CCPA regulations allow no more than 15 business days) and must pass the request on to any third parties it sold or shared the data with in the meantime. This can be difficult since transfer mechanisms tend to be automatic; that’s why it’s important to use a consent management platform to operationalize users’ opt-out requests. 

If a user exercises their right to opt out, the business must respect that decision without penalizing or discriminating against them. 

They must also give the user at least 12 months before asking them if they’d like to opt in again. 

At this point, it’s important to understand that the right to opt out only applies to the sale or sharing of personal information with third parties. It doesn’t mean the business has to stop the collection of data. It can still collect and process information for use internally.  

Furthermore, businesses can still transfer consumers’ personal information to service providers or contractors. Even though one might think of these partners as third parties, the CCPA has specific definitions for “third parties,” “service providers,” and “contractors.”  

Service providers and contractors must have specific contractual requirements in place that limit how they can use personal information, so transfers to these entities are exempt from users’ opt-out requests. You can learn more about the definitions and requirements for third parties, service providers, and contractors under the CCPA in What Is 'Do Not Sell My Personal Information' & How Can You Comply? 

The opt-out language has also been made more specific under the CPRA. Instead of “do not sell,” it is now “do not sell or share,” where “sharing” means disclosing personal information to a third party for cross-context behavioral advertising, whether or not money or other consideration changes hands. The change closes the gap for ad-tech arrangements that involve no direct payment. 

Consumer Rights Requests 

Under the CCPA, consumers have the right to ask a business to disclose the categories and specific pieces of personal information it has collected from them. This can be done through an online form, a toll-free number, or another designated means made available to users. 

The consumers also have the right to: 

  • Opt out of the sale or sharing of their data: As described above, the consumer can revoke permission to sell or share their personal data at any time. 
  • Request corrections: Under the CPRA amendment, consumers can ask the business to rectify inaccuracies in their personal information. 
  • Request deletion: The consumer can ask the business to delete any of their personal information, with certain exceptions. For example, a consumer can’t ask a credit card company to delete their information and have their debt vanish. They can’t ask you to delete any personal information if it prevents you from delivering your service or completing a transaction they requested. You can deny the request for deletion if you need their information to comply with legal obligations. The request can also be denied if the information is needed to detect or prevent fraud, security incidents, or other illegal activities. 

It’s also important to note that a consumer can legally ask for this information twice in a 12-month period. You also can’t charge them for it unless the requests are excessive, repetitive, or unfounded. Even then, the amount you charge should be reasonable.  

You can also deny requests that are “manifestly unfounded or excessive,” but the burden of proving that a request is unfounded or excessive falls on you. If you choose to deny a request under this basis, you’ll want to gather plenty of documentation that demonstrates how you reached your conclusion.  

Universal Opt-Out Mechanisms 

The Global Privacy Control (GPC) initiative aims to create a global browser setting that users can use for their online privacy. This technology is known as a universal opt-out preference signal or universal opt-out mechanism (UOOM) because it allows users to set their preference once and then have it applied to every website they visit.  

Under the CCPA (as amended by the CPRA), if a user opts out by using a UOOM, you are legally obliged to honor that request even if they did not interact with your “Do Not Sell or Share My Personal Information” link. 

Generally, you'll need some sort of solution to enable your website to ingest and act on UOOM signals. Take a look at Osano's documentation to see how we do it.
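The following is an added example, not Osano’s code or code from the original article, showing one way to treat both an explicit “Do Not Sell or Share” choice (described in the opt-out section above) and a GPC signal as valid opt-outs before any third-party advertising tag is loaded. GPC arrives as the request header Sec-GPC: 1 and, in the browser, as navigator.globalPrivacyControl === true. The opt-out cookie name, the ad-tag URL, and the sample requests are assumptions constructed for this example.

```javascript
// Added example (not Osano's code): honour CCPA opt-out signals before loading
// any third-party advertising tag. Both the explicit "Do Not Sell or Share"
// choice and a Global Privacy Control (GPC) signal count as opt-outs.
//
// GPC is delivered two ways: as the request header "Sec-GPC: 1" and, in the
// browser, as navigator.globalPrivacyControl === true. The opt-out cookie name
// below is an assumption for this example, not a standard.

const OPT_OUT_COOKIE = "ccpa_opt_out";
const GPC_HEADER = "sec-gpc";

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function headerValue(headers, name) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name) return String(value);
  }
  return undefined;
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Server side: only the exact value "1" means opt-out; anything else is
// treated as "no signal", not as consent.
function gpcFromHeaders(headers) {
  return (headerValue(headers, GPC_HEADER) || "").trim() === "1";
}

// Client side: the browser exposes the same preference on navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// A request is opted out if ANY signal says so. The user does not have to
// click the link for GPC to count, and a click must persist (via the cookie)
// even if the browser later stops sending GPC.
function isOptedOut({ headers, nav } = {}) {
  const cookies = parseCookieHeader(headerValue(headers, "cookie"));
  return (
    gpcFromHeaders(headers) ||
    gpcFromNavigator(nav) ||
    cookies[OPT_OUT_COOKIE] === "1"
  );
}

// Set-Cookie value that persists an explicit opt-out made on the
// "Do Not Sell or Share My Personal Information" page.
function optOutSetCookie(maxAgeDays = 365) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=${maxAge}; Secure; SameSite=Lax`;
}

// Cookie categories this response may set. Essential and preference cookies
// are not sold or shared, so they are unaffected; advertising cookies that
// feed cross-context behavioural advertising are suppressed on opt-out.
function allowedCategories(request) {
  const optedOut = isOptedOut(request);
  return { essential: true, preference: true, advertising: !optedOut };
}

// Scripts to inject into the page for this request. The ad-tech URL is a
// placeholder; the first-party bundle always loads.
function tagsToLoad(request, adTagUrl = "https://ads.example.net/tag.js") {
  const tags = ["/static/app.js"];
  if (allowedCategories(request).advertising) tags.push(adTagUrl);
  return tags;
}

// Body for /.well-known/gpc.json, which the GPC draft specification uses to
// let a site declare that it honours the signal.
function gpcWellKnown(lastUpdate = "2024-01-01") {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests.
const gpcRequest = { headers: { "Sec-GPC": "1", Cookie: "sid=abc" } };
const linkRequest = { headers: { Cookie: "sid=abc; ccpa_opt_out=1" } };
const plainRequest = { headers: { "User-Agent": "example" } };

console.log(tagsToLoad(gpcRequest)); // ['/static/app.js']
console.log(tagsToLoad(linkRequest)); // ['/static/app.js']
console.log(tagsToLoad(plainRequest)); // ['/static/app.js', 'https://ads.example.net/tag.js']
```

The decision is made server-side on purpose: a third-party tag embedded in the HTML fires before any first-party client script can read navigator.globalPrivacyControl, so the header check is what keeps the ad network from ever receiving the request. The client-side check is still useful for single-page apps that load tags after the initial response. Note that suppressing the tag only stops future sharing; the opt-out page also needs to notify partners that already received the data.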

Okay, That Was a Lot 

Let’s quickly sum up the CCPA’s cookie requirements. 

You only need to comply with the CCPA and its cookie regulations if: 

  • Your business qualifies under the CCPA, and, 
  • You use first- or third-party cookies that collect personal information 

You don’t need users’ opt-in consent to collect personal information for sharing or selling (unless they are a minor), but you do have to: 

  • Be transparent about the use of personal information collected from cookies 
  • Give users the ability to opt out of the sale or sharing of their personal and sensitive personal data 
  • Provide them access to their personal information 
  • Respect GPC/UOOM signals 

Under the CCPA, cookie banners are not a requirement. To be clear, a cookie banner is the popup notification you get when you visit a website for the first time. It might contain information about what cookies the site uses and their purpose. It might also ask you to give—or deny—consent for data collection and sharing. The user has to interact with it in some way to close or remove it. 

The CCPA, however, does not require a cookie banner. It only requires you to “provide a clear and conspicuous link on the business’s internet homepages, titled “Do Not Sell or Share My Personal Information,” to an internet web page that enables a consumer […] to opt-out of the sale or sharing of the consumer’s personal information.” 

It also expects you to “provide a clear and conspicuous link on the business’s internet homepages, titled “Limit the Use of My Sensitive Personal Information,” that enables a consumer [...] to limit the use or disclosure of the consumer’s sensitive personal information.” 

If you did have a cookie banner on your website, it could just inform the users about the cookies you use and contain a link to your cookie policy. That would be enough for CCPA cookie compliance. 

You could also use a cookie notice, which is a static section of a website, like the footer or privacy policy page. This would contain a brief overview of the types of cookies you use on the website. It might also explain how you process and use that information.  

Like a cookie banner, cookie notices should link to your privacy policy page, which has all the information about your website’s use of cookies and other data processing practices in greater detail. A cookie notice should also explain consumers' rights regarding deletion, access to their information, opting out, and the right not to be discriminated against. 

It may also have the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links. 

The important components of the cookie notice, according to the CCPA, are: 

  • The types of cookies you use 
  • The data collected by these cookies and how you use it, including whether you share or sell it 
  • The retention period of the cookies on the user’s device or browser 
  • A means of opting out of the sale or sharing of personal information 
  • A means of limiting the use of sensitive personal information 
  • An overview of their rights as a consumer under the CCPA 


Use this checklist to stay compliant with the CCPA and protect user privacy.

1. Confirm CCPA Applicability

Your business must comply with the CCPA if it is a for-profit entity doing business in California and meets at least one of the following: 

  • Annual gross revenue exceeding $25 million; 
  • Buys, sells, or shares the personal information of 100,000 or more California consumers or households annually; or, 
  • Derives 50% or more of its annual revenue from selling or sharing personal information.

2. Assess Your Cookie Practices

  • Identify the cookies on your website: essential, analytics, advertising, and preference cookies. 
  • Check if cookies collect personal information, such as IP addresses, geolocation, or browsing history.

3. Ensure Transparency

  • Update your privacy policy to disclose: 
    • Categories of personal information collected via cookies 
    • Purposes of cookie usage (e.g., analytics or advertising) 
    • Use of third-party cookies and their purposes, including whether the data is sold or shared 
  • Provide users with a “Do Not Sell or Share My Personal Information” link

4. Respect Opt-Out and UOOM Requests

  • Allow users to opt out of data sale or sharing via a clearly visible link. 
  • Honor GPC or other UOOM signals as valid opt-out requests. 

5. Manage Cookie Preferences

  • A cookie banner is optional under the CCPA, but if you also serve users in opt-in jurisdictions (such as the EU), offer one with options to accept all, reject all, or customize preferences. 
  • Include a “Cookie Preferences” link for ongoing user control. 

6. Comply with Minors’ Data Requirements

  • Obtain opt-in consent before selling or sharing the data of users who are at least 13 but under 16. 
  • Obtain parental or guardian consent for users under 13. 

7. Limit Sensitive Personal Information

  • Include a “Limit the Use of My Sensitive Personal Information” link if you collect sensitive personal information (e.g., precise geolocation or biometric data) and use it beyond what is necessary to provide your service. 

8. Support Consumer Rights

  • Provide tools for users to access, delete, or correct their personal information collected via cookies or other means. 

Cookie consent management might seem straightforward, but it encompasses several processes that have to be carried out promptly and automatically. If someone clicks the opt-out link, you must stop selling and sharing their personal information as soon as feasibly possible, and no later than 15 business days. 

If you receive a request to know what personal information you have collected through cookies, you must respond within 45 days of receiving it (extendable once by a further 45 days if you notify the consumer). The same deadline applies to deletion and correction requests. 

Automation just makes these processes easier.  

Plus, you also need to consider the fact that a website could have visitors from all over the world. If you collect information from someone in the EU, their information is protected by the GDPR, which requires opt-in cookie consent.  

With a cookie consent and privacy management platform like Osano, staying compliant becomes easy. It’s easy to implement and keeps you compliant with the privacy laws of over 50 countries. It takes very little time to configure it and create customized cookie banners. 

Find out how it can keep you compliant with CCPA cookie consent requirements. 

Schedule a demo of Osano today
