Consenti

CPRA Compliance Guide

ℹ️Compliance group: opt-out-strict — opt-out for sale/sharing; opt-in required for sensitive data. GPC triggers both Do Not Sell and Do Not Share. Use compliance: { type: 'opt-out-strict' } in your ConsentiSetup config.

The California Privacy Rights Act (CPRA) superseded CCPA on 1 January 2023. It is enforced by the California Privacy Protection Agency (CPPA) — a dedicated regulatory body, not just the Attorney General.

Official references

CCPA vs. CPRA

CCPA (2020)CPRA (Jan 2023)
EnforcerAttorney GeneralCPPA (dedicated agency)
GPC obligationRequiredRequired
Do Not SellYesYes
Do Not Share (cross-context behavioural advertising)NoYes
Sensitive personal data opt-inNoYes
Data minimisationNoYes
Correction rightNoYes

Enabling CPRA mode

ts
new ConsentiSetup({
  core: {
    regulation: 'cpra',
    autoHonorGPC: true,  // required — GPC denies sale and sharing cookies automatically
  },
})

Per-cookie category

In the dashboard Cookie Template Editor, enable the CPRA Category column and assign each data-selling or sharing cookie a category:

ValueMeaningGPC effectFirst-visit default
salePersonal data sold to third partiesAlways denied on GPCDenied
sharingCross-context behavioural advertisingAlways denied on GPCDenied
sensitiveSensitive personal data (health, race, religion, precise geo…)Always opt-in regardless of GPCDenied
(unset)Standard cookieStandard GPC behaviourGranted

GPC — Global Privacy Control

When the GPC signal (navigator.globalPrivacyControl === true) is detected under CPRA, Consenti automatically:

  1. Denies all cookies with cpraCategory: 'sale'
  2. Denies all cookies with cpraCategory: 'sharing'
  3. Leaves other cookies at their submitted value
  4. Stores gpc_detected: true on the consent record
ℹ️Cookies with cpraCategory: 'sensitive' always require an explicit opt-in — GPC is not required for this, it is mandatory under CPRA Section 1798.121.

Server-side enforcement

The backend re-applies CPRA rules on every POST /consent and PUT /consent/:idregardless of what the client sends, so a compromised widget cannot bypass the rules:

ts
// consent.service.ts — enforced server-side on every write
if (gpcDetected && regulation === 'cpra') {
  if (cookie.cpraCategory === 'sale' || cookie.cpraCategory === 'sharing') {
    effectiveConsent[cookie.id] = 'denied'
  }
}

Do Not Sell / Do Not Share button

Add a visible opt-out link on your site (required by CPRA for businesses that sell or share data). Use the '!' action to deny all non-mandatory cookies:

json
{
  "text": "Do Not Sell or Share My Personal Information",
  "type": "reject",
  "cookies": "!"
}

Migration from CCPA

Change regulation: 'ccpa' to regulation: 'cpra' and add cpraCategory to cookies that involve selling or sharing. Existing consent records remain valid — no forced re-consent unless your cookie categories change.

diff
- regulation: 'ccpa'
+ regulation: 'cpra'