Scantra
SEO & Compliance Monitor

California Website Compliance Requirements

Risk rating: high

California has the strictest website-privacy regime in the United States — the CCPA and its successor the CPRA — plus the CalOPPA privacy-policy requirement, court-affirmed ADA accessibility liability, and an emerging AI-transparency statute. If you collect any data from California residents, you almost certainly have website obligations here.

Last reviewed 2026-06-01 · Risk rating rationale: CCPA/CPRA enforcement is active (CPPA agency + AG), private right of action exists for data breaches, and the state hosts the largest pool of plaintiffs' lawyers in the country.

Find out in 10 seconds whether your site meets California's requirements

Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most California sites we scan fail at least three.

Run a free scan →

No credit card · Email required so we can send you the full results.

Key California laws affecting websites

The statutes most likely to apply to a commercial website serving California residents. A citation to the official text is given for each where available.

CCPA

California Consumer Privacy Act of 2018 · Effective 2020

Applies to: For-profit businesses that collect California residents' personal info AND meet at least one of: (a) $25M annual gross revenue, (b) buy/sell/share personal info of 100,000+ CA residents, or (c) derive 50%+ of revenue from selling personal info.

What your website must do

  • A 'Do Not Sell or Share My Personal Information' link in the footer of every page
  • A 'Notice at Collection' shown to users at or before data collection
  • A privacy policy describing data categories, purposes, and consumer rights
  • A working mechanism to handle access, deletion, and opt-out requests within 45 days

Citation: Cal. Civ. Code §§ 1798.100–1798.199.100

CPRA

California Privacy Rights Act of 2020 · Effective 2023

Applies to: Same thresholds as CCPA, slightly amended; created the California Privacy Protection Agency (CPPA) which now has independent enforcement authority.

What your website must do

  • All CCPA requirements above, plus:
  • A separate 'Limit the Use of My Sensitive Personal Information' opt-out (when applicable)
  • Honor the Global Privacy Control browser signal as an opt-out request
  • Annual cybersecurity audits and risk assessments for higher-risk processing

Citation: Cal. Civ. Code § 1798.100 et seq. (as amended)

CalOPPA

California Online Privacy Protection Act · Effective 2004

Applies to: Any commercial website that collects personally identifiable information from California residents. Threshold is essentially zero.

What your website must do

  • Conspicuously post a privacy policy on the site
  • Identify what categories of PII are collected and with whom they are shared
  • Describe how a consumer can review and request changes to their info
  • State the effective date of the policy

Citation: Cal. Bus. & Prof. Code §§ 22575–22579

CA AI Transparency Act

California AI Transparency Act (SB 942) · Effective 2026

Applies to: Generative AI providers with more than 1 million monthly users in California. Effective January 1, 2026.

What your website must do

  • Disclose AI-generated content with both visible labels and embedded provenance metadata
  • Provide a free public detection tool for the generated content
  • Maintain detection accuracy at or above the regulator's threshold

Citation: Cal. Bus. & Prof. Code § 22757 et seq.

California compliance by topic

Consumer data protection

State-specific rule applies

What your site has to disclose, ask consent for, and allow consumers to do with their personal information.

California enforces the broadest consumer-data regime in the US through the CCPA/CPRA. Even a small business with no California office can fall under it the moment it processes 100,000 California residents' data points — a number a typical analytics integration crosses in weeks.

Practical requirements for your website

  • Publish a CCPA-compliant Privacy Policy that lists data categories, purposes, sharing relationships, and consumer rights
  • Show a 'Notice at Collection' before or at the point of collection
  • Add a 'Do Not Sell or Share My Personal Information' link in the global footer
  • Add a 'Limit the Use of My Sensitive Personal Information' link if applicable
  • Honor Global Privacy Control browser signals as opt-out requests
  • Respond to access / deletion / correction requests within 45 days

Cookies and tracking

State-specific rule applies

When you need consent, opt-outs, or universal-signal honor for cookies and analytics scripts.

California doesn't have a standalone cookie statute, but the CPRA treats most analytics, advertising, and cross-context behavioral tracking cookies as 'sharing' personal information. That triggers the same opt-out mechanism as a sale.

Practical requirements for your website

  • Make the 'Do Not Sell or Share' footer link suppress advertising and analytics cookies on opt-out
  • Treat the Global Privacy Control header as an opt-out — no consent banner click required
  • Allow CA residents to opt out of cookies tied to cross-context behavioral advertising
  • Disclose third-party cookie sharing in the privacy policy

Accessibility (ADA + state)

State-specific rule applies

WCAG conformance expectations and how the state's accessibility cases tend to be litigated.

The Unruh Civil Rights Act applies the federal ADA to California businesses with statutory damages of $4,000 per violation. Robles v. Domino's (9th Cir. 2019) confirmed that public-facing commercial websites must be accessible to blind users.

Practical requirements for your website

  • Conform to WCAG 2.1 Level AA as the de facto compliance standard
  • Provide text alternatives for non-text content (alt text on images, captions on video)
  • Ensure keyboard navigability for all interactive elements
  • Maintain a 4.5:1 minimum contrast ratio for body text
  • Publish a documented accessibility statement with a contact route for users who hit a barrier

Cybersecurity and breach response

State-specific rule applies

What 'reasonable security' looks like under state law and how fast you have to notify after a breach.

California requires reasonable security procedures for any personal information about California residents (Cal. Civ. Code § 1798.81.5). Data-breach notification (§ 1798.82) is mandatory and includes a 72-hour AG-notification trigger for breaches of 500+ residents.

Practical requirements for your website

  • Implement reasonable administrative, physical, and technical security controls — the CIS Controls are the operational benchmark
  • Encrypt PII in transit and at rest
  • Notify affected residents 'in the most expedient time possible and without unreasonable delay' after a breach
  • Notify the California AG within 72 hours for breaches affecting 500+ CA residents
  • Maintain documented incident-response procedures

Email and SMS marketing

State-specific rule applies

How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.

California's Bus. & Prof. Code § 17529.5 mirrors the federal CAN-SPAM Act and adds a private right of action plus statutory damages of $1,000 per email. False header information or deceptive subject lines on marketing email to a CA resident can produce class actions quickly.

Practical requirements for your website

  • Use truthful, non-deceptive subject lines and From addresses
  • Include a real physical postal mailing address in every commercial email
  • Provide a clear, working unsubscribe mechanism that processes requests within 10 business days
  • Do not send commercial email to a recipient who has opted out

AI regulation

State-specific rule applies

Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.

California is the first state with a comprehensive AI transparency law (SB 942). Effective January 1, 2026, large generative AI providers must visibly label AI-generated content, embed provenance metadata, and offer a free public detection tool. SB 1047 (frontier-model safety) was vetoed but several related bills are pending.

Practical requirements for your website

  • If you serve generative AI to 1M+ California users: implement visible labels on AI-generated content
  • Embed C2PA-compatible provenance metadata in generated images, audio, and video
  • Operate a free public AI-detection tool for content you generated
  • Document your detection accuracy and publish the methodology

Frequently asked questions about California website compliance

Does my website need to comply with CCPA if I don't have a California office?

Yes if you process the personal information of California residents and you meet one of the three CCPA thresholds — $25M revenue, 100,000+ CA residents' data, or 50%+ revenue from selling personal data. Location of your office is irrelevant; what matters is whose data you handle. Most US e-commerce, SaaS, and content sites cross at least one threshold once analytics and ad-tech are connected.

What's the minimum California-compliant footer?

At a minimum: a 'Privacy Policy' link, a 'Do Not Sell or Share My Personal Information' link, and a 'Your Privacy Choices' or 'Limit the Use of My Sensitive Personal Information' link when you process sensitive categories. All three must work from every page of the public site. Scantra's free scan checks whether these links are present and reachable.

Does the Global Privacy Control browser signal really count as an opt-out?

Yes — the California Attorney General confirmed in 2021 and the CPPA reaffirmed in 2023 that the Global Privacy Control (GPC) header must be treated as a valid opt-out of sale/sharing of personal information for users who have it enabled. Ignoring it is a CCPA violation and has produced enforcement actions.
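The opt-out logic described in the "Cookies and tracking" section and in this answer (treat the Global Privacy Control signal as an opt-out with no banner click, and make the "Do Not Sell or Share" choice actually suppress analytics and advertising cookies) can be implemented server-side as below. This is an added example, not Scantra's code; the cookie inventory, the `ccpa_opt_out` preference cookie name and the function names are assumptions for illustration.

```javascript
// Added example (not Scantra's code): decide whether a request carries a
// California opt-out of sale/sharing and which cookies must then be dropped.
// Assumed: OPT_OUT_COOKIE is a hypothetical first-party preference cookie set
// when the user clicks the "Do Not Sell or Share" footer link.
const OPT_OUT_COOKIE = 'ccpa_opt_out';

// Constructed sample inventory: cookie name -> category. On a real site this
// comes from your cookie audit / consent-management configuration.
const COOKIE_CATEGORIES = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  [OPT_OUT_COOKIE]: 'necessary', // the preference itself must survive
  _ga: 'analytics',
  _gid: 'analytics',
  _fbp: 'advertising',
};

// Parse a Cookie request header into a name -> value map (insertion order kept).
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Opted out when the browser sends "Sec-GPC: 1" (Global Privacy Control)
// OR the user previously clicked the footer link (preference cookie).
// Header names are lowercased, as Node's http module presents them.
function isOptedOut(headers, cookies) {
  const gpc = String(headers['sec-gpc'] || '').trim() === '1';
  return gpc || cookies[OPT_OUT_COOKIE] === '1';
}

// Returns the decision for one request: whether tracker scripts may load,
// which cookies to drop, and the Set-Cookie values that clear them.
// Conservative rule: on opt-out, every cookie not classified "necessary"
// (including unclassified ones) is treated as tracking and removed.
function applyOptOut(headers) {
  const cookies = parseCookies(headers.cookie);
  const optedOut = isOptedOut(headers, cookies);
  const drop = Object.keys(cookies).filter(
    (n) => optedOut && (COOKIE_CATEGORIES[n] || 'unknown') !== 'necessary');
  const clearHeaders = drop.map(
    (n) => `${n}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
  return { optedOut, drop, clearHeaders, loadTrackers: !optedOut };
}
```

Wire `applyOptOut` into the request pipeline so that `loadTrackers` gates injection of analytics and ad tags, and `clearHeaders` are emitted as Set-Cookie headers on the response.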

How big is the fine if I'm out of compliance?

Up to $2,500 per unintentional violation and $7,500 per intentional violation, per consumer, per violation. The CPPA has its own enforcement budget and a track record of high-six-figure settlements against mid-market businesses. The CCPA's data-breach private right of action allows $100 to $750 per consumer in class actions.

Is a Sephora-style opt-out workflow required?

Yes — the 2022 Sephora settlement clarified that for businesses subject to CCPA, the opt-out must propagate to every advertising and analytics vendor receiving the user's data, and selection must be honored within 15 business days. A footer link that only updates a local preference doesn't satisfy the law.

Ready to check your own site against California's requirements?

The same free 9-rule scan, no signup needed. Two of the findings include drafted fixes you can copy/paste; full results (and ongoing monitoring) come with a free account.



Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-01. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in California.