Navigating CCPA and CPRA: What Businesses Need to Know

The conversation about CCPA and CPRA compliance usually starts and ends with the cookie banner. It’s a common, convenient myth that if you just slap up a big, ugly pop-up and add a “Do Not Sell or Share” link, you’ve checked the legal box. Most companies adopt this bare-minimum approach, breathe a sigh of relief, and move on.

Simul Sarker

Founder & Product Designer of DataCops

Last Updated: May 17, 2026

In January 2026 a fresh round of CCPA regulations took effect, and I watched a dozen companies do the same panicked thing in response. A user clicks "Do Not Sell or Share," and they kill all analytics for that visitor. No page views, no funnel data, nothing. They think that is compliance. It is not. It is over-compliance, and it is quietly costing them their measurement stack for no legal reason at all.

That is the lie at the center of most CCPA content: that an opt-out means you go dark. It does not. California law never said that.

This is not a legal post; I am not your privacy counsel, and you should have one. This is a marketing-data post. The question I actually want to answer is the one the law firms skip: what can you still measure after a Californian opts out? Because the honest answer is "more than you think," and most businesses are leaving lawful data on the table out of fear.

The real fix is not a bigger consent banner. It is an architecture that separates two kinds of data at the source: anonymous measurement that flows no matter what, and identifiable data that waits for permission. That is what DataCops is built around, and it maps almost exactly onto how CCPA and CPRA actually work. Paired with a server-side Conversion API, it lets you keep lawful measurement intact instead of going dark. For the privacy-first marketing pattern in long form, see privacy-first marketing.

Quick stuff people keep asking

What is the difference between CCPA and CPRA? CCPA is the original 2018 California law. CPRA is the 2020 amendment that expanded it - added the "Share" concept for cross-context behavioral advertising, created a sensitive-personal-information category, and set up the California Privacy Protection Agency to enforce it. In practice, in 2026, when people say "CCPA" they mean the CCPA as amended by CPRA. It is one regime now, not two.

Who must comply in 2026? A for-profit business doing business in California that hits one of three thresholds: $25 million-plus in annual gross revenue, buys or sells the personal information of 100,000-plus California consumers or households, or makes 50% or more of its revenue from selling or sharing personal information. You do not need an office in California. You need California customers.

Does CPRA affect analytics and ad tracking? Yes, but not the way panic suggests. It affects identifiable tracking and cross-context behavioral advertising - the stuff that follows a named person around. Aggregate, anonymous, first-party analytics is a different category. The law treats it differently. So should you.

What are the new January 2026 regulations? The headline items are formal requirements around automated decision-making technology, mandatory risk assessments for higher-risk processing, and tighter cybersecurity-audit expectations. The opt-out and data-sale rules did not get gentler. They got more operationalized.

What is the "Do Not Sell or Share" requirement? Consumers can tell you to stop selling their personal information and stop sharing it for cross-context behavioral advertising. You must honor it, you must offer a clear way to do it, and you must respect the Global Privacy Control browser signal as a valid opt-out. Critically, this is an opt-out on selling and sharing - not a blanket ban on you measuring your own site.

How does CPRA affect consent management platforms? It makes the opt-out mechanism mandatory and the GPC signal binding. But here is what gets missed: a CMP governs identifiable, sale-and-share-grade data. If you route every byte of analytics through the CMP, you have handed the CMP veto power over data it has no legal reason to touch.

What are the penalties for non-compliance? Up to $2,663 per violation, and up to $7,988 per intentional violation or violation involving a minor, as adjusted. Per violation - and "per consumer affected" adds up fast. The CPPA can act without giving you a cure period.

Does CCPA require a cookie consent banner? Not explicitly, the way the EU's regime does. CCPA is opt-out, not opt-in. You do not need to block analytics until someone consents. You need a working, honored "Do Not Sell or Share" path and you need to respect GPC. The EU-style "click to accept before anything loads" wall is not a CCPA requirement. Many US sites run it anyway, out of habit.

The gap: "opt-out" got confused with "no data"

Here is the structural mistake, and it is everywhere.

Businesses treat a CCPA opt-out like a GDPR consent withdrawal. They are not the same animal. GDPR is opt-in - no consent, no processing. CCPA is opt-out - processing is lawful until the consumer says stop, and even then "stop" applies to selling and sharing, not to all measurement.

When a Californian opts out, you must stop selling their data and stop sharing it for cross-context behavioral advertising. You do not have to stop knowing how many people visited your pricing page. Aggregate, de-identified, first-party analytics - counting sessions, measuring funnel drop-off, seeing which campaign drove traffic, with no persistent identifier tied to a real person - is not a "sale" and not a "share." It is you measuring your own property. That stays lawful.

So the businesses going fully dark on opted-out users are not being compliant. They are being scared. They have blinded themselves to data the law never asked them to give up. Their conversion rates, their funnel metrics, their channel attribution - all degraded, voluntarily, for nothing.

The opposite mistake is just as common and far more dangerous: keeping identifiable tracking and ad-platform sharing running after an opt-out because pulling it apart was too hard. That is the actual violation. That is the per-consumer fine.

Both mistakes come from the same root cause. The data is not separated. Anonymous measurement and identifiable, shareable data flow through the same third-party scripts, in the same pipeline, with no isolation. So when an opt-out lands, you have exactly two crude options: kill everything or kill nothing. There is no clean middle, because the architecture never built one.

Two tiers, separated at the source

The way out is to stop treating "analytics" as one thing. It is two.

Tier one: anonymous, aggregate, first-party measurement. Session counts, funnel steps, page performance, campaign-level traffic. No persistent cross-context identifier, no profile tied to a real person. This tier is lawful for everyone, opted-out or not. It should never depend on a consent state, because consent is not legally required for it.

Tier two: identifiable data, and anything shared with ad platforms for cross-context behavioral advertising. This tier is what the opt-out actually governs. It should be gated - present for users who have not opted out, switched off cleanly the moment someone does or sends a GPC signal.

The point is that the two tiers are split at the source, in your own infrastructure, before anything goes anywhere. Then honoring an opt-out is not a panic button. It is a switch on tier two while tier one keeps running, lawfully, uninterrupted. You stay compliant and you keep measuring. Those were never actually in conflict.
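What the split looks like as server-side code, as an added illustration rather than DataCops' own implementation: one incoming event is routed into the two tiers described above. Tier one is stripped of identifiers and always emitted; tier two and the ad-platform share are switched off when the consumer has used the "Do Not Sell or Share" link or the browser sends the Global Privacy Control header (`Sec-GPC: 1`). The event field names, the `IDENTIFYING_FIELDS` list, the opt-out store keyed by `clientId`, and the sample event are assumptions constructed for the example.

```javascript
// Added example, not DataCops code. Routes one event into the two tiers the
// post describes: anonymous measurement (always flows) and identifiable data
// plus ad-platform sharing (gated on opt-out state). Field names, the opt-out
// store and the sample event are assumptions made for this illustration.

// Fields treated as identifying for this example (assumption). Anything here is
// dropped from tier one so the anonymous tier carries no person-level identifier.
const IDENTIFYING_FIELDS = new Set(["email", "phone", "userId", "clientId", "ip", "fbc", "fbp"]);

// Global Privacy Control is sent as the request header "Sec-GPC: 1".
// Header names are matched case-insensitively, as HTTP requires.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// An opt-out is in effect if the consumer clicked "Do Not Sell or Share"
// (recorded in optOutStore, a Set of client ids in this example) OR the browser
// sends GPC. Either signal alone is binding; neither can override the other.
function isOptedOut(headers, optOutStore, subjectKey) {
  return hasGpcSignal(headers) || optOutStore.has(subjectKey);
}

// Tier one: keep only aggregate measurement fields (page, campaign, value, ...).
function toAnonymousEvent(event) {
  const anon = {};
  for (const [key, value] of Object.entries(event)) {
    if (!IDENTIFYING_FIELDS.has(key)) anon[key] = value;
  }
  return anon;
}

// Decide what each sink receives. Returns the decision instead of sending, so
// the gate can be unit-tested and audited independently of any ad platform SDK.
function routeEvent(event, headers, optOutStore) {
  const optedOut = isOptedOut(headers, optOutStore, event.clientId ?? "");
  return {
    optedOut,
    tierOne: toAnonymousEvent(event),        // anonymous, first-party: always emitted
    tierTwo: optedOut ? null : { ...event }, // identifiable: gated on opt-out state
    shareWithAdPlatforms: !optedOut,         // CAPI exclusion decided here, server-side
  };
}

// Constructed sample event: a purchase on the pricing page with identifiers attached.
const SAMPLE_EVENT = {
  name: "purchase",
  page: "/pricing",
  campaign: "spring-launch",
  value: 49,
  clientId: "c-123",
  email: "visitor@example.com",
};

// Walk the three states a practitioner cares about: GPC header, explicit
// opt-out via the link, and no opt-out at all.
function demo() {
  return {
    gpc: routeEvent(SAMPLE_EVENT, { "Sec-GPC": "1" }, new Set()),
    link: routeEvent(SAMPLE_EVENT, {}, new Set(["c-123"])),
    none: routeEvent(SAMPLE_EVENT, {}, new Set()),
  };
}

if (typeof module !== "undefined") {
  module.exports = { hasGpcSignal, isOptedOut, toAnonymousEvent, routeEvent, demo, SAMPLE_EVENT };
}
```

The design point is where the gate sits: `routeEvent` runs in your own infrastructure before anything reaches a third-party script or a Conversion API call, so an opt-out changes the decision for tier two only and never touches the anonymous count that `tierOne` carries.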

This is the architecture DataCops is built on. First-party, running on your own subdomain. Anonymous analytics flow unconditionally. Identifiable data is held to the consent and opt-out state. When CAPI sends conversions to Meta, Google, TikTok or LinkedIn, opted-out users are excluded from that share by design, not by a fragile last-minute script. On the bot side, ingestion-level filtering against a 361.8 billion-plus IP database means the data you keep is real humans, not contamination - which matters, because de-identified data still has to be genuine data to be worth anything.

To be straight with you: DataCops is a newer brand and SOC 2 Type II is still in progress, so if you are a heavily regulated enterprise buyer, that may factor into your timeline. And none of this replaces a privacy lawyer reviewing your specific exposure. But the architectural principle - two tiers, separated before data leaves your hands - is exactly the shape CCPA and CPRA reward.

Decision guide

A user opts out or you detect GPC. Stop tier two for that user - selling, sharing, identifiable tracking. Keep tier one anonymous analytics running. That is compliant, not a loophole.

You currently kill all analytics on opt-out. You are over-blocking. Re-enable anonymous, aggregate measurement for opted-out users. You are losing data you are legally allowed to have.

You run an EU-style "accept first" wall on a US-only site. CCPA does not require it. You are likely suppressing lawful measurement and hurting conversion for no compliance gain. Reassess.

Sensitive personal information involved. CPRA gives consumers a right to limit its use. Treat it as its own stricter tier. Do not lump it in with general analytics.

You sell or share data and miss the GPC signal. That is a live violation in 2026. GPC is a binding opt-out. Make sure your stack actually reads and honors it.

B2B-only and assuming you are exempt. You are not. CPRA covers B2B personal data. The old partial B2B carve-out expired. A business contact is still a California consumer.

You did not have to go dark

The companies handling this well are not the ones with the biggest consent banners. They are the ones who understood that CCPA draws a line between selling people's data and measuring your own website - and built their stack to respect that exact line.

The ones struggling treat every opt-out as an emergency, because their architecture forces an all-or-nothing choice every single time. That is not the law being harsh. That is a pipeline that was never designed for the law.

So go look at your own setup. When a Californian clicks "Do Not Sell or Share" tomorrow, what actually happens? If the answer is "everything stops" or "honestly, we are not sure" - you do not have a compliance problem yet. You have an architecture problem that is one audit away from becoming one.

