Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/US

WEB ANALYTICS · COOKIE COMPLIANCE · NORTHERN AMERICA · US-CA

California — analytics & cookie compliance reference

Default opt-out (sale/share) baseline; mandatory GPC honoring; CCPA/CPRA enforced jointly by the CPPA and the California Attorney General. The most active US state on analytics-related privacy enforcement.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting California consumers. CCPA/CPRA applies to for-profit businesses meeting threshold tests; sectoral overlays (HIPAA, GLBA, FERPA) are addressed only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

CCPA
California Consumer Privacy Act of 2018
First-in-nation comprehensive state privacy law. Establishes consumer rights to know / delete / opt-out of sale of personal information for California residents. Default opt-out (no consent required to collect/sell unless minor) — fundamentally different from GDPR opt-in baseline.
  • § 1798.100 Right to know — categories and specific pieces of personal information collected
  • § 1798.105 Right to delete — verifiable consumer requests, with standard exceptions
  • § 1798.120 Right to opt-out of sale — 'Do Not Sell My Personal Information' link required
  • § 1798.135 Notice & opt-out mechanism placement — clear, conspicuous link on homepage
  • § 1798.140(t) Definition of 'sale' — broadened by Sephora settlement to include sharing for cross-context behavioral advertising
Cal. Civ. Code § 1798.100 et seq. — enacted AB 375 (2018), effective 1 Jan 2020, AG enforcement began 1 Jul 2020.
CPRA
California Privacy Rights Act of 2020
Adds 'sensitive personal information' category with separate opt-out, extends rights to employee/B2B data (sunsetted exemptions), creates the CPPA as a dedicated enforcement agency, introduces 'sharing' (cross-context behavioral advertising) as a parallel concept to 'sale', and mandates honoring opt-out preference signals (GPC).
  • § 1798.121 Right to limit use of sensitive PI — precise geolocation, race/ethnicity, religion, biometrics, health, sexuality, etc.
  • § 1798.135(b) Opt-out preference signals (GPC) — businesses must honor frictionless browser/device-level signals
  • § 1798.185 CPPA rulemaking authority — issued final ADMT, risk-assessment, and cybersecurity-audit regs Oct 2025
  • § 1798.199.40 CPPA powers — investigations, audits, administrative orders, civil penalties up to $7,500 per intentional violation
Proposition 24 (Nov 2020); operative 1 Jan 2023; full enforcement from 1 Jul 2023. Amends and extends CCPA.
11 CCR § 7000
California Privacy Protection Agency Regulations
Operationalizes CCPA/CPRA. Detailed rules on consent banners, dark-pattern prohibitions, GPC technical signal, service-provider contracting, sensitive-PI handling, automated decision-making technology (ADMT), risk assessments, and annual cybersecurity audits.
  • § 7004 Notice at collection + symmetric-choice + no dark patterns — 'reject' as easy as 'accept'
  • § 7025 Opt-out preference signals (GPC) — technical specification + honoring obligation
  • § 7050-7053 Service-provider and contractor contracting — prescribed CCPA addendum clauses
  • § 7150-7157 Risk assessments — required before high-risk processing (selling/sharing, sensitive PI, ADMT, behavioral advertising on minors)
11 California Code of Regulations § 7000 series. Initial regs effective 29 Mar 2023; ADMT/risk-assessment/cyber-audit final regs adopted Oct 2025, phased in through 2027-2028.
CalOPPA
California Online Privacy Protection Act
Requires every commercial website/app collecting PII from California residents to post a conspicuous privacy policy and disclose its response to Do-Not-Track signals. Originated the practice of 'we honor DNT' boilerplate. Independent of CCPA threshold tests — applies to any operator regardless of size.
  • § 22575 Conspicuous privacy policy — required on every commercial website collecting CA PII
  • § 22575(b)(5) Do-Not-Track disclosure — must state how the operator responds to DNT signals
Cal. Bus. & Prof. Code § 22575-22579 — enacted 2003, amended 2013 (AB 370, Do-Not-Track disclosure). Historical baseline; largely subsumed by CCPA but still in force.

Regulators

Supervisory authorities that interpret and enforce privacy law here.

State DPAs · 2 authorities

CPPA — California Privacy Protection Agency. Created by CPRA, 5-member board, enforcement began 1 Jul 2023. First major settlement: Honda $632.5K (Mar 2025). Issues regulations, conducts audits, levies administrative fines.

California OAG — California Office of the Attorney General. Concurrent jurisdiction with CPPA. Brought first CCPA action (Sephora $1.2M, Aug 2022) and largest to date (Healthline $1.55M, Jul 2025). Pursues civil penalties up to $2,500 per violation / $7,500 per intentional violation in superior court.

Notable enforcement

California is the most active US state on analytics-related privacy enforcement. The two-track structure — California Attorney General (civil action in superior court) plus California Privacy Protection Agency (administrative enforcement) — means controllers face both prosecutorial and regulatory pressure. AG actions tend to be larger and headline-grabbing (Sephora, Healthline); CPPA actions are more procedurally detailed (Honda's UX-design and contract-process remediation orders). The Sephora settlement is the canonical analytics case: Sephora's transmission of consumer data to ad-tech partners was deemed a 'sale' because Sephora lacked conforming service-provider contracts and did not honor GPC. This logic was reinforced by Honda (vendor contracting failures) and Healthline (sensitive-data leakage via article titles + non-functional banner). Connected-vehicle data is a 2024-2025 priority area. Children's data triggers parallel COPPA exposure (Tilting Point).

GA4 status

GA4 is legal in California with proper opt-out implementation. Default opt-out baseline (CCPA does not require pre-collection consent for adults), BUT (1) a clear and conspicuous 'Do Not Sell or Share My Personal Information' link is required on the homepage, (2) the GPC browser signal must be honored as an opt-out, (3) a conforming service-provider contract with Google (CCPA addendum) must be in place, and (4) under-16 users require opt-in. The Sephora case is the cautionary anchor: transmitting GA4 data to Google's advertising features without these safeguards = 'sale' under CCPA.

DPA stance

CPPA — Active scrutiny of analytics + ad-tech vendor flows. Honda case shows asymmetric opt-out UX and missing service-provider contracts trigger enforcement.

California OAG — Sephora-line: GA4 data transmission to ad-tech features is treated as 'sale' absent service-provider contracts and GPC honoring. Healthline-line: sensitive-context article titles cannot be shared even with opt-out toggled.

Cross-border transfers + Schrems II

Domestic US — no Schrems II issue. Cross-border transfer mechanisms (DPF, SCCs) are not relevant when both controller and California consumer are in the US. Note: CCPA/CPRA still apply to non-US businesses processing California-resident data above the threshold tests, but California does not impose adequacy/transfer-mechanism requirements analogous to GDPR Chapter V.

Not applicable. CPPA does scrutinize vendor data flows under § 1798.140 (service-provider vs. third-party distinction) and § 7051 (prescribed contractual addendum). Failure to execute conforming service-provider contracts converts a 'disclosure' into a 'sale/share' — central holding of Sephora and Honda.

Employee data

Key thresholds

  • Child consent age: 16 years
  • Article 27 representative: Not required
  • Marketing consent: Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 8 green · 3 yellow · 1 red
Vendor · Status · Rationale
  • GREEN — Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. US baseline more permissive.
  • GREEN — EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. US baseline more permissive.
  • GREEN — Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
  • GREEN — Self-hosted on your infrastructure. Full data control, configurable IP anonymization. Meets every jurisdiction with cookieless config.
  • GREEN — EU-hosted with cookieless mode available. With cookies disabled, qualifies for the § 25(2) exception in Germany.
  • GREEN — German-hosted, cookieless, GDPR-aligned by design.
  • GREEN — EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
  • GREEN — Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
  • YELLOW — CCPA: needs "Do Not Sell" + opt-out signal handling. Default config requires GPC support.
  • YELLOW — CCPA opt-out signal must be honored.
  • YELLOW — EU cloud helps, but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
  • RED — Auto-capture grabs every click and form value: broad PII risk under GDPR Art. 5(1)(c) data minimization.

Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
  • GREEN — Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent; verify your manual scripts also gate.
  • GREEN — Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  • GREEN — Open-source, self-hosted. No managed updates; site owner maintains vendor list.
  • GREEN — GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch; verify per-region defaults. US baseline more permissive.
  • GREEN — German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.

Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
  • YELLOW — Same as EU: depends on tags. Add CCPA opt-out signal flow.

Session replay · 3 · 0 green · 3 yellow · 0 red
Vendor · Status · Rationale
  • YELLOW
  • YELLOW — Less strict than EU for session replay; still requires disclosure + opt-out.
  • YELLOW

Ad pixels · 3 · 0 green · 3 yellow · 0 red
Vendor · Status · Rationale
  • YELLOW — Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honored.
  • YELLOW — Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honored.
  • YELLOW — PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honored.

Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
  • GREEN — EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  • GREEN — EU server containers handle the routing, but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  • YELLOW — "EU server" ≠ EU data: clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.

Common questions

Is Google Analytics legal in California in 2026?
Yes, with proper safeguards. California uses an opt-out baseline (unlike GDPR opt-in), so GA4 may be deployed without pre-collection consent for adults. However, you must (1) display a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on every page, (2) honor the GPC browser signal as an opt-out request, (3) have a CCPA-conforming service-provider contract with Google (or disable Google Signals + advertising features), and (4) treat under-16 users as opt-in. The Sephora case ($1.2M, Aug 2022) clarified that transmitting analytics data to ad-tech features without these safeguards constitutes a 'sale' under CCPA.
Is a 'Do Not Sell or Share My Personal Information' link required?
Yes, if you sell or share personal information (including via ad-tech cookies/pixels), CCPA § 1798.135 requires a clear and conspicuous link on every page where you collect personal information. CPRA renamed it 'Do Not Sell or Share' to capture cross-context behavioral advertising. The link must lead to a working opt-out flow. Sephora's primary violation was the absence of this link combined with no GPC honoring.
Must I honor the Global Privacy Control (GPC) signal?
Yes, mandatory since CPRA went into force (1 Jan 2023). 11 CCR § 7025 specifies the technical signal: when a browser/extension transmits GPC, the business must treat it as a verified opt-out of sale and sharing — without requiring the user to click the Do-Not-Sell link. The Sephora settlement was driven in large part by GPC non-recognition. Honda was penalized for asymmetric UX even though GPC was nominally honored.
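The GPC-as-opt-out rule just described and the four GA4 safeguards listed under "GA4 status", as an added JavaScript example that is not part of this page or any vendor's code: it reads the GPC signal from navigator.globalPrivacyControl (browser) or the Sec-GPC request header (server), resolves the CCPA sale/share state including the under-16 opt-in rule, and emits the matching GA4 Consent Mode flags. Function names and the sample request are constructed for the example; the gtag parameter names are real Consent Mode v2 / GA4 config keys.

```javascript
// Added example, not code from the page or any vendor. Maps the CCPA inputs
// (GPC signal, Do-Not-Sell link, under-16 rule) to a GA4 consent-mode state.
// Function names are hypothetical; gtag keys are real Consent Mode v2 parameters.

// Read the GPC signal in whichever context the code runs.
function readGpc(env) {
  // Browser: navigator.globalPrivacyControl is true when the user has enabled GPC.
  if (env.navigator && env.navigator.globalPrivacyControl === true) return true;
  // Server: browsers that send GPC set the request header "Sec-GPC: 1".
  if (env.headers && env.headers['sec-gpc'] === '1') return true;
  return false;
}

// Decide the visitor's sale/share status. GPC is a verified opt-out on its own
// (11 CCR § 7025): no click on the Do-Not-Sell link is required.
function resolveCcpaState({ gpc = false, explicitOptOut = false, under16 = false, minorOptIn = false }) {
  const optedOut = gpc || explicitOptOut;
  // Under-16 visitors need an affirmative opt-in before any sale/share (§ 1798.120);
  // an opt-out signal still wins over a recorded opt-in.
  const sellShareAllowed = optedOut ? false : (under16 ? minorOptIn : true);
  // Opt-out baseline: first-party measurement stays on for adults; for minors
  // without opt-in this example withholds it as well.
  const measurementAllowed = under16 ? minorOptIn : true;
  const reason = gpc ? 'gpc' : explicitOptOut ? 'link' : (under16 && !minorOptIn) ? 'minor-no-opt-in' : 'default';
  return { optedOut, sellShareAllowed, measurementAllowed, reason };
}

// Translate the state into Consent Mode v2 flags plus GA4 config parameters:
// sale/sharing drives the ad_* flags and Google Signals, measurement drives analytics_storage.
function ga4ConsentFor(state) {
  const adFlag = state.sellShareAllowed ? 'granted' : 'denied';
  return {
    consent: {
      analytics_storage: state.measurementAllowed ? 'granted' : 'denied',
      ad_storage: adFlag,
      ad_user_data: adFlag,
      ad_personalization: adFlag,
    },
    config: {
      allow_google_signals: state.sellShareAllowed,
      allow_ad_personalization_signals: state.sellShareAllowed,
    },
  };
}

// In a page: call before the GA4 tag loads so the defaults apply to the first hit.
function applyToGtag(state, gtag, measurementId) {
  const { consent, config } = ga4ConsentFor(state);
  gtag('consent', 'default', consent);
  gtag('config', measurementId, config);
}

// Constructed sample: a request from a GPC-enabled browser, handled server-side.
const sampleRequest = { headers: { 'sec-gpc': '1' } };
const sampleState = resolveCcpaState({ gpc: readGpc(sampleRequest) });
console.log(sampleState.reason, ga4ConsentFor(sampleState).consent.ad_storage); // gpc denied
```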
What did the Sephora case actually establish?
Three things. (1) Transmitting consumer data to ad-tech vendors counts as a 'sale' under CCPA absent a conforming service-provider contract — even if no money changes hands. (2) GPC must be honored as a valid opt-out signal. (3) The 30-day cure period (now removed by CPRA) is a real opportunity — Sephora missed it. Every subsequent AG/CPPA case reinforces this template: missing service-provider contracts + non-functional opt-outs = enforcement.
Who enforces CCPA — the AG or the CPPA?
Both, concurrently. The California Attorney General brings civil actions in superior court (up to $2,500 per violation; $7,500 per intentional violation; $7,500 per violation involving a minor). The CPPA — created by CPRA, enforcement effective 1 Jul 2023 — issues administrative orders, audits businesses, and levies the same penalty schedule. They coordinate informally but can act independently. AG actions tend to be larger (Sephora $1.2M, Healthline $1.55M); CPPA actions are more procedurally detailed (Honda's UX-design + contracting remediation).
Does CCPA apply to my employee or B2B data?
Yes, since 1 Jan 2023. CPRA sunsetted the original CCPA exemptions for employee, applicant, contractor, and B2B-contact data. California employees now have full rights to know, delete, correct, opt-out, and limit use of sensitive PI. If you deploy analytics on internal HR dashboards, employee productivity tools, or B2B-customer portals, CCPA applies — provide a separate notice at collection for the employment context and run a risk assessment under 11 CCR § 7150.
What counts as 'sensitive personal information' under CPRA?
Categories enumerated in § 1798.140(ae): government identifiers (SSN, driver's license, passport), account credentials with passwords, precise geolocation, race or ethnic origin, religious beliefs, mail/email/text content (not directed to the business), genetic data, biometric identifiers used for unique identification, health data, and sex-life or sexual-orientation data. Consumers may invoke § 1798.121 to limit use to specified purposes (no profiling, no advertising). The Healthline case ($1.55M) hinged on health-condition leakage via article titles.
Do I meet the CCPA thresholds?
CCPA applies to for-profit businesses doing business in California that meet ANY of: (1) gross annual revenue ≥ $26.625M (inflation-adjusted from $25M baseline, 2025-2026 figure); (2) annually buy/sell/share personal information of ≥ 100,000 California consumers, households, or devices; (3) derive ≥ 50% of annual revenue from selling or sharing personal information. Meeting any one threshold triggers all CCPA obligations. Note: CalOPPA (privacy-policy mandate) applies regardless of size.
Are children's data rules different?
Yes. Under-13: opt-in by parent/guardian (parallels federal COPPA). Ages 13-15: opt-in by the minor themselves before any sale/share. 16+: standard opt-out baseline. Tilting Point Media ($500K, Jun 2024) is the canonical case — mobile game collected under-13 data without verifiable parental consent and shared with ad networks, triggering parallel CCPA + COPPA penalties.
What about the 30-day cure period?
Removed by CPRA effective 1 Jan 2023. CCPA originally gave businesses 30 days to cure violations after AG notice — Sephora's failure to cure was a major driver of the $1.2M settlement. CPRA eliminated automatic cure for most violations; it now exists only at agency discretion. Treat any contact from CPPA or the AG as enforcement, not warning.

// EDITORIAL · NOT LEGAL ADVICE This page summarises California's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and regulator position. For binding interpretation, consult counsel admitted in California.