CCPA Privacy Requirements: California Consumer Rights

Navigate California's privacy law to protect consumer rights and ensure compliance

The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), is the strongest privacy law in the United States. If you do business in California, collect data from California residents, or have significant revenue, CCPA likely applies. Unlike GDPR, which requires opt-in consent, CCPA grants rights that consumers can exercise after data collection: knowing what data you collect, having their data deleted, and opting out of data sales. Penalties reach $7,500 per intentional violation, and consumers can sue for data breaches.

Who Must Comply with CCPA

CCPA applies to for-profit businesses meeting any of these thresholds:

Annual gross revenues over $25 million: If your business generates more than $25 million per year, CCPA applies regardless of how much California data you handle. This catches most large companies even if they have minimal California presence.

Buy, sell, or share personal information of 100,000+ California consumers or households: "Share" includes providing data to third parties even without monetary exchange. Many websites hit this threshold through analytics and advertising alone.

Derive 50% or more of annual revenues from selling or sharing California consumer data: Data brokers and companies whose primary business is data monetization fall under this threshold.

Note these are "or" conditions—meeting any one triggers full CCPA obligations. Also, CCPA applies based on where consumers are located, not where your business is incorporated or operates.

Key Definitions

CCPA uses specific terminology that shapes compliance requirements:

Personal information: Broadly defined as information that identifies, relates to, or could reasonably be linked to a California resident or household. This includes obvious identifiers like names and emails, but also IP addresses, device IDs, browsing history, and inferences about preferences or behavior.

Selling: Not limited to monetary transactions. Sharing personal information for "valuable consideration" counts as selling. This includes many common practices—providing data to advertisers in exchange for ad revenue, sharing analytics with partners, or allowing third-party pixels to track users.

Sharing: Cross-context behavioral advertising, even without money changing hands. If you allow ad networks to build profiles across websites, you're "sharing" under CCPA.

Sensitive personal information: CPRA (the CCPA amendment) created a category for data such as Social Security numbers, financial account credentials, precise geolocation, health data, and the contents of communications. Extra restrictions apply.

Consumer Rights Under CCPA

CCPA grants California residents extensive rights over their personal information:

Right to know: Consumers can request disclosure of what personal information you collected, sources of that information, purposes for collection, third parties you shared it with, and specific pieces of information collected about them. You must provide this within 45 days.

Right to delete: Consumers can request deletion of their personal information. You must delete it from your records and direct your service providers to delete it. Exceptions exist for completing transactions, security, complying with legal obligations, and other specified purposes.

Right to opt-out: Consumers can opt out of the "sale" or "sharing" of their personal information. You must provide a clear "Do Not Sell or Share My Personal Information" link and honor opt-outs within 15 days. You can't ask users to opt back in for at least 12 months.

Right to limit use of sensitive personal information: Consumers can limit the use of sensitive data to only what's necessary to provide services. You can't use it for profiling or targeted advertising if the consumer opts out.

Right to correct: Consumers can request correction of inaccurate personal information. Added by CPRA, this right took effect in 2023.

Right to non-discrimination: You can't deny goods or services, charge different prices, or provide a different level of quality based on the exercise of CCPA rights. Financial incentives are allowed if they're reasonably related to the value of the consumer's data.

"Do Not Sell or Share" Link

If you sell or share personal information, you must provide a clear opt-out mechanism:

Link requirements: A conspicuous link titled "Do Not Sell or Share My Personal Information" on your homepage and in your privacy policy. It must be easy to find; a link buried in the footer among dozens of other links doesn't qualify.

No account required: Consumers shouldn't need to create an account or log in to opt out. Anonymous visitors must be able to opt out.

Universal opt-out signals: You must recognize browser-based opt-out signals such as Global Privacy Control (GPC). If a user's browser sends the GPC signal, treat it as a valid opt-out request.

Processing timeframe: Honor opt-out within 15 business days. Don't sell or share that consumer's data after receiving the request.

Privacy Policy Disclosures

CCPA requires specific disclosures in your privacy policy that go beyond generic privacy statements:

Categories of information collected: List categories collected in the last 12 months. CCPA specifies categories—identifiers, commercial information, internet activity, geolocation, audio/visual, professional information, education information, inferences. Use these categories.

Sources of information: Disclose where you get data—directly from consumers, from third parties, from automated tracking, etc.

Business or commercial purposes: Explain why you collect each category. Be specific—"to improve our services" is too vague. "To analyze which product features are most popular and prioritize development" is better.

Third parties you share with: List categories of third parties that receive personal information. Include service providers, advertising networks, analytics providers, and anyone else who gets data.

Rights and how to exercise them: Explain each CCPA right in plain language and provide clear instructions for exercising them. Include web forms, email addresses, or toll-free numbers.

Verifiable Consumer Requests

You must verify consumer identity before fulfilling requests, but balance security with accessibility:

Matching process: For know and delete requests, verify identity using information you already have. Ask questions only you and the consumer would know based on existing data. Don't collect new data to verify requests.

Degree of certainty: For know requests, match at least two data points. For delete requests, match at least three data points because of the sensitivity of deletion. For sensitive personal information, you can require a higher standard.

Opt-out doesn't require verification: Don't create barriers to opt-out. Process Do Not Sell requests immediately without identity verification.

Authorized agents: Accept requests from agents authorized by consumers. Verify both the agent's authority and the consumer's identity.

Service Provider Requirements

Third parties that process data on your behalf are "service providers" with specific contractual requirements:

Written contracts: You must have contracts prohibiting service providers from retaining, using, or disclosing personal information for any purpose other than performing the specified services. They can't sell the data or use it for their own purposes.

Common service providers: Cloud hosting, email services, analytics platforms, payment processors. Ensure your contracts meet CCPA requirements. Major vendors typically provide CCPA-compliant agreements.

Contractor limitations: Unlike service providers, "contractors" can use data for their own purposes. The distinction matters: be clear about the relationship and ensure your contracts reflect reality.

CCPA vs GDPR

If you're complying with both, understand the key differences:

Consent model: GDPR requires opt-in consent for most processing. CCPA allows processing by default with opt-out for sales and sharing. This fundamental difference affects implementation.

Scope: GDPR applies to processing EU residents' data. CCPA applies based on business thresholds and California resident data. You might fall under CCPA but not GDPR, or vice versa.

Data sales: GDPR doesn't use "selling" terminology but generally prohibits it without explicit consent. CCPA allows sales unless consumer opts out. GDPR is stricter here.

Enforcement: GDPR is enforced by data protection authorities who can issue massive fines. CCPA is enforced by the California Attorney General, and consumers can sue for data breaches. The different enforcement models create different risks.

Technical Implementation

Compliance requires technical capabilities to fulfill consumer requests:

Data mapping: Document what personal information you collect, where it's stored, who it's shared with, and retention periods. Without this, you can't fulfill know or delete requests.

Opt-out mechanisms: Implement a Do Not Sell link that sets a cookie or updates stored preferences to prevent data sales. Recognize Global Privacy Control signals automatically.
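To make the universal opt-out signal and the opt-out mechanism above concrete, here is an added example (not code from the original post) of server-side logic that treats a GPC header as a valid opt-out, persists the choice in a first-party cookie, and gates which third-party tags are loaded. The cookie name "ccpa_opt_out", the Express-style header/cookie inputs, and the tag objects are my assumptions.

```javascript
// Added example, not code from the original post: server-side resolution of a
// "Do Not Sell or Share" opt-out that also honors the Global Privacy Control
// (GPC) browser signal. Assumptions (mine): the choice is persisted in a
// first-party cookie named "ccpa_opt_out"; headers and the raw Cookie header
// are passed in as an Express-style handler would expose them.

const OPT_OUT_COOKIE = 'ccpa_opt_out';

// Parse a raw Cookie header into an object, skipping malformed pairs.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Browsers that support GPC send "Sec-GPC: 1"; match the name case-insensitively.
function hasGpcSignal(headers) {
  return Object.entries(headers || {}).some(
    ([name, value]) => name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1',
  );
}

// Decide whether sale/sharing must be suppressed for this request, and why.
// A GPC header counts as a valid opt-out even when no cookie has been set yet.
function resolveOptOut(headers, cookieHeader) {
  if (hasGpcSignal(headers)) return { optedOut: true, source: 'gpc' };
  if (parseCookies(cookieHeader)[OPT_OUT_COOKIE] === '1') {
    return { optedOut: true, source: 'cookie' };
  }
  return { optedOut: false, source: 'none' };
}

// Set-Cookie value written when the user clicks the opt-out link or a GPC
// signal is first seen, so the choice survives later visits (default: one year).
function buildOptOutCookie(maxAgeSeconds = 365 * 24 * 60 * 60) {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Gate third-party tags: drop only those that sell or share data when opted out,
// so first-party essentials (error reporting, fraud checks) still load.
function tagsToLoad(tags, decision) {
  return tags.filter((tag) => !(decision.optedOut && tag.sellsOrShares));
}
```

Call resolveOptOut once per request before rendering, and pass its decision to tagsToLoad so no sale/share tag is emitted for an opted-out visitor.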

Request portal: Build or buy systems to handle requests at scale. Manual email-based processes don't scale and risk missing deadlines. Tools like OneTrust, TrustArc, or custom portals help manage workflows.

Deletion capabilities: Ensure you can actually delete data when requested. Distributed databases, backups, and third-party integrations complicate this. Design systems with deletion in mind.

Getting Started with CCPA

Prioritize these implementation steps:

1. Determine whether CCPA applies to your business based on the thresholds.
2. Conduct a data inventory and map all personal information flows.
3. Update your privacy policy with the CCPA disclosures.
4. Add a Do Not Sell link if you sell or share data.
5. Establish processes for handling consumer requests.
6. Train staff on CCPA requirements and verification procedures.
7. Consider legal review of your contracts with service providers.

CCPA compliance is ongoing, not one-time. Privacy practices evolve, new services are added, and regulations are updated through guidance and amendments. Build compliance into regular business processes rather than treating it as a project.
