CCPA — California's Privacy Law, Explained

What the California Consumer Privacy Act means for your website, your cookies, and your consent strategy.

The California Consumer Privacy Act (CCPA) was the first comprehensive privacy law in the United States. It took effect January 1, 2020, and was substantially expanded by the California Privacy Rights Act (CPRA) in 2023.

If you do business in California, or have visitors from California, this law applies to you. And California doesn’t mess around.

CCPA vs CPRA: what’s the difference

Think of CPRA as CCPA 2.0. It didn’t replace CCPA; it strengthened it. Key additions:

  • Created the California Privacy Protection Agency (CPPA), the first dedicated privacy enforcement agency in the US
  • Added the right to correct inaccurate data
  • Added the right to limit use of sensitive personal information
  • Expanded the definition of “sensitive” data
  • Required data protection assessments for high-risk processing

Who must comply

You need to comply if you’re a for-profit business that does business in California AND meets at least one of these thresholds:

  1. Buy, sell, or share personal info of 100,000+ consumers or households per year
  2. Gross annual revenue over $26.6 million
  3. Derive 50% or more of annual revenue from selling personal information

Here’s the catch: if your website uses common ad tech (Google Analytics, Meta Pixel, ad networks), that “sale or share” threshold can be met by a modest blog.

What’s personal info under CCPA

Extremely broad. Includes:

  • Names, emails, addresses, phone numbers
  • IP addresses, cookie IDs, device fingerprints
  • Browsing history, search history
  • Precise geolocation (within 1,850 feet)
  • Biometric data, inferred preferences, behavioral profiles

If a tracker on your site can identify someone, it’s collecting CCPA-regulated data.

Consumer rights

Californians have the right to:

  1. Know what you collect and who you share it with
  2. Delete their data (with some exceptions)
  3. Opt out of the sale or sharing of their data
  4. Correct inaccurate information
  5. Limit use of sensitive personal information
  6. Non-discrimination: you can’t punish people for exercising rights

What this means for cookies

Under CCPA/CPRA, cookies and tracking technologies are personal information. Third-party cookies from ad networks and analytics services trigger “sale” or “share” obligations.

You need:

  • A “Do Not Sell Or Share My Personal Information” link
  • A privacy policy listing categories of data collected, sold, and shared
  • Respect for Global Privacy Control (GPC) browser signals

Opt-out model (mostly)

Unlike GDPR, CCPA uses an opt-out model for adults. You don’t need prior consent before collecting data (except for minors under 16). You do need to give people a clear way to say “stop selling my data.”

But here’s the practical reality: if you also have EU visitors, you need GDPR-level consent anyway. Most sites standardize on the higher bar, and a head-to-head GDPR vs CCPA vs ePrivacy breakdown shows why. California sets the pattern, but other US states are passing their own laws, and Virginia’s VCDPA follows a similar opt-out model with narrower scope.

How Zest handles it

Zest gives you a CCPA-compliant banner with a clear opt-out mechanism, GPC signal detection, and the ability to serve different compliance modes by geography. One script. No subscription.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.