CCPA / CPRA · California Consumer Privacy Act

Most sites still ignore Global Privacy Control. Under CPRA, that's an automatic violation.

CPRA (2023) expanded "Do Not Sell" to also cover "sharing" for behavioral advertising — and made honoring the Global Privacy Control browser signal legally required. The California Privacy Protection Agency actively enforces both. Free scan finds the gaps.

Which law do you want to check?

Need help fixing the issues?

Book a 20-min call with our compliance team to walk through your results.

Book a call →

About CCPA / CPRA

CCPA (California Consumer Privacy Act) gave consumers the right to opt out of the sale of their personal information and to know, delete, and correct it. CPRA (California Privacy Rights Act, in effect January 2023) made three significant additions that most sites have not caught up with. First, "Do Not Sell" was extended to "Do Not Sell or Share" — sharing personal data for cross-context behavioral advertising (even without payment) now triggers the same opt-out requirement. Second, Global Privacy Control (GPC) — a browser-level opt-out signal — became a legally required opt-out mechanism. A site that loads ad trackers when GPC is active is in automatic violation. Sephora paid $1.2M in the CA AG's first major CCPA action, with GPC non-compliance cited as a core violation. Third, California now has a dedicated enforcement body — the California Privacy Protection Agency (CPPA) — separate from the AG, creating two enforcement channels. Penalties: $2,500 per unintentional violation, $7,500 per intentional violation.

Also check

The scan above evaluates all four regimes at once. Switch the framing for a different audience: