A Practical Guide to CCPA and Data Protection

Flowsery Team
4 min read

TL;DR — Quick Answer

The CCPA's broad data-sharing rules directly impact web analytics and marketing. The Sephora case proved that routine analytics activities can trigger violations and million-dollar settlements.

This guide explains CCPA and Data Protection in practical terms, with a focus on privacy-first analytics decisions.

The California Consumer Privacy Act is not a "cookie law" in the European sense. It does not say every analytics cookie needs opt-in consent. But it absolutely affects cookies, pixels, advertising tags, and analytics vendors because it gives Californians rights over the sale and sharing of personal information.

For marketing teams, the practical question is not "do we use cookies?" It is "are we disclosing, selling, sharing, or enabling cross-context behavioral advertising with personal information?"

Why Analytics Data Can Be Personal Information

California defines personal information broadly. The law covers information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a consumer or household. The California Attorney General's CCPA materials include online identifiers and IP addresses within this broad framing.

This matters because many routine web tools collect identifiers even when the site owner never sees a name. A third-party analytics or ad platform may receive:

  • cookie IDs
  • IP-derived location
  • device and browser information
  • page URLs
  • referrer data
  • ad click identifiers
  • conversion events
  • hashed emails or customer IDs, in some setups

If that data is used for cross-context behavioral advertising, measurement across clients, audience building, or platform enrichment, CCPA obligations may apply.

Sale, Sharing, and the Sephora Lesson

The Sephora enforcement action is the case every marketing team should know. In 2022, the California Attorney General announced a USD 1.2 million settlement with Sephora alleging that Sephora failed to disclose that it was selling personal information, failed to process opt-out requests sent through Global Privacy Control, and failed to cure the alleged violations.

The important detail is that the case involved common online tracking practices. The California AG described third-party companies receiving information about consumers, including through analytics and advertising technologies. That means a company does not need to sell a spreadsheet to a data broker to create CCPA risk. Allowing third-party trackers to collect personal information on your site can be enough.

Since the CPRA amendments, "sharing" is especially important. It covers disclosures for cross-context behavioral advertising, even where money does not change hands.

Global Privacy Control Is Not Optional

California's Attorney General states that businesses covered by the CCPA must honor a user-enabled Global Privacy Control as a valid request to opt out of sale or sharing. The California Privacy Protection Agency also describes opt-out preference signals as browser or extension settings that automatically send a user's opt-out choice.

In practice, this means your site needs to detect and act on GPC where applicable. A privacy banner that ignores the browser signal is not enough. If a visitor has GPC enabled, do not load sale/share-related advertising pixels and do not send data to vendors for cross-context behavioral advertising unless you have a legally valid reason to do so.
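The detection step described above, as an added example (not Flowsery's code): the signal reaches a site two ways, as the boolean `navigator.globalPrivacyControl` property in page script and as the `Sec-GPC: 1` request header on the server. The functions take their inputs as parameters so the logic can be checked outside a browser; the site-preference flag and the `sources` labels are assumptions for illustration.

```javascript
// Added example, not Flowsery's code: reading a Global Privacy Control signal
// from both places a site can observe it, then combining it with the visitor's
// own "Do Not Sell or Share" choice into one opt-out decision with evidence.

// Client side: true only when the browser reports the property as boolean true.
// An absent property means "no signal", which is not the same as an explicit "off".
function gpcFromNavigator(nav) {
  return nav !== null && typeof nav === 'object' && nav.globalPrivacyControl === true;
}

// Server side: the only valid header value is the literal string "1".
// Anything else (missing, "0", "true", "1;x") is treated as no signal.
function gpcFromHeaders(headers) {
  if (!headers) return false;
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Combine the browser signal with any explicit opt-out the visitor recorded on
// the site (optedOutOnSite is assumed to come from the site's preference store).
// Any one source is enough; the list of sources is returned so the decision
// can be logged as evidence of how the opt-out was honored.
function saleShareOptedOut({ nav = null, headers = null, optedOutOnSite = false } = {}) {
  const sources = [];
  if (optedOutOnSite) sources.push('site-preference');
  if (gpcFromNavigator(nav)) sources.push('gpc-navigator');
  if (gpcFromHeaders(headers)) sources.push('gpc-header');
  return { optedOut: sources.length > 0, sources };
}

// Usage in page script (only runs in a browser; a no-op under Node):
if (typeof navigator !== 'undefined') {
  const decision = saleShareOptedOut({ nav: navigator });
  // Hand decision.optedOut to the tag loader so sale/share tags are skipped,
  // and record decision.sources alongside the visit for audit purposes.
}
```

Checking the header against the exact string "1" matters: a loose truthiness test would treat "0" as a signal, and a strict one that also accepted "true" would honor values the specification never defines.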

What This Means for Cookies

Under CCPA, cookies fall into several buckets:

| Cookie or tag type | Typical CCPA concern |
| --- | --- |
| Strictly necessary cookies | usually low, but disclose in privacy policy |
| First-party aggregate analytics | lower risk if not shared or used for ads |
| Third-party analytics | review vendor use, contracts, and disclosures |
| Retargeting pixels | high risk for sale/share and opt-out |
| Ad conversion tags | depends on data sent and vendor use |
| Data clean room or enhanced conversion tags | high risk if customer data is uploaded |

The safest analytics architecture is first-party, minimal, and purpose-limited. If your analytics provider does not use visitor data across customers, does not build ad profiles, does not set tracking cookies, and does not sell or share personal information, compliance becomes simpler.

A CCPA Checklist for Marketing Analytics

  1. Map every third-party tag. Include Google Analytics, Google Tag Manager, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, chat tools, heatmaps, affiliate scripts, and A/B testing tools.

  2. Read vendor terms. Determine whether each vendor acts as a service provider/contractor or uses data for its own purposes. Contract labels matter less than actual data use.

  3. Classify data flows. Note whether the tag receives identifiers, page URLs, event names, email hashes, IP addresses, or transaction details.

  4. Update notices. Your privacy policy should explain categories of personal information collected, purposes, categories of recipients, retention, and opt-out rights.

  5. Implement opt-out controls. Provide a "Do Not Sell or Share My Personal Information" mechanism where required and honor GPC.

  6. Gate high-risk tags. Retargeting and cross-context advertising tags should not fire for users who opt out.

  7. Minimize event payloads. Do not send names, emails, account IDs, health data, financial details, or free-form form fields to analytics.

  8. Keep evidence. Document configuration, vendor decisions, consent/opt-out behavior, and test results.
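The payload-minimization step of the checklist, as an added example (not Flowsery's code): events are reduced to an allowlist of fields before they leave the page, URL-like fields lose query parameters that commonly carry personal data, and any remaining value that looks like an email address is dropped. The allowlist, the blocked parameter names and the sample event are constructed for illustration.

```javascript
// Added example, not Flowsery's code: allowlist-based minimization of an
// analytics event so that names, emails, free-form fields and identifying
// query parameters never reach the analytics endpoint.

// Only these top-level properties are ever sent (assumed allowlist). Campaign
// attribution stays in UTM parameters rather than in a user profile.
const ALLOWED_EVENT_FIELDS = new Set([
  'event', 'path', 'referrer', 'utm_source', 'utm_medium', 'utm_campaign', 'value',
]);

// Query parameters commonly used to carry personal data or secrets (assumed list).
const BLOCKED_QUERY_PARAMS = new Set(['email', 'e', 'name', 'phone', 'token', 'session']);

// Loose email shape; used to drop values rather than to validate addresses.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// Remove blocked or email-looking query parameters and the fragment from a URL.
// Relative inputs come back as path + query; absolute inputs keep their origin.
function scrubUrl(raw) {
  const base = 'https://relative.invalid';
  const url = new URL(raw, base);
  for (const key of [...url.searchParams.keys()]) {
    if (BLOCKED_QUERY_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(url.searchParams.get(key))) {
      url.searchParams.delete(key);
    }
  }
  url.hash = '';
  return url.origin === base ? url.pathname + url.search : url.href;
}

// Reduce a raw event to the allowlisted primitive fields. Returns the kept
// event and the names of dropped fields, so the drop can be logged as evidence
// without logging the dropped values themselves.
function minimizeEvent(rawEvent) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(rawEvent)) {
    if (!ALLOWED_EVENT_FIELDS.has(key)) { dropped.push(key); continue; }
    const cleaned = (key === 'path' || key === 'referrer') && typeof value === 'string'
      ? scrubUrl(value)
      : value;
    const primitive = ['string', 'number', 'boolean'].includes(typeof cleaned);
    // Nested objects (e.g. a whole form) and email-looking strings are never sent.
    if (!primitive || (typeof cleaned === 'string' && EMAIL_RE.test(cleaned))) {
      dropped.push(key);
      continue;
    }
    kept[key] = cleaned;
  }
  return { event: kept, dropped };
}

// Constructed sample event (not real traffic): a signup page whose URL and
// form data carry an email address and a free-form message.
const SAMPLE_EVENT = {
  event: 'signup',
  path: '/signup?email=jane%40example.com&utm_source=news#step2',
  referrer: 'https://example.com/r?token=abc&q=1',
  email: 'jane@example.com',
  message: 'please call me',
  form: { name: 'Jane', plan: 'pro' },
  value: 10,
};
```

An allowlist is deliberately preferred over a blocklist of known bad field names: a new form field added by marketing is dropped by default instead of leaking until someone notices it.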

CCPA vs GDPR: Do Not Mix the Rules

GDPR and the ePrivacy Directive often require prior consent for non-essential cookies and similar technologies in Europe. CCPA generally focuses on notice, access, deletion, correction, and opt-out rights, especially around sale/share. A setup can be acceptable under one regime and not the other.

For a US-focused website, the biggest CCPA risk is often uncontrolled third-party marketing tags. For an EU-facing website, the same tags may also require opt-in consent before they load.

The Privacy-First Path

A practical privacy-first analytics stack for CCPA compliance should:

  • avoid third-party advertising identifiers by default
  • avoid using analytics data for cross-context behavioral advertising
  • collect only aggregate metrics needed for site improvement
  • honor GPC where required
  • keep campaign attribution in UTM parameters, not user profiles
  • separate analytics from ad platform enrichment

CCPA compliance is easier when analytics is not part of an advertising surveillance pipeline. Measure what helps you improve the site. Do not collect data simply because a tag manager makes it easy.

Marketing Tag Controls

Separate collection from sale and sharing. A cookie banner can manage some collection choices, but a CCPA opt-out must also address whether personal information is sold or shared for cross-context behavioral advertising. Do not let retargeting tags, server-side conversion APIs, or audience syncs fire after an applicable opt-out or valid GPC signal.

Keep a tag register with owner, purpose, data fields, vendor role, consent category, GPC behavior, firing rule, and deletion path. Review it whenever marketing adds a platform or changes campaign measurement.
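The tag register and firing rules described above, as an added example (not Flowsery's code) that also covers the CCPA-versus-GDPR point: the same register is evaluated once under a notice-and-opt-out regime and once under a prior-consent regime. It assumes the visitor's opt-out and GPC state has already been determined; the register entries, the field values and the visitor-state shape are constructed for illustration.

```javascript
// Added example, not Flowsery's code: a tag register with firing rules that
// distinguish vendor role and consent category, plus a lint that flags
// misconfigured entries when marketing adds a platform.

const REQUIRED_FIELDS = [
  'id', 'owner', 'purpose', 'fields', 'vendorRole', 'consentCategory', 'gpcBehavior', 'deletionPath',
];

// Constructed register (not a real site's configuration).
const TAG_REGISTER = [
  { id: 'first-party-analytics', owner: 'web', purpose: 'site improvement', fields: ['path', 'referrer'],
    vendorRole: 'service_provider', consentCategory: 'analytics', gpcBehavior: 'unaffected',
    deletionPath: 'vendor ticket' },
  { id: 'retargeting-pixel', owner: 'paid-media', purpose: 'cross-context behavioral advertising',
    fields: ['cookie_id', 'path'], vendorRole: 'third_party', consentCategory: 'advertising',
    gpcBehavior: 'suppress', deletionPath: 'platform audience purge' },
  { id: 'conversion-api', owner: 'paid-media', purpose: 'ad conversion measurement',
    fields: ['hashed_email', 'order_id'], vendorRole: 'third_party', consentCategory: 'advertising',
    gpcBehavior: 'suppress', deletionPath: 'platform deletion request' },
  { id: 'session-keepalive', owner: 'web', purpose: 'keep login session alive', fields: [],
    vendorRole: 'first_party', consentCategory: 'necessary', gpcBehavior: 'unaffected', deletionPath: 'n/a' },
];

// Visitor state (assumed shape): which regime the site applies to this visitor
// ('ca' = notice and opt-out, 'eu' = prior consent), the consent categories the
// visitor granted, and the CCPA-style opt-out / GPC flags.
// Returns one decision per tag with a reason, so outcomes can be logged as evidence.
function evaluateRegister(register, state) {
  const optedOut = Boolean(state.gpc || state.optedOutSaleShare);
  return register.map(tag => {
    if (tag.consentCategory === 'necessary') {
      return { id: tag.id, fire: true, reason: 'strictly necessary' };
    }
    // Sale/share-related tags never fire after an opt-out or a valid GPC signal.
    if (optedOut && tag.gpcBehavior === 'suppress') {
      return { id: tag.id, fire: false, reason: 'sale/share opt-out or GPC signal' };
    }
    // Under a prior-consent regime, non-essential tags need their category granted first.
    if (state.regime === 'eu' && !state.consented.has(tag.consentCategory)) {
      return { id: tag.id, fire: false, reason: 'no prior consent for ' + tag.consentCategory };
    }
    return { id: tag.id, fire: true, reason: state.regime === 'eu' ? 'consented' : 'no opt-out on file' };
  });
}

function firingTagIds(register, state) {
  return evaluateRegister(register, state).filter(d => d.fire).map(d => d.id);
}

// Review-time lint: every entry must carry every register field, and a
// third-party advertising tag that ignores GPC is a misconfiguration.
function lintRegister(register) {
  const problems = [];
  for (const tag of register) {
    for (const f of REQUIRED_FIELDS) {
      if (!(f in tag)) problems.push(`${tag.id || '?'}: missing ${f}`);
    }
    if (tag.vendorRole === 'third_party' && tag.consentCategory === 'advertising' && tag.gpcBehavior !== 'suppress') {
      problems.push(`${tag.id}: third-party advertising tag must suppress on GPC`);
    }
  }
  return problems;
}
```

Keeping the rule in data rather than scattered across tag-manager triggers means one review of the register answers the question "what fires for an opted-out Californian?" without reading every trigger, and the lint runs in CI whenever a new platform is added.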
