Navigating CCPA and CPRA: What Businesses Need to Know
31 min read
The CCPA compliance guide that tells you what data you're legally allowed to keep after an opt-out — and why most businesses are destroying it anyway.
Simul Sarker
Founder & Product Designer of DataCops
Last Updated
June 1, 2026
The compliance article about CCPA that nobody writes is the one that tells you how much data you are legally allowed to keep after a user opts out. Not how to restrict data. Not which fines to avoid. What you are permitted to retain.
The answer is: more than you think. And almost every business is destroying it anyway.
Here is how that happens. GDPR, together with the ePrivacy rules on cookies, is an opt-in regime: before a European visitor's data can be collected for analytics or advertising, you must get affirmative consent. CCPA is an opt-out law. A California resident's data can flow by default; the obligation is to disclose what you collect, to stop selling or sharing it (sharing means disclosure for cross-context behavioral advertising) once the consumer opts out, and to treat a Global Privacy Control (GPC) browser signal as that opt-out without any click. Cookies can therefore be set by default under CCPA/CPRA, provided there is a working method to opt out and to request deletion. First-party analytics that does not disclose data to third parties for behavioral targeting sits outside the opt-out obligation entirely, because nothing is sold or shared; first-party analytics cookies typically do not constitute a sale. The analysis changes as soon as a third-party service such as Google Analytics receives the data and may use it for its own purposes: that vendor is no longer acting as your service provider, and the disclosure can be a sale or a share.
Most businesses do not know this. They apply their EU consent configuration globally, gate US traffic behind an opt-in banner, and discard every session that does not click Accept. Then they wonder why their California traffic has a 40% lower conversion rate than any other state. It does not. They stopped measuring it.
The compliance failure and the data loss failure are the same failure. The architecture that broke your US analytics is also the architecture that will fail a CCPA audit. You do not have to choose between compliance and measurement. But you do have to understand what the law actually requires, not the version of it that a European-facing CMP vendor sold you.
What changed and why it matters now
CPRA, operative since January 1, 2023, extended the CCPA opt-out right from "selling" to "sharing", meaning disclosure of personal information to a third party for cross-context behavioral advertising whether or not money changes hands. That is not a prohibition on collection, and the distinction is what most analytics stacks get wrong. A third-party analytics script that transmits visitor data to a server you do not control, where the vendor may use it for its own product improvement or modeling, is no longer a service-provider disclosure: depending on the purpose it is a sale or a share, and either one triggers the opt-out right. Retargeting pixels, lookalike audience feeds, and real-time bidding signals are all in scope for "sharing". Visitor data that looks anonymous but carries a cookie ID, IP address, or device fingerprint is still personal information, so when it leaves your site for third-party processing, whether Meta Pixel, Google Analytics, or an identity resolution vendor, it is subject to consumer rights.
The enforcement record has sharpened. On May 1, 2025, the CPPA fined Capital One Financial Corporation for violating consumer privacy through embedded tracking technologies including Meta Pixel and Google Analytics. The action establishes that unauthorized third-party data sharing through tracking scripts can itself form the basis of liability. Note that this was an agency enforcement action, not a private lawsuit: the CCPA's private right of action remains limited to data breaches.
That ruling changes the calculus for every business running a standard third-party analytics stack. "We have a privacy policy" is not a defense. "We installed a CMP" is not a defense unless the CMP is actually working. And that is where the second failure compounds the first.
Recent settlements, including Tractor Supply ($1.35M) and Sling TV ($530K), were driven by failures to honor opt-out requests and the presence of dark patterns. The pattern in every case: a consent infrastructure that looked functional in a dashboard but failed in practice. Either the opt-out link did not technically stop data transmission, or the GPC browser signal was silently ignored.
Twelve US states now require honoring Opt-Out Preference Signals including GPC, creating a de facto national standard. This is not a California edge case anymore. If your consent stack does not handle GPC automatically, you are non-compliant across most of the US west coast, mountain west, and northeast simultaneously.
The question your analytics is not answering
Open your GA4 right now. Filter to California. Look at your session count for the last 90 days. Now look at your opt-out rate in your CMP. If your CMP is showing 60-70% opt-out rates on California traffic, you are missing 60-70% of your California sessions, reporting on the 30-40% who clicked Accept as if they represent the whole state.
That is not a compliance problem. That is a reporting problem that cascades into a spending problem. Every bid optimization, every audience lookalike, every conversion report is built on a skewed sample. You are not measuring your California customers. You are measuring your California customers who click Accept on cookie banners. Those are not the same population.
The fix is not to remove the banner. The fix is to understand what data you are legally permitted to collect, build an architecture that collects it cleanly, and reserve the consent gate for what actually requires consent under the specific law applicable to each visitor's jurisdiction.
First-party analytics on US traffic, without sharing to third parties, generally does not trigger CCPA's opt-out obligation. It requires disclosure in your privacy policy, and it requires that you have a real "Do Not Sell or Share" mechanism for the data that does constitute sharing. But it does not require you to blank your analytics for every California visitor who has not explicitly clicked Accept.
The businesses that understand this have a significant measurement advantage over those that do not. Their California data is intact. Their Lookalike Audiences are trained on real customers. Their CPA numbers reflect what is actually happening in the most valuable consumer market in the US.
Where the CMP is silently failing you
There is a second layer to this problem that is almost never discussed in compliance coverage.
Your consent management platform is probably a third-party script. OneTrust, Cookiebot, Usercentrics, Iubenda: all of them load from third-party CDNs. uBlock Origin and Brave block those CDNs by name. Somewhere between 30-40% of privacy-conscious visitors, the same visitors most likely to use GPC or care about consent decisions, never see your banner at all. The script fails silently. No log entry. No error in your analytics. No indicator that consent infrastructure failed on that session.
If the CMP script that produces a consent signal is blocked by the user's browser extension before the page loads, no signal reaches Google. The conversion either fires without consent mode or does not fire at all. Either outcome produces silent data loss that only shows up as a revenue gap weeks later.
For CCPA purposes this creates a compounding problem. The opt-out request you are required to honor is never received, because the mechanism for receiving it never loaded. Regulators do not care why the banner was missing. The California Privacy Protection Agency expects organizations to demonstrate, not just assert, that their privacy controls work. "Our CMP was blocked by an ad blocker" is not a documented consent record. It is an absence of one.
A CMP that cannot read browser consent signals is already out of step with the law. The Digital Omnibus brought cookie governance directly into GDPR through Articles 88a and 88b, introducing the requirement that CMPs recognize browser consent signals. This is the regulatory direction of travel. A third-party CMP that gets blocked before it can read those signals is not a CMP. It is a banner that loads for the users who are least likely to need it.
The first-party CMP model solves this at the architectural level. When the consent management script loads from your own subdomain, host-based filter list entries for vendor CDNs no longer match it: uBlock Origin has no rule for datacops.yourstore.com. Path-pattern rules in lists such as EasyPrivacy can still match a recognisable script name or endpoint path, so verify with the blocker installed rather than assuming, and record banner impressions server-side so that a missing banner shows up as a gap in your own data instead of silently. With that in place the banner loads on every session. Consent is recorded. The GPC signal is read. The opt-out propagates to your analytics stack. This is what compliant infrastructure actually looks like in 2026, not a checked box in a vendor's dashboard.
CCPA vs GDPR: the framework your analytics team needs
Before evaluating any tool, the person owning analytics and the person owning compliance need to agree on one thing: which law applies to which traffic, and what that law actually requires.
CCPA and GDPR are structurally different obligations. Getting them confused costs both measurement accuracy and compliance standing.
CCPA applies to for-profit businesses meeting at least one of: annual gross revenue exceeding $25 million (adjusted for inflation); buying, selling, or sharing the personal information of 100,000 or more California consumers or households annually; or deriving 50% or more of annual revenue from selling or sharing personal information. GDPR applies to any processing of the personal data of people in the EU, regardless of business size.
For most mid-market US businesses, CCPA is the operative law on domestic traffic and GDPR is the operative law on European traffic. Running GDPR-level opt-in consent on US traffic is legally unnecessary and analytically destructive.
What CCPA actually requires for analytics:
For analytics that stays first-party, meaning data is not shared to a third party for their own modeling or advertising purposes, there is generally no opt-out obligation. Disclose what you collect in your privacy policy, provide a functional Do Not Sell or Share link, and honor GPC signals.
For analytics that shares data to third parties, including most standard GA4 deployments, Meta Pixel, and any server-side CAPI implementation, the sharing obligation applies. Visitors can opt out. You must honor GPC. You must stop transmission when they do. Under CCPA, Google Analytics may run by default in many cases, but its behavior must adjust when a valid opt-out or Global Privacy Control signal is detected.
The practical implication: a first-party analytics stack that does not share data outside your own infrastructure has significantly lighter CCPA obligations than a third-party analytics stack, while maintaining full data fidelity. This is the architectural argument for first-party tracking that nobody makes in the compliance literature, because compliance vendors sell consent management, not analytics.
For paid media specifically, the picture is sharper. Displaying confirmation of an honored opt-out request is now required: businesses must provide a clear, immediate acknowledgement to ensure the user knows their request to stop the sale or sharing of data has been processed. The symmetry rule requires the path to withdrawing consent to be just as intuitive as the path to granting it. If your CMP makes it two clicks to reject and one click to accept, that asymmetry is now an enforcement target.
The conversion tracking problem inside compliance
CCPA compliance is not just a consent banner question. It is a conversion tracking quality question, and most businesses do not connect these two things.
When a California visitor clicks your Meta or Google ad and converts, that conversion event travels through your pixel or CAPI into the ad platform's optimization system. If that data included a bot session, a VPN-masked IP, or a fraudulent lead, and the transmission was CCPA-compliant in every procedural respect, you have still sent garbage into the machine. The algorithm trains on it. The Lookalike Audience gets worse. The CPA climbs. Your compliance checkbox did not prevent the data quality failure.
This is Layer 5 of the broken data stack, and it sits downstream of every consent decision you make. Compliant transmission of bot signals is still bot signal transmission. The Global IVT rate is 20.64% (Fraudlogix 2026). Instagram IVT runs at 38%. Audience Network IVT hits 67%. Every one of those invalid events that reaches your CAPI is training Meta on what your converted customers look like. The next campaign finds more of them.
The full architecture for a CCPA-compliant, measurement-intact 2026 conversion stack requires: first-party analytics that cleans data before it leaves your domain, a first-party CMP that loads on every session and routes consent correctly by geography, and a CAPI layer that filters bots before any event fires. Each layer failing independently produces its own compounding damage. All three failing together means you are spending budget on an audience that does not exist and receiving compliance warnings about the mechanism you used to send them there.
Quick answers
Does CCPA require a cookie banner?
Not in the way GDPR does. CCPA requires a "Do Not Sell or Share My Personal Information" link on pages where data collection for selling or sharing occurs, and it requires honoring GPC signals automatically. A full opt-in banner is not required for US-only operations, though it is required for any traffic subject to GDPR. The most common and expensive mistake is applying EU-style opt-in consent globally, which destroys US analytics data that you were legally permitted to collect.
What is the GPC signal and do I have to honor it?
Global Privacy Control is a browser-level signal that communicates an opt-out preference. Twelve US states now require honoring Opt-Out Preference Signals including GPC, creating a de facto national standard. If your CMP does not automatically detect and enforce GPC signals, you are non-compliant across most major US markets. Enforcement actions have named ignored GPC signals as a specific violation.
Can I use Google Analytics after someone opts out under CCPA?
It depends on how GA4 is configured. If you have a service provider agreement with Google that restricts Google from using your data for its own purposes, analytics may continue with restrictions. Without that agreement and a proper Consent Mode v2 configuration, GA4 transmissions after a CCPA opt-out could constitute prohibited sharing. There are two ways to enforce the opt-out technically. Script blocking prevents Google Analytics from loading at all when an opt-out or GPC signal applies. Google Consent Mode v2 lets the GA4 tag load but, when analytics_storage and the ad_* flags are set to denied, drops cookies and identifiers and sends only cookieless pings; a GA4 hit sent in that state carries gcs=G100 in its query string, which is what an auditor should expect to see after an opt-out.
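The routing logic described above, as an added example that is not DataCops code and not from the original article. It reads the GPC signal on either side of the connection, resolves what may run for a visitor under the opt-in (EU) versus opt-out (US) model, maps that onto Google Consent Mode v2 flags, and gates tag loading on the same decision. Real interfaces used: navigator.globalPrivacyControl, the Sec-GPC request header, and gtag('consent', ...). Assumed and hypothetical: the jurisdiction value comes from your own geo lookup, the stored choice from your own consent cookie, and the TAGS catalogue stands in for your real tag list.

```javascript
// Added example (not DataCops code, not from the original page).
// Real: navigator.globalPrivacyControl, the Sec-GPC header, gtag('consent', ...).
// Assumed: jurisdiction ('EU' | 'US') from your geo lookup, storedChoice
// ('accept' | 'opt-out' | null) from your consent cookie, TAGS is illustrative.

// 1. Read the Global Privacy Control signal on whichever side you are on.
function gpcSignalled({ navigator = null, headers = null } = {}) {
  if (navigator && navigator.globalPrivacyControl === true) return true;
  if (headers) {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
    if (key !== undefined) return String(headers[key]).trim() === '1';
  }
  return false;
}

// 2. Decide what may run for this visitor.
//    EU (GDPR/ePrivacy, opt-in): nothing non-essential until an explicit accept.
//    US (CCPA/CPRA, opt-out): first-party analytics runs by default; any disclosure
//    that is a sale or share stops on an opt-out click OR a GPC signal.
function resolveConsent({ jurisdiction, storedChoice = null, gpc = false }) {
  if (jurisdiction === 'EU') {
    const granted = storedChoice === 'accept';
    return { firstPartyAnalytics: granted, thirdPartySharing: granted,
             reason: granted ? 'eu-opt-in' : 'eu-no-consent' };
  }
  const optedOut = gpc || storedChoice === 'opt-out';
  return { firstPartyAnalytics: true, thirdPartySharing: !optedOut,
           reason: gpc ? 'gpc' : optedOut ? 'opt-out-link' : 'ccpa-default' };
}

// 3. Map the decision onto Google Consent Mode v2 flags. The ad_* flags govern what
//    Google may use for advertising (the "share"). analytics_storage governs GA4
//    cookies: GA4 is a third party, so it follows the sharing decision unless Google
//    is contractually your service provider (gaIsServiceProvider), in which case it
//    follows the first-party analytics decision.
function consentModeParams(state, { gaIsServiceProvider = false } = {}) {
  const share = state.thirdPartySharing ? 'granted' : 'denied';
  const analyticsAllowed = gaIsServiceProvider ? state.firstPartyAnalytics
                                               : state.thirdPartySharing;
  return {
    analytics_storage: analyticsAllowed ? 'granted' : 'denied',
    ad_storage: share,
    ad_user_data: share,
    ad_personalization: share,
  };
}

// 4. Push the default (everything denied) and then the update, in that order, before
//    any tag fires. A local gtag shim stands in for the real one so this runs in Node.
function applyToConsentMode(state, opts = {}, dataLayer = []) {
  const gtag = (...args) => dataLayer.push(args);
  gtag('consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
    analytics_storage: 'denied', wait_for_update: 500,
  });
  gtag('consent', 'update', consentModeParams(state, opts));
  return dataLayer;
}

// 5. Gate tag loading on the same decision. A recorded opt-out that still lets the
//    pixel fire is exactly the failure the enforcement actions describe.
const TAGS = [
  { id: 'first-party-analytics', kind: 'first-party' },
  { id: 'meta-pixel', kind: 'share' },
  { id: 'ga4', kind: 'share' },
  { id: 'tiktok-pixel', kind: 'share' },
];
function tagsToLoad(state) {
  return TAGS
    .filter((t) => (t.kind === 'first-party' ? state.firstPartyAnalytics : state.thirdPartySharing))
    .map((t) => t.id);
}

// 6. End to end for one request: resolve, translate, gate.
function decideForRequest({ jurisdiction, headers, storedChoice = null }) {
  const state = resolveConsent({ jurisdiction, storedChoice, gpc: gpcSignalled({ headers }) });
  return { state, consentMode: consentModeParams(state), tags: tagsToLoad(state) };
}

// Constructed sample: a California visitor whose browser sends Sec-GPC: 1.
// Expected: first-party analytics stays on, every sharing tag is held back.
const SAMPLE = decideForRequest({ jurisdiction: 'US', headers: { 'Sec-GPC': '1' } });
```

The order in step 4 matters: Consent Mode only honours a default that is set before the Google tag loads, so in a real page the default push belongs in the head, ahead of the tag snippet, and the update fires once the CMP (or the GPC check) has a decision.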
What are the CCPA fines?
Fines are assessed per violation: up to $2,500 for each violation and up to $7,500 for each intentional violation or violation involving a minor's data, with both figures adjusted upward for inflation. At scale, a single campaign running non-compliant tracking can produce violations in the thousands. The Capital One enforcement action in May 2025 demonstrated that regulators are now treating unconsented third-party tracking pixel transmission as a violation basis, not just the absence of a banner.
Do I need a CMP for CCPA?
Not technically required by name, but you need the functional equivalent: a mechanism that records opt-out requests, enforces them technically across your analytics and advertising stack, and honors GPC signals automatically. A link that records preferences but does not stop pixel and analytics data transmission does not satisfy CCPA. Compliance requires that the opt-out request is technically honored, meaning the data flows that constitute selling or sharing actually stop when the link is activated.
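A check for the "technically honored" requirement above, as an added example that is not DataCops code and not from the original article. It audits a HAR-style capture (the format browser devtools export) taken while a tester clicks the opt-out link, and reports any sale/share request that fired after the opt-out was recorded. The Meta Pixel and GA4 collection hosts and paths are the real ones; the capture entries, the first-party hostname, and the timestamps are constructed for illustration.

```javascript
// Added example (not DataCops code, not from the original page).
// Real: the Meta Pixel (/tr) and GA4 (/g/collect) endpoints and the gcs parameter.
// Constructed: SAMPLE_ENTRIES, the first-party hostname, and the opt-out timestamp.

const SHARE_ENDPOINTS = [
  { vendor: 'Meta Pixel', host: /(^|\.)facebook\.com$/,          path: /^\/tr\b/ },
  { vendor: 'GA4',        host: /(^|\.)google-analytics\.com$/,  path: /^\/g\/collect/ },
  { vendor: 'GA4',        host: /(^|\.)analytics\.google\.com$/, path: /^\/g\/collect/ },
  { vendor: 'Google Ads', host: /(^|\.)doubleclick\.net$/,       path: /./ },
];

// Which sale/share vendor a URL reports to, or null for first-party or unrelated hosts.
function classifyRequest(url) {
  const u = new URL(url);
  const hit = SHARE_ENDPOINTS.find((e) => e.host.test(u.hostname) && e.path.test(u.pathname));
  return hit ? hit.vendor : null;
}

// Consent Mode state carried by a GA4 hit: gcs=G1<ad_storage><analytics_storage>,
// where '1' is granted. G100 is the cookieless ping Consent Mode sends after a denial.
function gcsState(url) {
  const gcs = new URL(url).searchParams.get('gcs');
  if (!gcs || !/^G1[01][01]$/.test(gcs)) return null;
  return { adStorage: gcs[2] === '1', analyticsStorage: gcs[3] === '1' };
}

// entries: HAR log.entries; optOutAt: ISO timestamp at which the opt-out was recorded.
// Returns requests that should not have happened (violations) and GA4 hits that fired
// after the opt-out with both storages denied (restricted), which is Consent Mode's
// "load but restrict" behaviour rather than a failure.
function auditOptOut(entries, optOutAt) {
  const cutoff = Date.parse(optOutAt);
  const violations = [];
  const restricted = [];
  for (const entry of entries) {
    const url = entry.request.url;
    const vendor = classifyRequest(url);
    if (!vendor || Date.parse(entry.startedDateTime) <= cutoff) continue;
    const gcs = vendor === 'GA4' ? gcsState(url) : null;
    const record = { vendor, url, at: entry.startedDateTime };
    if (gcs && !gcs.adStorage && !gcs.analyticsStorage) restricted.push(record);
    else violations.push(record);
  }
  return { violations, restricted };
}

// Constructed capture: the opt-out is recorded at 10:00:09 through a hypothetical
// first-party endpoint; the Meta Pixel keeps firing afterwards, GA4 drops to G100.
const SAMPLE_ENTRIES = [
  { startedDateTime: '2026-03-01T10:00:00.000Z',
    request: { url: 'https://www.facebook.com/tr?id=000000000&ev=PageView' } },
  { startedDateTime: '2026-03-01T10:00:05.000Z',
    request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G111&en=page_view' } },
  { startedDateTime: '2026-03-01T10:00:09.000Z',
    request: { url: 'https://datacops.yourstore.com/collect?event=opt_out' } }, // hypothetical
  { startedDateTime: '2026-03-01T10:00:12.000Z',
    request: { url: 'https://www.facebook.com/tr?id=000000000&ev=ViewContent' } },
  { startedDateTime: '2026-03-01T10:00:13.000Z',
    request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G100&en=page_view' } },
];
const SAMPLE_OPT_OUT_AT = '2026-03-01T10:00:09.000Z';
const SAMPLE_REPORT = auditOptOut(SAMPLE_ENTRIES, SAMPLE_OPT_OUT_AT);
// SAMPLE_REPORT.violations holds the 10:00:12 Meta Pixel hit;
// SAMPLE_REPORT.restricted holds the gcs=G100 GA4 ping.
```

Run this against a capture from a browser that has GPC enabled as well as one where the link is clicked; the violations list should be empty in both, and anything in it is a request your documentation cannot explain away. The endpoint list is the part to keep current: add every pixel and server-side collector in your stack, or the audit only proves what it was told to look for.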
What is "sharing" under CCPA?
Sharing means disclosing personal information to a third party for cross-context behavioral advertising purposes, regardless of monetary compensation. Running a Meta Pixel that transmits behavioral data to Meta for audience modeling constitutes sharing. Running GA4 where Google may use that data for its own product improvement is a sale or a share, and either one triggers the opt-out right. The solution is either a service provider contract limiting third-party use, or a first-party data architecture that does not transmit to those third parties without explicit permission.
The tools: what each one actually covers
The market splits into three categories: consent management platforms (CMPs) that handle the banner and opt-out mechanics, analytics platforms that need to be configured for CCPA compliance, and full-stack compliance platforms that combine consent with data governance. The third category is largely enterprise territory. Most growing businesses need to make a choice in the first two.
OneTrust
The market share leader in enterprise privacy. OneTrust covers data mapping, DSAR workflows, vendor risk management, consent management, and regulatory assessments across GDPR, CCPA, CPRA, and a long list of emerging US state laws. For organizations with a mature privacy function, a dedicated DPO, and multi-jurisdiction complexity, it is the most complete option. Contract sizes are reported to start at approximately $50,000 per year, and contracts tend to be long-lasting, which may limit flexibility for rapidly-changing companies. In Q2 2026, the reported minimum for smaller tiers was approximately $10,000 per year. OneTrust's cookie banner loads from a third-party CDN. At 30-40% blocking rates among privacy-conscious users, a meaningful fraction of your highest-intent visitors never receive the consent mechanism. You need to account for this in your compliance documentation. Right for: large enterprises managing privacy programs across multiple jurisdictions who need a full GRC platform, not just a banner. Value: 6/10. Price: custom, typically $10K-$50K+/year.
Cookiebot by Usercentrics
Widely deployed, automated cookie scanning, clean setup for small and medium sites. Cookiebot does monthly rescanning that keeps consent records current as your tech stack changes without manual review, which is genuinely useful. It is Google-certified TCF v2.2 compliant and covers GDPR, CCPA, and most major frameworks. In August 2025, Cookiebot doubled its pricing, a move that triggered significant customer backlash and drove a meaningful wave of migration searches. Per-domain pricing means costs compound quickly for multi-site operations, roughly ten times the single-site rate for a ten-domain deployment. The third-party CDN blocking issue applies here identically to OneTrust. Cookiebot loads from a Cookiebot-owned domain that is on major filter lists. The banner blocking rate is not visible in your analytics. Right for: EU-focused businesses on a single domain that want automated compliance without an enterprise contract. Value: 6/10. Price: from ~€9/month per domain.
Osano
US privacy law specialist with particularly strong CCPA and US state law coverage. Osano takes an unusual position: it offers a financial guarantee against fines incurred while using its platform, which is a meaningful differentiator for legal teams that want a contractual backstop. DSAR workflows are clean, and the vendor risk scoring feature is useful for organizations managing a large stack of third-party tools. Pricing starts at $199/month for its Plus plan. Third-party CDN deployment applies here too; Osano's script loads from Osano-controlled servers that appear on common block lists. The compliance guarantee does not protect against the data loss that happens when the banner never loads. Right for: US-focused mid-market organizations that want strong CCPA coverage and a compliance guarantee from their vendor. Value: 7/10. Price: $199/month and up.
Ketch
Design-first CMP with strong enterprise scalability. Ketch's architecture allows highly customized consent experiences with API-first integrations, which is unusual in the category. It covers GDPR, CCPA, CPRA, and a wide range of US state laws. Native identity resolution allows consent preferences to apply across devices and channels. Ketch is best for companies prioritizing future-proof, scalable, cross-regulatory compliance. The limitation is the same as OneTrust: Ketch loads from Ketch-controlled infrastructure, not your subdomain. The filter list exposure is not prominently disclosed. Free tier available for basic CCPA compliance. Enterprise pricing is sales-led and not published. Right for: enterprise and mid-market teams that need API-first consent infrastructure with sophisticated identity resolution and cross-device preference management. Value: 7/10. Price: free tier available; paid plans not publicly disclosed.
Usercentrics
The parent company of Cookiebot, Usercentrics targets slightly more complex implementations than the Cookiebot brand while sitting below enterprise OneTrust territory. Web CMP plans start at €7/month for one domain and scale by session volume and domain count. Cross-domain consent sharing is a genuine differentiator for multi-property deployments. TCF v2.2 certified, Google-certified CMP. The session-based pricing model means a high-traffic month can push you into the next tier without warning. Third-party CDN, same blocking exposure as the rest of the category. Right for: global businesses that need multi-regulation CMP coverage and TCF v2.2 certification across multiple properties, with predictable feature depth. Value: 6/10. Price: from €7/month.
Iubenda
Legal document generator that bundled cookie consent into its platform. The core value is attorney-drafted privacy policies and terms of service maintained automatically as regulations change, combined with a functioning consent banner. For businesses that need legal documents and consent management as a combined purchase, the economics are attractive at the low end. The Essentials plan starts at $5.99 per site per month billed yearly for up to 25,000 pageviews. At scale, per-pageview and per-site pricing compounds quickly. No DSAR automation included. Third-party script, same blocking exposure as the category. Right for: small businesses and early-stage startups that need a compliant privacy policy and basic CCPA/GDPR banner at minimal cost. Value: 7/10. Price: from $5.99/site/month.
Termly
Policy generator that expanded into consent management. Termly's free plan covers basic consent banners and compliance-oriented legal document templates for sites under 10,000 monthly visitors. Google Consent Mode v2 support included. The platform's limitations show at scale: customization is restricted, multi-jurisdiction handling is less sophisticated than CMP-focused competitors, and DSAR automation is not available. Useful for solo founders and small sites that need a starting point. Third-party script, same blocking exposure. Right for: very small sites, bloggers, and solo founders who need a free CCPA/GDPR starting point and basic policy generation. Value: 7/10. Price: free up to 10,000 monthly visitors; paid from ~$14/month.
CookieYes
Clean interface, strong WordPress and Shopify ecosystem fit, generous free tier. CookieYes is one of the most deployed CMPs globally. Setup is fast. The GDPR and CCPA coverage is functional. The free plan includes a basic cookie banner, basic customization, up to 15,000 pageviews per month, and 100 pages per scan on one domain. Per-domain pricing means a business managing five sites on the Pro plan pays $125/month for cookie consent only, with no DSAR, no API, and no legal policy generation. The customization ceiling is real for growing businesses. Third-party script. Right for: WordPress-based small businesses and Shopify stores that need a functional CCPA/GDPR banner without enterprise overhead. Value: 7/10. Price: free; paid from ~$10/month.
Enzuzo
Strong mid-market position especially for ecommerce. Enzuzo covers the full CCPA/CPRA compliance lifecycle including auto-generated privacy policies, cookie banners with geo-targeting, Do Not Sell or Share link management, and DSAR intake and response workflows. Google-certified CMP. Native Shopify App Store integration is a genuine differentiator: no GTM required, consent signals cannot be blocked by theme customization, which is a common failure point. Enzuzo has a native Webflow plugin that deploys with no code and handles consent automatically for Webflow-built sites. Third-party CDN for the banner itself. DSAR automation is available on paid plans, which separates it from lightweight competitors. Right for: Shopify and Webflow ecommerce businesses that need CCPA compliance plus policy generation in one platform without enterprise pricing. Value: 8/10. Price: free plan; paid from $9/month.
TrustArc
Privacy management platform that pairs technology with advisory services. The advisory model is the real differentiator: for organizations that want expert human guidance through a CCPA/CPRA compliance program, not just a self-serve platform, TrustArc offers something none of the pure-software tools can. Data inventory, DSAR workflows, cookie consent with GPC support, and a dedicated team that tracks regulatory changes. Pricing is enterprise-level and requires a conversation. Most relevant since CPRA ended the exemption for employee and B2B contact data, bringing it fully within scope and adding operational complexity most compliance tools do not address. Right for: mid-market to enterprise organizations that want hands-on compliance advisory alongside a technology platform, especially those navigating CPRA's expanded employee data rules. Value: 7/10. Price: enterprise, quote-based.
Didomi
European-origin CMP with global regulatory coverage, now significantly expanded through the April 2025 acquisition of Addingwell for $83M. That acquisition bundles CMP and server-side GTM in a single vendor, which is a meaningful architectural shift: compliance infrastructure and conversion tracking infrastructure now come from the same place. Didomi is Google-certified, covers GDPR, CCPA, CPRA, LGPD, and a long list of others. The consolidated offering through Addingwell makes it the closest competitor to a bundled consent-plus-tracking architecture. The pricing has moved toward enterprise territory post-acquisition. Third-party CDN for the CMP component. Right for: EU-origin businesses that want compliance and server-side tracking from a single vendor post-Addingwell, especially those with complex European regulatory obligations. Value: 7/10. Price: free tier available; paid enterprise, quote-based.
Securiti.ai
AI-powered data governance platform that covers CCPA compliance as part of a broader data intelligence offering. Securiti's positioning is around automated data discovery: it scans your systems to find and classify personal data, generates data maps, and automates DSAR fulfillment. For organizations where the CCPA compliance challenge is not the banner but the internal data governance, Securiti addresses the problem consent management platforms cannot. Compliance automation, risk assessment, and vendor management are included. This is enterprise software with enterprise pricing and implementation timelines. Right for: large organizations with complex data environments where the primary CCPA risk is internal data governance and DSAR volume, not banner mechanics. Value: 7/10. Price: enterprise, quote-based.
Clym
Unusual positioning: covers privacy, accessibility, and governance in one platform. ReadyCompliance pre-configures 150+ regulations automatically. RealtimeCompliance continuously monitors 1,200+ third-party services, meaning consent management stays current as your tech stack changes. All of it deploys in around 30 minutes. GPC signal detection is built in. For businesses managing rapid stack changes without a dedicated compliance team, the automatic monitoring of third-party services is a real capability gap that most CMPs ignore. Pricing is not prominently disclosed. Right for: SMB and mid-market businesses with complex or frequently-changing tech stacks that want automated regulatory coverage across privacy and accessibility. Value: 7/10. Price: not publicly disclosed; free trial available.
CookieScript
Strong in automated compliance enforcement and cookie scanning. CookieScript was rated the top CMP on G2 in 2024 by peer reviews. Its automated scanning keeps consent records current, and the platform covers GDPR, CCPA, and major frameworks. The GPC signal handling is clean. Pricing is accessible for small businesses. The main gap is DSAR automation and the broader compliance ecosystem features that OneTrust and TrustArc offer. Third-party script, same blocking exposure as the category. Right for: small to mid-market businesses that want automated cookie compliance and strong peer-reviewed ratings at a competitive price. Value: 7/10. Price: free plan; paid plans from approximately $9/month.
DataCops
DataCops is a different category of product than the consent management tools above. The others manage compliance. DataCops manages compliance and the conversion data pipeline in a single architecture. The distinction matters when you understand how the two problems compound each other.
The first-party CMP loads from your own subdomain: datacops.yourstore.com. Host-based filter lists have no entry for it, so uBlock Origin does not block it by hostname and the banner loads on every session. GPC signals are detected and honored. Deidentified analytics continue after a rejection, because deidentified data falls outside CCPA's definition of personal information. Identifiable data waits for consent. Cookieless persistent identity resolution activates by default for non-EU traffic where no legal requirement exists for consent gating. For EU traffic, the TCF 2.2 banner loads first.
The bot filtering is built into the architecture before any event fires. The 361B IP database, covering 146.4B datacenter and cloud IPs, 202B residential and mobile carrier IPs, 11.9B VPN endpoints, and 620M proxy and anonymizer IPs, runs against every session before a conversion event reaches Meta CAPI, Google CAPI, TikTok Events API, or LinkedIn Insight CAPI. Bots do not reach the platforms. The Lookalike Audience trains on verified human behavior.
The integration covers Meta CAPI, Google Ads Enhanced Conversions, TikTok Events API, and LinkedIn Insight CAPI from one pipeline starting at $49/month for the Business plan. That is where CAPI access begins. The Free and Growth plans at $0 and $7.99/month provide first-party analytics and the CMP but not CAPI. The Organization plan at $299/month covers 300,000 sessions.
Setup is one script tag plus one CNAME record. Live in 5-30 minutes. No developer required. Works on Shopify, WooCommerce, Webflow, and custom builds.
SOC 2 Type II is in progress, which matters for enterprise procurement. DataCops is a newer brand relative to OneTrust, Cookiebot, and Didomi. The integration catalog is narrower than Tealium, Segment, or mParticle for enterprise-scale data routing. If you need Pinterest CAPI or Snapchat Events, DataCops does not cover those platforms.
Right for: ecommerce and DTC brands spending on Meta, Google, TikTok, or LinkedIn that want a single architecture handling CCPA-compliant consent, first-party analytics, and clean CAPI delivery simultaneously, without separate vendors for each layer. Value: 9/10 for the target profile. Price: Free / $7.99 / $49 / $299 / Enterprise custom. CAPI starts at $49.
When NOT to use DataCops
Four scenarios where a different tool wins and it is the correct call.
If your only channel is Meta and you have no interest in Google, TikTok, or LinkedIn CAPI, Meta's free one-click CAPI launched April 15, 2026 does the job at $0. The bot filtering is absent and the EMQ (Event Match Quality) ceiling is lower, but if your operation is simple and single-platform, paying $49/month for multi-platform CAPI you will not use is not good economics.
If you have in-house GTM engineers and want full container control over your tagging architecture, Stape at $17/month gives you 80+ templates and the infrastructure layer without the opinionated bundling. DataCops is an outcome product. Stape is an infrastructure product. Engineers who want to build their own stack rather than buy an assembled one should use Stape.
If you need SOC 2 Type II certification available today, Tracklution at €31/month has it. DataCops is in process. If your enterprise procurement requires a current certification, that gap is real.
If you are running a Shopify-only operation above seven figures in GMV and need millisecond-level order tracking with deep Shopify data model fidelity, Elevar at $200/month was built specifically for that problem. DataCops covers Shopify but was not engineered specifically around Shopify's order data model the way Elevar was. For Shopify-only at high order volume, Elevar's native integration depth is worth the price differential.
The comparison table
| Tool | Setup time | Requires GTM | Bot filtering | Built-in CMP | First-party script | Meta CAPI | Google CAPI | TikTok | | Entry CAPI price |
|---|---|---|---|---|---|---|---|---|---|---|
| DataCops | 5-30 min | No | Yes, 361B IP DB | Yes, TCF 2.2 | Yes | Yes | Yes | Yes | Yes | $49/mo |
| OneTrust | Weeks | Optional | No | Yes | No | No | No | No | No | N/A |
| Cookiebot | 1-2 hrs | Optional | No | Yes | No | No | No | No | No | N/A |
| Osano | Hours | Optional | No | Yes | No | No | No | No | No | N/A |
| Ketch | Hours | No | No | Yes | No | No | No | No | No | N/A |
| Usercentrics | 1-2 hrs | Optional | No | Yes | No | No | No | No | No | N/A |
| Enzuzo | 30 min | No | No | Yes | No | No | No | No | No | N/A |
| Didomi/Addingwell | Hours | Yes | No | Yes | No | Yes | Yes | Limited | No | Enterprise |
| Tracklution | Hours | Optional | No | No | No | Yes | Yes | Yes | No | €31/mo |
| Stape | Hours | Yes | No | No | No | Via GTM | Via GTM | Via GTM | No | $17/mo + Cloud |
| Meta 1-click CAPI | Minutes | No | No | No | N/A | Yes | No | No | No | Free |
| Google Tag Gateway | Minutes | Yes | No | No | N/A | No | Yes | No | No | Free |
The buyer decision by business type
Shopify DTC, $50K-$500K/month GMV, US-focused, spending on Meta and Google. Use DataCops at $49/month. One architecture handles CCPA-compliant consent, first-party analytics, and clean CAPI delivery to both platforms. The bundling eliminates three separate vendor contracts. If you want to start free before committing to CAPI, the Free plan gives you the analytics and CMP layer.
EU-primary business, GDPR as primary concern, Meta CAPI secondary. Use Didomi for GDPR compliance and evaluate the Addingwell integration for server-side delivery. DataCops is worth adding for the US traffic bot filtering if your Meta spend is material. Didomi's EU pedigree and post-acquisition infrastructure depth make it the right starting point for EU-first compliance.
SaaS company, US-only, no GDPR exposure, main concern is GPC handling and CCPA analytics. Enzuzo or Termly for the compliance layer. First-party analytics via DataCops Free if you want to preserve US analytics fidelity without applying EU-style consent globally.
Enterprise, multiple jurisdictions, mature privacy program, dedicated DPO. OneTrust or TrustArc for the governance layer. Add DataCops at the Business tier for the CAPI and bot filtering layer that neither OneTrust nor TrustArc provides. These are not competing products at the enterprise level. They address different layers of the same infrastructure.
Small business, single domain, tight budget, basic CCPA compliance. CookieYes free tier or Termly free tier gets you to functional compliance quickly. Upgrade to Enzuzo when you need DSAR automation and geo-targeting. The compliance spend at this stage is under $15/month.
Agency managing multiple client sites across jurisdictions. Iubenda or Termly for bundled policy generation and consent across sites. Enzuzo for clients with Shopify or Webflow builds. DataCops for any client with meaningful paid media spend where bot filtering and CAPI delivery matter.
What 2026 enforcement is actually targeting
The California Privacy Protection Agency published an enforcement sweep in 2024 and has accelerated activity since. The patterns in the cases are consistent. Regulators are not primarily looking for absent banners. They are testing whether opt-out requests are technically honored, whether GPC signals are detected and enforced, whether the symmetry rule applies to your consent design, and whether your third-party pixel transmissions actually stop when a consumer exercises their rights.
GPC and opt-out signal enforcement across top user journeys is a primary test. Enable GPC in a supported browser. Walk your highest-traffic pages. Confirm no outbound calls to ad networks or data partners. Repeat with a manual opt-out via your Do Not Sell or Share link. Compare the network logs. Any vendor appearing in both lists is a failure.
That is the test you should run on your own site before a regulator does. Open a browser with uBlock Origin and GPC enabled. Walk your homepage and your product pages. Watch your network requests. Note which ad pixels and analytics scripts still fire after the GPC signal was sent. That list is your compliance exposure.
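The comparison step of that self-test can be scripted. The block below is an added example, not code from this article or from any vendor it names: it takes the request URLs captured while walking the site with GPC enabled and the URLs captured after a manual "Do Not Sell or Share" opt-out, strips the site's own hosts, and reports which third-party hosts were still contacted under each condition. The host names, first-party list and request URLs are constructed sample data; the `Sec-GPC` header and `navigator.globalPrivacyControl` property are the signal GPC-enabled browsers actually send.

```javascript
// Added example: automate the "compare the network logs" step of a GPC
// opt-out self-test. Sample hosts and URLs below are constructed, not a
// real capture.

// Hosts the site owner controls; requests to these are first-party.
const FIRST_PARTY_HOSTS = new Set(['shop.example', 'cdn.shop.example']);

// Constructed captures from the browser network panel (homepage + product page).
const gpcRunRequests = [
  'https://shop.example/',
  'https://cdn.shop.example/app.js',
  'https://pixel.adnetwork-a.test/tr?ev=PageView',    // still fires under GPC
  'https://collect.analytics-vendor-b.test/v1/hit',   // still fires under GPC
];
const manualOptOutRequests = [
  'https://shop.example/products/widget',
  'https://pixel.adnetwork-a.test/tr?ev=ViewContent', // still fires after opt-out
  'https://beacon.adnetwork-c.test/b.gif',
];

// Extract the set of non-first-party hostnames from a list of request URLs.
function thirdPartyHosts(urls, firstParty = FIRST_PARTY_HOSTS) {
  const hosts = new Set();
  for (const url of urls) {
    const host = new URL(url).hostname;
    if (!firstParty.has(host)) hosts.add(host);
  }
  return hosts;
}

// Compare the two runs. Hosts in `inBoth` ignored the GPC signal and the
// manual opt-out alike, which is the failure the enforcement test looks for.
function optOutLeaks(gpcUrls, manualUrls, firstParty = FIRST_PARTY_HOSTS) {
  const afterGpc = thirdPartyHosts(gpcUrls, firstParty);
  const afterManual = thirdPartyHosts(manualUrls, firstParty);
  return {
    afterGpc: [...afterGpc].sort(),
    afterManual: [...afterManual].sort(),
    inBoth: [...afterGpc].filter((h) => afterManual.has(h)).sort(),
  };
}

// How a first-party script or server detects the signal itself: GPC-enabled
// browsers send the `Sec-GPC: 1` request header and expose
// `navigator.globalPrivacyControl === true` in the page.
function hasOptOutSignal({ headers = {}, navigatorLike = {} } = {}) {
  const gpcHeader = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === 'sec-gpc'
  );
  if (gpcHeader && String(gpcHeader[1]).trim() === '1') return true;
  return navigatorLike.globalPrivacyControl === true;
}

console.log(optOutLeaks(gpcRunRequests, manualOptOutRequests));
```

In practice the two URL arrays come from exporting the network panel (a HAR file) after each walk; every host in `inBoth` is a vendor that received data despite both opt-out mechanisms and belongs on the exposure list.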
The CIPA class action risk is a separate and escalating problem. California's Invasion of Privacy Act creates class action risk for sites running unconsented third-party scripts. This is not CCPA enforcement. It is civil litigation, and the damages per affected user can be significant. Most lightweight consent management tools have no CIPA posture at all. If you have material California traffic and third-party scripts on your site, your legal team should know this exists.
The architectural question behind the compliance question
Every tool in this article solves a version of the same problem: data moves where you do not want it to go, and you need a mechanism to stop it or redirect it. The tools that only address the banner layer are solving the display problem. The tools that address the signal propagation layer are solving the enforcement problem. The tools that address the data pipeline layer are solving the measurement problem.
CCPA compliance in 2026 requires all three. You need the banner to display and honor opt-out requests. You need the signal to propagate to every downstream platform that receives your data. And you need the underlying data pipeline to be clean enough that what does transmit is worth optimizing on.
Most businesses have a patchwork answer to this: one tool for consent, another for analytics, another for CAPI, and no architecture connecting them. The consent decision made in the banner does not automatically propagate to the CAPI layer. The CAPI layer does not filter bots before transmission. The analytics layer runs different tracking logic than the CAPI layer. Every gap between these tools is a potential compliance exposure and a definite measurement gap.
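One way to close those gaps is a single gate that every conversion event passes through before any platform is contacted. The block below is an added example, not code from this article or from any product it describes: it applies bot filtering and the visitor's opt-out state (GPC or manual) in one place, lets first-party analytics continue after an opt-out while stopping delivery to ad platforms, and returns a reason code for each decision so the pipeline can produce an audit trail. The event fields, consent fields and the user-agent bot heuristic are hypothetical placeholders for whatever the real pipeline provides.

```javascript
// Added example: a consent and bot-filter gate in front of a server-side
// conversions layer. Field names and the bot heuristic are hypothetical;
// the sample events at the bottom are constructed.

const AD_PLATFORMS = ['meta', 'google', 'tiktok'];

// Tiny stand-in for a bot filter. A real pipeline would use an IP
// reputation database or similar; a user-agent check alone is not enough.
function looksLikeBot(event) {
  const ua = (event.userAgent || '').toLowerCase();
  return ua === '' || /(bot|crawler|spider|headless)/.test(ua);
}

// consent: { gpc: boolean, optedOutOfSaleOrShare: boolean }
// Returns where the event may go and why, in a form suitable for logging.
function routeConversion(event, consent) {
  if (looksLikeBot(event)) {
    return { forwardTo: [], firstPartyAnalytics: false, reason: 'bot-filtered' };
  }
  // An opt-out (GPC signal or the Do Not Sell or Share link) stops sharing
  // with ad platforms. First-party analytics that shares nothing downstream
  // may continue, per the article's reading of CCPA.
  if (consent.gpc || consent.optedOutOfSaleOrShare) {
    return {
      forwardTo: [],
      firstPartyAnalytics: true,
      reason: consent.gpc ? 'gpc-signal' : 'manual-opt-out',
    };
  }
  return { forwardTo: [...AD_PLATFORMS], firstPartyAnalytics: true, reason: 'no-opt-out' };
}

// Run a batch through the gate and count decisions by reason, which is the
// kind of summary an auditor asks for ("how many California events did you
// withhold from ad platforms, and why?").
function auditSummary(batch) {
  const counts = {};
  for (const { event, consent } of batch) {
    const { reason } = routeConversion(event, consent);
    counts[reason] = (counts[reason] || 0) + 1;
  }
  return counts;
}

// Constructed sample batch.
const sampleBatch = [
  { event: { userAgent: 'Mozilla/5.0 (Macintosh) Chrome/124' },
    consent: { gpc: false, optedOutOfSaleOrShare: false } },
  { event: { userAgent: 'Mozilla/5.0 (iPhone) Safari/17' },
    consent: { gpc: true, optedOutOfSaleOrShare: false } },
  { event: { userAgent: 'Mozilla/5.0 (Windows) Firefox/125' },
    consent: { gpc: false, optedOutOfSaleOrShare: true } },
  { event: { userAgent: 'Mozilla/5.0 (compatible; Googlebot/2.1)' },
    consent: { gpc: false, optedOutOfSaleOrShare: false } },
];

console.log(auditSummary(sampleBatch));
```

The point of the design is that the banner, the analytics layer and the CAPI layer all consult the same `routeConversion` decision, so an opt-out recorded by one cannot be silently ignored by another.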
The consolidation moves of 2026 (Didomi acquiring Addingwell, Meta and Google both releasing free one-click CAPI tools, Stape building consent integrations into its server-side infrastructure) are happening because the market is recognizing this. The future is a single architecture, not a stack of separate tools coordinated by a GTM implementation. The question is whether the tools that emerge from consolidation actually solve the data quality problem or just make compliance cheaper.
The conversions you sent to Meta last month: how many of the ones from California can you prove were real humans, collected under the correct legal framework, from a consent banner that actually loaded?