California Privacy Law: What Businesses Need to Know
Understand California privacy law requirements including CCPA and CPRA. Learn who must comply, consumer rights, penalties, and how to meet obligations.
California privacy law sets the standard for consumer data protection in the United States. The California Consumer Privacy Act, strengthened by the California Privacy Rights Act, gives residents extensive rights over their personal information and imposes concrete obligations on businesses that collect it.
This article is for educational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified attorney familiar with California privacy regulations.
Overview of California Privacy Law
California has the most comprehensive privacy legislation of any US state. The framework consists of two primary laws that work together:
California Consumer Privacy Act (CCPA), signed into law in 2018 and effective January 1, 2020, established baseline privacy rights for California residents. It was the first broad consumer privacy law in the United States and prompted similar legislation in over a dozen other states.
California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020 and effective January 1, 2023, amended and expanded the CCPA significantly. CPRA added new consumer rights, created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and introduced the concept of "sensitive personal information" with additional protections.
When people refer to California privacy law today, they are generally referring to the combined CCPA/CPRA framework. The CPRA did not replace the CCPA but amended it, so the underlying statute remains the California Consumer Privacy Act.
Who Must Comply with California Privacy Law
California privacy law applies to for-profit businesses that do business in California and meet at least one of three thresholds:
- Annual gross revenue exceeding $25 million (adjusted for inflation beginning January 2023)
- Annually buying, receiving, selling, or sharing the personal information of 100,000 or more California residents, households, or devices
- Deriving 50% or more of annual revenue from selling or sharing consumers' personal information
Several important clarifications apply:
- "Doing business in California" is interpreted broadly. You do not need a physical presence in the state. If you sell products or services to California residents, you likely qualify.
- Nonprofits and government agencies are exempt.
- Employee and B2B data are fully covered. Earlier exemptions for employee and business contact data expired on January 1, 2023.
- The threshold applies to California residents specifically. A business processing data from one million users nationwide but fewer than 100,000 in California may still fall below the threshold, assuming it does not meet the revenue or data-sale criteria.
Even if your business falls below all three thresholds, maintaining compliance with California privacy law principles is good practice. Consumer expectations around data privacy continue to rise, and other state laws may apply with lower thresholds.
Consumer Rights Under California Privacy Law
The CCPA/CPRA grants California residents seven distinct rights regarding their personal information. Businesses must be prepared to fulfill requests for each.
Right to Know
Consumers can request that a business disclose the categories and specific pieces of personal information it has collected about them, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties with whom it is shared. Businesses must respond within 45 days and may extend once by an additional 45 days with notice.
Right to Delete
Consumers can request deletion of personal information a business has collected from them. The business must delete the data and direct its service providers and contractors to do the same. Exceptions exist for data needed to complete a transaction, detect security incidents, comply with legal obligations, or conduct research in the public interest.
Right to Correct
Added by CPRA, this right allows consumers to request that a business correct inaccurate personal information it holds about them. The business must use commercially reasonable efforts to correct the data upon receiving a verified request.
Right to Opt Out of Sale or Sharing
Consumers can direct a business to stop selling or sharing their personal information. "Sharing" under CPRA specifically includes providing personal information to third parties for cross-context behavioral advertising, regardless of whether money changes hands. This right is why many websites need to display a "Do Not Sell or Share My Personal Information" link.
Right to Limit Use of Sensitive Personal Information
CPRA introduced the concept of "sensitive personal information," which includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health information, and sexual orientation. Consumers can direct businesses to limit the use of sensitive personal information to purposes necessary for providing the requested goods or services.
Right to Non-Discrimination
Businesses cannot deny goods or services, charge different prices, provide different quality, or threaten penalties against consumers who exercise their privacy rights. However, businesses may offer financial incentives for the collection, sale, or retention of personal information if the incentive is reasonably related to the value of the data and the consumer opts in.
Right to Data Portability
When a consumer exercises their right to know and requests specific pieces of personal information, the business must provide that data in a portable, readily usable format that allows the consumer to transmit it to another entity.
What Qualifies as Personal Information
California privacy law defines personal information broadly under Section 1798.140(v) as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The law lists 11 specific categories:
- Identifiers (name, alias, postal address, email, IP address, account name, Social Security number, driver's license number, passport number)
- Customer records information (financial information, medical information, health insurance information)
- Characteristics of protected classifications under California or federal law
- Commercial information (purchase history, purchasing tendencies)
- Biometric information
- Internet or other electronic network activity (browsing history, search history, interaction with websites or apps)
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Non-publicly available education information
- Inferences drawn from any of the above to create a consumer profile
Notable exclusions: publicly available information from government records, de-identified or aggregate consumer information, and information covered by certain sector-specific laws such as HIPAA or the Gramm-Leach-Bliley Act.
Privacy Policy Requirements Under California Privacy Law
Section 1798.100(a) of the CCPA requires businesses to provide consumers with a privacy policy that discloses specific information about their data practices. Your privacy policy must include:
- The categories of personal information collected in the preceding 12 months
- The categories of sources from which personal information is collected
- The business or commercial purpose for collecting, selling, or sharing personal information
- The categories of third parties to whom personal information is disclosed
- The specific rights available to California consumers and how to exercise them
- Whether the business sells or shares personal information, and the categories involved
- The retention period for each category of personal information, or the criteria used to determine the retention period
The privacy policy must be updated at least once every 12 months and must be accessible from a conspicuous link on the business's website homepage.
Businesses that sell or share personal information must also provide a "Do Not Sell or Share My Personal Information" link on their homepage and honor the Global Privacy Control (GPC) browser signal as a valid opt-out request, per CPPA regulations finalized in March 2024.
Enforcement and Penalties
California privacy law is enforced through two channels: regulatory enforcement and private litigation.
Regulatory Enforcement
The California Privacy Protection Agency (CPPA), established by CPRA, is the primary enforcement body. The California Attorney General retains concurrent enforcement authority. Penalties include:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per violation involving a minor's data (under 16)
CPRA eliminated the 30-day cure period that originally existed under CCPA, meaning the CPPA can impose fines without first giving businesses a chance to fix the violation.
There is no statutory cap on total penalties. Because each affected consumer's data can constitute a separate violation, fines can accumulate rapidly. A business that intentionally mishandles data from 10,000 California residents could face up to $75 million in penalties.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowPrivate Right of Action
Section 1798.150 gives California consumers a private right of action specifically for data breaches involving unencrypted or unredacted personal information resulting from a business's failure to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if higher. This provision has driven significant class action litigation, particularly following large-scale data breaches.
How to Comply with California Privacy Law
Meeting your obligations under the CCPA/CPRA requires both legal and technical measures. Here is a practical compliance roadmap.
Determine whether the law applies to you. Assess your business against the three thresholds: $25 million revenue, 100,000 California consumers, or 50% revenue from data sales. If you meet any one, you must comply.
Map your data flows. Document every category of personal information you collect, the sources, the purposes, who receives it, and how long you retain it. This data inventory forms the basis for your privacy policy disclosures and your ability to respond to consumer requests.
Update your privacy policy. Ensure your policy includes all CCPA-mandated disclosures. Use a privacy policy generator with CCPA-specific sections to structure the document correctly. Publish it prominently on your website with a "Privacy" link in the footer.
Implement opt-out mechanisms. If you sell or share personal information, add a "Do Not Sell or Share My Personal Information" link to your homepage. Configure your website to detect and honor the Global Privacy Control signal. Ensure that any cookies used for cross-context behavioral advertising are disabled when a user opts out.
Build a consumer request workflow. Create at least two methods for consumers to submit requests (the law requires a minimum of a toll-free phone number and a website address). Establish internal procedures to verify the consumer's identity, locate their data, and respond within the 45-day window.
Review vendor contracts. Every service provider, contractor, and third party that receives personal information must have a written contract that restricts their use of the data, requires them to comply with CCPA obligations, and grants you the right to audit their practices.
Implement reasonable security measures. The private right of action for data breaches applies when a business fails to maintain reasonable security. Implement encryption, access controls, regular vulnerability assessments, and incident response procedures.
Train your staff. Employees who handle consumer inquiries or personal information must understand their CCPA obligations. The law specifically requires that personnel responsible for handling consumer requests be informed about CCPA requirements.
How California Privacy Law Compares to Other State Laws
California was the first US state to enact comprehensive privacy legislation, and its framework has influenced laws across the country. Understanding the relationship helps businesses build scalable compliance programs.
- Virginia (VCDPA): Requires opt-in consent for sensitive data processing. No private right of action. Lower enforcement activity than California.
- Colorado (CPA): Requires a universal opt-out mechanism for targeted advertising and data sales. Recognizes GPC signals.
- Connecticut (CTDPA): Similar to Colorado. Includes loyalty program exemptions.
- Texas (TDPSA): No revenue threshold, applying to any business that processes personal data and is not a small business under SBA definitions. Enforced by the Attorney General.
- Oregon (OCPA): Extends to nonprofit organizations. Requires recognition of opt-out preference signals.
The common thread across all US state privacy laws is transparency, consumer choice, and accountability. Businesses that fully comply with California privacy law typically need only incremental adjustments to meet requirements in other states, since the CCPA/CPRA framework is among the most demanding.
TermsBox offers a privacy policy generator that includes CCPA-specific disclosures, helping businesses create compliant documentation that addresses California requirements alongside other applicable privacy laws.
Changes on the Horizon
California privacy law continues to evolve. The CPPA has been actively issuing new regulations and has signaled several areas of focus for upcoming rulemaking.
Automated decision-making. The CPPA proposed regulations in late 2024 addressing automated decision-making technology, including profiling. Businesses using algorithms to make significant decisions about consumers (employment, lending, insurance, housing) may need to provide additional disclosures and opt-out rights.
Risk assessments. CPRA requires businesses engaged in high-risk processing to conduct cybersecurity audits and submit risk assessments to the CPPA. Final regulations on the scope and format of these assessments are expected to be finalized in 2026.
Children's privacy. The California Age-Appropriate Design Code Act, while separate from CCPA/CPRA, adds data protection requirements for online services likely to be accessed by children under 18. Legal challenges have delayed full enforcement, but businesses should prepare for eventual implementation.
Federal preemption. Congress has considered federal privacy legislation that could preempt state laws including the CCPA. No bill has passed as of early 2026, but a federal law would fundamentally change the compliance landscape. Until then, California privacy law remains the de facto national standard for businesses that serve consumers across the US.
Frequently Asked Questions
What is the main California privacy law?
The main California privacy law is the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Together they give California residents the right to know what personal information businesses collect, the right to delete it, the right to opt out of its sale or sharing, and the right to correct inaccurate data. The law is enforced by the California Privacy Protection Agency and the state Attorney General.
Does my business need to comply with California privacy law?
Your business must comply if it is a for-profit entity doing business in California and meets at least one threshold: annual gross revenue over $25 million, buying or selling the personal information of 100,000 or more California residents per year, or deriving 50% or more of annual revenue from selling or sharing personal information. Businesses below all three thresholds are exempt.
What are the penalties for violating California privacy law?
The California Privacy Protection Agency can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. There is no cap on the total number of violations that can be penalized. Additionally, consumers have a private right of action for data breaches, allowing them to sue for $100 to $750 per incident per consumer, or actual damages if higher.
Do I need to add a 'Do Not Sell My Personal Information' link to my website?
Yes, if your business sells or shares personal information as defined by the CCPA, you must provide a clear and conspicuous link titled 'Do Not Sell or Share My Personal Information' on your website homepage. You must also honor the Global Privacy Control signal as a valid opt-out request. Businesses that do not sell or share personal information are not required to display this link.