CCPA / US State Privacy Laws Guide
ℹ️Compliance group:
opt-out — consent written silently; no banner unless the user visits a "Do Not Sell" page. Use compliance: { type: 'opt-out' } in your ConsentiSetup config.Consenti supports opt-out consent models required by CCPA, VCDPA, CPA, CTDPA, TDPSA, and similar US state laws.
⚠️CCPA was superseded by CPRA on 1 January 2023. If you operate in California, see the CPRA guidefor the current requirements, including the new "Do Not Share" obligation and sensitive data categories.
Official references
- California Attorney General — CCPA page
- Cal. Civ. Code § 1798.100 — CCPA statute text
- Global Privacy Control (GPC) specification
Opt-out model vs. GDPR opt-in
| GDPR | CCPA / US States | |
|---|---|---|
| Default | All non-mandatory cookies denied | All non-mandatory cookies granted |
| Trigger | Banner on first visit | Silent auto-consent; provide opt-out UI |
| GPC | Optional honour | Required to honour |
Enabling CCPA mode
ts
createConsenti({
compliance: { ccpa: true, gpc: true },
})In your frontend widget:
ts
new ConsentiSetup({
core: {
profileId: 'my-profile',
regulation: 'ccpa', // sets all cookies to 'granted' on first load
autoHonorGPC: true, // required for CCPA compliance
},
})GPC — Global Privacy Control
The GPC signal (navigator.globalPrivacyControl === true) is treated as an opt-out under CCPA (required by California AG guidance). When autoHonorGPC: 'strict' is set:
- Widget detects GPC signal
- Automatically denies all
listenGpc: truecookies - Writes consent record immediately without showing banner
gpc_detected: trueis stored on the consent record
"Do Not Sell" / Opt-out button
Add a '!' button to let users opt out at any time:
json
{
"text": "Do Not Sell My Data",
"type": "reject",
"cookies": "!"
}The '!' action sets all non-mandatory cookies to 'denied' and writes the consent record.
State-by-state coverage
| Law | Jurisdiction | Opt-out mechanism |
|---|---|---|
| CCPA / CPRA | California | GPC + '!' button |
| VCDPA | Virginia | Same as CCPA |
| CPA | Colorado | GPC required + opt-out UI |
| CTDPA | Connecticut | Same as CCPA |
| TDPSA | Texas | Same as CCPA |
| MHMDA | Washington (health data) | Requires explicit consent for health data |
ℹ️All of these use the same consent record structure. No additional backend configuration is required beyond
regulation: 'ccpa' in the frontend widget.