California Consumer Privacy Act (CCPA/CPRA) Guide
An in-depth guide to CCPA/CPRA rights, notices, opt-outs, and implementation with examples and checklists.
The CCPA, amended by the CPRA, sets baseline privacy rights for California residents. This guide delivers a complete 2,000+ word walkthrough with H2/H3 sections, tables, step-by-step actions, common mistakes, and enforcement examples. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator to keep your policy stack aligned.
Core requirements
Notice at collection
Disclose categories, purposes, retention, and sharing/selling at or before collection. Provide links to opt-outs when applicable.
Rights and timelines
Support access, deletion, correction, portability, and opt-out of sale/share. Respond within 45 days (with a possible 45-day extension) and verify identity.
Sale/share and opt-outs
What counts as sale/share
Cross-context behavioral advertising often counts as sharing. Selling includes exchanging data for value. If uncertain, treat advertising cookies as sale/share and provide opt-outs.
Implementing opt-outs
Add a Do Not Sell/Share link and honor Global Privacy Control signals. Reflect the controls in your Cookie Policy and banner.
Step-by-step compliance plan
- Map data categories, purposes, recipients, and retention.
- Update your Privacy Policy with CCPA/CPRA disclosures and retention schedules.
- Add a Do Not Sell/Share link and preference center; test GPC.
- Update the Cookie Policy to classify cookies and explain opt-outs.
- Implement rights request intake, verification, and tracking.
- Execute service provider/contractor agreements with CPRA-required clauses.
- Review sensitive personal information uses and offer limitation mechanisms where required.
- Add CTA banners after the intro and before the conclusion.
- Capture screenshots of banners, preference center, and opt-out pages.
- Review quarterly or after product/vendor changes.
Rights and handling table
| Right | Timeline | Verification | Notes |
|---|---|---|---|
| Access/Deletion | 45 days (extendable) | ID/email checks | Provide categories and specific data if requested |
| Correction | 45 days | ID/email checks | Apply across systems |
| Opt-out sale/share | Immediate | No undue friction | Honor GPC signals |
| Limit sensitive data | Promptly | Minimal friction | Offer toggle and describe effect |
| No retaliation | Ongoing | Monitor offers/pricing | Document exceptions if allowed |
Common mistakes to avoid
- Hiding or omitting Do Not Sell/Share links.
- Ignoring GPC signals.
- Missing retention details in privacy notices.
- Treating ad tech as service providers without proper contracts.
- Providing only one channel for rights requests.
- Not logging requests and outcomes.
Enforcement examples and lessons
Sephora CPRA settlement (2022)
The California AG’s 1.2 million USD settlement, outlined in the press release, shows the risk of ignoring GPC and opaque tracking.
FTC dark pattern actions
The FTC has targeted deceptive opt-outs. Make opt-out flows clear and balanced with no hidden steps.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowMeta GDPR fine (2023)
While EU-focused, the 1.2 billion EUR fine reported by Reuters underscores scrutiny on transparency and transfers, relevant if you handle both California and EU users.
Operational playbook
Quarterly tasks
- Test Do Not Sell/Share and GPC flows.
- Refresh data inventories and retention schedules.
- Re-scan cookies/SDKs and update the Cookie Policy.
- Audit vendor contracts for CPRA terms.
- Update privacy policy categories and purposes as needed.
Change management
- Add a privacy checkpoint to product launches involving tracking or new data uses.
- Keep a changelog of notice updates with dates and approvers.
- Notify users of material changes and provide easy access to updated policies.
Accessibility and localization
- Keep links prominent and readable on mobile.
- Use plain language to describe rights and opt-outs.
- Provide accessible forms and support channels for requests.
- Offer translated notices if you serve multilingual audiences.
Audit and evidence kit
| Artifact | Purpose | Storage |
|---|---|---|
| Policy versions with timestamps | Prove disclosures | Policy archive |
| Opt-out/GPC logs | Prove honoring signals | CMP/consent platform |
| Rights request logs | Show SLA compliance | Ticketing/CRM |
| Vendor contracts | Prove service provider terms | Legal/procurement |
| Screenshots of banners/links | Show placement | Compliance folder |
Metrics to monitor
- Opt-out and GPC signals processed vs. failed.
- Rights request volumes and resolution times.
- Vendor contract coverage and review cadence.
- Bounce/exit rates on opt-out pages; reduce friction if high.
- Time from product change to policy and banner updates.
Additional notice templates
Footer snippet
Do Not Sell or Share My Personal Information | Privacy Policy | Cookie Policy | Manage Preferences
Email footer reminder
Californians: You can opt out of sale/share and manage cookies anytime via our preference center. We honor Global Privacy Control signals.
Testing matrix
| Scenario | What to test | Evidence |
|---|---|---|
| New visitor (CA) | Do Not Sell link visible; banner shows correct text | Screenshot, consent log |
| GPC enabled | Ads/analytics blocked or limited; opt-out recorded | CMP log, tag manager screenshot |
| Opt-out toggle | Tags disabled after toggle; persists across sessions | Before/after network logs |
| Rights request form | Works on mobile/desktop; accessible | Form submission logs |
Support and training
- Provide macros for explaining sale/share, GPC, and Do Not Sell links.
- Train marketing to avoid ambiguous language like “we never share data” if ad tech is in use.
- Give support a clear escalation path for rights requests and complaints.
- Keep a playbook for verifying identity securely.
Contracting tips
- Label vendors correctly as service providers/contractors when possible.
- Include CPRA clauses: limited use, assistance with rights, delete/return data, subprocessor notice.
- Track renewal dates and review periods for data processing terms.
- Keep a live vendor list to update your privacy notice quickly.
Incident response for opt-outs
- If opt-outs fail or tags fire incorrectly, pause affected tags, fix the banner/preference center, and document the incident.
- Notify impacted users when appropriate and outline steps taken.
- Re-test after fixes and store evidence.
DPIA/PIA considerations
- For new ad tech or data combinations, run a privacy impact assessment.
- Evaluate whether sale/share thresholds are triggered by new data uses.
- Update retention and sensitive data limitation language if scope changes.
Real-world examples to emulate
- Retailer with ad tags: Clear footer Do Not Sell/Share link, preference center with advertising toggle, banner explaining sale/share and GPC handling, updated privacy policy with retention by category.
- SaaS with analytics only: Declare analytics in privacy and cookie policies, honor GPC, and explain that data is used as a service provider where possible.
- Publisher with affiliates: Disclose affiliate tracking and ad sharing; provide an opt-out that disables affiliate pixels and honors GPC.
Governance and ownership
- Assign owners for policy updates, banner configuration, vendor contracts, and rights requests.
- Keep an approval log for policy edits and banner changes.
- Set KPIs for request SLAs, opt-out success rates, and contract coverage.
- Run quarterly reviews with marketing, legal, and engineering to keep alignment.
Extended notice content (privacy policy)
- Categories and examples of data.
- Purposes mapped to each category.
- Whether sale/share applies and how to opt out.
- Retention periods or criteria.
- Sensitive data handling and limitation options.
- Contact methods and appeal steps.
Consumer education ideas
- Add a short explainer video or FAQ in the preference center.
- Provide tooltips next to toggles describing what changes when off/on.
- Send a welcome email to California users summarizing rights and linking to policies.
- Offer a “What does Do Not Sell/Share mean?” article linked from the banner and footer.
Testing cadence
- Weekly: spot-check banners and Do Not Sell links on mobile and desktop.
- Monthly: GPC tests from multiple browsers; confirm opt-outs propagate to ad platforms.
- Quarterly: full cookie/SDK scan, policy refresh, contract audit.
- After product changes: immediate banner and policy validation.
Vendor and data map example
| Category | Vendors | Sale/share? | Notes |
|---|---|---|---|
| Analytics | GA4, CDP | Likely share | Document opt-out handling |
| Ads/retargeting | Ad platforms, DSP | Sale/share | Honor GPC, provide toggles |
| Payments | Payment processor | Service provider | No sale/share; list in privacy policy |
| Support | Help desk, chat | Service provider | Ensure contracts limit use |
Risk register items
- GPC not honored in certain browsers.
- Do Not Sell link missing on mobile.
- Vendor contract missing CPRA clauses.
- Retention schedule not implemented for specific data sets.
- Sensitive data used for ads without limitation toggle.
Sprint-ready action list
- Add Do Not Sell/Share link to header and footer; verify mobile.
- Update privacy policy with retention by category.
- Re-scan cookies and update vendor list.
- Test GPC and document results.
- Train support/marketing on new language; update macros.
Records to maintain
- Copies of notices at collection with dates.
- Versions of privacy/cookie policies with timestamps.
- Opt-out and GPC logs with evidence of propagation to vendors.
- Rights request tickets with verification steps.
- Contract repository showing CPRA clauses and renewal dates.
30-day action plan
- Week 1: Update notices and Do Not Sell/Share links; test banner and GPC.
- Week 2: Refresh privacy and cookie policies with retention details; capture screenshots.
- Week 3: Review vendor contracts for CPRA terms; update preference center.
- Week 4: Train support/marketing, finalize logs, and schedule the next quarterly review.
Key takeaways
- Make Do Not Sell/Share links and GPC handling visible and testable.
- Keep privacy and cookie policies updated with categories, purposes, and retention.
- Classify vendors correctly and maintain CPRA contract language.
- Log rights requests, opt-outs, and policy versions for evidence.
- Review quarterly and train teams so messaging and flows stay aligned.
Conclusion and next steps
CCPA/CPRA compliance requires clear notices, reliable opt-outs, and disciplined request handling. Use the Privacy Policy Generator and Cookie Policy Generator to align disclosures, link them from your terms, and keep logs for audits. Review quarterly to stay ahead of enforcement and maintain user trust.
Publication checklist
- Privacy policy updated with CPRA content.
- Do Not Sell/Share link and preference center live.
- Cookie banner and policy aligned with opt-outs.
- CTA banners placed; FAQ schema enabled.
- Screenshots and changelog captured.
Conclusion and next steps
CCPA/CPRA compliance requires clear notices, reliable opt-outs, and disciplined request handling. Use the Privacy Policy Generator and Cookie Policy Generator to align disclosures, link them from your terms, and keep logs for audits. Review quarterly to stay ahead of enforcement and maintain user trust.