CPRA

California Consumer Privacy Act / California Privacy Rights Act

Key Facts

Effective Date
January 1, 2023
Enacted
November 3, 2020
Enforcing Authority
California Privacy Protection Agency (CPPA); California Attorney General
Consent Model
Opt-out
Fulfillment Time
45 days
Applies To
For-profit businesses: >$26.6M annual revenue OR 100,000+ CA consumers OR 50%+ revenue from selling/sharing PI

Overview

The CPRA (California Privacy Rights Act) amended and expanded the CCPA into the most comprehensive US state privacy law, and the only one with a dedicated enforcement agency, the California Privacy Protection Agency (CPPA). It defines disclosing personal information for cross-context behavioral advertising, including via cookies, as "sharing", so cookie-based ad tracking is subject to the same opt-out requirements as a sale.

What This Means for Your Website

  • A "Do Not Sell or Share My Personal Information" link must be prominently displayed
  • You must honor Global Privacy Control (GPC) signals as valid opt-out requests
  • Cross-context behavioral advertising via cookies triggers opt-out obligations
  • Consumers have rights to know, delete, correct, and port their personal information
  • Sensitive data requires opt-in consent or the right to limit use and disclosure
  • Under 16: opt-in consent required for sale/sharing. Under 13: verifiable parental consent
  • Data minimization limits collection to disclosed purposes
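The two opt-out carriers listed above, a "Do Not Sell or Share" choice stored by the site and a Global Privacy Control signal, have to be evaluated on every request before any cross-context advertising tag fires. The following is an added example written for this page, not ConsentStack's own code. It relies on the two carriers the GPC specification defines (the request header `Sec-GPC: 1` and the DOM property `navigator.globalPrivacyControl`); the cookie name `cpra_opt_out`, the tag catalogue and the audit-record shape are assumptions for illustration.

```javascript
// Added example (not ConsentStack's own code): gating cross-context
// behavioral advertising tags on a Global Privacy Control (GPC) signal or a
// stored "Do Not Sell or Share" choice. The GPC specification defines two
// carriers for the signal: the request header `Sec-GPC: 1` and the DOM
// property `navigator.globalPrivacyControl === true`. The cookie name, tag
// catalogue and audit shape below are assumptions for illustration.

const OPT_OUT_COOKIE = "cpra_opt_out"; // assumed name of the stored link-based choice

// Constructed sample tag catalogue. Only tags that disclose personal
// information for cross-context behavioral advertising count as "sharing";
// first-party, same-context tags may keep loading after an opt-out.
const SAMPLE_TAGS = [
  { id: "first-party-analytics", sharing: false },
  { id: "adnet-retargeting-pixel", sharing: true },
  { id: "social-conversion-pixel", sharing: true },
];

function parseCookies(header) {
  const cookies = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    // A malformed percent-escape must not crash the opt-out check.
    try { cookies[name] = decodeURIComponent(raw); } catch { cookies[name] = raw; }
  }
  return cookies;
}

// Server-side evaluation from request headers. Header names are matched
// case-insensitively; only the literal value "1" is a valid GPC signal, so a
// missing or malformed header means "no signal", never "consent to share".
function evaluateOptOut(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) h[name.toLowerCase()] = value;
  const gpc = h["sec-gpc"] === "1";
  const stored = parseCookies(h["cookie"])[OPT_OUT_COOKIE] === "1";
  // A GPC signal is a valid opt-out on its own: it takes effect even when the
  // visitor never clicked the link, and a stale stored "share" preference
  // does not override it.
  return { optedOut: gpc || stored, source: gpc ? "gpc" : stored ? "link" : "none" };
}

// Client-side equivalent for a tag manager: same rule, read from the DOM
// property instead of the header. `nav` and the cookie string are passed in
// so the function can run outside a browser.
function evaluateOptOutInBrowser(nav, documentCookie) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  const stored = parseCookies(documentCookie)[OPT_OUT_COOKIE] === "1";
  return { optedOut: gpc || stored, source: gpc ? "gpc" : stored ? "link" : "none" };
}

// Decides which tags may load for one request and produces an audit record
// showing that the signal was honored.
function decideForRequest(headers, tags, now = new Date()) {
  const decision = evaluateOptOut(headers);
  const allowed = tags.filter((t) => !(decision.optedOut && t.sharing)).map((t) => t.id);
  const suppressed = tags.filter((t) => decision.optedOut && t.sharing).map((t) => t.id);
  return {
    ...decision,
    allowed,
    suppressed,
    audit: { at: now.toISOString(), optedOut: decision.optedOut, source: decision.source, suppressed },
  };
}

// Demo on constructed requests: a GPC-enabled browser, a visitor who used the
// "Do Not Sell or Share" link, and a visitor with neither.
for (const req of [
  { "Sec-GPC": "1" },
  { Cookie: `${OPT_OUT_COOKIE}=1; session=abc` },
  { "User-Agent": "example-browser" },
]) {
  const d = decideForRequest(req, SAMPLE_TAGS);
  console.log(`${d.source.padEnd(4)} optedOut=${d.optedOut} loads=${d.allowed.join(",")}`);
}
```

The server-side check matters because a `Sec-GPC` header arrives before any script runs, so the page can be rendered without the sharing tags at all rather than loading them and hoping a client-side script removes them; the DOM check is the fallback for tags injected by a tag manager after load.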

Key Requirements

The CPPA and California AG enforce the CPRA with penalties of $2,500 per unintentional and $7,500 per intentional violation. Consumer requests must be fulfilled within 45 days. There is no mandatory cure period. A limited private right of action exists for data breaches involving unencrypted and nonredacted PI ($100-$750 per consumer per incident, or actual damages if greater). Privacy risk assessments are required for high-risk processing.

How ConsentStack Handles This

ConsentStack automatically detects California visitors and shows a CPRA-compliant opt-out banner with a Do Not Sell or Share link. GPC signals are honored automatically, and consent preferences are recorded for audit compliance.

Penalties

$2,500 per unintentional violation / $7,500 per intentional violation.

Maximum Fine
$7,500 per violation

Key Requirements

  • Do Not Sell or Share My Personal Information link required
  • Honor Global Privacy Control (GPC) signals
  • Right to know, delete, correct, and port personal information
  • Data minimization — collection limited to disclosed purposes
  • Privacy risk assessments for high-risk processing
  • Service provider and contractor contractual requirements

Notable Provisions

  • Dedicated agency (CPPA) — unique among US states
  • Cross-context behavioral advertising via cookies equals sharing
  • First US state law to require honoring GPC signals

Data Subject Rights

Know what data is collected (45 days)

Right to know what personal information is collected, used, shared, or sold

Delete your data (45 days)

Right to request deletion of personal information collected from the consumer

Correct your data (45 days)

Right to request correction of inaccurate personal information

Opt out of sale or sharing

Right to opt out of the sale or sharing of personal information

Limit sensitive data use

Right to limit the use and disclosure of sensitive personal information

Non-discrimination

Right not to be discriminated against for exercising privacy rights

US State Specifics

Private Right of Action
Yes
Global Opt-out Required
Yes
Sensitive Data Opt-in
Yes
Children Provisions
Under 16: opt-in required for sale/sharing. Under 13: verifiable parental consent required.

Other North America Regulations

PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. Bill C-27, which would have replaced PIPEDA with the Consumer Privacy Protection Act, died when Parliament was prorogued in January 2025; a new bill is expected.
MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service, and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law, with no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (up to 4% of worldwide turnover). The strictest cookie consent requirements in North America.
CTDPA (Connecticut, United States)
Connecticut's CTDPA features a unique consent revocation mechanism for sensitive data and some of the strongest children's data protections. The cure period was eliminated in January 2025. The 2025 amendments prohibit sale of children's data or use for targeted advertising even with consent.

Frequently Asked Questions

Does CPRA require a cookie consent banner?

Not an opt-in banner in the GDPR sense: the CPRA consent model is opt-out. What it requires is a Do Not Sell or Share My Personal Information link, honoring of GPC signals as opt-out requests, and (where sensitive personal information is used beyond permitted purposes) a Limit the Use of My Sensitive Personal Information link. ConsentStack implements the opt-out link and GPC handling automatically for California visitors.

What is the CPPA?

The California Privacy Protection Agency is the dedicated enforcement agency for the CPRA, sharing enforcement authority with the California Attorney General. California is the only US state with its own privacy agency.

Must websites honor GPC signals under CPRA?

Yes. CPRA was the first US state law to require honoring Global Privacy Control signals as valid opt-out requests. ConsentStack detects and honors GPC automatically.

What are the CPRA penalties?

$2,500 per unintentional violation and $7,500 per intentional violation. There is no mandatory cure period.

Stay compliant with CPRA

ConsentStack helps you implement opt-out consent for California, United States automatically.