Katla supports CCPA/CPRA compliance through an opt-out consent model. Unlike GDPR (which requires opt-in), CCPA allows cookies by default and gives visitors the right to opt out of the sale or sharing of their personal information.

How CCPA mode differs from GDPR

| Behavior | GDPR (default) | CCPA |
| --- | --- | --- |
| Cookies before consent | Blocked (opt-in) | Allowed (opt-out) |
| Cookie guard | Installed immediately | Not installed |
| Banner purpose | Ask for permission | Inform and offer opt-out |
| Primary action | “Accept All” | “Do Not Sell or Share” |
| GPC signal | Ignored | Honored as opt-out |

Configuration

Set regulation to 'ccpa' in your widget settings, or use 'auto' for client-side detection:
<!-- Auto-detection (recommended) -->
<script src="https://dist.katla.app/{siteId}.js"></script>
When regulation is 'auto' (the default), the script detects the visitor’s region at runtime:
  1. GPC signal — If navigator.globalPrivacyControl is true, CCPA mode is used
  2. Timezone — US timezones (America/*) default to CCPA; all others default to GDPR
This detection runs entirely client-side and requires no geo-IP service. The script remains fully CDN-cacheable. To force CCPA mode for all visitors, set regulation: 'ccpa' in your site’s widget settings.

Global Privacy Control (GPC)

GPC is a browser-level signal that tells websites the user does not want their data sold or shared. Under CCPA, businesses must honor this signal. When Katla detects GPC in CCPA mode:
  1. An opt-out is automatically recorded
  2. The consent API receives consentType: 'optedOut'
  3. The widget shows a confirmation: “Your Global Privacy Control signal has been honored”
  4. The settings button (gear icon) appears instead of the full banner
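
The detection order and GPC handling described above, as an added sketch that is not Katla's own code. It takes the documented America/* rule literally as a prefix match (an assumption), and initialState with its field names (cookieGuard, ui) is a hypothetical summary of the first-load behavior.

```javascript
// Added sketch of the rules documented above; not Katla's source code.
// Assumption: "America/*" is read literally as a prefix match on the IANA zone.

// Read the two inputs the page names from a browser environment.
function readEnv() {
  const nav = typeof navigator !== 'undefined' ? navigator : {};
  return {
    gpc: nav.globalPrivacyControl === true,
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone || '',
  };
}

// setting: 'auto' or 'ccpa', the widget's regulation setting.
function detectRegulation(setting, env) {
  if (setting === 'ccpa') return 'ccpa';                        // forced for all visitors
  if (env.gpc) return 'ccpa';                                   // step 1: GPC signal
  return env.timeZone.startsWith('America/') ? 'ccpa' : 'gdpr'; // step 2: timezone
}

// Hypothetical summary object: what the page says happens on first load.
function initialState(setting, env) {
  const regulation = detectRegulation(setting, env);
  if (regulation === 'gdpr') {
    // GDPR: cookie guard installed immediately, banner asks for permission.
    return { regulation, cookieGuard: true, consentType: null, ui: 'banner' };
  }
  if (env.gpc) {
    // CCPA + GPC: opt-out recorded automatically, gear icon instead of banner.
    return { regulation, cookieGuard: false, consentType: 'optedOut', ui: 'settings-button' };
  }
  // CCPA without GPC: cookies allowed, banner offers the opt-out.
  return { regulation, cookieGuard: false, consentType: null, ui: 'banner' };
}

// Constructed sample environments.
const samples = [
  { gpc: false, timeZone: 'America/Los_Angeles' },
  { gpc: false, timeZone: 'Europe/Berlin' },
  { gpc: true, timeZone: 'Europe/Berlin' },     // GPC is checked before timezone
  { gpc: false, timeZone: 'America/Toronto' },  // prefix rule also matches non-US zones
  { gpc: false, timeZone: 'Pacific/Honolulu' }, // US zone outside America/*
];
for (const env of samples) console.log(env, initialState('auto', env));
```

Read this way, the prefix rule puts America/Toronto in CCPA mode and Pacific/Honolulu in GDPR mode, and a visitor in Europe/Berlin with GPC enabled lands in CCPA mode.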

Checking GPC programmatically

KatlaConsent.isGPCEnabled()  // true if browser has GPC enabled
KatlaConsent.getRegulation() // 'ccpa' or 'gdpr'

.well-known/gpc.json

To fully comply with GPC, deploy a .well-known/gpc.json file on your domain:
{
  "gpc": true,
  "lastUpdate": "2025-01-01"
}
This file signals to browsers that your site respects GPC. It is deployed on your domain, not by the Katla widget.

“Do Not Sell or Share” UI

In CCPA mode, the consent banner shows:
  • Title: “Your Privacy Choices”
  • Description: Informs visitors about data collection and their opt-out rights
  • “Do Not Sell or Share My Personal Information” — Primary button that triggers opt-out
  • “Cookie Preferences” — Opens the category customization modal
  • “Close” — Dismisses the banner without action (cookies continue)
CCPA opt-outs are recorded with:
  • consentType: 'optedOut' (distinct from GDPR’s 'rejected')
  • regulation: 'ccpa' in the consent record
  • Categories set to ['functional'] only
When a visitor opts out under CCPA, Google Consent Mode parameters are updated:
| Parameter | Value |
| --- | --- |
| ad_storage | denied |
| ad_user_data | denied |
| ad_personalization | denied |
| analytics_storage | granted |
Analytics remain granted because CCPA does not restrict analytics collection by default — only the sale or sharing of personal information.

Set privacyPolicyUrl in your widget settings to display a “Privacy Policy” link in the consent banner and preferences modal:
// In widget settings
{
  regulation: 'ccpa',
  privacyPolicyUrl: 'https://example.com/privacy'
}