CCPA & CPRA Cookie Consent: What California Privacy Law Means for Your Website
Understanding California's Privacy Framework
California has led the United States in consumer privacy legislation, and its laws affect websites worldwide. The California Consumer Privacy Act (CCPA), significantly amended by the California Privacy Rights Act (CPRA) effective January 2023, creates obligations for any business that collects personal information from California residents — regardless of where that business is physically located.
For website owners, the practical implications centre on cookies, tracking technologies, and how user data is shared with third parties. While the California model differs fundamentally from Europe's GDPR, it still requires careful attention to consent mechanisms and user rights.
CCPA/CPRA: Who Is Covered?
The law applies to for-profit businesses that meet any one of the following thresholds:
- Annual gross revenue exceeding $25 million.
- Buying, selling, or sharing the personal information of 100,000 or more California residents, households, or devices annually.
- Deriving 50 percent or more of annual revenue from selling or sharing California residents' personal information.
The second threshold is particularly important for websites with advertising. If your site uses third-party cookies for targeted advertising and receives significant California traffic, you may be processing the data of well over 100,000 California users annually through those cookies alone.
Opt-Out vs Opt-In: The Fundamental Difference from GDPR
This is the most critical distinction for website operators to understand. Under GDPR, the default is opt-in: you cannot set non-essential cookies until the user actively consents. Under CCPA/CPRA, the default is opt-out: you may process personal information (including through cookies) until the user tells you to stop.
This means the consent experience for California visitors looks fundamentally different:
- GDPR approach: Block all non-essential cookies. Display a banner. Wait for affirmative consent. Only then set cookies.
- CCPA/CPRA approach: Cookies may be set by default. Provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link. When a user exercises this right, stop sharing their data with third parties.
However, there are important exceptions. For minors under 16, CCPA/CPRA switches to an opt-in model — you must obtain affirmative consent before selling or sharing their personal information. For children under 13, a parent or guardian must provide that consent.
The "Do Not Sell or Share" Requirement
CPRA expanded the original CCPA's "Do Not Sell" right to include "sharing" — which specifically targets the kind of data exchange that happens through third-party advertising cookies. When a user visits your site and your cookies send their browsing data to advertising networks, that constitutes sharing under CPRA, even if no money changes hands directly.
Your obligations include:
- A clear link titled "Do Not Sell or Share My Personal Information" on your homepage and in your privacy policy.
- A mechanism for users to exercise this right easily, without requiring account creation.
- Honouring the request within 15 business days.
- Not discriminating against users who exercise this right (for example, by degrading their experience).
Global Privacy Control (GPC)
The Global Privacy Control is a browser-level signal that users can enable to automatically communicate their opt-out preference to every website they visit. Major browsers including Firefox and Brave support GPC natively, and browser extensions add support to Chrome and others.
Under CPRA regulations, businesses must honour GPC signals as a valid opt-out request. This has significant practical implications:
- Your website must be able to detect the Sec-GPC: 1 HTTP header or the navigator.globalPrivacyControl JavaScript property.
- When detected, you must treat it as equivalent to the user clicking "Do Not Sell or Share."
- Third-party cookies used for advertising must be suppressed for these users.
GPC adoption is growing steadily. Estimates suggest that 5 to 10 percent of web traffic now carries a GPC signal, and this percentage is higher among privacy-conscious users in California.
When Do You Actually Need a Cookie Banner for California?
This is where many businesses get confused. Strictly speaking, CCPA/CPRA does not require a European-style cookie consent banner because of the opt-out model. However, you do need:
- A "Do Not Sell or Share" link that is easily accessible.
- A mechanism to suppress third-party data sharing when a user opts out or sends a GPC signal.
- A privacy policy that discloses the categories of personal information collected, the purposes, and the third parties with whom data is shared.
- For sites that also serve European visitors, a GDPR-compliant consent banner that can coexist with the CCPA opt-out mechanism.
In practice, most websites that serve both European and California audiences implement a unified consent interface that adapts its behaviour based on the visitor's location. This avoids maintaining two completely separate consent systems.
Practical Implementation Considerations
Implementing CCPA/CPRA compliance alongside GDPR compliance creates a dual-mode challenge. Your consent management platform needs to:
- Detect the visitor's location accurately using IP-based geolocation.
- Apply the correct legal framework — opt-in for EEA/UK visitors, opt-out for California visitors, and potentially no requirements for visitors from other regions.
- Manage the "Do Not Sell or Share" link for California visitors, either within the banner or as a standalone page element.
- Detect and honour GPC signals before any third-party cookies are set.
- Control cookie behaviour accordingly — blocking third-party advertising cookies for users who have opted out while allowing first-party analytics to continue.
The technical implementation must also account for the distinction between first-party analytics cookies (generally permissible under CCPA/CPRA as a business purpose) and third-party advertising cookies (which constitute sharing and are subject to opt-out).
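The GPC detection described in the Global Privacy Control section and the dual-mode decision list above, carried through as an added example that is not FlexyConsent's own code. The region codes ("EEA", "UK", "CA", "OTHER"), the cookie category names and the shape of the input object are assumptions made for illustration; the two GPC checks use the header and property named on this page.

```javascript
// Added example (not FlexyConsent's own code): a small dual-mode consent
// policy resolver. The region codes, category names and input shape are
// assumptions made for illustration.

// Server side: a GPC-enabled browser sends the "Sec-GPC: 1" request header.
function gpcFromHeaders(headers) {
  // Header names are case-insensitive, so normalise before comparing.
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Client side: navigator.globalPrivacyControl is true when GPC is enabled.
// The navigator object is passed in so the check also runs outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which cookie categories may load for one visitor.
//   region:      "EEA", "UK", "CA" (California) or "OTHER" (assumed codes)
//   gpc:         result of one of the detectors above
//   optedOut:    visitor previously clicked "Do Not Sell or Share"
//   gdprConsent: categories an EEA/UK visitor affirmatively accepted
function resolveConsentPolicy({ region, gpc, optedOut, gdprConsent = [] }) {
  if (region === "EEA" || region === "UK") {
    // Opt-in: no non-essential category until the visitor accepts it.
    return {
      mode: "opt-in",
      analytics: gdprConsent.includes("analytics"),
      advertising: gdprConsent.includes("advertising"),
    };
  }
  if (region === "CA") {
    // Opt-out: a GPC signal counts the same as clicking the link. First-party
    // analytics continues (business purpose); advertising/sharing stops.
    const sharingAllowed = !(gpc || optedOut);
    return { mode: "opt-out", analytics: true, advertising: sharingAllowed };
  }
  // Unregulated region: no consent requirement in this model.
  return { mode: "none", analytics: true, advertising: true };
}

// Gate third-party tag loading on the policy so advertising scripts are
// never even requested for an opted-out or GPC visitor.
function tagsToLoad(policy, tags) {
  return tags.filter((tag) => policy[tag.category] === true);
}
```

The important ordering point is that resolveConsentPolicy runs, with the GPC result already known, before any tag loader is invoked, so the opt-out is honoured before the first third-party request rather than after it.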
FlexyConsent Geo-Targeting for California Visitors
FlexyConsent handles the dual-mode challenge through automatic geo-targeting. When a California visitor arrives at your site, FlexyConsent adjusts its behaviour to match CCPA/CPRA requirements:
- Opt-out mode activation: Instead of blocking all cookies upfront, FlexyConsent displays the required "Do Not Sell or Share My Personal Information" option prominently.
- GPC signal detection: FlexyConsent automatically checks for the Global Privacy Control signal and, when present, suppresses third-party data sharing without requiring any user interaction.
- Category-aware blocking: When a California user opts out, FlexyConsent selectively blocks advertising and cross-site tracking cookies while preserving first-party analytics functionality that falls under the business purpose exemption.
- Seamless GDPR coexistence: The same FlexyConsent installation handles both frameworks. European visitors see a GDPR-compliant opt-in banner with granular category controls. California visitors see the appropriate opt-out mechanism. Visitors from unregulated regions receive a minimal notice or no banner at all, depending on your configuration.
As a Google-certified CMP supporting IAB TCF 2.3 and Consent Mode V2, FlexyConsent ensures that consent signals are properly communicated to Google services regardless of which legal framework applies. This means your Google Analytics and Google Ads configurations work correctly for both opted-in European users and non-opted-out California users.
Key takeaway: California's opt-out model may seem less restrictive than GDPR's opt-in approach, but the practical requirements — particularly around GPC signals and the broad definition of "sharing" — mean that most advertising-supported websites need a sophisticated consent management solution. Implementing geo-targeted consent that adapts to both frameworks is far more reliable than trying to apply a single approach globally.