CCPA & CIPA affect more than California. Here’s why your business needs to care about cookie consent.
If you own a business with a website, you may already have a “We use cookies” pop-up or a privacy policy in place. But is that enough to protect you from today’s data privacy laws?
You may be familiar with the California Consumer Privacy Act (CCPA), but fewer realize how broadly it can apply — or that it now works alongside another law, the California Privacy Rights Act (CPRA). Together, these laws give California residents expanded rights over their personal data.
And importantly, these laws aren’t based on where your business is located. They’re based on who is accessing your site. If California residents visit your website, CCPA/CPRA obligations may apply, even if your company operates entirely outside of California.
What are the CCPA and CPRA?
Most people refer to the “California Privacy Act,” but there are actually two laws working together:
- CCPA (California Consumer Privacy Act) became effective in 2020.
- CPRA (California Privacy Rights Act) expanded the CCPA beginning in 2023.
Together, these laws grant California residents greater control over their personal information. In general, California consumers have the right to:
- Know what personal data is collected about them
- Access that data
- Request deletion or correction
- Opt out of the selling or sharing of their data
- Limit the use of sensitive personal information
“Personal information” is broadly defined and can include names, email addresses, IP addresses, device identifiers, purchase history and website tracking data.
Why does this affect businesses outside California?
Here is the key point that many businesses miss: These laws are triggered by the consumer’s location, not your business’s location. Even if your business is based outside California, doesn’t intentionally target California customers and has no offices, employees or storefronts there, you may still be subject to these laws.
Common Ways Businesses Accidentally Fall Under CCPA/CPRA
Your business may be affected if you:
- Sell products or services online
- Use contact forms, email marketing or customer accounts
- Run Google Analytics, Meta ads or tracking pixels
- Collect IP addresses or device data
- Offer subscriptions, memberships or digital products
You do not need a physical presence in California. Simply operating a website that collects data from users can be enough to trigger compliance obligations.
Cookie consent and the role of the CIPA
Another important law to understand is the California Invasion of Privacy Act (CIPA). While CCPA/CPRA focus on transparency and consumer rights, CIPA addresses consent around the interception or recording of communications. In recent years, CIPA has been used in lawsuits related to session replay tools, chat features, analytics platforms and tracking technologies.
The risk here isn’t limited to “secret” tracking. Even standard analytics tools can create exposure if data is collected or shared without proper notice and consent.
In short, how your website collects and handles data matters — not just what you say in your policy.
Cookie consent is more than a banner
CCPA/CPRA and CIPA don’t always align perfectly, which is why compliance can feel confusing. However, one thing is consistent: businesses must be transparent and give users meaningful control over their data. At minimum, this means:
- Disclosing what data you collect
- Allowing users to opt out of selling or sharing personal data
- Respecting user choices through technical controls — not just legal language
Consent banners that only say “OK” or “Read More” are no longer sufficient. Users must be able to accept, reject or customize non-essential cookies.
If you already work with Infomedia, we can help you manage this process with a vetted tool called CookieYes. This tool scans your site for cookies and tracking scripts, categorizes them and helps ensure that non-essential tools don’t run until appropriate consent is given. If you’re ready to get started, reach out to us to set up a time to chat.
Should you use the same consent banner for everyone?
In many cases, yes.
Determining consent based on location can introduce risk — especially since CCPA applies to California residents regardless of where they’re physically located at the time. Additionally, identifying a user’s location before consent may raise its own privacy concerns.
Because similar privacy laws are emerging in other states, many businesses choose to apply the same consent standards site-wide to reduce complexity and future risk.
The bottom line
Even if your business isn’t based in California, California privacy laws can still apply to you. Online businesses are the most commonly affected, often without realizing it.
Whether or not you believe you meet the thresholds, having a compliant cookie consent banner and reviewing your privacy practices with legal counsel is a smart move. Tools like CookieYes don’t replace legal advice — but they do handle the most visible, enforceable parts of compliance and significantly reduce risk.
If you need help reviewing your setup or implementing a consent solution, Infomedia is here to help.