TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. California Data Privacy Law: A Complete Guide for 2026
CCPA

California Data Privacy Law: A Complete Guide for 2026

Understand California data privacy law requirements, consumer rights, and business obligations under CCPA and CPRA. A practical compliance guide.

TermsBox Team|April 4, 202613 min read

California data privacy law gives residents of the state some of the strongest consumer privacy protections in the United States. If your business collects personal information from people in California, you need to understand what the law requires, what rights consumers hold, and how to bring your operations into compliance.

This guide covers the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including applicability thresholds, consumer rights, business obligations, and enforcement. The information here is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your business.

What Is the California Data Privacy Law?

The California data privacy law refers primarily to the California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, and effective January 1, 2020. The CCPA was substantially amended by the California Privacy Rights Act (CPRA), which California voters approved as a ballot proposition in November 2020. The CPRA amendments took full effect on January 1, 2023.

Together, these statutes create a comprehensive privacy framework that regulates how businesses collect, use, store, and share the personal information of California residents. The law is codified in California Civil Code Sections 1798.100 through 1798.199.100.

The CPRA introduced several significant changes to the original CCPA:

  • Created the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement body in the U.S.
  • Added rights to correct personal information and limit use of sensitive personal information
  • Expanded the definition of cross-context behavioral advertising (referred to as "sharing")
  • Introduced data minimization and purpose limitation principles
  • Extended protections to employee and business-to-business personal information

Who Must Comply with California Data Privacy Law?

The CCPA applies to any for-profit entity that does business in California and collects personal information from California residents, provided the entity meets at least one of the following thresholds under Section 1798.140(d):

  1. Annual gross revenue exceeding $25 million in the preceding calendar year
  2. Data volume: Buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices annually
  3. Revenue from data: Derives 50% or more of annual revenue from selling or sharing consumers' personal information

Nonprofit organizations and government agencies are generally exempt. Small businesses that fall below all three thresholds are also exempt, though they remain subject to California's general consumer protection statutes and the data breach notification requirements under Civil Code Section 1798.82.

What counts as personal information?

The CCPA defines "personal information" broadly in Section 1798.140(v). It includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Common categories include:

  • Identifiers: Real name, alias, postal address, email address, account name, Social Security number, driver's license number, passport number
  • Commercial information: Records of products purchased, obtained, or considered
  • Internet activity: Browsing history, search history, interactions with a website or application
  • Geolocation data: Precise physical location
  • Biometric information: Fingerprints, face scans, voiceprints
  • Professional or employment information: Job history, performance evaluations
  • Sensitive personal information (added by CPRA): Government IDs, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, health data, sexual orientation, contents of mail, email, and text messages

Consumer Rights Under California Data Privacy Law

The CCPA as amended by the CPRA grants California residents six core rights. Businesses must honor these rights when a verifiable consumer request is submitted.

Right to know (Section 1798.100)

Consumers can request that a business disclose the specific pieces of personal information it has collected, the categories of information, the sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties to whom it has been disclosed.

Right to delete (Section 1798.105)

Consumers can request that a business delete the personal information it has collected from them. Businesses must also instruct their service providers and contractors to delete the data. There are limited exceptions, including when the data is necessary to complete a transaction, detect security incidents, exercise free speech, or comply with a legal obligation.

Right to opt out of sale or sharing (Section 1798.120)

Consumers can direct a business to stop selling or sharing their personal information. The CPRA expanded this right to cover "sharing" for cross-context behavioral advertising, which captures many common advertising practices that do not involve a literal sale of data. Businesses must provide a "Do Not Sell or Share My Personal Information" link on their homepage.

Right to correct (Section 1798.106)

Added by the CPRA, this right allows consumers to request that a business correct inaccurate personal information it maintains about them.

Right to limit use of sensitive personal information (Section 1798.121)

Also added by the CPRA, consumers can direct a business to limit its use of sensitive personal information to what is necessary to perform the services or provide the goods the consumer reasonably expects. Businesses must display a "Limit the Use of My Sensitive Personal Information" link on their website.

Right to non-discrimination (Section 1798.125)

Businesses cannot deny goods or services, charge different prices, provide a different quality of service, or suggest they will do any of the above because a consumer exercised their CCPA rights.

Business Obligations Under California Data Privacy Law

Meeting the requirements of the California data privacy law requires more than publishing a privacy policy update. Businesses face operational obligations that touch data collection, disclosure, security, and contract management.

Privacy policy requirements

Section 1798.100(a) requires businesses to inform consumers at or before the point of collection about the categories of personal information collected and the purposes for which those categories will be used. Your privacy policy generator output should include CCPA-specific disclosures covering:

  • Categories of personal information collected in the preceding 12 months
  • Categories of sources from which information was collected
  • Business or commercial purposes for collecting or selling the information
  • Categories of third parties with whom the information is shared
  • Specific rights available to California residents and how to exercise them

The privacy policy must be updated at least once every 12 months.

Responding to consumer requests

Businesses must provide at least two methods for consumers to submit requests, including a toll-free telephone number and a website address. Upon receiving a verifiable request, the business must respond within 45 calendar days. This period may be extended by an additional 45 days when reasonably necessary, provided the business notifies the consumer of the extension.

Data minimization

The CPRA introduced data minimization principles in Section 1798.100(c). Businesses must limit the collection of personal information to what is reasonably necessary and proportionate to the purposes for which it was collected. Retention periods must also be disclosed and limited to what is necessary for each stated purpose.

Service provider and contractor agreements

Section 1798.100(d) requires written contracts with service providers and contractors that process personal information on the business's behalf. These contracts must prohibit the service provider from retaining, using, or disclosing the information for purposes other than performing the services specified in the contract.

Data security

While the CCPA does not prescribe specific security standards, Section 1798.150 creates a private right of action when a data breach results from a business's failure to implement and maintain "reasonable security procedures and practices." This provision effectively requires businesses to maintain security measures appropriate to the nature of the information.

California Data Privacy Law Enforcement and Penalties

Enforcement of the CCPA is handled by two entities: the California Privacy Protection Agency (CPPA) and the California Attorney General's office.

The CPPA, established by the CPRA and operational since 2023, has rulemaking authority and administrative enforcement powers. It can investigate potential violations, conduct audits, and impose administrative fines.

Penalty amounts under the CCPA are:

  • $2,500 per unintentional violation
  • $7,500 per intentional violation
  • $7,500 per violation involving a minor's personal information (under 16)

These are per-violation penalties, meaning each affected consumer or each instance of noncompliance counts separately. A systematic violation affecting thousands of consumers can quickly result in substantial liability.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Private right of action for data breaches

Section 1798.150 allows consumers to bring civil lawsuits when their nonencrypted or nonredacted personal information is subject to unauthorized access due to a business's failure to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. Class action lawsuits under this provision have resulted in multi-million dollar settlements.

Enforcement trends

The CPPA has increasingly focused on enforcement actions related to:

  • Failure to honor opt-out requests, particularly through Global Privacy Control (GPC) signals
  • Inadequate privacy notices that omit required disclosures
  • Sale or sharing of personal information without proper consent mechanisms
  • Dark patterns that make it difficult for consumers to exercise their rights

How California Data Privacy Law Compares to Other Privacy Regulations

The CCPA exists alongside other major privacy frameworks, and businesses that operate across jurisdictions need to understand the differences.

CCPA vs. GDPR

The EU General Data Protection Regulation (GDPR) and the CCPA share similar goals but differ in structure. The GDPR applies to all organizations processing EU residents' data regardless of size, while the CCPA has revenue and data-volume thresholds. The GDPR requires a lawful basis for processing (consent, contract, legitimate interest, etc.), while the CCPA defaults to allowing processing with an opt-out right for sales and sharing. GDPR penalties can reach up to 20 million EUR or 4% of global annual turnover.

CCPA vs. other U.S. state privacy laws

Several other states have enacted comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA), among others. The CCPA remains the most expansive in scope, with the broadest definition of personal information, the lowest enforcement thresholds in practice, and the only private right of action for data breaches among state privacy laws.

Key differences across state laws include:

  • Opt-out vs. opt-in models: Most states follow the CCPA's opt-out approach, though some require opt-in consent for sensitive data processing
  • Enforcement authority: Most states vest enforcement solely in the Attorney General, while California has a dedicated agency
  • Private right of action: Unique to California among comprehensive state privacy laws
  • Cure periods: Some states offer a 30 or 60 day cure period before enforcement, while the CPRA eliminated the CCPA's original 30-day cure period

Steps to Achieve California Data Privacy Law Compliance

Bringing your business into compliance requires a structured approach. The following steps provide a practical framework.

  1. Map your data: Conduct a thorough inventory of what personal information you collect, where it comes from, how it is used, where it is stored, and who it is shared with.

  2. Update your privacy policy: Ensure your privacy policy includes all CCPA-required disclosures. A privacy policy generator can help you create a baseline document that covers the required categories, but you will need to customize it to reflect your actual data practices.

  3. Implement consumer request processes: Build intake mechanisms (web form and toll-free number), identity verification procedures, and response workflows that meet the 45-day timeline.

  4. Add required website links: Display "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links on your website homepage where applicable.

  5. Honor Global Privacy Control: The CPPA's regulations require businesses to treat GPC signals as valid opt-out requests. Configure your website to detect and respect these browser signals.

  6. Review vendor contracts: Ensure service provider and contractor agreements include the CCPA-required provisions restricting use of personal information.

  7. Train your team: Employees who handle consumer inquiries or personal information should understand CCPA requirements and your internal procedures.

  8. Implement reasonable security: Conduct a risk assessment and implement security measures proportionate to the sensitivity of the data you hold.

Tools like TermsBox's compliance scanner can help identify what trackers, cookies, and third-party services your website loads, which is a practical starting point for understanding your data collection footprint.

Common Compliance Mistakes to Avoid

Businesses frequently stumble on these points when trying to comply with the California data privacy law:

  • Ignoring GPC signals: The CPPA has made clear that failing to honor Global Privacy Control constitutes a violation. Treating GPC as optional is a common and costly mistake.
  • Using dark patterns: Making it harder to opt out than to opt in, requiring unnecessary steps to submit a request, or using confusing language all qualify as dark patterns under CPPA regulations.
  • Incomplete privacy policy disclosures: Omitting categories of personal information, failing to list third-party categories, or not updating the policy annually.
  • No service provider contracts: Sharing personal information with vendors without written agreements that meet CCPA requirements.
  • Treating employee data differently: Since the CPRA took effect, employee and B2B personal information receives the same protections as consumer data.
  • Assuming exemption without checking: Businesses just below the revenue threshold may still cross the 100,000 consumer data-processing threshold without realizing it, particularly through cookie and tracking data.

Managing your website's cookie policy and consent mechanisms is one of the most visible aspects of CCPA compliance, since cookies and trackers frequently involve the sale or sharing of personal information through advertising networks.

Frequently Asked Questions

What is the California data privacy law called?

The primary California data privacy law is the California Consumer Privacy Act (CCPA), originally signed in 2018 and significantly amended by the California Privacy Rights Act (CPRA) in 2020. The CPRA amendments took full effect on January 1, 2023, and the combined statute is often referred to simply as the CCPA as amended by the CPRA.

Does the California data privacy law apply to businesses outside California?

Yes. The CCPA applies to any for-profit business that collects personal information from California residents and meets at least one revenue or data-processing threshold, regardless of where the business is physically located. A company based in New York, London, or Tokyo must comply if it serves California consumers and crosses the statutory thresholds.

What are the penalties for violating California data privacy law?

The California Privacy Protection Agency and the state Attorney General can impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving a minor's data. Consumers also have a private right of action for data breaches, with statutory damages ranging from $100 to $750 per consumer per incident, or actual damages if greater.

What rights do consumers have under California data privacy law?

California residents have the right to know what personal information a business collects, the right to delete that information, the right to opt out of the sale or sharing of their data, the right to correct inaccurate information, and the right to limit the use of sensitive personal information. Businesses cannot discriminate against consumers who exercise these rights.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

CCPA

CCPA Regulations: What Businesses Must Know in 2026

Guide to California Consumer Privacy Act regulations, covering final rules, opt-out requirements, enforcement updates, and compliance steps for businesses.

April 4, 202614 min read
CCPA

California Privacy Law: What Businesses Need to Know

Understand California privacy law requirements including CCPA and CPRA. Learn who must comply, consumer rights, penalties, and how to meet obligations.

April 4, 202613 min read
CCPA

CCPA in California: Complete Compliance Guide for 2026

Understand the CCPA in California, including who must comply, consumer rights, penalties, and practical steps to meet compliance requirements.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is the California Data Privacy Law?
  • Who Must Comply with California Data Privacy Law?
  • What counts as personal information?
  • Consumer Rights Under California Data Privacy Law
  • Right to know (Section 1798.100)
  • Right to delete (Section 1798.105)
  • Right to opt out of sale or sharing (Section 1798.120)
  • Right to correct (Section 1798.106)
  • Right to limit use of sensitive personal information (Section 1798.121)
  • Right to non-discrimination (Section 1798.125)
  • Business Obligations Under California Data Privacy Law
  • Privacy policy requirements
  • Responding to consumer requests
  • Data minimization
  • Service provider and contractor agreements
  • Data security
  • California Data Privacy Law Enforcement and Penalties
  • Private right of action for data breaches
  • Enforcement trends
  • How California Data Privacy Law Compares to Other Privacy Regulations
  • CCPA vs. GDPR
  • CCPA vs. other U.S. state privacy laws
  • Steps to Achieve California Data Privacy Law Compliance
  • Common Compliance Mistakes to Avoid
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.