---
title: "CPRA Cookie Consent Requirements: How to Comply in 2026"
subtitle: "Learn how to achieve CPRA cookie consent compliance in 2026. Discover key requirements, best practices, and tools to enhance trust, transparency, and user experience."
source: "https://www.cookieyes.com?utm_source=cy_llm_widget&utm_medium=cy_llm_widget&utm_campaign=cy_llm_widget"
---

# CPRA Cookie Consent Requirements: How to Comply in 2026
The CPRA requires businesses to let California residents opt out of the sale or sharing of their personal information, including data collected through cookies. In practice, this means adding a “Do Not Sell or Share My Personal Information” link to your site and honouring Global Privacy Control (GPC) signals from browsers. The CPRA does not require opt-in consent for cookies the way GDPR does. It works on a notice-and-opt-out basis instead. This guide is your roadmap to mastering CPRA cookie consent requirements, including how to create a CPRA cookie consent banner.

## What is CPRA and how does it impact cookie consent?


The [CPRA](https://www.cookieyes.com/blog/cpra-compliance-checklist/), which amends and expands the California Consumer Privacy Act (CCPA), strengthens privacy protections for California residents. Among its many provisions, it introduces stricter requirements for consent, granting consumers more control over how their personal information is used online.

Unlike under data privacy laws such as the General Data Protection Regulation (GDPR), under the CPRA you typically do not need consent to use consumers’ personal information, except in specific situations. Instead, you must offer opt-out options that let consumers request that you not sell or share their personal information.


![CPRA opt-out banner as seen on AudioEye ](https://www.cookieyes.com/wp-content/uploads/2025/02/CPRA-opt-out-banner-1024x545.png)
*caption: CPRA opt-out banner as seen on AudioEye *





Therefore, it is important to include a cookie opt-out banner that enables users to decline non-essential cookies that share or sell information, like those used for cross-context behavioural advertising.



Related read

[Difference between opt-in and opt-out consent model](https://www.cookieyes.com/blog/opt-in-opt-out/)

## CCPA vs CPRA: Key changes in cookie consent under CPRA


The CPRA has introduced new rules regarding consent, highlighting the importance of user control and transparency. Below, we outline some key changes and their implications for your business.

### Expansion of opt-out rights


Before the CPRA amendments, consumers had the right to opt out of the sale of personal information. The CPRA expanded the right to the sharing of information by businesses for advertising purposes, which is often based on profiles generated from users’ online activity.

For online platforms, this means providing users with opt-out banners for third-party cookies. These controls must ensure consumers can easily exercise their right to prevent data sharing for targeted advertising or other purposes.

### Opt-in consent for minors


One of the most notable consent requirements under CCPA/CPRA is the introduction of opt-in requirements for minors’ data (children below 16 years).

CCPA introduced stricter rules for sharing or selling the personal information of minors. If your business caters to minors, you should obtain consent through an affirmative action indicating consent to sell or share their personal information. This extends to third-party cookies used for behavioural monitoring or advertising purposes. 

Subsequently, the CPRA strengthened the regulation by mandating businesses to wait a minimum of 12 months before requesting users to opt in again. Additionally, it raised the fine for violations of children’s privacy to $7,500 per occurrence.

Children between the ages of 13 and 16 can opt in themselves. However, for children under 13 years, the consent of the parent or legal guardian is necessary.




![Image of Lego’s website with an opt-in cookie banner that requires affirmative consent for non-necessary cookies like marketing cookies](https://www.cookieyes.com/wp-content/uploads/2025/02/Opt-in-cookie-banner-1024x550.png)
*caption: Lego’s website has an opt-in cookie banner that requires affirmative consent for non-necessary cookies like marketing cookies *



### Sensitive personal information


CPRA introduces a new category of personal data known as sensitive personal information based on the heightened risks if its privacy is compromised. Examples include:


- Social security numbers

- Driver’s license numbers

- Financial account details

- Precise geolocation

- Racial or ethnic origin

- Religious beliefs

- Biometric information



Consumers have the right to limit the use of sensitive personal information. Therefore, companies that collect sensitive data should offer a clear and accessible “Limit the use of my sensitive personal information” link on their websites.

## Why is CPRA cookie consent compliance important for businesses?


### Enhance customer trust


By prioritising privacy, you show users their data is safe, fostering loyalty and improving your brand image.

### Drive business growth


A transparent approach to data handling can differentiate you from competitors, attracting privacy-conscious consumers.

### Future-proof your operations


Staying compliant with CPRA is more than a legal requirement. It is a proactive investment.

As privacy regulations expand and evolve, implementing scalable, compliance-ready processes ensures your business is prepared to adapt seamlessly. This forward-thinking approach minimises disruption, reduces risk, and keeps your focus on growth and innovation.

By aligning with CPRA requirements, your business not only avoids penalties but also leads the way in building a privacy-first, consumer-focused future.

## How to implement CPRA-compliant cookie consent


Follow these 5 steps to implement CPRA-compliant cookie consent efficiently. 

### #1 Audit your cookies


Conducting a comprehensive cookie audit is the first step in achieving CPRA compliance. Take a look at the steps involved in the auditing process.

Identify cookies

Identify all the cookies that your website uses. You can simplify the process by utilising cookie audit tools to scan your website for all cookies being used.

Categories

The next step is to categorise the identified cookies. Common categories include:


- Necessary cookies



These are first-party cookies essential for website functionality. For example, session cookies are temporary cookies that store users’ activities as they navigate through different pages. 


- Functional cookies



Functional cookies enhance the user experience by remembering preferences such as login information and language settings for seamless browsing.


- Analytics cookies



Analytics cookies are often used to track user behaviour on websites for purposes like website optimisation or saving language preferences.


- Advertising cookies



They track user behaviour and preferences across platforms to display personalised ads. 

Documenting Cookie Purposes

Clearly outline what each cookie does, its category, why it is needed, and how long it will be retained. This documentation will serve as a reference when updating your privacy/cookie policy and informing users about data collection practices.

You can simplify this by running a cookie scan. CookieYes automatically detects and categorises every cookie on your site, including third-party scripts you didn’t knowingly add. It takes only a few minutes and gives you a categorised list to work from. 

![Image](https://www.cookieyes.com/wp-content/uploads/2025/02/Cookie-scan-1024x513.png)
*caption: CookieYes cookie manager gives a complete overview of all the cookies on your site*



### #2 Update your cookie policy


Transparency is a core aspect of CPRA compliance. Businesses that collect personal information must inform consumers of their data practices. The email addresses and names collected for a newsletter sign-up or financial credentials used for billing fall under CPRA’s definition of personal information.

For websites, the transparency requirements extend to cookies as well. Since they can collect personal information such as IP addresses or a user’s preferences, your company must provide a detailed description of the cookie usage.

One way is to provide it as a section within your privacy policy and provide a direct link to it in the footer.


![An image of Apple's privacy policy with a separate section that details how it uses cookies on its website.](https://www.cookieyes.com/wp-content/uploads/2025/02/cookie-policy-example-1024x843.png)
*caption: Apple’s privacy policy has a separate section that details how it uses cookies on its website.*



You can also create a separate cookie policy manually or use free tools like the [CookieYes cookie policy generator](https://www.cookieyes.com/free-cookie-policy-generator/). This is a very popular and effective method for creating a cookie policy from scratch.

The following are some of the key requirements of a cookie policy:


- Data collection details: Specify what personal information is collected through cookies

- Usage explanation: Describe how this data will be used, including any third-party sharing

- Duration: Specify for how long cookies would remain on the user’s device

- Consumer rights under CPRA: Inform about consumer rights such as the right to opt out of data sharing



Additionally, make sure your cookie/privacy policy is readily available from the cookie consent banner, and if it is a privacy policy, it should include distinct sections that discuss cookie usage and consumer rights.

A cookie policy is also known by the names cookie notice and cookie statement.

### #3 Provide granular controls


CPRA clarifies that consent should be specific and purpose-driven. Businesses cannot rely on broad, all-encompassing consent to use multiple types of consumer data for various purposes. This makes it essential to implement granular controls that empower users to manage their cookie preferences with greater precision. 

Here are some key considerations for granular cookie consent when opt-in is necessary: 


- Category-specific choices



Allow users to accept or reject cookies based on categories. For instance, they may agree to analytics cookies while opting out of advertising cookies.


- User-friendly Interface



Ensure that the interface for managing preferences is intuitive and straightforward, allowing users to make adjustments easily without navigating through multiple pages. 

Businesses should avoid using [dark patterns](https://www.cookieyes.com/blog/dark-patterns-in-cookie-consent/) to obtain consent as it undermines users’ autonomy and decision-making.

### #4 Enable easy opt-out


In addition to requiring an opt-out mechanism, the CPRA mandates that businesses must ensure the process is both convenient and accessible for consumers. 

Additionally, ensure that there is a clear option for users to opt out of personalised advertisements and tracking at any point during their interaction with your site. 

This should be accompanied by a link titled “[Do not sell or share my personal information](https://www.cookieyes.com/blog/do-not-sell-my-personal-information/),” which directs users to a dedicated opt-out page.


![The footer of the KFC website with a “Do not sell or share my personal information.”](https://www.cookieyes.com/wp-content/uploads/2025/02/opt-out-cpra-1024x302.png)
*caption: The footer of the KFC website with a “Do not sell or share my personal information.”*



If you’re using a consent management platform like CookieYes, you can enable a “Do Not Sell or Share My Personal Information” link in your cookie banner with a simple toggle. No coding needed.


![Image](https://www.cookieyes.com/wp-content/uploads/2026/03/CCPA-do-not-sell-924x1024.png)



Once a consumer opts out of cookies, wait for at least twelve months before asking them to opt back in for the sale or sharing of personal information.

Providing a convenient and straightforward opt-out experience is not only essential for regulatory compliance but also critical for user experience and building customer trust. Therefore, you may offer a simple way for users to change their preferences or opt out at any time, such as a manage consent preferences link or widget on the website.

The below video shows how a user opts in for performance cookies. Similarly, they can also opt-out at any time, enabling them to manage their consent preferences seamlessly.



### #5 Use a CPRA-compliant cookie banner


Designing an effective opt-out banner is essential for CPRA compliance. 

Below is a checklist of a CPRA-compliant cookie banner.

Clear messaging

The banner should clearly state that cookies are being used and provide a brief explanation of the categories of cookies used, their purposes, duration, etc.

Consent options

Your cookie banner should have a “Do not sell/share my personal information” link that enables them to opt out of third-party cookies. If your website caters to minors, you must provide an opt-in banner instead of an opt-out one. 

Design

The design should ensure that users can easily understand the cookie message and make informed choices without overwhelming them with technical jargon.
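
The opt-out model, the opt-in model for minors, the twelve-month wait before re-asking, and the Global Privacy Control signal described in this guide, combined into one decision function. This is an added example, not CookieYes code: `decideConsent`, `hasGpcSignal`, the visitor fields, the 365-day reading of "twelve months", and treating a GPC signal as overriding any stored opt-in are all assumptions.

```javascript
// Added example; all names here (decideConsent, visitor fields) are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const REPROMPT_WAIT_MS = 365 * DAY_MS; // assumption: "twelve months" taken as 365 days

// GPC reaches the server as the request header "Sec-GPC: 1" and reaches
// page scripts as navigator.globalPrivacyControl === true.
function hasGpcSignal(headers = {}, nav = {}) {
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "sec-gpc");
  const headerOn = entry !== undefined && String(entry[1]).trim() === "1";
  return headerOn || nav.globalPrivacyControl === true;
}

// visitor: { headers, navigator, isMinor, optedOutAt, optedInAt, rejected }
// Timestamps are epoch milliseconds or null. rejected lists the functional or
// analytics categories the visitor declined; advertising follows the opt-out record.
function decideConsent(visitor, now = Date.now()) {
  const gpc = hasGpcSignal(visitor.headers, visitor.navigator);
  const optedOutAt = visitor.optedOutAt ?? null;
  const optedInAt = visitor.optedInAt ?? null;
  const rejected = new Set(visitor.rejected ?? []);

  // The most recent explicit choice wins.
  const lastChoiceIsOptIn =
    optedInAt !== null && (optedOutAt === null || optedInAt > optedOutAt);
  const lastChoiceIsOptOut = optedOutAt !== null && !lastChoiceIsOptIn;

  // Under 16: nothing is sold or shared without an affirmative opt-in.
  // Otherwise: allowed until the visitor opts out.
  const model = visitor.isMinor ? "opt-in" : "opt-out";
  const chosen = model === "opt-in" ? lastChoiceIsOptIn : !lastChoiceIsOptOut;
  // Assumption in this sketch: a GPC signal always counts as an opt-out.
  const advertising = chosen && !gpc;

  // After an opt-out, do not ask for opt-in again until the wait has passed.
  const waitOver = !lastChoiceIsOptOut || now - optedOutAt >= REPROMPT_WAIT_MS;
  const mayAskToOptIn = !advertising && !gpc && waitOver;

  return {
    model,
    mayAskToOptIn,
    showDoNotSellLink: true, // the link stays available on every page
    categories: {
      necessary: true,
      functional: !rejected.has("functional"),
      analytics: !rejected.has("analytics"),
      advertising,
    },
  };
}
```

Run the same decision on the server (from the request header) and in the page (from `navigator`) so that advertising tags are never loaded for a visitor whose browser sends the signal.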

## Why is CookieYes the one-step solution for CPRA cookie compliance?


Managing cookie consent shouldn’t be a source of frustration—it is an opportunity to build trust and stand out as a privacy-first business. CookieYes, a leading Cookie Consent Management Platform (CMP), makes it effortless to meet California Privacy Rights Act (CPRA) requirements while creating a seamless, user-friendly experience.

### Cookie audits


CookieYes conducts deep scans of your website and generates an in-depth report of the cookies your website uses. You can also schedule your scans and automate the process.

### Customisable consent banners


Create cookie consent banners that align with your brand’s identity while maintaining full CPRA compliance. Stand out with a design that enhances your website’s credibility and professionalism.

### Granular consent control


Empower users with the ability to manage their privacy preferences by choosing which cookie categories—such as analytics, advertising, or functional—they want to enable or reject.

### One-click opt-out/opt-in mechanism


Simplify cookie management with an intuitive platform that allows users to easily opt out of non-essential cookies at any time, building trust through transparency.

### Audit-ready compliance tracking


Stay ahead with automated records of user consent. CookieYes helps you maintain detailed documentation, making audits stress-free and ensuring continuous compliance.

### Boost user trust with seamless integration


CookieYes integrates effortlessly into your website, creating a smoother experience for your visitors. A privacy-first approach demonstrates your dedication to protecting user data—key to driving customer loyalty and long-term growth.






## Challenges businesses face with CPRA cookie consent


### Managing user preferences and compliance


Effectively managing, storing and honouring user preferences across digital properties can be complex. Robust automation tools are required to track consent and ensure compliance.

### Balancing compliance with user experience


While compliance is essential, it shouldn’t disrupt the user experience. Design your cookie banners to be clear and informative without being intrusive. 

### Adapting to evolving regulations


Privacy laws like the CPRA are constantly evolving, requiring businesses to stay updated and ensure their consent mechanisms remain compliant. This demands ongoing monitoring and updates to processes, systems, and policies to keep pace with regulatory changes.

### Ensuring global compliance


For businesses operating across multiple jurisdictions, managing cookie consent becomes more challenging as they must comply with not only CPRA but also other privacy regulations like GDPR, PIPEDA, or LGPD. Harmonising these requirements while providing a seamless experience for users is a major challenge. 

### Consequences of non-compliance


The California Privacy Protection Agency and the Attorney General enforce the law collaboratively. Failing to comply with CPRA cookie consent requirements can lead to fines of up to $7,500 per intentional violation and $2,500 for unintentional violations.

Consumers also have a [private right of action](https://www.cookieyes.com/blog/ccpa-private-right-of-action/) in the event of data breaches.

Beyond monetary penalties, non-compliance can harm your brand’s reputation. It is like serving a customer a cookie they are allergic to—not only could you face legal consequences, but you’ll also lose that customer’s trust.

## How to create a CPRA cookie consent banner: Best practices


To maintain compliance and foster trust with your users, follow these best practices:


- Use clear, simple language in your cookie banners and privacy/cookie policy

- Do not use dark patterns

- Regularly update your cookie consent mechanism to reflect any changes in data collection practices

- Honour universal opt-out signals

- Provide a “Do not sell my information” link

- Link your cookie policy on the banner

- Use CookieYes CMP as your all-in-one compliance solution



Related read

[Global privacy control for CPRA compliance](https://www.cookieyes.com/blog/global-privacy-control/)

## FAQ on CPRA cookie consent


### Is cookie consent required in California?

Yes, businesses subject to the California Privacy Rights Act (CPRA) must provide a cookie consent banner. This banner must allow consumers to opt out of cookies that involve the sharing or selling of their personal information.

For minors under the age of 16, the law requires stricter measures. Businesses must implement an opt-in mechanism instead, ensuring that consent is explicitly obtained before collecting or processing their personal information.

### What are the consent requirements for cookies under CPRA?

The CPRA allows businesses to use cookies without obtaining explicit consent from users in most cases, except for minors. This means that businesses can set cookies on users’ devices as long as they inform the consumers of the use of cookies and provide a mechanism for users to opt out of the sale or sharing of their personal information.

### Do I need a cookie consent banner for CPRA?

CPRA does not require prior consent for most cookies, but if your website uses cookies for advertising or shares personal data, you must use a cookie banner to meet the CPRA opt-out requirements.

### What is the “Do Not Sell or Share” link and is it required?

The “Do Not Sell or Share My Personal Information” link allows users to opt out of the sale or sharing of their personal data for advertising purposes. Under CPRA, it is required if your business sells or shares personal information. The link must be clearly visible on your website, typically in the footer and cookie banner.

### What happens if I don’t comply with CPRA cookie rules?

Non-compliance with CPRA can lead to enforcement actions by the California Privacy Protection Agency (CPPA), including fines of up to $7,500 per violation. It can also result in reputational damage and loss of user trust.


