TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. CCPA Regulations: What Businesses Must Know in 2026
CCPA

CCPA Regulations: What Businesses Must Know in 2026

Guide to California Consumer Privacy Act regulations, covering final rules, opt-out requirements, enforcement updates, and compliance steps for businesses.

TermsBox Team|April 4, 202614 min read

The California Consumer Privacy Act regulations provide the detailed compliance rules that businesses must follow when handling the personal information of California residents. While the CCPA statute (California Civil Code Sections 1798.100 through 1798.199.100) establishes broad consumer rights and business obligations, the regulations fill in the practical requirements: how to process opt-out requests, what must appear in a privacy notice, how to verify consumer identities, and more.

This guide explains what the California Consumer Privacy Act regulations require, how they have evolved through multiple rounds of rulemaking, and what steps your business needs to take to comply. This content is for educational purposes and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What Are the California Consumer Privacy Act Regulations?

The CCPA regulations are the implementing rules that translate the statute's broad mandates into specific, enforceable requirements. Think of the CCPA itself as the law that says "businesses must let consumers opt out of the sale of their personal information." The regulations then specify exactly how that opt-out mechanism must work, what the link must say, where it must appear, and how quickly the business must respond.

The regulations are codified in Title 11, Division 6 of the California Code of Regulations. They were originally drafted by the California Attorney General's office under the authority granted by the CCPA. After the CPRA passed in November 2020, rulemaking authority shifted to the newly created California Privacy Protection Agency (CPPA), which has continued to issue new and updated rules.

There are three key regulatory milestones to understand:

  1. Original AG regulations (August 14, 2020): The first set of final regulations covering notice requirements, consumer request handling, opt-out procedures, and verification standards
  2. CPRA-era CPPA regulations (2023 onward): Expanded rules addressing the CPRA's new concepts, including sensitive personal information, automated decision-making, opt-out preference signals, and data broker obligations
  3. Ongoing rulemaking: The CPPA continues to develop regulations on topics such as cybersecurity audits, risk assessments, and automated decision-making technology

Key Requirements in the CCPA Final Regulations

The California Consumer Privacy Act regulations impose specific operational requirements on covered businesses. Understanding these requirements is essential for building a compliant privacy program.

Privacy notice requirements

Under Section 7003 of the regulations, businesses must provide a privacy notice that includes:

  • The categories of personal information collected in the preceding 12 months
  • The purposes for which each category is collected and used
  • The categories of third parties to whom personal information is disclosed or sold
  • A description of consumer rights under the CCPA and how to exercise them
  • The date the notice was last updated

The notice must be available at or before the point of collection. For websites, this means a clearly linked privacy policy accessible from every page. A privacy policy generator can help you create a compliant notice that covers these required elements.

Opt-out and opt-in requirements

Section 7026 of the regulations requires businesses that sell or share personal information to provide a "Do Not Sell or Share My Personal Information" link on their website. The regulations specify that this link must:

  • Be clearly visible and not hidden in menus or footers
  • Use the exact statutory language or a substantially similar phrase
  • Direct consumers to a page where they can exercise the opt-out right without requiring account creation

For consumers under 16, Section 7070 requires affirmative opt-in consent before selling their personal information. For consumers under 13, a parent or guardian must provide consent.

Opt-out preference signals

One of the most significant additions in the CPRA-era regulations is the requirement to honor opt-out preference signals. Under Section 7025, businesses must treat a valid opt-out preference signal (such as the Global Privacy Control, or GPC) as a binding opt-out request from the consumer.

This means:

  • Businesses cannot require consumers to submit a separate opt-out request if the browser sends a recognized signal
  • The business must process the signal as applying to the specific consumer or browser
  • Businesses must disclose in their privacy notice whether they honor opt-out preference signals

Verification of consumer requests

Sections 7060 through 7063 establish detailed requirements for verifying the identity of consumers who submit rights requests. The verification standard varies by the type of request and the sensitivity of the information involved:

  • Know requests (categories only): Reasonable degree of certainty, matching at least two data points
  • Know requests (specific pieces): Reasonably high degree of certainty, matching at least three data points plus a signed declaration under penalty of perjury
  • Deletion requests: Reasonable or reasonably high degree of certainty, depending on the sensitivity of the data

Businesses must not collect additional personal information solely for verification purposes unless necessary to match the requestor to information already held.

How the CCPA Regulations Have Evolved

The regulatory landscape under the CCPA has shifted substantially since the law first took effect in 2020. Understanding this evolution helps businesses stay current with their compliance obligations.

Phase one: Attorney General rulemaking (2019 to 2020)

The California Attorney General published proposed regulations in October 2019, received public comment, revised them, and finalized the rules on August 14, 2020. These first regulations addressed the core mechanics of the original CCPA: notice at collection, consumer request processing, opt-out procedures, and financial incentive disclosures.

Phase two: CPRA and the CPPA (2020 to 2023)

When California voters passed Proposition 24 in November 2020, the CPRA amended the CCPA in several significant ways and created the CPPA as a dedicated enforcement agency. The CPPA inherited rulemaking authority and began developing new regulations to address:

  • Sensitive personal information and the right to limit its use (Section 1798.121)
  • Opt-out preference signals and their technical specifications
  • Updated service provider and contractor requirements
  • Data minimization principles

Phase three: expanded rulemaking (2023 to present)

The CPPA has continued to propose and finalize regulations on more advanced topics. Areas of active or recent rulemaking include:

  • Automated decision-making technology (ADMT): Rules governing profiling and requiring businesses to provide consumers with information about and access to the logic of automated decisions
  • Cybersecurity audits: Regulations requiring certain businesses to conduct annual cybersecurity audits
  • Risk assessments: Rules requiring privacy risk assessments for processing activities that present significant risk to consumer privacy
  • Insurance and data broker obligations: Sector-specific requirements

Businesses should monitor the CPPA's regulatory updates page for newly proposed and finalized rules, as the rulemaking process is ongoing.

Enforcement of CCPA Regulations

Enforcement is what gives the California Consumer Privacy Act regulations their teeth. Noncompliance carries real financial consequences.

Enforcement bodies

Two entities share enforcement authority:

  • California Attorney General: Retains authority to bring civil actions for CCPA violations under Section 1798.155
  • California Privacy Protection Agency (CPPA): Gained independent enforcement authority under the CPRA, including the power to conduct investigations, issue subpoenas, and impose administrative fines

Penalty structure

The penalty framework under the CCPA and its regulations is straightforward:

  • Unintentional violations: Up to $2,500 per violation
  • Intentional violations: Up to $7,500 per violation
  • Violations involving minors' data: Up to $7,500 per violation (treated as intentional regardless of intent under the CPRA)

Because penalties accrue per violation, a single compliance failure affecting thousands of consumers can produce massive aggregate liability. A business that improperly sells the personal information of 10,000 consumers could face exposure of $25 million to $75 million.

Cure period changes

The original CCPA gave businesses a 30-day cure period after receiving notice of a violation. The CPRA removed this automatic right to cure for many violations, giving enforcers discretion on whether to offer a cure opportunity. This change means businesses cannot rely on fixing problems only after being caught.

Private right of action

Section 1798.150 gives consumers a private right of action specifically for data breaches resulting from a business's failure to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if higher. This provision has driven significant class action litigation.

How to Comply with the California Consumer Privacy Act Regulations

Compliance requires a systematic approach. The following steps address the core requirements of the CCPA regulations.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Step 1: Determine whether the CCPA applies to your business

Evaluate your business against all three statutory thresholds:

  1. Does your annual gross revenue exceed $25 million?
  2. Do you annually buy, sell, or share the personal information of 100,000 or more consumers, households, or devices?
  3. Do you derive 50% or more of annual revenue from selling or sharing personal information?

If you meet any one threshold and collect personal information from California residents, the CCPA regulations apply.

Step 2: Map your data flows

Create a comprehensive inventory of:

  • What categories of personal information you collect
  • Where the data comes from (directly from consumers, third parties, tracking technologies)
  • How you use each category
  • Who you share, disclose, or sell data to
  • How long you retain each category

This data mapping exercise is the foundation of everything that follows. You cannot write an accurate privacy notice or respond to consumer requests without it.

Step 3: Update your privacy notice

Your privacy notice must meet the requirements of Section 7003 of the regulations. At minimum, it needs to disclose the information identified in your data mapping, describe consumer rights, and explain how to exercise them. A compliance tool like TermsBox can help generate and maintain a privacy policy that addresses these regulatory requirements, with the ability to update the document as regulations evolve.

Step 4: Implement consumer request mechanisms

Set up processes to receive, verify, and fulfill:

  • Right to know requests (categories and specific pieces of information)
  • Right to delete requests
  • Right to correct inaccurate information
  • Right to opt out of sale or sharing
  • Right to limit use of sensitive personal information

The regulations require you to offer at least two methods for submitting requests, including a toll-free number. Online-only businesses may provide an email address instead of a toll-free number.

Step 5: Honor opt-out preference signals

Configure your website to detect and honor Global Privacy Control and similar opt-out signals. Your cookie consent management and analytics tools must be able to suppress data sharing when these signals are present.

Step 6: Train your staff

Section 7005 of the regulations requires businesses to train all individuals responsible for handling consumer inquiries about the business's privacy practices. Training must cover the CCPA's requirements and how to direct consumers to exercise their rights.

Common Compliance Mistakes Under the CCPA Regulations

Businesses frequently stumble on specific regulatory requirements. Avoiding these common mistakes can prevent enforcement actions and consumer complaints.

  • Burying the opt-out link: The regulations require a prominent link. Placing it deep in a footer or behind multiple clicks violates the spirit and letter of the rules.
  • Overcomplicating verification: Requiring excessive documentation to verify consumer identity discourages requests and may itself violate the regulations' proportionality requirements.
  • Ignoring opt-out preference signals: Since the CPPA's regulations mandate honoring GPC and similar signals, treating them as optional is a compliance gap.
  • Failing to update the privacy notice: The regulations require disclosing data practices from the preceding 12 months. A notice that has not been updated in two years is almost certainly inaccurate.
  • Confusing "sale" with money changing hands: Under the CCPA, "sale" includes sharing personal information for valuable consideration, which includes many common advertising arrangements like retargeting and data sharing with analytics platforms.
  • Missing the service provider contract requirements: The regulations require specific contractual provisions with service providers and contractors, including use limitations and obligations to notify the business of subcontractor use.

CCPA Regulations vs. Other Privacy Frameworks

Understanding how the California Consumer Privacy Act regulations compare to other frameworks helps businesses build a unified compliance strategy rather than treating each law in isolation.

CCPA regulations vs. GDPR

The GDPR (General Data Protection Regulation) and CCPA share some goals but differ in approach:

  • Legal basis: The GDPR requires a lawful basis for each processing activity. The CCPA does not require a legal basis but gives consumers the right to opt out of sale or sharing.
  • Scope: The GDPR applies to any organization processing EU residents' data, regardless of size. The CCPA has revenue and data volume thresholds.
  • Consent model: The GDPR generally requires opt-in consent for marketing and cookies. The CCPA uses an opt-out model for data sales.
  • Penalties: GDPR fines can reach 20 million EUR or 4% of annual global turnover, whichever is higher. CCPA penalties are per-violation at $2,500 to $7,500.

A business that complies with the GDPR will meet many CCPA requirements but not all of them. The CCPA has unique provisions, such as the "Do Not Sell" link requirement and specific verification standards, that require separate compliance measures. If your business operates across both jurisdictions, using a privacy policy generator that addresses multiple frameworks can streamline the process.

CCPA regulations vs. other US state privacy laws

Since the CCPA's passage, numerous states have enacted their own comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others. The CCPA regulations remain the most detailed and prescriptive of any US state framework, and California's enforcement posture has been the most aggressive. Businesses complying with CCPA regulations are generally well-positioned for other state laws but should verify each state's specific requirements.

How the CCPA Regulations Affect Your Website

For most businesses, the website is where CCPA compliance is most visible. The regulations directly affect several elements of your web presence.

Your website needs:

  • A comprehensive, current privacy policy that meets Section 7003 requirements
  • A "Do Not Sell or Share My Personal Information" link (if you sell or share data)
  • A "Limit the Use of My Sensitive Personal Information" link (if applicable)
  • A mechanism to detect and honor opt-out preference signals like GPC
  • A cookie consent solution that prevents data sharing before opt-out signals are processed
  • Forms or contact methods for consumers to submit rights requests

Many businesses use a compliance platform to manage these elements together. TermsBox, for example, combines a website scanner with a cookie consent banner and policy generators, which helps identify what data your site collects and keep your privacy disclosures aligned with actual practices.

Frequently Asked Questions

What are the CCPA regulations?

The CCPA regulations are the detailed rules issued by the California Attorney General and the California Privacy Protection Agency (CPPA) that implement the California Consumer Privacy Act. They fill in the operational details the statute leaves open, such as how businesses must handle opt-out requests, what constitutes a compliant privacy notice, and how consumer rights requests must be verified. The final regulations carry the force of law and are codified in Title 11 of the California Code of Regulations.

When did the CCPA final regulations take effect?

The original CCPA final regulations issued by the California Attorney General took effect on August 14, 2020. The CPRA amendments brought new rulemaking authority to the California Privacy Protection Agency, which has been issuing updated and expanded regulations since 2023. Businesses should monitor the CPPA website for the most current regulatory text, as new rules continue to be finalized.

Do the CCPA regulations apply to small businesses?

The CCPA regulations only apply to businesses that meet the CCPA's statutory thresholds: annual gross revenue over $25 million, buying or selling personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. If a business falls below all three thresholds, the regulations do not apply, though other privacy laws may still be relevant.

What are the penalties for violating CCPA regulations?

Civil penalties range from $2,500 per unintentional violation to $7,500 per intentional violation, enforced by the California Attorney General and the CPPA. The CPRA removed the 30-day cure period for many violations, meaning regulators can pursue penalties without first giving businesses a chance to fix the problem. Consumers also have a private right of action for data breaches, with statutory damages of $100 to $750 per consumer per incident.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

CCPA

California Data Privacy Law: A Complete Guide for 2026

Understand California data privacy law requirements, consumer rights, and business obligations under CCPA and CPRA. A practical compliance guide.

April 4, 202613 min read
CCPA

California Privacy Law: What Businesses Need to Know

Understand California privacy law requirements including CCPA and CPRA. Learn who must comply, consumer rights, penalties, and how to meet obligations.

April 4, 202613 min read
CCPA

CCPA in California: Complete Compliance Guide for 2026

Understand the CCPA in California, including who must comply, consumer rights, penalties, and practical steps to meet compliance requirements.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Are the California Consumer Privacy Act Regulations?
  • Key Requirements in the CCPA Final Regulations
  • Privacy notice requirements
  • Opt-out and opt-in requirements
  • Opt-out preference signals
  • Verification of consumer requests
  • How the CCPA Regulations Have Evolved
  • Phase one: Attorney General rulemaking (2019 to 2020)
  • Phase two: CPRA and the CPPA (2020 to 2023)
  • Phase three: expanded rulemaking (2023 to present)
  • Enforcement of CCPA Regulations
  • Enforcement bodies
  • Penalty structure
  • Cure period changes
  • Private right of action
  • How to Comply with the California Consumer Privacy Act Regulations
  • Step 1: Determine whether the CCPA applies to your business
  • Step 2: Map your data flows
  • Step 3: Update your privacy notice
  • Step 4: Implement consumer request mechanisms
  • Step 5: Honor opt-out preference signals
  • Step 6: Train your staff
  • Common Compliance Mistakes Under the CCPA Regulations
  • CCPA Regulations vs. Other Privacy Frameworks
  • CCPA regulations vs. GDPR
  • CCPA regulations vs. other US state privacy laws
  • How the CCPA Regulations Affect Your Website
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.