Jurisdiction Β· STATE Β· US-CA
πΊπΈ California
CCPA (2020) as amended by CPRA (2023). CPPA enforcement agency. "Sale" and "sharing" definitions trigger opt-out (not opt-in baseline like EU).
What a typical site must do
| Requirement | Value | Confidence | Reviewed |
|---|---|---|---|
| analytics_exempt_cookieless | yes | high | 2026-05-04 |
| banner_required | no | high | 2026-05-04 |
| breach_notification_hours | asap | high | 2026-05-04 |
| consent_mode_v2_relevant | yes | high | 2026-05-04 |
| consent_model | opt_out | high | 2026-05-04 |
| cookie_policy_required | yes | high | 2026-05-04 |
| dpf_transfers_acceptable | yes | high | 2026-05-04 |
| dpo_required | not_required | high | 2026-05-04 |
| dsr_response_days | 45 | high | 2026-05-04 |
| enforcement_strictness | moderate | high | 2026-05-04 |
| iab_tcf_required | not_applicable | high | 2026-05-04 |
| language_required | english | high | 2026-05-04 |
| pre_consent_pings_allowed | yes | high | 2026-05-04 |
| privacy_policy_required | yes | high | 2026-05-04 |
| reject_layer1 | not_required | high | 2026-05-04 |
| ropa_required | not_required | high | 2026-05-04 |
Editorial notes
Tool compliance matrix
Default-config verdict per analytics/CMP tool against this jurisdiction.
| Vendor | Status | Rationale |
|---|---|---|
| Addingwell | green | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. |
| Adobe Analytics | green | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. US baseline more permissive. |
| Amplitude | green | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. US baseline more permissive. |
| Cookiebot | green | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent β verify your manual scripts also gate. |
| Fathom | green | Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII). |
| Iubenda | green | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. |
| Klaro | green | Open-source, self-hosted. No managed updates β site owner maintains vendor list. |
| Matomo (self-hosted) | green | Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config. |
| Matomo Cloud | green | EU-hosted with cookieless mode available. With cookies disabled qualifies for Β§25(2) exception in Germany. |
| OneTrust | green | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch β verify per-region defaults. US baseline more permissive. |
| Pirsch | green | German-hosted, cookieless, GDPR-aligned by design. |
| Plausible | green | EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required. |
| Stape | green | EU server containers handle the routing β but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. |
| Umami | green | Open-source, cookieless, fully self-hostable. Default-green when self-hosted. |
| Usercentrics | green | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
| FullStory | yellow | |
| Google Analytics 4 | yellow | CCPA β needs "Do Not Sell" + opt-out signal handling. Default config requires GPC support. |
| Google Tag Manager | yellow | Same as EU β depends on tags. Add CCPA opt-out signal flow. |
| Hotjar | yellow | Less strict than EU for session replay; still requires disclosure + opt-out. |
| LinkedIn Insight Tag | yellow | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured. |
| Meta Pixel | yellow | Schrems II concerns persist; advanced matching hashes PII but does not fix EUβUS transfer problem. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured. |
| Microsoft Clarity | yellow | |
| Mixpanel | yellow | CCPA opt-out signal must be honored. |
| PostHog | yellow | EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. |
| Server-side GTM (Google Cloud) | yellow | "EU server" β EU data β clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing. |
| TikTok Pixel | yellow | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured. |
| Heap | red | Auto-capture grabs every click and form value β broad PII risk under GDPR Art 5(1)(c) data minimization. |
Templates for California
BANNER
Do Not Sell or Share My Personal Information Β· CCPA/CPRA link
DSR_REPLY
DSR reply template Β· CCPA/CPRA consumer request