
Achieve CCPA Compliance

Meet California’s privacy requirements before your next visitor from the Golden State arrives.

California’s privacy law affects more businesses than you’d expect. If you have website visitors from California and collect any personal data—even just through Google Analytics—you may need to comply.

The good news: Most small businesses can achieve compliance in an afternoon with the right plugin.

This guide covers: Who needs to comply, what compliance actually requires, and the fastest path to getting it done.

What this covers: CCPA applicability thresholds, the four consumer rights you must support, plugin-based setup for WordPress and Shopify, and a custom JavaScript consent implementation for developers.

Who it’s for: Business owners and site administrators with California visitors who need to determine if CCPA applies and implement compliance quickly.

Key outcome: You’ll have a cookie consent banner that actually blocks tracking until consent is given, a published privacy policy, and a process for handling deletion requests.

Time to read: 9 minutes

Part of: Privacy & Compliance series

Do You Need CCPA Compliance?

CCPA applies if your business meets ANY of these thresholds:

  • Annual revenue over $25 million
  • Collect data from 50,000+ California residents annually
  • Derive 50%+ of revenue from selling personal data

Important: “Collect data” includes running Google Analytics, using contact forms, or sending email newsletters. If you have a website with California visitors, you’re probably collecting data.

If you’re under all three thresholds: You’re not legally required to comply, but adding a privacy policy and cookie consent is still good practice. Skip to “The Minimum Setup” below.

If you meet any threshold: Keep reading for full compliance requirements.

What CCPA Actually Requires

CCPA gives California residents four rights:

  1. Right to Know – What data you collect and why
  2. Right to Delete – Request their data be deleted
  3. Right to Opt-Out – Stop the sale of their data
  4. Right to Non-Discrimination – Same service regardless of privacy choices

Your obligations:

  • Privacy policy that lists what you collect and how you use it
  • “Do Not Sell My Personal Information” link (even if you don’t sell data)
  • Process deletion requests within 45 days
  • Cookie consent banner that actually blocks tracking until consent is given

That’s it. Everything else is implementation detail.

The Minimum Setup: Use a Plugin

Plugins handle everything—cookie scanning, consent banners, privacy policy generation, and request handling. This is the recommended approach for most sites.

For WordPress:

  • Complianz (free) – Most popular, handles CCPA + GDPR, auto-generates privacy policy
  • CookieYes (free tier, $89/year for premium) – Clean UI, good cookie scanning
  • Cookie Notice (free) – Simpler, lightweight option

Setup (15-30 minutes):

  1. Install your chosen plugin
  2. Run the setup wizard
  3. Let it scan your site for cookies and tracking scripts
  4. Review and publish the auto-generated privacy policy
  5. Test: Open your site in incognito, decline cookies, verify Google Analytics doesn’t load (check Network tab in DevTools)

For Shopify:

For any platform:

Cost: Free to $100/year for most small businesses.

Full Compliance (For Larger Businesses)

If you meet CCPA thresholds or want complete compliance, you’ll need:

1. Formal Request Handling Process

  • Verify requester identity before processing
  • Respond within 10 days, complete within 45
  • Document all requests for compliance records

2. Data Inventory

  • What personal data you collect
  • Where it’s stored
  • Who has access
  • How long you keep it

3. Third-Party Agreements

  • Contracts with vendors who process your data
  • Ensure they meet CCPA requirements

4. Staff Training

  • Who handles privacy requests
  • What the process is
  • What to escalate

This level typically requires legal counsel or a compliance consultant.
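As an added illustration of the request-handling process above (this is example code written for this guide, not a plugin's or vendor's implementation), here is a small in-memory ledger for consumer requests. It gates fulfilment on identity verification, computes an acknowledgement deadline (10 days) and a completion deadline (45 calendar days for know/delete requests; 15 business days for opt-out, as listed in the checklist at the end of this guide), and logs every state change so the record survives an audit. The request type names, status names and the business-day calculation are this example's own assumptions.

```javascript
// Added example (not from the guide): a minimal ledger for CCPA consumer requests.
// Deadlines follow the guide's numbers; type and status names are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Calendar-day deadline (UTC arithmetic, so DST does not shift the date)
function addDays(date, n) {
  return new Date(date.getTime() + n * DAY_MS);
}

// Business-day deadline: count forward skipping Saturdays and Sundays
function addBusinessDays(date, n) {
  const d = new Date(date.getTime());
  let remaining = n;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d;
}

// Completion window per request type (assumed names: know, delete, optout)
const REQUEST_TYPES = {
  know:   { completeWithin: (t) => addDays(t, 45) },
  delete: { completeWithin: (t) => addDays(t, 45) },
  optout: { completeWithin: (t) => addBusinessDays(t, 15) },
};

function createRequestLedger() {
  const requests = new Map();
  let nextId = 1;

  // Every transition is appended to the request's history for compliance records
  function log(req, event, note) {
    req.history.push({ at: new Date().toISOString(), event, note });
  }

  function get(id) {
    const req = requests.get(id);
    if (!req) throw new Error(`no request ${id}`);
    return req;
  }

  return {
    get,
    // Open a request; receivedAt defaults to now, contact is where replies go
    open(type, contact, receivedAt = new Date()) {
      if (!REQUEST_TYPES[type]) throw new Error(`unknown request type: ${type}`);
      const req = {
        id: nextId++,
        type,
        contact,
        receivedAt,
        acknowledgeBy: addDays(receivedAt, 10),
        completeBy: REQUEST_TYPES[type].completeWithin(receivedAt),
        identityVerified: false,
        status: 'received',
        history: [],
      };
      log(req, 'received', `${type} request from ${contact}`);
      requests.set(req.id, req);
      return req;
    },
    acknowledge(id) {
      const req = get(id);
      req.status = 'acknowledged';
      log(req, 'acknowledged', 'receipt confirmed to requester');
      return req;
    },
    // Record how identity was verified, not just that it was
    verifyIdentity(id, method) {
      const req = get(id);
      req.identityVerified = true;
      req.status = 'verified';
      log(req, 'identity_verified', method);
      return req;
    },
    // Processing is refused until the identity check has been recorded
    fulfill(id, note) {
      const req = get(id);
      if (!req.identityVerified) {
        throw new Error(`request ${id}: identity must be verified before processing`);
      }
      req.status = 'completed';
      req.completedAt = new Date();
      log(req, 'completed', note);
      return req;
    },
    // Open requests whose completion deadline has passed
    overdue(now = new Date()) {
      return [...requests.values()].filter((r) => r.status !== 'completed' && now > r.completeBy);
    },
  };
}
```

In practice the ledger would be backed by a database or ticketing system rather than a Map; the point is that the identity check and the deadlines are enforced by the code path, not left to whoever reads the inbox.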

Custom Implementation (For Developers)

If you need custom consent management—or want to understand what the plugins are doing under the hood—here’s a minimal implementation.

Where this goes: Add the JavaScript to your site’s main JS file or in a <script> tag in the <head>. The consent banner HTML goes at the end of <body>, before the closing tag.

<!-- Add this HTML at the end of <body>, before </body> -->
<div id="ccpa-banner" style="display:none; position:fixed; bottom:0; left:0; right:0; background:#333; color:#fff; padding:1rem; z-index:9999;">
  <p>We use cookies for analytics and marketing. 
    <button onclick="ccpaConsent.accept(['analytics','marketing'])">Accept All</button>
    <button onclick="ccpaConsent.accept([])">Reject All</button>
    <a href="/privacy-policy">Privacy Policy</a>
  </p>
</div>

<script>
// Add this in <head> or your main JS file
const ccpaConsent = {
  // Show the banner until the visitor has made a choice, then apply whatever is stored
  init() {
    if (!this.hasConsent()) {
      document.getElementById('ccpa-banner').style.display = 'block';
    }
    this.applyConsent();
  },

  // Any stored record counts as a choice, including the all-false one from "Reject All"
  hasConsent() {
    return localStorage.getItem('ccpa_consent') !== null;
  },

  // Record which categories were accepted; an empty array records a rejection of all
  accept(categories) {
    localStorage.setItem('ccpa_consent', JSON.stringify({
      analytics: categories.includes('analytics'),
      marketing: categories.includes('marketing'),
      timestamp: Date.now()
    }));
    document.getElementById('ccpa-banner').style.display = 'none';
    this.applyConsent();
  },

  // Read the stored choice; a missing or corrupted value is treated as no consent
  readConsent() {
    try {
      return JSON.parse(localStorage.getItem('ccpa_consent') || '{}');
    } catch (e) {
      return {};
    }
  },

  applyConsent() {
    const consent = this.readConsent();
    // Only load tracking scripts if user consented
    if (consent.analytics) {
      // Load Google Analytics here
    }
    if (consent.marketing) {
      // Load Facebook Pixel, etc. here
    }
  }
};

document.addEventListener('DOMContentLoaded', () => ccpaConsent.init());
</script>

Key point: Your analytics and marketing scripts should NOT be in the page by default. They should only load inside the applyConsent() function after the user accepts.

Testing:

  1. Open DevTools → Application → Local Storage
  2. Clear the ccpa_consent key
  3. Reload the page—banner should appear
  4. Click Reject All
  5. Check Network tab—no analytics requests should appear
  6. Clear localStorage, reload, Accept All—analytics should now load
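To show what "load Google Analytics here" looks like in practice, and to make the testing steps above repeatable without a browser, here is an added example (written for this guide, not taken from it or from any plugin) of a consent gate whose storage and script-loading are injected. Trackers are registered per category and injected only once a stored choice allows them, a "Do Not Sell" handler revokes marketing after the fact, and a corrupted localStorage value is treated as "no choice made" rather than crashing the banner. The `createConsentGate` API, the `ccpa_consent` key reuse, and the in-memory storage stub are this example's own assumptions; the Google tag URL uses a placeholder measurement ID.

```javascript
// Added example (not from the guide): a DOM-independent consent gate.
// Storage and loadScript are injected so the logic can run under Node with stubs.

const CATEGORIES = ['analytics', 'marketing'];

function createConsentGate({ storage, loadScript, key = 'ccpa_consent' }) {
  const loaders = { analytics: [], marketing: [] };
  const loaded = new Set();

  // Stored choice, or null when there is none or the value is corrupted
  function read() {
    try {
      const raw = storage.getItem(key);
      return raw === null ? null : JSON.parse(raw);
    } catch (e) {
      return null;
    }
  }

  function write(record) {
    storage.setItem(key, JSON.stringify(record));
  }

  // Inject every registered tracker whose category is allowed, each at most once
  function apply() {
    const consent = read() || {};
    for (const category of CATEGORIES) {
      if (!consent[category]) continue;
      for (const src of loaders[category]) {
        if (loaded.has(src)) continue;
        loaded.add(src);
        loadScript(src);
      }
    }
    return [...loaded];
  }

  return {
    // Register a tracker; it stays out of the page until consent allows it
    register(category, src) {
      if (!loaders[category]) throw new Error(`unknown category: ${category}`);
      loaders[category].push(src);
    },
    hasChoice() { return read() !== null; },
    // Store the choice; [] records "Reject All" so the banner does not reappear
    accept(categories) {
      const record = { timestamp: Date.now() };
      for (const c of CATEGORIES) record[c] = categories.includes(c);
      write(record);
      return apply();
    },
    // "Do Not Sell or Share": keep the analytics choice, revoke marketing.
    // Tags already injected cannot be unloaded, so reload the page afterwards.
    doNotSell() {
      const record = read() || {};
      write({ ...record, marketing: false, optOutTimestamp: Date.now() });
      return read();
    },
    apply,
    loadedScripts() { return [...loaded]; },
  };
}

// Browser wiring: inject a <script> tag for an allowed tracker (not used under Node)
function domScriptLoader(src) {
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

// In-memory stand-in for localStorage so the gate can be exercised offline
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Mirrors the guide's test steps: Reject All loads nothing, Accept All loads both
function demo() {
  const injected = [];
  const gate = createConsentGate({ storage: memoryStorage(), loadScript: (s) => injected.push(s) });
  gate.register('analytics', 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER');
  gate.register('marketing', 'https://example.invalid/marketing-pixel.js'); // constructed URL
  gate.accept([]);
  const afterReject = injected.length;
  gate.accept(['analytics', 'marketing']);
  const afterAccept = injected.length;
  return { afterReject, afterAccept };
}
```

In a real page you would call `createConsentGate({ storage: localStorage, loadScript: domScriptLoader })`, register your trackers, and call `apply()` on `DOMContentLoaded`; the Network-tab check in the testing steps then confirms that the registered URLs are requested only after "Accept All".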

The CCPA Compliance Checklist

  • Your privacy policy is published and linked in the footer
  • Cookie banner appears on first visit
  • Declining cookies actually blocks tracking (test in incognito with DevTools open)
  • “Do Not Sell My Personal Information” link exists (even if you don’t sell data)
  • You have a process for handling deletion requests (even if it’s just an email address)

Common CCPA Questions

Does CCPA apply to my small business?

Only if you meet one of three thresholds: over $25 million annual revenue, collect data from 50,000+ California residents annually, or derive 50%+ of revenue from selling personal data. Most small businesses don’t meet these, but having a privacy policy is still good practice.

What’s the difference between CCPA and GDPR?

GDPR (European) is opt-in: you need consent before collecting data. CCPA (California) is opt-out: you can collect data but must let users opt out of the sale of their data and request deletion. GDPR is stricter, so GDPR compliance generally covers CCPA too.

Do I need a “Do Not Sell” link even if I don’t sell data?

If CCPA applies to you, yes. The regulation requires the link to exist even if you don’t sell data. It can explain that you don’t sell personal information when clicked.

Sources

CCPA Compliance Questions Answered

Who does the CCPA apply to?

The CCPA applies to for-profit businesses that collect California residents’ personal data AND meet at least one threshold: annual gross revenue over $25 million, buy/sell/share personal data of 100,000+ consumers or households, or derive 50% or more of revenue from selling personal information. You do not need to be based in California.

What is the difference between CCPA and CPRA?

The CPRA (effective January 2023) amended and expanded the CCPA. Key additions include a new category of “sensitive personal information” with extra protections, data minimization requirements, a 12-month limit on retention where feasible, and creation of the California Privacy Protection Agency for enforcement.

Do you need a “Do Not Sell My Personal Information” link?

If your website sells or shares personal information (including for targeted advertising), California law requires a conspicuous “Do Not Sell or Share My Personal Information” link on your homepage and in your privacy policy. Under CPRA, you also need a “Limit the Use of My Sensitive Personal Information” link if applicable.

What are the penalties for CCPA non-compliance?

The California Privacy Protection Agency can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a private right of action for data breaches, with statutory damages of $100-$750 per consumer per incident, which can escalate to millions in class actions.

✓ Your Site Meets CCPA Consumer Privacy Requirements

  • A “Do Not Sell My Personal Information” link is visible in the site footer
  • Your privacy policy discloses the categories of personal information collected and their business purposes
  • A documented process exists for responding to consumer data access and deletion requests within 45 days
  • Opt-out requests are honored within 15 business days and confirmed to the consumer
  • Service provider contracts include CCPA-required data processing restrictions

Test it: Click your “Do Not Sell My Personal Information” link, submit a test opt-out request, and verify the confirmation email arrives and the request appears in your tracking system.