CCPA Compliance for Small Websites: What You Actually Need
A practical CCPA compliance checklist for small websites — who it applies to, what to add to your privacy policy, cookie banners, and how to honor opt-outs.
The California Consumer Privacy Act (CCPA), expanded by the CPRA, sounds like something only big tech needs to worry about. In reality, plenty of small sites — a SaaS side project, a niche ecommerce store, a content site running ad networks — fall under it the moment they collect California residents' data and hit certain thresholds. The good news: compliance for a small site is mostly documentation, a few clear user controls, and one or two backend changes.
Does CCPA actually apply to your site?
CCPA only applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:
- Annual gross revenue over $25 million, or
- Buy, sell, or share personal info of 100,000 or more California consumers or households per year, or
- Derive 50% or more of annual revenue from selling or sharing personal information.
Most small websites don't hit the revenue or volume bar — but that 50% rule catches a lot of ad-funded blogs and affiliate sites. If you run programmatic ads (Google AdSense, Mediavine, Ezoic, etc.), data is being shared with ad partners, and a meaningful chunk of your revenue depends on it. That's enough to bring you into scope even with modest traffic.
Quick self-check
- Do you have visitors from California? (If your site is in English and indexed by Google, yes.)
- Do you collect any of: IP address, cookies, email, account data, purchase history?
- Do you use ad networks, analytics, retargeting pixels, or share data with third parties?
If you answered yes to all three and you run ads or sell user data in any form, treat yourself as in scope.
The minimum compliance stack
For a small site, CCPA compliance breaks into five concrete deliverables:
- A CCPA-compliant privacy policy
- A "Do Not Sell or Share My Personal Information" link or mechanism
- Honoring the Global Privacy Control (GPC) signal
- A way for users to request access or deletion of their data
- Internal records of how you handle requests
1. Update your privacy policy
Your policy must disclose, in plain language:
- The categories of personal information you collect (identifiers, internet activity, geolocation, commercial info, etc.)
- The sources (the user, cookies, analytics, ad partners)
- The business purposes for collection
- The third parties you share or sell to
- Consumer rights: know, delete, correct, opt-out of sale/sharing, limit use of sensitive info, non-discrimination
- How to submit a request (email, form, or toll-free number if you have 20+ employees)
- How long you retain each category of data
If your existing policy is a generic template from three years ago, it almost certainly misses CPRA additions like the right to correct and the sensitive personal information category. Rebuild it. AXOX Hub's Privacy Policy Generator will draft a CCPA/CPRA-aware policy you can paste in and customize.
2. Add a "Do Not Sell or Share" link
If you run ads or share data with third parties for cross-context behavioral advertising, CCPA treats that as "selling or sharing." You need a clearly labeled link in your footer — typically titled Do Not Sell or Share My Personal Information or Your Privacy Choices (with the official blue toggle icon) — that takes users to an opt-out page or fires your consent management platform's opt-out flow.
For most small sites, the easiest path is a free consent tool like Google's Consent Mode v2 with a CMP such as Cookiebot, Termly, or Osano (all have free tiers under a certain pageview count). The CMP handles the link, the toggle UI, and signals your ad partners to stop sharing data for that user.
3. Honor Global Privacy Control
California's AG has made it explicit: if a browser sends the GPC header, you must treat it as a valid opt-out request — no banner click required. Most modern CMPs handle this automatically, but verify it. You can confirm the header is being sent and detected using AXOX Hub's HTTP Header Checker to inspect the request/response cycle on your site.
4. Build a request workflow
You need a way for users to submit:
- Right to know — what data you have on them
- Right to delete — wipe their data (with allowed exceptions like fraud prevention)
- Right to correct — fix inaccurate info
- Right to opt out — stop sale/sharing
For a small site, a dedicated email like privacy@yourdomain.com plus a simple web form is enough. You must respond within 45 days (extendable once by another 45 with notice). You must verify the requester's identity — for account holders, logging in is sufficient; for anonymous visitors, ask for two or three matching data points.
5. Keep records
You don't need a fancy system. A spreadsheet with date received, type of request, verification method, action taken, and date closed will satisfy the recordkeeping requirement for two years. Keep it for at least 24 months.
Common mistakes small sites make
- Assuming "we don't sell data" means CCPA doesn't apply. Sharing with ad partners counts as selling under CPRA.
- Burying the opt-out link. It must be conspicuous — footer is standard, but it has to be visible without scrolling on mobile in most interpretations.
- Cookie banner with no real choice. "Accept" with no "Reject" button violates CPRA. Both options must be equally prominent.
- Ignoring GPC. Several enforcement actions (Sephora, DoorDash) hinged on this.
- Not training the one person handling requests. If that's you, write yourself a one-page SOP so you respond consistently.
Technical implementation checklist
- Audit every third-party script on your site (analytics, ads, chat widgets, embeds). Each one is a potential data-sharing relationship to disclose.
- Install a CMP and configure it to block non-essential scripts until consent is given for California users — or for all users, which is simpler.
- Add the "Your Privacy Choices" link to your global footer.
- Publish the updated privacy policy at a stable URL and link it from every page footer plus your cookie banner.
- Add a privacy request form or email link inside the policy.
- Test by visiting your site with GPC enabled (Brave, Firefox with the setting on, or DuckDuckGo extension) and confirm ad/tracking scripts are suppressed.
- Re-check your response headers and verify your CMP is firing correctly using a header inspection tool.
If you want a head start on the privacy policy itself, generate a CCPA/CPRA-aware draft with the AXOX Hub Privacy Policy Generator and customize the disclosures to match the actual third parties on your site.
Try the free tool
Open Tool