Consenti

CCPA / US State Privacy Laws Guide

ℹ️Compliance group: opt-out — consent written silently; no banner unless the user visits a "Do Not Sell" page. Use compliance: { type: 'opt-out' } in your ConsentiSetup config.

Consenti supports opt-out consent models required by CCPA, VCDPA, CPA, CTDPA, TDPSA, and similar US state laws.

⚠️CCPA was superseded by CPRA on 1 January 2023. If you operate in California, see the CPRA guidefor the current requirements, including the new "Do Not Share" obligation and sensitive data categories.

Official references

Opt-out model vs. GDPR opt-in

GDPRCCPA / US States
DefaultAll non-mandatory cookies deniedAll non-mandatory cookies granted
TriggerBanner on first visitSilent auto-consent; provide opt-out UI
GPCOptional honourRequired to honour

Enabling CCPA mode

ts
createConsenti({
  compliance: { ccpa: true, gpc: true },
})

In your frontend widget:

ts
new ConsentiSetup({
  core: {
    profileId: 'my-profile',
    regulation: 'ccpa',  // sets all cookies to 'granted' on first load
    autoHonorGPC: true,  // required for CCPA compliance
  },
})

GPC — Global Privacy Control

The GPC signal (navigator.globalPrivacyControl === true) is treated as an opt-out under CCPA (required by California AG guidance). When autoHonorGPC: 'strict' is set:

  1. Widget detects GPC signal
  2. Automatically denies all listenGpc: true cookies
  3. Writes consent record immediately without showing banner
  4. gpc_detected: true is stored on the consent record

"Do Not Sell" / Opt-out button

Add a '!' button to let users opt out at any time:

json
{
  "text": "Do Not Sell My Data",
  "type": "reject",
  "cookies": "!"
}

The '!' action sets all non-mandatory cookies to 'denied' and writes the consent record.

State-by-state coverage

LawJurisdictionOpt-out mechanism
CCPA / CPRACaliforniaGPC + '!' button
VCDPAVirginiaSame as CCPA
CPAColoradoGPC required + opt-out UI
CTDPAConnecticutSame as CCPA
TDPSATexasSame as CCPA
MHMDAWashington (health data)Requires explicit consent for health data
ℹ️All of these use the same consent record structure. No additional backend configuration is required beyond regulation: 'ccpa' in the frontend widget.