The CCPA/CPRA Explained: Empowering California Consumers with Data Privacy Rights
The California Consumer Privacy Act (CCPA), effective January 1, 2020, and significantly expanded by the California Privacy Rights Act (CPRA) in 2023, is one of the most comprehensive state-level privacy laws in the United States. While the GDPR focuses on European residents, the CCPA/CPRA empowers California consumers by granting them extensive rights over their personal information and imposes strict obligations on businesses that collect and process it.

What is the CCPA/CPRA?
The CCPA (and its successor, the CPRA) is a landmark privacy law that grants California residents (consumers) new rights regarding their personal information. Unlike GDPR, which focuses on the lawful basis for processing, CCPA/CPRA is more about consumer control and transparency regarding how businesses handle their data.
It generally applies to for-profit businesses that collect personal information from California residents and meet one or more of the following thresholds:
- Has annual gross revenues over $25 million.
- Buys, receives, or sells the personal information of 100,000 or more California consumers or households.
- Derives 50% or more of its annual revenues from selling or sharing California consumers’ personal information.
“Personal Information” under CCPA/CPRA is broadly defined to include anything that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Key Consumer Rights under CCPA/CPRA
The CCPA/CPRA grants California consumers several powerful rights:
- Right to Know: Consumers have the right to request that a business disclose the categories and specific pieces of personal information it has collected, the categories of sources from which the personal information is collected, the purposes for collecting or selling personal information, and the categories of third parties with whom the business shares personal information.
- Right to Delete: Consumers have the right to request the deletion of personal information collected by the business.
- Right to Opt-Out of Sale/Sharing: This is a cornerstone of the CCPA/CPRA. Consumers have the right to direct a business that sells or “shares” (for cross-context behavioral advertising) personal information to third parties not to sell or share their personal information. Businesses must provide a clear “Do Not Sell or Share My Personal Information” link on their homepage.
- Right to Correct: Consumers can request that businesses correct inaccurate personal information.
- Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can direct businesses to limit the use and disclosure of their “sensitive personal information” (e.g., precise geolocation, racial or ethnic origin, health data) to only what is necessary to perform the services or provide the goods requested.
- Right to Non-Retaliation: Businesses cannot discriminate against a consumer for exercising their CCPA/CPRA rights.
Implications for Businesses
Compliance with CCPA/CPRA requires a significant shift in data handling practices for many businesses. Key requirements include:
- Providing clear and prominent privacy notices detailing data collection and processing.
- Implementing mechanisms for consumers to submit data subject access requests (DSARs) to exercise their rights.
- Recognizing and honoring global privacy control signals, like the Global Privacy Control (GPC) browser signal.
- Ensuring third-party service providers and contractors also comply with CCPA/CPRA rules when handling consumer data on behalf of the business.
Non-compliance can lead to significant penalties, including statutory damages of $100 to $750 per consumer per incident for intentional violations or for failing to cure violations after notice, as well as actual damages for consumers. Enforcement is carried out by the California Privacy Protection Agency (CPPA) and the California Attorney General.
The Critical Role of Consent and Opt-Out Tools in Modern CCPA/CPRA Compliance
Navigating CCPA/CPRA compliance, especially while maintaining effective digital marketing and analytics, requires the seamless integration of specialized tools: a robust Consent Management Platform (CMP) and compliance with signals from major advertising platforms.
1. The Consent Management Platform (CMP) – e.g., FitConsent
A CMP like FitConsent is essential for implementing the consumer rights mandated by CCPA/CPRA. Its primary functions include:
- Facilitating Opt-Outs: A CMP helps businesses display the mandatory “Do Not Sell or Share My Personal Information” link and manages the underlying mechanisms to honor these requests, ensuring that data is not sold or shared after an opt-out.
- Managing User Preferences: Beyond simple opt-outs, a CMP allows for more granular control, especially for limiting the use of sensitive personal information, aligning with the expanded CPRA requirements.
- Responding to DSARs: While not directly executing deletion, a CMP can streamline the process of receiving and managing Data Subject Access Requests (DSARs), providing the necessary audit trails and helping businesses locate relevant data for deletion or access requests.
- Honoring GPC Signals: Modern CMPs are designed to detect and automatically honor Global Privacy Control (GPC) signals sent by users’ browsers, which CCPA/CPRA requires businesses to treat as a valid opt-out request.
2. Google Consent Mode V2
While the CCPA/CPRA is primarily an “opt-out” rather than “opt-in” regime for many data uses (unlike GDPR’s strong emphasis on consent), Google Consent Mode V2 still plays a crucial role for businesses operating globally or those with mixed compliance needs:
- Global Compliance Framework: For businesses serving both California and EU residents, a CMP integrated with Google Consent Mode V2 provides a unified approach. Even in an opt-out context, it can help manage signals to Google services, ensuring that analytics and advertising tags behave appropriately based on user preferences (whether “opt-in” for GDPR or “opt-out” for CCPA).
- Adapting Tag Behavior: Google Consent Mode V2 can still modify the behavior of Google tags based on the explicit choices or implicit opt-out signals received, limiting data collection for advertising if required, thereby supporting CCPA/CPRA objectives where applicable.
3. Microsoft UET Consent Mode
Similarly, for businesses using Microsoft Advertising (Bing Ads) and serving California residents:
- Respecting Opt-Outs: Microsoft UET Consent Mode allows for the Universal Event Tracking (UET) tag to adapt its data collection practices based on user preferences or opt-out signals. This ensures that personal information is not “sold” or “shared” via the UET tag in a way that violates CCPA/CPRA if a consumer has opted out.
- Maintaining Limited Functionality: By adjusting tag behavior, UET Consent Mode enables basic conversion tracking and ad performance measurement to continue in a privacy-preserving manner, even when full tracking is not permitted due to consumer choices.
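The signal flow described in the three tool sections above, as an added example that is not FitConsent's, Google's or Microsoft's own code: it reads the GPC signal (the `Sec-GPC: 1` request header or `navigator.globalPrivacyControl`) and sets the consent defaults for Google tags and the UET tag before they load. The function names, the `storedOptOut` flag and the choice to leave `analytics_storage` granted are assumptions made for illustration.

```javascript
// Added example: isGpcOptOut, consentFor and applyConsent are hypothetical names.

// Sec-GPC is a request header whose only defined value is "1";
// navigator.globalPrivacyControl is the matching script-visible boolean.
function isGpcOptOut(headers = {}, navigatorGpc = undefined) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  const headerOn = key !== undefined && String(headers[key]).trim() === '1';
  return headerOn || navigatorGpc === true;
}

// Assumption: an opt-out of sale/sharing denies the advertising signals and
// leaves analytics_storage granted; a real deployment sets this per its policy.
function consentFor(optedOut) {
  const ads = optedOut ? 'denied' : 'granted';
  return {
    google: {
      ad_storage: ads,
      ad_user_data: ads,
      ad_personalization: ads,
      analytics_storage: 'granted',
    },
    uet: { ad_storage: ads },
  };
}

// win is the browser window (or a stand-in object outside a browser).
// headers is only available when the decision is made server-side.
// storedOptOut is a previously recorded "Do Not Sell or Share" choice.
function applyConsent(win, { headers, storedOptOut = false } = {}) {
  const nav = win.navigator;
  const gpc = isGpcOptOut(headers, nav && nav.globalPrivacyControl);
  const optedOut = gpc || storedOptOut === true;
  const state = consentFor(optedOut);

  // Call before the tags load so the defaults apply to their first hit.
  win.dataLayer = win.dataLayer || [];
  // gtag pushes its arguments object, as in Google's standard snippet.
  function gtag() { win.dataLayer.push(arguments); }
  gtag('consent', 'default', state.google);

  win.uetq = win.uetq || [];
  win.uetq.push('consent', 'default', state.uet);

  const source = gpc ? 'gpc' : storedOptOut ? 'stored' : 'none';
  return { optedOut, source, state };
}
```

Recording `source` alongside the decision gives the audit trail a way to show whether an opt-out came from the browser signal or from the consumer's stored choice.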
Conclusion on Tools:
For businesses operating under the shadow of CCPA/CPRA, the integration of a specialized CMP like FitConsent with the flexible signaling provided by Google Consent Mode V2 and Microsoft UET Consent Mode is vital. These tools ensure not only legal compliance with consumer rights but also enable the continuation of essential marketing and analytics activities in a privacy-respecting and data-informed manner.