Understanding CCPA
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for California residents. It was enacted in 2018 and significantly amended by the California Privacy Rights Act (CPRA) in 2023.
CCPA gives California consumers the right to know what personal information is collected about them, to delete personal information, to opt-out of the sale of their personal information, and to non-discrimination for exercising their rights.
Key Facts About CCPA
- Applies to businesses meeting specific revenue or data thresholds
- Uses an opt-out model (not opt-in like GDPR)
- Updated by CPRA effective January 2023
- Enforced by the California Privacy Protection Agency (CPPA)
California Consumer Rights
Under CCPA and CPRA, California residents have the following rights:
1. Right to Know
Consumers can request to know:
- Categories of personal information collected
- Specific pieces of personal information held
- Sources from which personal information is collected
- Business or commercial purpose for collecting
- Categories of third parties with whom information is shared
2. Right to Delete
Consumers can request deletion of their personal information, with certain exceptions (e.g., completing transactions, complying with legal obligations, security purposes).
3. Right to Opt-Out
Consumers can opt-out of the sale or sharing of their personal information. Businesses must provide a clear "Do Not Sell or Share My Personal Information" link.
4. Right to Correct
Added by CPRA: Consumers can request correction of inaccurate personal information.
5. Right to Limit Use of Sensitive Data
Consumers can limit the use of their sensitive personal information to what's necessary for the intended purpose.
6. Right to Non-Discrimination
Businesses cannot discriminate against consumers who exercise their CCPA rights, including by:
- Denying goods or services
- Charging different prices or rates
- Providing different level of service
- Suggesting different quality of goods or services
Business Obligations Under CCPA
If your business meets the CCPA threshold requirements, you have several obligations:
Privacy Notice Requirements
- Privacy Policy: Maintain a clear and conspicuous privacy policy describing data practices
- At Collection Notice: Provide notice at point of collection about categories of information collected
- Requests Dashboard: Designate methods for consumers to submit requests
Consumer Request Handling
- Respond to verifiable consumer requests within 45 days
- Can extend by 45 additional days (total 90) with notice
- Verify identity of requestor
- Provide free methods for submitting requests
Technical Requirements
- Implement a "Do Not Sell or Share My Personal Information" link
- Process opt-out preference signals (like Global Privacy Control)
- Provide a link to enable limiting use of sensitive personal information
Complete CCPA Compliance Checklist
Step 1: Determine If CCPA Applies to You
- Annual gross revenue exceeds $25 million
- Buy, sell, or share personal information of 100,000+ consumers annually
- Derive 50%+ of annual revenue from selling personal information
- Control or are controlled by business meeting above criteria
Step 2: Inventory Your Data
- Map all personal information collected
- Identify sources of personal information
- Document business purposes for collection
- Identify third parties with whom data is shared
- Determine retention periods for each category
Step 3: Update Privacy Policy
- Describe categories of personal information collected in last 12 months
- List categories of sources
- Explain business or commercial purpose
- List categories of third parties
- Include "Do Not Sell or Share My Personal Information" link
- Include "Limit Use of My Sensitive Personal Information" link
- Describe consumer rights under CCPA/CPRA
- Provide methods for submitting requests
Step 4: Implement Technical Requirements
- Add "Do Not Sell or Share" link to homepage and footer
- Add "Limit Use of Sensitive Personal Information" link
- Implement processes to handle opt-out requests
- Support Global Privacy Control (GPC) signals
- Create system to process consumer rights requests
Step 5: Update Business Processes
- Train employees on CCPA requirements
- Establish procedures for handling consumer requests
- Create verification procedures for requestors
- Develop timeline for responding (45 days)
- Update contracts with service providers
Step 6: Implement Security Measures
- Implement reasonable security procedures
- Conduct security assessments
- Establish breach notification procedures
- Document security measures in privacy policy
Step 7: Ongoing Compliance
- Review and update privacy policy annually
- Monitor regulatory updates
- Maintain records of consumer requests
- Conduct periodic audits of data practices
Do You Need to Comply?
CCPA applies to businesses that meet ONE of the following thresholds:
CCPA Threshold Requirements
- $25M+ Annual Gross Revenue: If your business earns more than $25 million in annual gross revenue
- 100K+ Consumers: If you buy, sell, or share personal information of 100,000 or more consumers annually
- 50% Revenue from Sales: If 50% or more of your annual revenue comes from selling personal information
- Joint Ventures: If you control or are controlled by a business meeting the above
Important Note
Even if you don't meet these thresholds, having a privacy policy is still recommended best practice. Many businesses choose to comply voluntarily to build trust with all customers.
CCPA Penalties and Enforcement
Non-compliance with CCPA can result in significant penalties:
Civil Penalties
- Non-intentional violations: Up to $2,500 per violation
- Intentional violations: Up to $7,500 per violation
- Per-violation basis: Each instance of non-compliance counts separately
Enforcement
- Enforced by the California Privacy Protection Agency (CPPA)
- Attorney General can pursue enforcement actions
- Private right of action for data breaches ($100-$750 per consumer per incident)
Calculating Your Risk
If you have 10,000 California consumers and collect data without proper disclosure, potential penalties could range from $25 million to $75 million for intentional violations.
CPRA Updates for 2026
The California Privacy Rights Act (CPRA) amended CCPA with several important changes that took effect in 2023 and continue to be relevant in 2026:
New Consumer Rights
- Right to Correct: Consumers can now request correction of inaccurate personal information
- Right to Limit Use of Sensitive Data: New category of sensitive personal information with additional protections
New Business Obligations
- Data Minimization: Businesses must limit collection to what is reasonably necessary
- Purpose Limitation: Data can only be used for stated purposes
- Storage Limitation: Retention must be only as long as necessary
California Privacy Protection Agency
The new CPPA agency took over enforcement in 2023, bringing additional resources and focus to privacy enforcement in California.
Ready to Analyze Your Privacy Policy?
Use PolicyLens to verify your privacy policy meets CCPA requirements and identify any compliance gaps.
Analyze Your Policy Free