April 28, 2026|8 min read

CCPA Website Compliance Checklist: What Your Site Must Have in 2024

CCPA compliance for websites requires specific UI elements, privacy policy language, and data practices — not just a cookie banner. This checklist covers everything California-facing sites must implement.

ZeriFlow Team

1,844 words


CCPA compliance is the California Consumer Privacy Act requirement that applies to any website collecting personal information from California residents above certain thresholds. Amended and strengthened by the California Privacy Rights Act (CPRA) in 2023, the law now imposes specific website requirements: mandatory opt-out links, updated privacy policy sections, consumer request mechanisms, and data practice disclosures.

If your site serves California residents and meets the threshold criteria, the CCPA/CPRA is not optional — and the California Privacy Protection Agency (CPPA) has demonstrated it will enforce.

Check your compliance posture: Free ZeriFlow security scan →

Do You Need CCPA Compliance? The Threshold Test

The CCPA (as amended by CPRA) applies to for-profit businesses that collect personal information from California consumers and meet at least one of:

  1. Annual gross revenues over $25 million (determined January 1 of each calendar year)
  2. Buy, sell, receive, or share for commercial purposes the personal information of 100,000 or more consumers or households per year
  3. Derive 50% or more of annual revenues from selling or sharing consumers' personal information

If you meet none of these thresholds, CCPA does not apply. However, even non-covered businesses often implement CCPA-aligned privacy practices because: (a) thresholds can be crossed without realizing it, (b) other US state privacy laws (VCDPA, CPA, CTDPA, etc.) have their own thresholds, and (c) enterprise customers ask about CCPA compliance in vendor questionnaires regardless of your size.


The Core CCPA Rights You Must Support

CCPA/CPRA grants California consumers five core rights that your website must be able to operationalize:

1. Right to Know — Consumers can request disclosure of what personal information you have collected about them, the sources, the purposes, and the third parties with whom you have shared it.

2. Right to Delete — Consumers can request deletion of personal information you have collected. Some exceptions apply (completing transactions, security purposes, legal obligations).

3. Right to Opt-Out of Sale/Sharing — Consumers can opt out of the sale or sharing of their personal information. "Sharing" under CPRA includes sharing for cross-context behavioral advertising (serving targeted ads), regardless of whether money changes hands.

4. Right to Correct — Added by CPRA. Consumers can request correction of inaccurate personal information.

5. Right to Limit Use of Sensitive Personal Information — Also added by CPRA. Consumers can limit the use and disclosure of sensitive personal information (SSN, financial account data, precise geolocation, health information, etc.) to only what is necessary to provide the service.


Required Website Elements: The CCPA Checklist

Privacy Policy Requirements

Your privacy policy must be updated at least once every 12 months and must include:

  • Categories of personal information collected in the past 12 months
  • Categories of sources from which personal information is collected
  • Business or commercial purpose for collecting or sharing personal information
  • Categories of third parties with whom personal information is shared
  • Consumer rights and how to exercise them
  • How you will respond to consumer requests
  • If you sell or share personal information: the categories sold/shared and the categories of third parties
  • If you use sensitive personal information: whether you use or disclose it for purposes beyond providing the service

"Do Not Sell or Share My Personal Information" Link

If you sell or share personal information (including for behavioral advertising), you must display a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" on your homepage and in your privacy policy. The link must lead to a page where consumers can opt out.

"Limit the Use of My Sensitive Personal Information" Link

If you use or disclose sensitive personal information for purposes beyond those strictly necessary to provide the service, you must provide a separate link allowing consumers to limit such use.

Global Privacy Control (GPC) Support

Under CPRA regulations, businesses that sell or share personal information must recognize and honor the Global Privacy Control signal — a browser-level opt-out that users can enable. If a user visits your site with GPC enabled, your site must treat it as an opt-out of sale/sharing and must not override or suppress the signal.
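The following is an added example, not ZeriFlow's code, showing how a site's server can honor GPC alongside the "Do Not Sell or Share" link: a `Sec-GPC: 1` request header is treated as an opt-out and is never overridden by a stored preference, and tags that share data for behavioral advertising are withheld for opted-out visitors. The cookie name, the tag catalog and the use of lowercased header names (as Node's `req.headers` provides) are assumptions.

```javascript
// Added example (not ZeriFlow's code). Assumed cookie name written by the
// "Do Not Sell or Share My Personal Information" page.
const OPT_OUT_COOKIE = 'ccpa_opt_out';

// Parse a Cookie request header into a plain object.
function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map(p => p.trim()).filter(Boolean).map(p => {
      const i = p.indexOf('=');
      return i < 0 ? [p, ''] : [p.slice(0, i), decodeURIComponent(p.slice(i + 1))];
    })
  );
}

// Decide whether this visitor has opted out of sale/sharing.
// Browsers with Global Privacy Control enabled send "Sec-GPC: 1".
// The signal wins over any stored preference: the regulations forbid
// overriding or suppressing it, so a stored "0" does not cancel GPC.
function resolveOptOut(headers) {
  if (String(headers['sec-gpc'] ?? '').trim() === '1') {
    return { optedOut: true, source: 'gpc' };
  }
  const cookies = parseCookies(headers['cookie']);
  if (cookies[OPT_OUT_COOKIE] === '1') return { optedOut: true, source: 'link' };
  return { optedOut: false, source: 'none' };
}

// Constructed tag catalog: scripts the page would load, and whether each one
// shares personal information for cross-context behavioral advertising.
const TAG_CATALOG = [
  { id: 'session-auth',  shares: false },
  { id: 'ad-pixel',      shares: true },
  { id: 'analytics-ads', shares: true },
];

// Only tags that do not share personal information load for an opted-out visitor.
function tagsToLoad(headers, catalog = TAG_CATALOG) {
  const { optedOut } = resolveOptOut(headers);
  return catalog.filter(t => !optedOut || !t.shares).map(t => t.id);
}

// Set-Cookie value the opt-out page writes when the consumer uses the link.
function optOutSetCookie() {
  return `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}
```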

Consumer Request Mechanism

You must provide at least two methods for consumers to submit CCPA requests: typically a web form and a toll-free phone number. For businesses with a primary online presence, an email address may substitute for the phone number. Requests must be acknowledged within 10 business days and fulfilled within 45 calendar days (extendable by another 45 with notice).


CCPA does not require a cookie banner in the same way GDPR does — it is an opt-out law, not an opt-in law. However, CPRA's requirement to honor the Global Privacy Control and the practical mechanics of opt-out create cookie management requirements:

Cookie audit — You must know what cookies your site sets, what data they collect, and whether any of that data is sold or shared with third parties. Third-party advertising and analytics cookies are the most likely to constitute "sharing" under CPRA.

Cookie management platform — A consent management platform (OneTrust, Cookiebot, Osano) can automate GPC signal detection, maintain opt-out preferences per user, and suppress third-party tracking for opted-out users.

Data mapping — CCPA's right-to-know requirements mean you must be able to answer: "What data do I have about this person?" For this to be operationally feasible, you need a data inventory that maps data types to collection points, storage locations, and sharing relationships.


CCPA vs. GDPR: Key Differences for Website Implementation

Many teams that have implemented GDPR compliance assume CCPA is covered. The frameworks overlap but diverge in important ways:

| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Legal basis | Requires positive legal basis for processing (consent, legitimate interest, etc.) | No equivalent requirement; opt-out rather than opt-in |
| Cookie consent | Opt-in required for non-essential cookies (ePrivacy Directive) | Opt-out required for sale/sharing; GPC must be honored |
| Geographic scope | Any processing of EU resident data, regardless of business location | California residents; threshold requirements apply |
| Sensitive data | Special categories with explicit consent requirement | Right to limit; stricter rules but no prior consent required |
| Data breach notification | 72 hours to supervisory authority | Required if non-encrypted personal information is breached |
| Children's data | Under 16 (under 13 in some cases) requires guardian consent | Under 16: opt-in required for sale/sharing; under 13: COPPA applies |

For practical website implementation, the most important difference is the consent model: GDPR requires opt-in for non-essential cookies; CCPA requires opt-out for sale/sharing. A site with a GDPR cookie banner that blocks all third-party tracking until consent is given will often be CCPA-compliant for opted-out users by default — but you must still have the "Do Not Sell or Share" link and honor GPC.


Technical Data Security Requirements

CCPA/CPRA section 1798.150 creates a private right of action for consumers whose non-encrypted, non-redacted personal information is subject to unauthorized access due to the business's failure to implement and maintain reasonable security procedures.

"Reasonable security" is not defined in the statute. California courts have looked to the CIS Controls and the NIST Cybersecurity Framework as reference points. At the web layer, this means:

  • HTTPS enforced with valid TLS configuration — Unencrypted transmission of personal information is the clearest possible failure of reasonable security.
  • Security headers deployed — CSP, HSTS, and related headers are part of a demonstrably reasonable security posture.
  • Access controls — Personal information should be accessible only to users and systems with a business need.
  • Vulnerability management — Known vulnerabilities in your web stack that expose personal information, left unpatched, could support a "failure to implement reasonable security" argument.
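As an added example (not ZeriFlow's scanner), the function below audits one HTTP response against the web-layer items above: HTTPS, HSTS, CSP and cookie attributes. Header names are assumed lowercased as Node's http module delivers them, `set-cookie` is an array, and the one-year HSTS minimum is an assumed threshold.

```javascript
// Added example (not ZeriFlow's code). Assumed threshold: HSTS max-age of at
// least one year counts as "enforced"; anything lower is flagged.
const ONE_YEAR = 31536000;

// Parse a Set-Cookie value into the attributes the audit cares about.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map(s => s.trim());
  const name = pair.split('=')[0];
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return { name, secure: flags.has('secure'), httpOnly: flags.has('httponly'),
           sameSite: flags.has('samesite') };
}

// Return a list of findings; an empty list means every check passed.
function auditResponse({ scheme, headers }) {
  const findings = [];
  if (scheme !== 'https') findings.push('transport: not served over HTTPS');
  const hsts = headers['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('hsts: header missing');
  else if (!maxAge || Number(maxAge[1]) < ONE_YEAR) findings.push('hsts: max-age below one year');
  if (!headers['content-security-policy']) findings.push('csp: header missing');
  for (const sc of headers['set-cookie'] ?? []) {
    const c = parseSetCookie(sc);
    if (!c.secure) findings.push(`cookie ${c.name}: missing Secure`);
    if (!c.httpOnly) findings.push(`cookie ${c.name}: missing HttpOnly`);
    if (!c.sameSite) findings.push(`cookie ${c.name}: missing SameSite`);
  }
  return findings;
}

// Constructed sample responses: a weak configuration and a hardened one.
const WEAK = { scheme: 'https', headers: {
  'set-cookie': ['sid=abc123; Path=/'] } };
const HARDENED = { scheme: 'https', headers: {
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
  'content-security-policy': "default-src 'self'",
  'set-cookie': ['sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'] } };
```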

ZeriFlow checks the technical security controls that CCPA's "reasonable security" standard requires at the web layer — TLS configuration, security headers, cookie attributes, DNS security, and more — giving you a documented, auditable view of your technical posture.


FAQ

Q: Does CCPA apply to B2B businesses that only have business contacts in their database?

A: CPRA removed the B2B exemption that existed in the original CCPA. As of January 1, 2023, business contacts (employees, contractors, job applicants, and B2B contacts) are covered by CCPA/CPRA. If you have a form that captures business email addresses or contact information from California-based individuals, they have CCPA rights over that information.

Q: What is the penalty for CCPA non-compliance?

A: The California Privacy Protection Agency can impose fines of up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Each individual consumer whose rights are violated can constitute a separate violation. For a large-scale data sale or a missing "Do Not Sell" link affecting millions of consumers, penalties can reach into the millions. Additionally, the private right of action for data breaches allows statutory damages of $100–$750 per consumer per incident.

Q: Does using Google Analytics count as "sharing" personal information under CCPA?

A: Possibly. Under CPRA, "sharing" includes sharing personal information for cross-context behavioral advertising, which can include how Google uses analytics data for ad targeting. The CPPA's enforcement guidance and several settlements suggest that sharing data with advertising platforms via cookies requires the "Do Not Sell or Share" link and GPC support. The safer approach: implement a CMP that handles GPC, add the required link, and configure Google Analytics in privacy-preserving mode (IP anonymization, no advertising features) or switch to a non-advertising analytics solution.

Q: Can I use a pop-up to get CCPA compliance?

A: CCPA does not require a consent pop-up. It requires an opt-out mechanism, not prior consent. A pop-up informing users about your data practices and offering an opt-out is fine, but you cannot use dark patterns that make opting out difficult. The CPPA has specifically called out designs that require consumers to click through multiple screens to opt out, or that present opt-out options in smaller, less prominent text than opt-in options.

Q: What other US state privacy laws follow the CCPA model?

A: As of 2024, comprehensive state privacy laws are in effect in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Florida (FDBR), Montana, Oregon, and others. Most follow an opt-out model similar to CCPA, though California's CPRA is the most stringent. A CCPA-compliant website with GPC support is typically well-positioned for compliance with most other US state privacy laws.


Conclusion

CCPA compliance for your website is a combination of UI elements (Do Not Sell link, privacy policy updates, consumer request mechanism), technical implementation (GPC signal support, cookie management), and operational practices (data mapping, request fulfillment within 45 days).

The technical security baseline — HTTPS enforced, reasonable security controls in place — is also CCPA-relevant: California's private right of action for data breaches makes your web security configuration part of your legal risk exposure.

Run a free compliance-focused scan on ZeriFlow →
