CCPA Cookie Consent: What You Need to Know in 2025

Written by
Laura Clayton

Key takeaways:

  • CCPA/CPRA require opt-outs, not opt-ins
  • Ad and analytics cookies may count as data “sharing”
  • You need a “Do Not Sell or Share” link if thresholds are met
  • Must honor GPC signals as valid opt-outs
  • Dark patterns are banned (opt-out must be easy)
  • Show banners only to California users
  • Store opt-out preferences for 12+ months
  • Lightweight tools like Geo Consent simplify compliance
  • Real enforcement is happening and violations carry fines

If your website collects personal data from California residents, you’re likely subject to the CCPA (California Consumer Privacy Act) and its expanded sibling, the CPRA (California Privacy Rights Act). 

While these laws don’t work exactly like GDPR, they still come with strict rules about data transparency, user rights, and cookies.

Let’s have a look at what “CCPA cookie consent” really means in practice. We’ll cover banner requirements, opt-out rules, technical setup tips, and examples of what compliance looks like in 2025.

First, let’s get clear on how the laws work.

CCPA vs. CPRA: The basics

The CCPA grants California consumers certain rights over their personal data, including the right to:

  • Know what data is collected and why
  • Access, delete, or correct their data
  • Opt out of the “sale” or “sharing” of their data
  • Limit the use of sensitive personal information

The CPRA expands on the CCPA by introducing new terms (like “sharing”), creating a dedicated enforcement agency (CPPA), and requiring businesses to honor opt-out signals like the Global Privacy Control (GPC).

Source: CPRA vs. CCPA vs. GDPR rights and frameworks

Cookies count as personal data

Cookies that track users across sites (like analytics, ad tech, or personalization cookies) often fall under “personal information” in California. If your site sells or shares this data with third parties, you need to offer a way for users to opt out.

Unlike GDPR, the CCPA does not require prior consent before setting cookies. But it does require you to:

  • Tell users what cookies you use and why
  • Let them opt out of sales or sharing
  • Respect GPC signals
  • Avoid “dark patterns” that make opt-out confusing

Next, let’s look at whether you actually need a cookie banner and when.

Do you need a cookie banner under CCPA?

Short answer: not always. However, if your site sells or shares personal information through cookies, then yes, you need a clear, user-friendly way for California residents to opt out. 

That’s when a banner or link is needed.

CCPA vs. GDPR: Consent vs. opt-out

One big difference between CCPA and GDPR is timing. Under GDPR, you need explicit consent before setting non-essential cookies. 

Under CCPA, you can set cookies right away, but users must be able to opt out of data sales or sharing.

So instead of a “click to accept” banner, most CCPA-compliant banners focus on transparency and control, offering:

  • A link to the full privacy policy
  • A clear way to opt out of sales or sharing
  • A mechanism for honoring user rights

If your cookies are limited to essential site functionality (like session management), a banner might not be necessary. But most businesses use analytics, personalization tools, or ad platforms, so an opt-out mechanism is typically required.

Source: Cookie banner example

When is a banner (or link) required?

Under CCPA and CPRA, you must include a “Do Not Sell or Share My Personal Information” link if:

  • You collect personal information through your website (including via cookies)
  • You sell or share that information with third parties (for ads, analytics, etc.)
  • You meet one of these business thresholds:

    • $25 million+ in gross annual revenue
    • 100,000+ California users annually
    • 50%+ of revenue from selling/sharing data

You don’t necessarily need a full banner, but you do need a visible, persistent opt-out link. That could be in your site footer, cookie banner, or privacy settings page.

What about the Global Privacy Control (GPC)?

Under CPRA, businesses must also honor opt-out signals sent through the browser, like the Global Privacy Control (GPC). This is a browser-level setting that tells websites “don’t sell or share my data.”

If your site receives a GPC signal from a California user, you need to treat it like an opt-out request even if the user doesn’t click your banner or link.

CCPA cookie requirements explained

While CCPA (and its amendment, CPRA) doesn’t require a cookie banner by default, it does lay out several clear obligations for how you collect and manage user data via cookies.

1. Notice at collection

You must inform users at or before the point of data collection:

  • What categories of personal information you collect
  • The purposes for which you collect it
  • Whether you sell or share that information (and how to opt out)

This notice often appears in a cookie banner, pop-up, or as part of a privacy policy.

2. Opt-out mechanism

If your cookies sell or share user data (for example, via ad tech platforms) you must:

  • Provide a “Do Not Sell or Share My Personal Information” link
  • Honor GPC signals as valid opt-out requests
  • Make opting out just as easy as opting in (no dark patterns)

3. Cookie categorization

Cookies should be grouped and labeled clearly in your banner or preference center. Common categories include:

  • Strictly necessary (essential for site functionality)
  • Functional (enhances features like live chat)
  • Performance/Analytics (tracks usage, like through Google Analytics)
  • Advertising/Targeting (shares data with third parties)

Note: Only strictly necessary cookies can be exempted from opt-out controls; every other category must be covered by your opt-out mechanism.

4. Dark pattern prohibition

CPRA expands on CCPA by banning “dark patterns”, which are tricky or manipulative UI practices that make opting out harder than opting in. Examples include:

  • Hidden opt-out links
  • Low-contrast buttons
  • Pre-selected consent toggles

5. Data retention and access rights

You must let users:

  • Access any personal information you’ve collected in the last 12 months
  • Request deletion or correction
  • Know how long you retain different categories of data

These rights apply to cookie-collected data as well, especially when paired with other identifiers (like IP addresses).

Requirement                    | GDPR                               | CCPA/CPRA
Consent type                   | Opt-in required                    | Opt-out required
Applies to                     | EU residents                       | California residents
Cookie banner required         | Yes, for non-essential cookies     | Only if cookies sell/share data
“Do Not Sell/Share” link       | Not required                       | Required
Global Privacy Control (GPC)   | Optional                           | Must be honored
Dark patterns prohibited       | Yes                                | Yes (under CPRA)
Legal penalties                | Up to €20M or 4% of global revenue | $2,500–$7,500 per violation

UX best practices for a CCPA-compliant cookie banner

Source: Personal data under CCPA

Even though CCPA doesn’t require explicit consent like GDPR, your opt-out mechanism still has to be clear, accessible, and easy to use. 

A poorly designed banner or hidden link can result in complaints or even fines.

Here’s how to do it right:

1. Prioritize clarity over cleverness

Under the CCPA and CPRA, your cookie banner needs to be usable rather than just hanging out at the bottom of the screen. 

That starts with clear, direct language that tells users three things up front: what personal data is being collected, whether that data is being sold or shared, and how they can opt out.

Skip the jargon or generic phrasing. Instead of hiding options behind vague labels like “Learn More” or “Cookie Settings,” make your intent obvious. Strong examples are:

  • Do Not Sell or Share My Personal Information
  • Customize Settings
  • Manage My Data Preferences

As in marketing, keep your CTAs (Calls to Action) action-driven and transparent. The goal is to help users make informed choices without having to hunt for the opt-out.

2. Avoid dark patterns

As we touched on earlier, the CPRA bans dark patterns: deceptive design tricks that make opting out harder than it should be. 

That means your cookie banner must avoid things like buried opt-out links, low-contrast buttons that blend into the background, or toggles that are pre-selected to assume consent. 

The rule of thumb? Opt-out options should be just as visible and easy to use as any “Accept” or “Continue” button. 

If users can’t find or understand how to exercise their rights, your design is out of bounds.

3. Use a fixed banner or notice

A persistent footer or bottom-of-page banner is ideal. It:

  • Doesn’t interfere with content
  • Stays visible until the user interacts
  • Provides an easy path to opt out

Avoid banners that auto-close or disappear before the user has a chance to read or act.

4. Keep accessibility in mind

Cookie consent banners must be accessible, not just compliant. That means users should be able to navigate your banner using a keyboard, understand it through a screen reader, and clearly see each option thanks to high-contrast design. 

Accessibility isn’t just a best practice, it’s also a legal requirement under U.S. and California law. If your banner excludes users with disabilities, it could open you up to risk.

How to implement CCPA cookie consent

Designing a clear, user-friendly banner is only half the battle. Behind the scenes, you need to detect eligible users, trigger the right notices, and store preferences correctly to remain compliant with the CCPA and CPRA.

We’ll walk you through it.

1. Detect California visitors (geo-targeting)

The CCPA only applies to California residents, so your cookie banner or opt-out mechanism doesn't need to show to everyone.

Use IP-based geolocation to trigger your banner only for users in California. This avoids unnecessary friction for visitors in other regions and keeps your UX clean.

2. Add a “Do Not Sell or Share My Personal Information” link

This opt-out link must be:

  • Clearly visible and labeled
  • Accessible from every page (typically in the footer)
  • Linked to a page or preference center where users can opt out of data sales or sharing

If you “sell” or “share” personal data (including via behavioral ads or retargeting), this is non-negotiable.

3. Support the Global Privacy Control (GPC) signal

If a visitor arrives with GPC enabled, you're required to treat it as a valid opt-out. That means no additional clicks, no banner prompts, and no delay. The signal must be detected and applied automatically in the background.

You don’t need to show a banner in these cases, but you do need technical infrastructure that can:

  • Detect the GPC signal
  • Apply the opt-out immediately
  • Log and store the preference for compliance

This backend capability is an important piece of CCPA/CPRA compliance, especially as GPC adoption continues to grow.

4. Store and honor preferences

Once a user opts out, whether through a banner, link, or Global Privacy Control signal, you’re legally required to stop selling or sharing their personal data both during that session and on future visits. 

You must also store that opt-out preference for at least 12 months, and where technically feasible, honor it across devices. 

This usually involves using cookies, local storage, or server-side tracking to remember the user’s choice and apply it automatically whenever they return. Consistency and persistence are key to maintaining compliance.
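As an added example (not code from this article or from Geo Targetly), here is the request-handling logic that steps 1 through 4 above describe, combined with the GPC handling from the earlier section: a Node.js function that decides per request whether to show the notice, applies a `Sec-GPC: 1` header as an opt-out, persists the choice in a first-party cookie for 12 months, writes an audit record, and gates tags by cookie category. The cookie name `ccpa_optout`, the `region` value `"US-CA"` coming from an upstream IP-geolocation lookup, and the audit event shape are assumptions.

```javascript
// Added example: CCPA/CPRA opt-out decision logic (not from the article).
const OPT_OUT_COOKIE = "ccpa_optout";         // constructed cookie name
const RETENTION_SECONDS = 365 * 24 * 60 * 60;  // keep the choice for 12 months

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    out[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// The GPC spec signals opt-out with the request header `Sec-GPC: 1`.
function hasGpcSignal(lowerCasedHeaders) {
  return lowerCasedHeaders["sec-gpc"] === "1";
}

// Set-Cookie value that persists the opt-out for the retention period.
function optOutCookie() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${RETENTION_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Record an opt-out from a banner click, the footer link, or a GPC signal.
// `source` goes into the compliance log so the origin of the choice is kept.
function recordOptOut(source, now) {
  return {
    setCookie: optOutCookie(),
    auditEvent: { type: "ccpa_opt_out", source, at: new Date(now).toISOString() },
  };
}

// Decide, for one request, whether to show the notice and whether selling or
// sharing must be suppressed. `region` is the upstream IP-geolocation result
// (assumed "US-CA" for California); `headers` are raw request headers.
function evaluateRequest({ headers = {}, region, now = Date.now() }) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const stored = parseCookies(h.cookie)[OPT_OUT_COOKIE] === "1";
  const base = { showBanner: false, optedOut: stored, setCookie: null, auditEvent: null };

  // A previously stored opt-out is honored on every return visit; nothing is
  // shown or recorded for visitors outside California (the law's scope).
  if (region !== "US-CA") return base;

  // GPC counts as a valid opt-out: apply it silently, persist it on first sight.
  if (hasGpcSignal(h)) {
    return { ...base, optedOut: true, ...(stored ? {} : recordOptOut("gpc", now)) };
  }
  // Opted out via banner or link on an earlier visit: no banner needed.
  if (stored) return base;
  // California visitor with no signal and no stored choice: show the notice.
  return { ...base, showBanner: true };
}

// Gate tags by category: only strictly necessary cookies are exempt from the
// opt-out; functional, analytics and advertising tags run only when not opted out.
function shouldLoadTag(decision, category) {
  return category === "necessary" || !decision.optedOut;
}
```

Explicit opt-outs from the banner or footer link go through `recordOptOut("banner", Date.now())` or `recordOptOut("link", Date.now())` on the click handler's request, and the returned `setCookie` value is emitted as a Set-Cookie header.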

5. CMP vs. custom setup: What’s better?

Consent Management Platforms (CMPs) can streamline this entire process, especially if you’re managing multiple regions or regulations.

Pros                                               | Cons
Built-in CCPA/CPRA logic and opt-out templates     | May be overkill for small sites
Automatic GPC signal support                       | Some require ongoing costs or platform lock-in
Easier integration with analytics and ad platforms |

If you want to keep full control while minimizing complexity, lightweight tools like Geo Consent by Geo Targetly offer a middle ground – geo-triggered banners without the bloat.


Real-world examples and enforcement cases

If you think cookie compliance is just a box-ticking exercise, the California Attorney General would disagree. Several high-profile enforcement actions have shown that improper or incomplete consent mechanisms can lead to major fines.

Let’s look at two standout cases.

Sephora (2022): A $1.2 million wake-up call

Source: CCPA strikes the first major blow

In 2022, Sephora became the target of the first major CCPA enforcement action, resulting in a $1.2 million fine. The California Attorney General found that Sephora had failed to:

  • Disclose the “sale” of personal information to consumers (sharing data with third-party trackers for analytics/ads).

  • Honor opt-out requests – specifically, Sephora did not properly process “Do Not Sell My Personal Information” signals, including those sent via GPC.

  • Cure these violations within 30 days after being notified, as required under the CCPA’s cure period (Sephora didn’t fix the issues in time).

So, what triggered the investigation? An enforcement sweep revealed that Sephora’s cookie consent tools weren’t functioning properly. 

According to the AG’s complaint, activating the GPC opt-out signal “had no effect” on Sephora’s website. User data continued to flow to third-party advertising and analytics companies even after an opt-out was signaled. 

In other words, users couldn’t effectively opt out of their data being shared, despite any cookie banner or “Do Not Sell” link.

It’s not enough to simply display a cookie banner or offer an opt-out link, you must ensure those choices are actionable.

If a user opts out, your system needs to actually stop the data flow to third parties. Sephora’s case shows that regulators will penalize companies if the opt-out mechanisms don’t work in practice, not just on paper.

Honda (2023): Consent fatigue isn’t a defense

Source: CPPA enforcement action against Honda

In 2023, the CPPA (California Privacy Protection Agency) cited Honda for using dark patterns in its cookie notice and consent process. The CPPA’s complaint highlighted that Honda’s cookie consent and privacy request interface was designed in a way that undermined user choice.

  • Opt-out links were buried behind extra steps. For example, Honda’s cookie banner (powered by OneTrust) required consumers to click through two steps to opt out of advertising cookies, whereas opting in was a single click (“Allow All”). This lopsided design made opting out much harder than opting in.

  • Consent was implied rather than explicitly obtained. The interface’s design nudged users toward acceptance; “Accept All” was a bright, prominent single button, while “Reject All” was hidden or required multiple interactions. This effectively subverted user consent: many users would simply give up, meaning consent was assumed by default (a practice the law forbids).

  • Users weren’t given clear control over their data choices. Honda’s tool failed the “symmetry of choice” requirement under CPRA regulations. Privacy options were not presented in a neutral, balanced way, and the choices were unequal and confusing, making it difficult for users to exercise their rights freely. Honda even demanded excessive personal information and confirmations for users to submit opt-out requests or use authorized agents, adding more fuel to the fire.

The result? Honda settled the case by agreeing to pay a $632,500 fine. Moreover, the CPPA’s order mandated a redesign of Honda’s cookie consent UX. 

Honda had to implement a more user-friendly, compliant consent mechanism, including adding an easy-to-find “Reject All” button and ensuring that opting out is just as effortless as opting in. Honda also was ordered to simplify its privacy request forms and involve UX experts to fix the design shortcomings.

California’s CPRA rules explicitly ban dark patterns in consent workflows. Regulators have made it clear that making it hard for users to opt out is a fast track to non-compliance and fines. 

How Geo Consent by Geo Targetly helps you stay compliant

CCPA and CPRA compliance goes beyond legal requirements. Clear consent flows improve user experience, reduce risk, and simplify internal processes.

Our Geo Consent feature gives you everything you need to meet CCPA cookie requirements without the need for bulky consent management platforms or constant dev support.

  • Location-based display: Show cookie banners only to California visitors, so the rest of your users don’t see irrelevant notices

  • Auto-trigger Do Not Sell/Share banners based on geolocation or GPC signals

  • Easy integrations: Works with all major CMSs and tag managers (like WordPress, Shopify, Webflow, GTM, and more)

  • Customizable design: Match your brand and messaging while keeping UX compliant

  • One dashboard for everything: No multi-tool setup. No manual geofencing logic.

For companies looking to dynamically trigger cookie banners only in California and meet evolving compliance needs, Geo Consent provides a lightweight and reliable solution.


Implementation checklist: CCPA cookie consent in 2025

Not sure where to start? Use this checklist to stay on track with CCPA (and CPRA) cookie compliance:

1. Audit your cookies and data flows

  • Identify all third-party cookies, tracking scripts, and data-sharing tools
  • Map what personal information is being collected, how it’s used, and who it’s shared with

2. Determine if your business “sells” or “shares” data

  • Review CCPA/CPRA definitions carefully. Sharing with ad networks or analytics platforms may count
  • If yes, you’ll need a “Do Not Sell or Share My Personal Information” link

3. Add a persistent opt-out link

  • Include the opt-out link in the footer of every page
  • Make sure it leads to a clear, accessible preference center or opt-out mechanism

4. Recognize and respect GPC signals

  • Your website should honor browser-based GPC signals from California users
  • This serves as a valid opt-out request under CPRA

5. Display a cookie banner (only where required)

  • Use geo-targeting to display banners only to California residents
  • Avoid banner fatigue and simplify UX for non-California visitors

6. Store and retain user preferences

  • Log opt-out choices for at least 12 months
  • Allow users to return and update their preferences anytime

Final thoughts: CCPA cookie compliance doesn’t have to be complicated

Between evolving privacy laws, enforcement trends, and user expectations, staying compliant with the CCPA and CPRA can feel overwhelming, but it doesn’t have to be!

The key is to understand what’s actually required:

  • You don’t need prior consent, but you do need a clear opt-out
  • You must honor “Do Not Sell or Share” requests and GPC signals
  • You should only show cookie banners to California visitors

With the right tools and strategy, you can meet legal requirements, build trust with users, and avoid costly mistakes without slowing down your site or relying on developers.

Remember, Geo Consent by Geo Targetly makes it easy to stay compliant by dynamically triggering banners based on visitor location and streamlining your opt-out setup across platforms.

Want to see Geo Consent in action? Start your free trial or request a personalized demo today.


FAQs

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state law that gives California residents more control over how their personal data is collected, used, and shared. It requires businesses to provide transparency and offer a way to opt out of the “sale” or “sharing” of personal information.

What’s the difference between CCPA and CPRA?

The CPRA (California Privacy Rights Act) expands and amends the CCPA. It introduces new consumer rights (like correcting data), defines “sharing” separately from “selling,” and requires businesses to honor Global Privacy Control (GPC) signals. It also adds stricter rules on dark patterns and user-friendly opt-outs.

Do I need a cookie banner for CCPA?

Not always. CCPA doesn’t require prior consent like GDPR, but if your cookies “sell” or “share” personal data (like for advertising or analytics), you must provide a clear opt-out mechanism, such as a banner or “Do Not Sell or Share” link. Many businesses use banners to notify users and present opt-out options clearly.

What does “Do Not Sell or Share My Personal Information” mean?

This is a required link or button under CCPA/CPRA if your business “sells” or “shares” personal information. That includes things like cross-site tracking for ads or disclosing data to third parties. The link must be clearly visible, not buried in your privacy policy.

Is consent required under CCPA?

No. CCPA is opt-out based, unlike GDPR which is opt-in. You can collect data by default, but must offer a way for users to say no. However, under CPRA, that opt-out mechanism must be easy to use and respect GPC signals.

Do I need to block cookies under CCPA?

No, cookie blocking is not required, but you must give users a way to opt out of tracking that qualifies as a sale or share. You’ll need to stop passing data to third parties for advertising if a user opts out.

Is Global Privacy Control (GPC) mandatory?

Yes, under CPRA, if your business must comply with CCPA, you are required to honor GPC signals as a valid request to opt out of the sale or sharing of personal data. GPC is a browser-based signal that users can activate.

Do I need a cookie banner if I only use Google Analytics?

It depends. Basic Google Analytics (without advertising features) may not qualify as a “sale” or “share,” but if you're using Google Signals, Ad personalization, or sharing with third parties, then yes, an opt-out banner and “Do Not Sell or Share” link are recommended.

Written by Laura Clayton, Copywriter
Laura Clayton is a marketing strategist and seasoned copywriter specializing in ecommerce growth and geo-personalization. With a background in fiction writing from Columbia College Chicago and a professional journey that has spanned government investigation, education, and real estate, Laura brings a unique blend of analytical rigor and creative insight to her work. Since 2019, she has helped SaaS companies across a variety of industries craft high-converting content that drives engagement and results. At Geo Targetly, Laura draws on her deep expertise in geo targeting and user personalization to help online businesses deliver location-relevant experiences that boost conversions and enhance user satisfaction.
