CCPA + CPRA compliance for server-side tracking

CCPA protects personal information about California residents. In an ecommerce tracking context, that can include account data, order events, device identifiers, cookie IDs, hashed emails, IP addresses, geolocation, and advertising IDs when they can identify or be reasonably linked to a consumer or household. Moving the collection point from browser pixels to a server route improves control, but it does not remove the privacy obligations attached to the data.

The law applies to for-profit businesses that do business in California and meet key thresholds: annual gross revenue over $25 million, buying, selling, or sharing personal information of more than 100,000 consumers or households, or deriving more than 50% of annual revenue from selling or sharing personal information. A merchant outside California can still fall in scope if it serves California residents and meets one of those tests.

CPRA amended CCPA and added the sensitive personal information category, usually shortened to SPI. SPI includes high-risk data such as precise geolocation, government IDs, account credentials, financial account data, health information, biometrics, and characteristics such as race, religion, union membership, and sexual orientation. Server-side tracking should classify those fields before routing because SPI can trigger a consumer's right to limit use and disclosure.

GDPR and CCPA / CPRA both regulate personal data, but the operating model is different. GDPR starts from lawful basis and often prior consent. California law focuses heavily on notice, opt-out, consumer rights, and specific rules for sale, sharing, and sensitive personal information.

CCPA rights need operational plumbing. A privacy policy can state the rights, but the tracking stack also needs lookup, suppression, export, deletion, correction, and audit controls tied to the identifiers used in server-side events.

A sale is not limited to exchanging personal information for cash. Under CCPA, sale can include making personal information available to another party for monetary or other valuable consideration. That means some advertising, enrichment, marketplace, affiliate, or data collaboration arrangements need careful review even when the contract does not call the exchange a sale.

CPRA separately regulates sharing, which covers disclosure of personal information for cross-context behavioral advertising. The point is whether the data helps target ads based on activity across businesses, sites, apps, or services. Retargeting and ad platform optimization can therefore count as sharing even if no money changes hands and even if the merchant sees the activity as ordinary campaign measurement.

Processing is broader. It includes collecting, using, retaining, disclosing, analyzing, deleting, or otherwise handling personal information. Server-side tracking processors can support a business by routing events under instructions, but the business still has to decide whether each destination activity is a sale, sharing, service-provider processing, contractor processing, or a permitted internal use.

California compliance should be visible and usable. The consumer must be able to find the required choices without searching through account settings or guessing which banner button controls advertising disclosures.

• Do Not Sell or Share My Personal Information link in the site footer.
• Limit the Use of My Sensitive Personal Information link when sensitive personal information is collected and used beyond permitted purposes.
• Privacy policy with specific CCPA-required sections covering categories collected, sources, purposes, disclosures, rights, request methods, retention, and sale or sharing practices.
• Consumer request handling that verifies the request where required and responds within 45 days unless a valid extension applies.
• Cookie banner with opt-out controls and Global Privacy Control signal support where sale or sharing may occur.

Global Privacy Control is a browser-level privacy signal. When a consumer uses a browser, extension, or user agent that sends the header Sec-GPC: 1, covered businesses must treat that signal as a valid opt-out of sale and sharing for that browser or device. The signal has to be honored without requiring the consumer to find another toggle first.

Server-side tracking needs to preserve GPC state from the edge of the request through event enrichment, consent evaluation, and destination dispatch. If the browser says Sec-GPC: 1, the server should attach that state to the event and suppress destinations or fields that would create sale or sharing. Logging the decision matters because privacy teams need proof that the signal was detected and enforced.

TrackLayer is built to make California privacy controls enforceable inside the event pipeline. The goal is to connect consumer choices with destination behavior, not leave opt-outs as a policy statement that the tracking stack cannot apply.

CCPA enforcement can reach $2,500 per violation and $7,500 per intentional violation or certain violations involving children. In tracking systems, a violation can multiply quickly when the same defective opt-out, privacy notice, or destination rule affects many consumers or many events.

CCPA also includes a private right of action for certain data breaches involving nonencrypted and nonredacted personal information when reasonable security procedures were not maintained. That makes security controls, access logs, encryption, retention, and incident response part of the privacy program, not separate technical hygiene.

Sensitive personal information should be inventoried before it can enter event payloads, customer audiences, logs, warehouses, or ad platform integrations. Common SPI categories include: