What CCPA says about fingerprinting
Unlike the GDPR, the California Consumer Privacy Act names device fingerprinting explicitly. Cal. Civ. Code §1798.140(v)(1)(A) defines 'personal information' to include 'unique personal identifiers', and §1798.140(aj) defines a 'unique personal identifier' as a persistent identifier that can be used to recognise a consumer, family or device, listing 'unique pseudonyms', 'device identifiers', 'beacons', 'probabilistic identifiers' and 'telephone numbers' as examples. A browser fingerprint is a probabilistic identifier by construction.
That definition was carried through the CPRA amendments (Proposition 24, effective 1 January 2023). The CPRA also created the California Privacy Protection Agency (CPPA), the dedicated regulator that now sits alongside the California Attorney General. Both have authority to fine and to issue rulemakings.
The 'sale' and 'share' question
Under CCPA §1798.140(ad), 'sale' is broad: it captures any disclosure of personal information to a third party for monetary or other valuable consideration. CPRA added §1798.140(ah)'s 'share' definition, which specifically covers disclosures for cross-context behavioural advertising, even where no money changes hands.
Most fingerprinting compliance work in California turns on whether your data flow crosses one of those thresholds. A first-party fingerprint used only for your own anti-fraud or product analytics is not a sale or share. The same fingerprint passed to an ad-tech partner for retargeting almost certainly is, and that triggers the obligation to honour 'Do Not Sell or Share My Personal Information' links and Global Privacy Control signals.
Consumer rights triggered by collecting a fingerprint
- Right to notice: disclosed in your privacy policy and at or before the point of collection (§1798.100).
- Right to know: what categories and specific pieces of personal information were collected (§1798.110).
- Right to delete: with statutory exceptions for fraud detection and free speech (§1798.105).
- Right to correct: added by CPRA (§1798.106).
- Right to opt out of sale or sharing: including via the Global Privacy Control browser signal (§1798.120).
- Right to limit use of sensitive personal information: added by CPRA (§1798.121).
- Right to non-discrimination: you cannot deny service or charge more because a consumer exercised a right (§1798.125).
Global Privacy Control is not optional
The California AG's August 2022 settlement with Sephora ($1.2M) turned on Sephora's failure to honour the Global Privacy Control browser signal as an opt-out of sale. The settlement made it unambiguous: GPC is a legally recognised opt-out signal in California, and businesses must process it server-side as a 'do not sell or share' instruction the moment they receive it.
For a fingerprinting pipeline, that means the GPC signal must be checked before any downstream sharing of the fingerprint with a third-party platform. The fingerprint itself can still be generated on the device (generation is not sale), but onward disclosure to anyone outside your service provider chain must stop.
Sensitive personal information and biometric inference
CPRA created a new sub-category, 'sensitive personal information' (§1798.140(ae)), which includes precise geolocation, biometric information processed for the purpose of uniquely identifying a consumer, and information concerning a consumer's health, sex life, race or religion. Consumers have a separate right under §1798.121 to limit the use of sensitive PI to specified purposes.
Most browser fingerprints are not, on their own, sensitive PI (for example: the GPU renderer string, the audio context output, the font list). But a fingerprinting pipeline that infers biometric attributes (gait from accelerometer, voice timbre, behavioural patterns) or that consumes precise GPS coordinates does pick up the additional sensitive-PI obligations.
CCPA obligations at a glance
| Activity | Notice required? | Opt-out required? | Opt-in required? |
|---|---|---|---|
| First-party anti-fraud fingerprinting, no third-party sharing | Yes | No | No |
| First-party product analytics fingerprinting | Yes | No | No |
| Cross-context behavioural advertising using fingerprints | Yes | Yes (sale + share) | No |
| Selling fingerprints to a data broker | Yes + registry | Yes (sale) | No |
| Fingerprinting tied to precise geolocation | Yes | Yes | Limit-use right applies |
| Fingerprinting consumers under 16 | Yes | - | Yes (opt-in by 13-16; parental for under-13) |
Who is covered?
CCPA applies to a 'business' that does business in California and meets at least one of three thresholds in §1798.140(d): annual gross revenue over $25M (CPI-adjusted), buys/sells/shares the personal information of 100,000 or more consumers or households annually, or derives 50%+ of its annual revenue from selling or sharing consumers' personal information. A fingerprinting vendor or ad-tech intermediary will normally satisfy the second threshold by virtue of its business model alone.
Non-profits, government entities and medical providers regulated under HIPAA are mostly out of scope, with carve-outs.
Enforcement under CCPA
Enforcement in California is split between the AG (since 2020) and the CPPA (since 2023). Civil penalties under §1798.155 are capped at $2,500 per violation and $7,500 per intentional violation or violation involving a minor's data. Per-violation counts compound quickly: a single ad-tech pipeline that exposes one million Californian fingerprints to non-compliant sharing exposes the business to a theoretical maximum that dwarfs GDPR.
Notable enforcement actions
- California AG v. Sephora (August 2022): $1.2M. Failure to disclose sale, failure to provide an opt-out, and failure to honour GPC signals. Often cited as the first 'GPC fine'.
- California AG sweep of connected-vehicle data (August 2023): not a fine but an enforcement notice asking automakers about fingerprint-class telemetry sharing.
- CPPA enforcement advisory on data minimisation (April 2024): named persistent device identifiers and sensor data as examples of categories where minimisation must be applied.
- CPPA enforcement advisory on dark patterns in opt-out flows (December 2024): made clear that 'dark patterns in the opt-out journey' will be pursued aggressively.
- CPPA settlement with DoorDash (February 2024): $375,000. CCPA's first 'sale' fine. DoorDash disclosed information including device identifiers to a marketing cooperative.
How Benny the Doorman fits into a CCPA-aware deployment
A typical CCPA-aware integration with Benny rests on three building blocks. First, Benny operates under a service-provider contract: our DPA is structured to make Benny a §1798.140(ag) service provider, so the disclosure of fingerprints to Benny is not itself a 'sale' or 'share'. Second, the application reads GPC and any CCPA-specific consent state before passing the fingerprint to any third party that is not also a service provider. Third, your privacy policy includes Benny in its list of service providers and the fingerprint in its categories-of-information disclosure.
Benny does not currently sell or share customer data to third parties. The hardware ID we return to you is yours to use within your service-provider chain. What you do with it downstream is what triggers the CCPA analysis.
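The server-side gate described above (check GPC and consent state before any onward disclosure, with service-provider disclosure exempt) as an added example; this is illustrative code, not Benny's own integration. It assumes GPC arrives as the HTTP header `Sec-GPC: 1` per the W3C Global Privacy Control draft, and the recipient registry and consent-state field names are constructed for the example.

```python
"""Policy gate for onward disclosure of a fingerprint under CCPA (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GPC_HEADER = "sec-gpc"  # W3C GPC draft: browser sends "Sec-GPC: 1" when enabled

# Constructed sample registry: recipients contracted as §1798.140(ag)
# service providers. A real deployment would load this from contract data.
SERVICE_PROVIDERS = frozenset({"benny-doorman", "fraud-scoring-sp"})


@dataclass
class ConsumerState:
    headers: Dict[str, str]
    opted_out: bool = False        # 'Do Not Sell or Share' link or recorded GPC
    age: Optional[int] = None      # None unless the business actually knows it
    minor_opt_in: bool = False     # opt-in (13-15) or verifiable parental (<13)


def gpc_signalled(headers: Dict[str, str]) -> bool:
    """True when the request carried Sec-GPC: 1 (header names are case-insensitive)."""
    return any(k.lower() == GPC_HEADER and v.strip() == "1" for k, v in headers.items())


def record_gpc(state: ConsumerState) -> bool:
    """Persist GPC as an opt-out the moment it is seen; return the opt-out state."""
    if gpc_signalled(state.headers):
        state.opted_out = True
    return state.opted_out


def may_disclose(state: ConsumerState, recipient: str) -> Tuple[bool, str]:
    """Decide whether the fingerprint may be passed to `recipient`.

    Disclosure to a service provider is neither a 'sale' nor a 'share', so
    neither GPC nor the opt-out state blocks it. Any other recipient is
    treated conservatively as a sale/share for cross-context advertising.
    """
    opted_out = record_gpc(state)  # always record, even for service providers
    if recipient in SERVICE_PROVIDERS:
        return True, "service provider: not a sale or share"
    if state.age is not None and state.age < 16:
        if state.minor_opt_in:
            return True, "minor: affirmative opt-in on record"
        return False, "minor under 16: opt-in required before sale or share"
    if opted_out:
        return False, "opt-out in force (GPC or link): do not sell or share"
    return True, "adult, no opt-out: sale/share permitted with notice and link"
```

Because `record_gpc` runs before the recipient check, a consumer whose browser sent GPC on a request that only reached a service provider is still marked opted out for every later disclosure.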
Frequently asked questions
Does the CCPA apply to browser fingerprinting?
Yes. Device fingerprints fall squarely inside the 'unique personal identifier' definition in Cal. Civ. Code §1798.140. Collecting a fingerprint from a California consumer triggers the CCPA's notice, access, deletion, correction, and (where applicable) opt-out obligations.
Is fingerprinting a 'sale' under CCPA?
Not by itself. Generating a fingerprint on your own service is collection, not sale. The 'sale' or 'share' question is triggered when the fingerprint is disclosed to a third party for monetary or other valuable consideration, or to support cross-context behavioural advertising.
Do I need consent before fingerprinting in California?
Not for adult consumers in most cases. CCPA is an opt-out regime: you must give notice and an opt-out, but you do not need affirmative consent before collecting a fingerprint. Minors under 16 are the exception: they require opt-in, and under-13s require verifiable parental consent.
What is the Global Privacy Control and do I have to honour it?
GPC is a browser-level signal that tells a website the user opts out of sale and sharing of their personal information. Following the Sephora settlement, the California AG and CPPA treat it as a legally binding opt-out request, and businesses must implement server-side handling of the signal.
Does CCPA require a 'Do Not Sell or Share My Personal Information' link?
If your fingerprint flow involves a 'sale' or 'share' as defined in §1798.140, yes: the link is mandatory and must be honoured. If your fingerprinting is purely first-party and stays inside a service-provider chain, the link is not strictly required, though many businesses display it for clarity.
Are fingerprints 'sensitive personal information' under CPRA?
Not by default. The CPRA's sensitive PI category covers precise geolocation, biometric information used for unique identification, and a short list of other categories. A standard hardware fingerprint is not sensitive, but a fingerprint enriched with precise geolocation or behavioural biometrics can be.
What's the penalty for non-compliant fingerprinting under CCPA?
Up to $2,500 per violation, or $7,500 per intentional violation or one involving a minor's data. Per-violation counts apply per affected consumer, which scales fast. The Sephora settlement of $1.2M is a useful order-of-magnitude reference for a sale-and-GPC failure.
Does CCPA apply to companies outside California?
Yes, if they do business in California and meet one of the thresholds in §1798.140(d): annual revenue, processing volume, or revenue-from-selling-data percentage. A US-or-foreign company with no physical California presence can still be in scope.
Tooling
Benny the Doorman is built for this compliance posture.
Free, cookieless fingerprinting that defers to your consent management platform, runs on Indian infrastructure, and ships with a DPA addendum sized for the jurisdiction above.
Last reviewed 2026-06-06