CPRA Compliance Guide
opt-out-strict — opt-out for sale/sharing; opt-in required for sensitive data. GPC triggers both Do Not Sell and Do Not Share. Use compliance: { type: 'opt-out-strict' } in your ConsentiSetup config.The California Privacy Rights Act (CPRA) superseded CCPA on 1 January 2023. It is enforced by the California Privacy Protection Agency (CPPA) — a dedicated regulatory body, not just the Attorney General.
Official references
- California Privacy Protection Agency (CPPA) — the regulatory body that enforces CPRA
- CPPA — CPRA regulations (Title 11, Division 22)
- Cal. Civ. Code § 1798.100 et seq — CPRA statute text
- Global Privacy Control (GPC) specification — required signal under CPRA
CCPA vs. CPRA
| CCPA (2020) | CPRA (Jan 2023) | |
|---|---|---|
| Enforcer | Attorney General | CPPA (dedicated agency) |
| GPC obligation | Required | Required |
| Do Not Sell | Yes | Yes |
| Do Not Share (cross-context behavioural advertising) | No | Yes |
| Sensitive personal data opt-in | No | Yes |
| Data minimisation | No | Yes |
| Correction right | No | Yes |
Enabling CPRA mode
new ConsentiSetup({
core: {
regulation: 'cpra',
autoHonorGPC: true, // required — GPC denies sale and sharing cookies automatically
},
})Per-cookie category
In the dashboard Cookie Template Editor, enable the CPRA Category column and assign each data-selling or sharing cookie a category:
| Value | Meaning | GPC effect | First-visit default |
|---|---|---|---|
sale | Personal data sold to third parties | Always denied on GPC | Denied |
sharing | Cross-context behavioural advertising | Always denied on GPC | Denied |
sensitive | Sensitive personal data (health, race, religion, precise geo…) | Always opt-in regardless of GPC | Denied |
| (unset) | Standard cookie | Standard GPC behaviour | Granted |
GPC — Global Privacy Control
When the GPC signal (navigator.globalPrivacyControl === true) is detected under CPRA, Consenti automatically:
- Denies all cookies with
cpraCategory: 'sale' - Denies all cookies with
cpraCategory: 'sharing' - Leaves other cookies at their submitted value
- Stores
gpc_detected: trueon the consent record
cpraCategory: 'sensitive' always require an explicit opt-in — GPC is not required for this, it is mandatory under CPRA Section 1798.121.Server-side enforcement
The backend re-applies CPRA rules on every POST /consent and PUT /consent/:idregardless of what the client sends, so a compromised widget cannot bypass the rules:
// consent.service.ts — enforced server-side on every write
if (gpcDetected && regulation === 'cpra') {
if (cookie.cpraCategory === 'sale' || cookie.cpraCategory === 'sharing') {
effectiveConsent[cookie.id] = 'denied'
}
}Do Not Sell / Do Not Share button
Add a visible opt-out link on your site (required by CPRA for businesses that sell or share data). Use the '!' action to deny all non-mandatory cookies:
{
"text": "Do Not Sell or Share My Personal Information",
"type": "reject",
"cookies": "!"
}Migration from CCPA
Change regulation: 'ccpa' to regulation: 'cpra' and add cpraCategory to cookies that involve selling or sharing. Existing consent records remain valid — no forced re-consent unless your cookie categories change.
- regulation: 'ccpa'
+ regulation: 'cpra'