CCPA and Web Analytics: What You Need to Know

Quick answer: The CCPA gives California residents the right to know what data is collected about them, to opt out of its "sale," and to request deletion. For websites using cookie-based analytics like Google Analytics, sharing visitor data with Google can constitute a "sale" under the law, which creates compliance obligations: you need an opt-out mechanism, a disclosed privacy policy, and you must honour the Global Privacy Control browser signal. Cookie-free analytics tools that collect no personal data sit outside CCPA scope entirely.

What is the CCPA?

The California Consumer Privacy Act was signed into law in 2018 and came into effect on January 1, 2020. It was significantly expanded by Proposition 24 (the CPRA, California Privacy Rights Act) in 2020, which took effect in January 2023. Enforcement sits with two bodies: the California Attorney General and the California Privacy Protection Agency (CPPA), a dedicated regulator created by the CPRA.

The law grants California residents four core rights. The right to know what personal information a business collects and what it does with it. The right to delete their data. The right to opt out of the sale or sharing of their personal information. And the right to non-discrimination, meaning businesses cannot treat you worse for exercising your privacy rights.

One thing to understand upfront: the CCPA only applies to businesses that meet at least one of three thresholds. Annual gross revenue above $25 million. Data collected or bought on more than 100,000 California consumers or households per year. Or more than 50% of annual revenue derived from selling consumers' personal information. These thresholds catch a significant portion of mid-size businesses, especially any company with substantial US web traffic.

Does the CCPA apply to web analytics?

For most analytics tools, yes. Web analytics platforms like Google Analytics receive personal information from your visitors by design: IP addresses (even if partially anonymised), device identifiers, browser fingerprint components, and a full log of browsing behaviour on your site. Google then uses this data across its advertising infrastructure.

The CPRA's 2023 amendments are particularly important here. They expanded the definition of regulated activity to include not just "selling" data but "sharing" it for the purpose of cross-context behavioural advertising. Running Google Analytics on your site and allowing Google to use that data to build advertising profiles is sharing under the CPRA definition, full stop.

The practical implication: if your business meets the CCPA thresholds and you use Google Analytics, Meta Pixel, or similar tools, you have active CCPA compliance obligations tied to your analytics setup.

What counts as "selling" data under the CCPA?

Broader than most people assume. The original CCPA defined "sale" as disclosing a consumer's personal information to a third party for monetary or other valuable consideration. That "other valuable consideration" part is key. Google provides Analytics for free; in return, it receives data it uses to improve ad targeting. Courts and regulators have found this qualifies.

The CPRA then added "sharing" as a separate regulated activity specifically to close the loophole that emerged from services claiming they weren't technically "selling" data. Sharing for cross-context behavioural advertising is now regulated separately from selling, and the same opt-out obligations apply to both.

The stakes are real. In 2022 the California Attorney General fined Sephora $1.2 million for failing to honour opt-out requests, including requests made via the Global Privacy Control browser signal. Sephora argued it wasn't "selling" data; the AG disagreed. That case set the tone for how broadly California regulators interpret these definitions.

If you use any third-party pixel or analytics tool that receives personal data and uses it beyond serving you directly, you are almost certainly sharing under the CPRA definition.

What does CCPA compliance look like in practice?

For businesses using cookie-based analytics, compliance requires several concrete steps. You need to add a clear "Do Not Sell or Share My Personal Information" link to your website, typically in the footer. You must honour the Global Privacy Control browser signal automatically, which means configuring your consent management platform to detect GPC and block data sharing for those users without requiring them to click anything. Your privacy policy needs to be updated to list the categories of personal information you collect and the categories of third parties you share it with, along with the purposes.

You also need a process for responding to deletion requests within 45 days. If a California resident asks you to delete their data, you must pass that request to any third-party service providers, including Google, that hold data you shared with them.
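One way to implement the GPC detection step described above, as an added example that is not code from this page or from any consent management platform. The GPC proposal defines the signal as the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property; the function names, the `storedOptOut` flag and the `analytics.example` URL are assumptions made for illustration.

```javascript
// Added example (hypothetical names). Opt-out model: sharing is on by default
// and switched off by GPC or by a stored "Do Not Sell or Share" choice.
const ANALYTICS_SRC = 'https://analytics.example/tag.js'; // placeholder URL

// Server side: GPC arrives as the request header "Sec-GPC: 1".
// Node lower-cases header names; repeated headers may arrive as an array.
function gpcFromHeaders(headers = {}) {
  const raw = headers['sec-gpc'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Client side: supporting browsers expose navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Combine every opt-out source; any single one blocks sharing.
function sharingDecision({ headers, nav, storedOptOut = false } = {}) {
  if (gpcFromHeaders(headers) || gpcFromNavigator(nav)) {
    return { share: false, reason: 'gpc' };
  }
  if (storedOptOut) return { share: false, reason: 'opt-out-link' };
  return { share: true, reason: 'default' };
}

// Build the page fragment and response headers for one request.
// Vary: Sec-GPC keeps a shared cache from serving the tagged page to a GPC user.
function renderAnalytics(headers, storedOptOut) {
  const decision = sharingDecision({ headers, storedOptOut });
  return {
    decision,
    responseHeaders: { Vary: 'Sec-GPC' },
    html: decision.share ? `<script async src="${ANALYTICS_SRC}"></script>` : '',
  };
}

// Constructed sample requests.
const samples = [
  { headers: { 'sec-gpc': '1' }, storedOptOut: false },
  { headers: {}, storedOptOut: true },
  { headers: { 'sec-gpc': '0' }, storedOptOut: false },
];
for (const s of samples) {
  const r = renderAnalytics(s.headers, s.storedOptOut);
  console.log(r.decision.reason, r.html ? 'tag emitted' : 'tag withheld');
}
```

Withholding the tag on the server means the third-party script never loads for a GPC visitor, so nothing depends on a banner click or on client-side code running first.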

For businesses using cookie-free analytics like TrackTrendy, the picture is much simpler. No personal data is collected, and nothing is shared with third parties for advertising purposes. There is nothing to disclose, nothing to delete, and no opt-out mechanism required for analytics. Your compliance posture is cleaner from the start.

How does CCPA compare to GDPR?

The two laws share the same general direction but differ on a fundamental point: consent direction. GDPR is opt-in. You cannot collect or process personal data without a lawful basis, and for advertising-related tracking, that basis is almost always explicit consent. The CCPA is opt-out. Businesses can collect and share data by default; users must actively object.

This means a GDPR-compliant setup (where you block all tracking until users consent) is almost always CCPA-compliant too, because you are already giving users control. A CCPA-compliant setup that simply adds an opt-out link is not necessarily GDPR-compliant.

Other differences: GDPR applies to any organisation anywhere in the world that processes EU residents' data, regardless of company size. CCPA only applies above the thresholds described above, but it applies to any business with California visitors, including those based outside the US. GDPR's ePrivacy Directive has specific cookie rules; the CCPA has no equivalent cookie-specific regulation, but cookies that contain personal identifiers are covered as personal information.

If you are building for a global audience, you are dealing with both laws. Cookie-free analytics sidestep the most difficult compliance questions in both.

How does cookie-free analytics simplify CCPA compliance?

TrackTrendy stores no IP addresses, sets no cookies, and assigns no persistent identifiers to individual visitors. Session data is aggregated immediately and cannot be traced back to a specific person or device. Nothing in that data pipeline qualifies as personal information under the CCPA definition.

That means no third-party data sharing to disclose. No opt-out mechanism required for analytics. No deletion requests to handle because there is no identifiable data to delete. And no exposure to the regulatory risk that comes with relying on tools whose business model depends on monetising the data they collect from your visitors.

You still need a privacy policy, and you still need to think carefully about any other data you collect (contact forms, e-commerce, email marketing). But your analytics setup stops being a compliance liability and starts being a neutral part of your stack.

Frequently asked questions

Does the CCPA apply to my website?

The CCPA applies to for-profit businesses that operate in California (or have California visitors) and meet at least one threshold: annual revenue over $25 million, data on more than 100,000 California consumers or households per year, or more than 50% of revenue from selling consumer data. If you run a mid-sized business with significant traffic, you likely qualify.

Does using Google Analytics violate the CCPA?

Not automatically, but it creates compliance obligations. Google Analytics shares visitor data with Google, which the CCPA may classify as "selling" or "sharing" personal information. You need to disclose this in your privacy policy, provide a "Do Not Sell or Share" opt-out, and honour the Global Privacy Control browser signal.

What is the Global Privacy Control (GPC)?

The Global Privacy Control is a browser setting that signals to websites that the user does not consent to the sale or sharing of their personal information. California law (CPRA) requires businesses to honour the GPC signal automatically. You cannot require users to submit a separate opt-out form if their browser sends GPC.

What personal information is covered by the CCPA?

The CCPA covers information that identifies, relates to, or could reasonably be linked to a California consumer or household. This includes names, IP addresses, browsing history, device identifiers, and inferences drawn from this data. Cookie identifiers used by Google Analytics fall within this definition.

How is the CCPA different from GDPR?

The key difference is consent direction. GDPR requires opt-in consent before collecting personal data; the CCPA requires opt-out (you can collect unless users object). GDPR applies to any organisation processing EU residents' data regardless of size; CCPA applies to businesses above specific revenue or data volume thresholds. Both require transparency about data practices and the right to deletion.

Stop sharing visitor data with Google

TrackTrendy collects no personal data, no IP addresses and no identifiers, and shares nothing with third parties. Simpler compliance, more accurate data, from €4/month.
