California’s privacy regulations are among the strictest in the world. If your website receives traffic from there, you may need to comply with the CCPA and CPRA. We help you detect if these laws apply to you and adapt your site to avoid penalties.
Even if your company is not based in the United States, California’s privacy regulations could still apply to your website
Since January 1, 2020, the California Consumer Privacy Act (CCPA) has granted consumers the right to access their data, delete their personal information, and opt out of the sale of their data. As of 2023, the CPRA strengthens and expands these rights, introducing new principles such as limiting the use of sensitive data and allowing the correction of inaccurate information.
This law applies to for-profit companies, whether or not they are located in California, as long as they meet at least one of the following conditions: have annual revenues over $25 million, process data from more than 50,000 individuals per year (a threshold raised to 100,000 under the CPRA), or derive more than 50% of their revenue from the sale of personal data.
Even if you're not in California, if you receive traffic from there and meet any of the above criteria, you must comply with the CCPA/CPRA.
This includes displaying clear privacy notices, informing users about data sales, and providing mechanisms to exercise rights such as opting out or requesting data deletion.
Comply with Google Consent Mode and keep your legal texts always up to date with the GDPR, effortlessly.
The CCPA and CPRA grant California consumers specific rights over their personal information. If your website processes this data, you must comply with a set of clear legal obligations.
Right to opt out of data sales
Users can request that their information not be shared or sold to third parties.
Access, correction, and deletion of personal data
Consumers can view, correct, or delete the data you have collected about them.
Limitation of the use of sensitive data
You must allow users to limit the use of information such as geolocation, health data, or biometric characteristics.
Transparency about the data you collect and use
Your website must clearly inform users about what data it collects, how it is used, and whether it is shared.
Mechanisms to exercise rights (DSARs)
You must provide a form or a clear channel for users to easily exercise their rights.
Security measures and proactive accountability
Implement good cybersecurity practices and be able to demonstrate compliance if requested.
With the Lawwwing plugin, you get a cookie banner compatible with Google Consent Mode v2 and keep your legal texts up to date with the GDPR, all backed by legal experts.
In this section, we answer the most common questions about cookie policies and how to ensure your website complies with current regulations.
You could face fines of up to $7,500 per violation. You also risk losing user trust or receiving complaints if you don’t respect their privacy rights.