CCPA / CPRA
The CCPA and CPRA give California residents the right to opt out of the sale or sharing of their personal information. Unlike the GDPR, the model is opt-out: cookies may run, and the visitor can say no afterward. A clear Do Not Sell or Share link must be offered, and an opt-out browser signal such as Global Privacy Control must be honored. This page maps each obligation to the OptSens feature that supports it.
This documentation explains how OptSens features work. It is not legal advice. Whether and how the CCPA or CPRA applies to your business is a decision for you and your own counsel.
What the regulation expects of cookie usage
California visitors can let advertising cookies run and then opt out of the sale or sharing of their data. You must give them a Do Not Sell or Share link and treat a Global Privacy Control signal as a valid opt-out request.
Obligation map
| CCPA / CPRA obligation | OptSens feature |
|---|---|
| Opt-out model, not opt-in | CCPA mode via geo rules |
| Do Not Sell or Share link | Auto-injected Do Not Sell link, plus a manual placement option |
| Honor opt-out browser signals | Global Privacy Control detection with automatic opt-out |
| Notice of what is collected | The cookie declaration lists cookies and providers |
| Let visitors change the choice | Floating widget reopens the preference center |
| Proof of the opt-out | Consent records store the choice and GPC status |
| Signal to ad partners | US National section announced through IAB GPP, opt-out carried in the __uspapi string |
Opt-out, not opt-in
When a visitor is matched to CCPA mode by geo rules, the banner presents an opt-out experience rather than blocking scripts up front. OptSens shows a Do Not Sell or Share link. The link is injected automatically, and you can also place it yourself in your footer. Selecting it records the visitor's opt-out.
Global Privacy Control
CPRA treats GPC as a valid opt-out request. When Respect privacy signals is on for the domain, OptSens detects the GPC signal from the visitor's browser and applies an automatic opt-out without the visitor clicking anything. The consent record notes that GPC was detected and honored. See Global Privacy Control for detail.
Signaling downstream
To pass the opt-out on to advertising partners, OptSens announces the US
National section as applicable through IAB GPP
and carries the opt-out in the __uspapi string that US ad tech reads.
Proving the opt-out
Each opt-out is stored as a consent record with a timestamp, country, and the GPC detected and honored flags. View these in consent logs, export them, or generate a consent proof PDF for one visitor.
Data subject requests
California visitors can request access to or deletion of their data. Collect and track these through the DSAR workflow.