California Consumer Privacy Act (CCPA): Complete Guide
Learn what the California Consumer Privacy Act (CCPA) is, who it applies to, and how to comply. Covers consumer rights, penalties, and CPRA updates.
The California Consumer Privacy Act (CCPA) is one of the most significant privacy laws in the United States, granting California residents substantial control over how businesses collect and use their personal information. If you run a business that serves customers in California, and most online businesses do, understanding what the CCPA is and whether it applies to you is essential for legal compliance.
This guide covers the full scope of the California Consumer Privacy Act, including who it applies to, what rights it grants consumers, how the CPRA amendments changed the law, and what steps you need to take to comply. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
What Is the CCPA?
The CCPA is a state privacy law that took effect on January 1, 2020. It was enacted through California Assembly Bill 375 and codified in California Civil Code Sections 1798.100 through 1798.199.100. The law gives California residents (referred to as "consumers" in the statute) specific rights over their personal information and imposes corresponding obligations on businesses that collect it.
In simple terms, the California Consumer Privacy Act answers a straightforward question: what happens to the personal data California residents hand over to businesses? Before the CCPA, businesses in California had limited obligations to disclose their data practices. The CCPA changed that by creating enforceable rights backed by real penalties.
The CCPA was significantly amended by the California Privacy Rights Act (CPRA), which voters approved through Proposition 24 in November 2020. The CPRA amendments took effect on January 1, 2023, with enforcement beginning July 1, 2023. Throughout this guide, references to the CCPA include the CPRA amendments unless stated otherwise.
Who Does the California Consumer Privacy Act Apply To?
The CCPA does not apply to every business. It targets for-profit businesses that meet specific thresholds and collect personal information from California residents.
Applicability thresholds
A for-profit business is subject to the CCPA if it meets any one of the following three criteria:
- Revenue threshold: Annual gross revenue exceeding $25 million in the preceding calendar year
- Data volume threshold: Annually buys, sells, or shares the personal information of 100,000 or more consumers, households, or devices (the CPRA updated this from the original 50,000)
- Revenue from data: Derives 50% or more of annual revenue from selling or sharing consumers' personal information
Who is a "consumer" under the CCPA?
A consumer is any natural person who is a California resident, as defined by Section 17014 of Title 18 of the California Code of Regulations. This includes:
- People who live in California, even temporarily
- People domiciled in California who are outside the state temporarily
It does not include people merely visiting California or passing through. However, the definition is broad enough that any business with a website accessible to California residents should evaluate whether it meets the thresholds.
Exemptions
The CCPA exempts several categories:
- Nonprofit organizations: The CCPA applies only to for-profit entities
- Government agencies: Not covered
- Data already covered by certain federal laws: Personal information governed by HIPAA, GLBA (financial institutions), FCRA (credit reporting), and DPPA (driver privacy) receives partial exemptions
- Employee and B2B data: Originally exempt, but the CPRA removed these exemptions effective January 1, 2023, bringing employee and business contact data under full CCPA protection
Consumer Rights Under the CCPA
The California Consumer Privacy Act establishes several specific rights for California residents. Businesses must honor these rights through verifiable consumer requests.
Right to know (Section 1798.100)
Consumers can request that a business disclose:
- The categories of personal information collected
- The specific pieces of personal information collected
- The categories of sources from which information was collected
- The business or commercial purpose for collecting or selling the information
- The categories of third parties with whom the information is shared
Businesses must respond to verified requests within 45 days, with the option to extend by an additional 45 days if necessary.
Right to delete (Section 1798.105)
Consumers can request deletion of their personal information. Businesses must comply and direct their service providers to delete the data as well, with limited exceptions including:
- Completing the transaction for which the data was collected
- Detecting security incidents or protecting against fraud
- Complying with a legal obligation
- Internal uses reasonably aligned with consumer expectations
Right to opt out of sale or sharing (Section 1798.120)
Consumers have the right to direct a business not to sell or share their personal information. The CPRA expanded this right to cover "sharing" for cross-context behavioral advertising, not just traditional sales. Businesses that sell or share data must provide a clear "Do Not Sell or Share My Personal Information" link on their website.
Right to non-discrimination (Section 1798.125)
Businesses cannot deny goods or services, charge different prices, or provide a different quality of service because a consumer exercised their CCPA rights. Limited exceptions exist for financial incentive programs where the price difference is reasonably related to the value of the consumer's data.
Rights added by the CPRA
The CPRA introduced additional rights effective January 1, 2023:
- Right to correct (Section 1798.106): Consumers can request correction of inaccurate personal information
- Right to limit use of sensitive personal information (Section 1798.121): Consumers can direct businesses to limit the use of sensitive data (Social Security numbers, financial information, precise geolocation, race, health data) to what is necessary for providing the requested service
What Counts as Personal Information Under the CCPA
The CCPA defines personal information broadly in Section 1798.140(v) as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This definition is intentionally wide. It includes:
- Identifiers: Name, alias, postal address, email address, Social Security number, driver's license number, passport number, IP address, account name
- Commercial information: Records of products or services purchased, obtained, or considered, and other purchasing or consuming histories
- Internet activity: Browsing history, search history, interaction with websites, applications, or advertisements
- Geolocation data: Precise physical location
- Biometric information: Fingerprints, face recognition data, voice recordings
- Professional or employment information: Job history, performance evaluations
- Education information: Records maintained by educational institutions
- Inferences: Consumer profiles created from any of the above to predict preferences, behavior, or characteristics
Sensitive personal information (added by CPRA)
The CPRA created a new subcategory with heightened protections:
- Social Security, driver's license, state ID, and passport numbers
- Account login credentials (username combined with password or security question)
- Financial account numbers with access codes
- Precise geolocation
- Racial or ethnic origin, religious beliefs, union membership
- Contents of mail, email, and text messages (where the business is not the intended recipient)
- Genetic data and biometric data used for identification
- Health information and sex life or sexual orientation data
Consumers can limit business use of sensitive personal information to what is strictly necessary for providing the service they requested.
How to Comply with the California Consumer Privacy Act
CCPA compliance requires changes to your data practices, your privacy disclosures, and your operational processes. Here is what businesses need to implement.
Update your privacy policy
Your privacy policy must include the following CCPA-specific disclosures, as required by Section 1798.100(a):
- Categories of personal information collected in the preceding 12 months
- Categories of sources from which information is collected
- The business or commercial purpose for collecting, selling, or sharing information
- Categories of third parties with whom information is shared
- Specific rights available to California consumers and how to exercise them
- Whether the business sells or shares personal information and the categories involved
- The retention period for each category of personal information, or the criteria used to determine retention
The privacy policy must be updated at least once every 12 months and must include the date it was last updated.
Implement consumer request processes
You need mechanisms for consumers to submit and verify requests:
- At least two request methods: A toll-free telephone number and one additional method (website form, email address, or in-person submission). Online-only businesses may provide only an email address.
- Verification process: You must verify the identity of consumers making requests. The level of verification should be proportionate to the sensitivity of the data involved.
- Response timeline: Confirm receipt within 10 business days. Provide a substantive response within 45 calendar days, with the option to extend by 45 additional days with notice.
- Free of charge: You cannot charge a fee for processing requests, with limited exceptions for manifestly unfounded or excessive requests.
Add required website notices
- "Do Not Sell or Share My Personal Information" link: Required if you sell or share personal information. Must be clearly visible on your homepage.
- "Limit the Use of My Sensitive Personal Information" link: Required if you use sensitive personal information beyond what is necessary to provide the requested service.
- Notice at collection: A disclosure at or before the point of data collection listing the categories of information collected and the purposes for each.
Update vendor contracts
Service providers and contractors that process personal information on your behalf must be bound by written contracts that:
- Specify the business purposes for which data is provided
- Require the service provider to comply with the CCPA
- Prohibit the service provider from selling or sharing the data
- Require the service provider to notify you if it can no longer meet its CCPA obligations
- Grant you the right to take reasonable steps to ensure compliance
CCPA Penalties and Enforcement
Understanding the enforcement landscape helps contextualize the urgency of compliance.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowCivil penalties
The California Attorney General and the California Privacy Protection Agency (CPPA), created by the CPRA, can impose:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per violation involving a minor's data (under 16 years old)
The term "per violation" is significant. Each affected consumer record can constitute a separate violation, meaning penalties scale rapidly for businesses with large user bases.
Private right of action
Section 1798.150 gives consumers a private right of action specifically for data breaches involving unencrypted or unredacted personal information. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
This private right of action is limited to data breach scenarios and does not extend to other CCPA violations. However, class action lawsuits under this provision have produced settlements in the tens of millions of dollars.
Enforcement track record
The California Attorney General has pursued enforcement actions against major companies since the CCPA took effect. Notable actions include a $1.2 million settlement with Sephora in 2022 for selling consumer data without proper disclosures or honoring opt-out signals. The CPPA has signaled aggressive enforcement priorities, including automated opt-out mechanisms and dark pattern prohibitions.
CCPA vs. GDPR: Key Differences
Businesses that operate internationally often need to comply with both the CCPA and the GDPR. While they share the goal of protecting personal data, their approaches differ substantially.
| Aspect | CCPA/CPRA | GDPR |
|---|---|---|
| Scope | California residents, threshold-based | Anyone in the EU/EEA, no revenue threshold |
| Legal basis | Opt-out model (collection allowed by default) | Opt-in model (must establish lawful basis first) |
| Consent | Required for minors under 16, opt-out for adults | Required for many processing activities (Article 6) |
| Enforcement | AG + CPPA (civil penalties) | Data Protection Authorities (administrative fines) |
| Maximum penalty | $7,500 per violation | 20 million EUR or 4% of global turnover |
| Private right of action | Data breaches only | Broader right to compensation (Article 82) |
| Data portability | Yes | Yes (Article 20) |
| Right to correct | Yes (added by CPRA) | Yes (Article 16) |
The fundamental philosophical difference is that the GDPR operates on an opt-in basis where businesses need a lawful basis to process data at all, while the CCPA operates on an opt-out basis where businesses can collect data but must respect consumer requests to stop.
For businesses subject to both laws, complying with the GDPR generally gets you most of the way toward CCPA compliance, but not entirely. The CCPA has unique requirements around the "Do Not Sell or Share" mechanism, the notice at collection, and the specific format of privacy policy disclosures.
Practical Steps to Get Started with CCPA Compliance
If you are evaluating whether the CCPA applies to your business and what to do about it, start with these steps.
Step 1: Determine applicability
Review the three thresholds (revenue, data volume, data revenue) against your current business metrics. If you are close to any threshold, plan for compliance proactively rather than waiting until you cross it.
Step 2: Map your data
Create a complete inventory of the personal information you collect, including:
- What categories of data you collect
- Where the data comes from (directly from consumers, from third parties, from automated collection)
- Why you collect it (specific business purposes)
- Who you share it with (service providers, third parties, advertising partners)
- How long you retain it
Step 3: Update your privacy disclosures
Your privacy policy needs CCPA-specific language covering all required disclosures. A compliance tool like TermsBox can help you generate a privacy policy that includes the required CCPA sections alongside GDPR disclosures, so you do not need to maintain separate documents for each law.
Step 4: Build request handling infrastructure
Set up intake methods (web form, email, phone number), identity verification procedures, response tracking systems, and internal workflows that can meet the 45-day response deadline consistently.
Step 5: Train your team
Everyone who handles consumer inquiries needs to recognize CCPA requests, route them correctly, and understand the consequences of mishandling them. Document your procedures and review them quarterly.
Step 6: Review vendor relationships
Audit your service providers, contractors, and third-party data relationships. Update contracts to include CCPA-required terms. Pay special attention to advertising technology vendors, as data shared for targeted advertising may qualify as "selling" or "sharing" under the CCPA.
Frequently Asked Questions
What is the CCPA in simple terms?
The CCPA (California Consumer Privacy Act) is a California law that gives residents the right to know what personal information businesses collect about them, request its deletion, opt out of its sale, and not face discrimination for exercising these rights. It applies to for-profit businesses that meet specific revenue or data volume thresholds.
Does the CCPA apply to small businesses?
The CCPA only applies to for-profit businesses that meet at least one of three thresholds: annual gross revenue over $25 million, buying or selling the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. Small businesses below all three thresholds are exempt, though they may still be covered by other privacy laws.
What is the difference between the CCPA and the CPRA?
The CPRA (California Privacy Rights Act) is an amendment to the CCPA that took effect on January 1, 2023, with enforcement beginning July 1, 2023. It added new rights (correction, limiting use of sensitive data), created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, introduced the concept of sensitive personal information, and expanded the definition of sharing to include cross-context behavioral advertising.
What are the penalties for CCPA violations?
Civil penalties for CCPA violations range from $2,500 per unintentional violation to $7,500 per intentional violation, enforced by the California Attorney General and the CPPA. Consumers also have a private right of action for data breaches involving unencrypted or unredacted personal information, with statutory damages of $100 to $750 per consumer per incident, or actual damages if higher.
Does the CCPA apply to businesses outside California?
Yes. The CCPA applies to any for-profit business that meets the applicability thresholds and collects personal information from California residents, regardless of where the business is physically located. A company in Texas, New York, or even outside the United States can be subject to the CCPA if it serves California consumers and meets the criteria.