CCPA and Web Analytics: What Site Owners Need to Know in 2026

The California Consumer Privacy Act (CCPA) took effect January 1, 2020. The California Privacy Rights Act (CPRA) amended it and became fully enforceable January 1, 2023, adding the concept of "sharing" alongside "sale" and creating the California Privacy Protection Agency (CPPA) to enforce both.

For website operators, the practical obligations are: disclose what personal information you collect, give California residents a way to access or delete their data, give them a way to opt out of "sale" or "sharing," and do not retaliate against people who exercise these rights.

You are subject to CCPA if you do business in California AND meet at least one of: $25M+ annual revenue, process 100K+ California residents' data per year, or earn 50%+ revenue from selling/sharing California residents' data. Most internet businesses with US traffic hit the second threshold without realizing it.

This is where analytics specifically gets entangled. CCPA defines "sale" broadly: any disclosure of personal information for "monetary or other valuable consideration." "Sharing" was added by CPRA and covers cross-context behavioral advertising — think Google Signals, Facebook Pixel, retargeting tags.

When GA4 sends data to Google's advertising ecosystem (which it does by default with Google Signals on), that is "sharing" under CCPA. When you load Facebook Pixel for retargeting, that is also "sharing." When you use server-side tags to send first-party data to Meta's Conversions API for ad audiences, that is still "sharing."

Analytics tools that do NOT send data to ad networks — cookieless tools that aggregate traffic for the site owner only — typically do not trigger sharing obligations because no personal information leaves your processor relationship.

In practice, if you are GDPR-compliant for EU traffic, your CCPA exposure is usually small. The areas where CCPA adds friction are the "Do Not Sell or Share" link requirement and the right-to-delete handling — neither of which is hard if your analytics is privacy-first by default.

If any tool on your site qualifies as "selling" or "sharing" personal information about California residents, you must provide a clear link on your homepage labeled "Do Not Sell or Share My Personal Information" (or "Your California Privacy Choices" with an icon). This link must let visitors opt out of that selling/sharing within 15 days.

Tools that typically trigger this requirement: GA4 with Google Signals, Facebook Pixel, LinkedIn Insight Tag, Twitter (X) conversion tracking, TikTok Pixel, any retargeting platform, any data broker integration. Most modern marketing stacks have at least one.

Tools that typically do NOT trigger it: cookieless analytics like Sleek, Plausible, or Fathom (when configured without ad-network forwarding); first-party server logs; in-house dashboards. If your entire stack is privacy-first, you may legitimately not need a "Do Not Sell or Share" link at all — though publishing a privacy policy that says so is still wise.

GA4: Google provides a "data redaction" feature and a "consent mode" that limits ad-network data flow when users opt out. Configuration is non-trivial; many GA4 properties run misconfigured for CCPA. If your traffic is mostly US-based, this is the highest-risk area.

Plausible / Fathom / Sleek: cookieless by design, no personal information collected, no ad-network forwarding by default. CCPA obligations are minimal — typically just a privacy policy disclosure that you collect aggregate analytics and do not sell or share it.

Adobe Analytics, Mixpanel, Heap: more configurable, more risk. Each has CCPA-specific opt-out APIs you can call when a visitor opts out via your "Do Not Sell" link. Implementation is required, not automatic.

CCPA was first; many other states followed. As of 2026 there are comprehensive privacy laws in California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Oregon, Montana, Florida, Delaware, New Hampshire, New Jersey, Kentucky, Rhode Island, Maryland, Minnesota, and Nebraska. More are coming.

The good news: they are mostly modeled on CCPA, so a CCPA-compliant setup usually covers them too. The exceptions are around children's data (Florida is stricter), sensitive data definitions (varies), and consumer rights specifics.

The simplest path forward: pick analytics that are privacy-first by design and keep your privacy policy current. That covers the floor in every state without a per-state implementation effort.

Sleek does not collect personal information. IP addresses are hashed and discarded; no cookies are set; no fingerprinting. Aggregate analytics — pageviews, sources, devices, geography at country level — never leaves the customer's account and is never forwarded to ad networks.

Because no personal information is collected and nothing is "sold" or "shared" with third parties, Sleek customers do not need a "Do Not Sell or Share" link to use Sleek. Most still display one because of other tools on their site, but Sleek itself is not what triggers the requirement.

For data subject access requests (right to know, right to delete), Sleek's aggregate data does not contain PII to begin with — there is nothing to retrieve or delete on a per-person basis. We document this in our DPA and privacy policy.

CCPA does not ban any specific analytics tool. It does require disclosure, opt-out mechanisms, and honest data handling. Tools that share data with ad networks need active configuration and a "Do Not Sell or Share" link. Tools that do not share data with anyone — privacy-first analytics — sit naturally outside that requirement.

For most US businesses in 2026, the simplest CCPA-compliant analytics setup is one privacy-first analytics tool plus minimal advertising tags, with a clear privacy policy and an opt-out mechanism if any sharing tool is in scope. That is easier to maintain than a heavy GA4 + ad-pixel stack with carefully configured consent mode.