What Is CCPA?
The California Consumer Privacy Act (CCPA) is a state law that grants California residents significant rights over their personal information and imposes obligations on businesses that collect, use, or sell consumer data. It was enacted in 2018 and represents the most comprehensive privacy legislation in the United States.
CCPA was designed to give California consumers transparency and control over how their personal information is handled, while also creating business accountability for data practices.
CCPA Key Facts
- Effective: January 1, 2020
- Amended by: California Privacy Rights Act (CPRA) in 2023
- Model: Opt-out (vs GDPR's opt-in)
- Enforcement: California Privacy Protection Agency (CPPA)
- Penalties: Up to $7,500 per intentional violation
History and Evolution
CCPA has evolved significantly since its passage:
2018: Original CCPA
The California Consumer Privacy Act was signed into law in June 2018, following intense public debate about data privacy in the wake of high-profile data breaches and scandals involving tech companies.
2020: CCPA Takes Effect
CCPA became enforceable on January 1, 2020, requiring businesses to comply with its provisions regarding consumer rights and business obligations.
2023: CPRA Amendments
The California Privacy Rights Act (CPRA) passed in November 2020 and took effect on January 1, 2023. CPRA significantly expanded CCPA by:
- Adding new consumer rights (right to correct, limit use of sensitive data)
- Creating the California Privacy Protection Agency
- Expanding the definition of personal information
- Adding requirements for data minimization and purpose limitation
- Clarifying and strengthening enforcement
Important
As we move through 2026, businesses should ensure they are compliant with the full CPRA amendments, not just the original CCPA. Many of the significant obligations come from CPRA updates.
Who Must Comply with CCPA?
CCPA applies to for-profit businesses that meet certain thresholds and do business in California:
Threshold Requirements
A business must comply with CCPA if it meets any one of the following criteria:
- Annual Revenue: Has annual gross revenue exceeding $25 million
- Data Volume: Buys, sells, or shares personal information of 100,000 or more consumers annually
- Revenue from Data: Derives 50% or more of annual revenue from selling or sharing personal information
- Joint Ventures: Controls or is controlled by a business meeting any of the above criteria
What Is "Doing Business in California"?
A business does business in California if it:
- Is incorporated in California or has a primary domicile here
- Has annual revenue from California exceeding $25 million
- Buys or sells personal information of 50,000+ California residents
- Derives 25%+ of annual revenue from selling California data
Service Providers and Contractors
Businesses that don't meet the threshold may still be affected if they serve as:
- Service Providers: Process data on behalf of businesses meeting thresholds
- Contractors: Process personal information for business purposes
- Third Parties: Receive personal information from other businesses
California Consumer Rights
CCPA grants California residents multiple rights over their personal information:
1. Right to Know
Consumers can request to know:
- Categories of personal information collected
- Specific pieces of personal information held
- Sources of personal information
- Business or commercial purpose for collection
- Categories of third parties with whom data is shared
Businesses must respond to these requests within 45 days (extendable to 90 days with notice).
2. Right to Delete
Consumers can request deletion of their personal information, with certain exceptions such as:
- Completing a transaction or contract
- Complying with legal obligations
- Security and fraud prevention
- Internal business purposes aligned with consumer expectations
3. Right to Opt-Out
Consumers can direct businesses to stop selling or sharing their personal information. This is the foundation of CCPA's opt-out model.
4. Right to Correct
Added by CPRA: Consumers can request correction of inaccurate personal information.
5. Right to Limit Use of Sensitive Data
Added by CPRA: Consumers can limit use of their sensitive personal information to what's necessary.
6. Right to Non-Discrimination
Businesses cannot discriminate against consumers who exercise their rights, including by denying service, charging different prices, or providing different quality of service.
Business Obligations Under CCPA
Businesses subject to CCPA must fulfill several obligations:
Privacy Policy Requirements
Your privacy policy must include:
- Categories of personal information collected in the past 12 months
- Sources of personal information
- Business or commercial purpose for collection
- Categories of third parties with whom information is shared
- Description of consumer rights and how to exercise them
- Specific pieces of personal information held (upon request)
Required Links and Notices
- "Do Not Sell or Share My Personal Information" link on homepage and footer
- "Limit Use of My Sensitive Personal Information" link
- Notice at collection for each category of data
Consumer Request Handling
- Provide at least two methods for submitting requests
- Respond within 45 days (can extend 45 more days)
- Verify identity of requestor
- Not charge fees for handling requests
- Maintain records of requests for 24 months
Service Provider Contracts
Contracts with service providers must:
- Specify the personal information being processed
- Prohibit use beyond contractual purposes
- Require data security protections
- Allow audit rights for compliance
Sensitive Personal Information
CPRA introduced a new category of "sensitive personal information" that receives additional protections:
What Qualifies as Sensitive?
- Social Security, driver's license, passport numbers
- Financial account information with security codes
- Precise geolocation data
- Racial or ethnic origin, religious beliefs
- Mail, email, text message content
- Genetic data, biometric information
- Health information, medical conditions
- Sex life or sexual orientation information
Requirements for Sensitive Data
- Consumers can limit use to what's necessary for the purpose
- Must provide "Limit Use of Sensitive Personal Information" link
- Can still collect with appropriate notice
- Must honor consumer requests to limit use
Enforcement and Penalties
CCPA violations can result in significant consequences:
Civil Penalties
- Non-intentional violations: Up to $2,500 per violation
- Intentional violations: Up to $7,500 per violation
- Per violation: Each instance of non-compliance counts separately
Private Right of Action
For data breaches specifically, consumers can sue:
- $100-$750 per consumer per incident
- Actual damages or statutory damages (whichever greater)
- Injunctive or other relief
Enforcement Agency
The California Privacy Protection Agency (CPPA) is responsible for enforcement, with authority to:
- Issue regulations and guidance
- Conduct investigations
- Impose administrative penalties
- Refer cases to Attorney General for litigation
CCPA vs GDPR: Key Differences
While both are major privacy regulations, CCPA and GDPR differ significantly:
Consent Model
- CCPA: Opt-out (data collection allowed unless consumer says no)
- GDPR: Opt-in (explicit consent required before collection)
Scope
- CCPA: Applies to businesses meeting thresholds
- GDPR: Applies to all organizations processing EU data
Penalties
- CCPA: Up to $7,500 per violation
- GDPR: Up to €20M or 4% of global revenue
Data Subject Rights
- CCPA: Focus on know, delete, opt-out
- GDPR: More extensive (access, rectify, erase, portability, object)
For a detailed comparison, see our GDPR vs CCPA guide.
Steps to CCPA Compliance
Here's how to achieve CCPA compliance:
1. Determine Applicability
- Calculate annual revenue
- Count California consumers whose data you handle
- Determine percentage of revenue from data sales
- Check if you're part of a joint venture meeting thresholds
2. Data Mapping
- Inventory all personal information collected
- Identify sources and purposes
- Document third-party sharing
- Determine retention periods
3. Update Policies
- Revise privacy policy for CCPA requirements
- Add required links to website
- Create notices at collection
- Update consumer-facing communications
4. Implement Processes
- Create consumer request intake methods
- Build verification procedures
- Establish response timelines (45 days)
- Train customer service and employees
5. Technical Implementation
- Add "Do Not Sell" link to footer
- Add "Limit Use of Sensitive Data" link
- Implement preference signal processing (GPC)
- Update cookie consent mechanisms
Analyze Your Privacy Policy
Use PolicyLens to check if your privacy policy meets CCPA requirements and identify any compliance gaps.
Analyze Your Policy Free