Is a cookie banner required under CPRA?

The California Privacy Rights Act (CPRA) doesn’t explicitly require a cookie banner, but it does require businesses to provide a mechanism for consumers to opt out of the sale or sharing of their personal data, which can include data collected through cookies.

A standard (opt-in) cookie banner will not be sufficient to comply with CPRA. The Draft Regulations specify that an acceptable method to submit opt-out requests must address the sale and sharing of personal information.

To comply with CPRA, your website can provide: 

  • A clear “Do Not Sell/Share My Personal Information” (DNSMPI) link, which may include a mechanism to control cookie preferences. 
  • As an alternative option, businesses must honour opt-out signals, like the Global Privacy Control.

Consent management platforms like CookieYes offer users the ability to display an opt-out banner with a DNSMPI link where your site’s visitors can opt out of selling or sharing their data.