CCPA/CPRA Documentation

CCPA/CPRA Compliance

What is CCPA/CPRA?

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give California residents specific rights over their personal information, including:

  • Right to Know: What personal information is collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Stop the sale or sharing of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Global Privacy Control (GPC)

Cookie Handler automatically detects and respects Global Privacy Control (GPC) signals when CCPA is enabled.

ℹ️

When GPC is detected, Cookie Handler will automatically:

  • Set sale_share_opt_out to true
  • Deny ad_storage and analytics_storage consent
  • Display a confirmation message to users

CCPA Implementation

Enable CCPA Protection

  1. Go to Dashboard → Cookie Config
  2. Select your domain
  3. Enable CCPA in the Consent Log Settings
  4. Set your CCPA URL (typically /privacy-policy#ccpa)

Configure CCPA URL

The CCPA URL should point to a page where users can:

  • Learn about their CCPA rights
  • Toggle their "Do Not Sell or Share" preference
  • Contact you for data requests
💡

We recommend using /privacy-policy#ccpa as your CCPA URL, which links to the CCPA section of your privacy policy with an interactive toggle.

Technical Implementation

When CCPA is enabled, Cookie Handler will:

  1. Check the GPC signal from the browser.
  2. Create or update the cookie with new CCPA-specific fields.
  3. Automatically deny advertising consent to vendors that will share or sell your data.

Here is the JavaScript implementation 👇

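// Assumed inputs for illustration: the user's stored "Do Not Sell or Share"
// choice and the current consent state
const userOptOut = false;
const consent = { ad_storage: 'granted', analytics_storage: 'granted' };

// Check for GPC signal (undefined in browsers without GPC support)
const gpc = navigator.globalPrivacyControl === true;

// CCPA-specific consent object
const ccpaConsent = {
  sale_share_opt_out: gpc || userOptOut,
  sensitive_limit: gpc || userOptOut,
  source: gpc ? 'gpc' : 'user'
};

// Automatically deny advertising and analytics consent when GPC detected
if (gpc) {
  consent.ad_storage = 'denied';
  consent.analytics_storage = 'denied';
}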

Best Practices

Clear Communication

  • Use plain language to explain data collection
  • Provide easy access to privacy controls
  • Respect user choices immediately

Technical Requirements

  • Detect and honor GPC signals automatically
  • Provide persistent access to privacy controls
  • Log consent changes for compliance auditing
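
The GPC handling from Technical Implementation combined with the consent-change logging listed above, as an added example (not Cookie Handler's own code). The function names, the nav parameter and the audit record shape are assumptions; the consent field names come from the snippet on this page.

```javascript
// Fields compared when writing the audit trail (names taken from the page).
const FIELDS = ['sale_share_opt_out', 'sensitive_limit', 'source',
                'ad_storage', 'analytics_storage'];

// Apply the page's rules: GPC or a stored user opt-out sets the CCPA flags;
// GPC additionally denies ad and analytics storage.
// `nav` is a navigator-like object, passed in so the logic runs outside a browser.
function resolveConsent(nav, userOptOut, previous) {
  // Strict comparison: undefined (no GPC support) or a non-boolean is "no signal".
  const gpc = nav != null && nav.globalPrivacyControl === true;
  const optOut = gpc || userOptOut === true;
  const next = {
    ...previous,
    sale_share_opt_out: optOut,
    sensitive_limit: optOut,
    source: gpc ? 'gpc' : 'user',
  };
  if (gpc) {
    next.ad_storage = 'denied';
    next.analytics_storage = 'denied';
  }
  // Without GPC the storage values stay as they were (as in the page's
  // snippet): removing the signal does not re-grant anything by itself.
  return next;
}

// One audit entry per field whose value changed (hypothetical record shape).
function auditChanges(previous, next, timestamp) {
  return FIELDS
    .filter((f) => previous[f] !== next[f])
    .map((f) => ({ timestamp, field: f, from: previous[f], to: next[f], source: next.source }));
}

// Constructed sample: a visitor who granted everything, then enables GPC,
// then disables it again.
function demo() {
  const before = { sale_share_opt_out: false, sensitive_limit: false, source: 'user',
                   ad_storage: 'granted', analytics_storage: 'granted' };
  const withGpc = resolveConsent({ globalPrivacyControl: true }, false, before);
  const log = auditChanges(before, withGpc, '2024-01-01T00:00:00Z');
  const gpcOff = resolveConsent({}, false, withGpc);
  return { withGpc, log, gpcOff };
}

console.log(JSON.stringify(demo().log, null, 2));
```

In a browser, pass the real navigator object as the first argument and persist the returned entries wherever your consent log is kept.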

User Experience

  • Show clear confirmation when GPC is detected
  • Make opt-out as easy as opt-in
  • Provide immediate feedback on privacy changes
🚨

CCPA compliance requires ongoing monitoring and updates. Consult with legal counsel for specific compliance requirements in your jurisdiction.