CCPA in California: Complete Compliance Guide for 2026
Understand the CCPA in California, including who must comply, consumer rights, penalties, and practical steps to meet compliance requirements.
The CCPA in California establishes one of the strongest consumer privacy frameworks in the United States. If your business collects personal information from California residents, understanding the California Consumer Privacy Act is not optional. It is a legal obligation with real enforcement and financial penalties.
This guide explains who the CCPA applies to, what rights it grants California consumers, how the CPRA amendments changed the law, and what concrete steps you need to take to comply. This article is educational content and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
What Is the CCPA in California?
The CCPA (California Consumer Privacy Act) is a state privacy law codified in California Civil Code Sections 1798.100 through 1798.199.100. It took effect on January 1, 2020, and was significantly amended by the California Privacy Rights Act (CPRA), which voters approved through Proposition 24 in November 2020. The CPRA amendments took effect on January 1, 2023, with enforcement beginning July 1, 2023.
The California CCPA gives residents, referred to as "consumers" in the statute, specific enforceable rights over their personal information. It requires covered businesses to be transparent about their data collection practices and to honor consumer requests to access, delete, correct, and opt out of the sale or sharing of their data.
Before the CCPA, California had limited privacy legislation for commercial data practices. The CCPA changed that by creating a comprehensive framework that mirrors aspects of the European Union's GDPR while remaining distinct in scope and structure. Unlike the GDPR, the CCPA applies only to for-profit businesses that meet defined thresholds, not to every entity that processes personal data.
Who Must Comply With the CCPA in California?
The CCPA does not apply to every business. It targets for-profit entities that collect personal information from California residents and meet at least one of three thresholds.
Applicability thresholds
A for-profit business is subject to the California CCPA if it meets any one of the following criteria:
- Revenue threshold: Annual gross revenue exceeding $25 million in the preceding calendar year
- Data volume threshold: Annually buys, sells, or shares the personal information of 100,000 or more consumers, households, or devices
- Revenue from data: Derives 50% or more of annual revenue from selling or sharing consumers' personal information
These thresholds are evaluated independently. A business earning $10 million in annual revenue but processing personal information from 100,000 California households still falls within the CCPA's scope under the data volume threshold alone.
Businesses outside California
The CCPA applies regardless of where a business is physically located. A company headquartered in New York, Texas, or another country is subject to the law if it meets the thresholds and collects personal information from California residents. Physical presence in California is not required.
Exemptions
Several categories fall outside the CCPA's scope:
- Nonprofit organizations are fully exempt
- Government agencies are not covered
- Data governed by certain federal laws, including HIPAA (health data), GLBA (financial data), and FCRA (credit reporting), receives partial exemptions
- Employee and B2B data was originally exempt, but the CPRA removed these exemptions effective January 1, 2023
Consumer Rights Under the California CCPA
The CCPA grants California residents several specific rights. Businesses must honor these through verifiable consumer requests and respond within 45 calendar days (with a possible 45-day extension for complex requests).
Right to know (Section 1798.100)
Consumers can request disclosure of:
- The categories of personal information collected
- The specific pieces of personal information held about them
- The sources from which the information was collected
- The business or commercial purpose for collection
- The categories of third parties with whom the information is shared
Businesses must provide this information free of charge for up to two requests per consumer in a 12-month period.
Right to delete (Section 1798.105)
Consumers can request that a business delete any personal information it has collected about them. The business must also direct its service providers and contractors to delete the data. Exceptions exist for data needed to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech.
Right to correct (Section 1798.106)
Added by the CPRA, this right allows consumers to request that a business correct inaccurate personal information. The business must use commercially reasonable efforts to comply with verified correction requests.
Right to opt out of sale or sharing (Section 1798.120)
Consumers can direct a business to stop selling or sharing their personal information. The CPRA expanded "sharing" to include cross-context behavioral advertising, meaning businesses that use retargeting or behavioral ad networks must provide this opt-out even if no traditional "sale" occurs.
Businesses must include a clear "Do Not Sell or Share My Personal Information" link on their website.
Right to limit sensitive personal information (Section 1798.121)
The CPRA introduced the category of sensitive personal information, which includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, biometric data, health information, and sexual orientation. Consumers can direct businesses to limit the use and disclosure of sensitive data to what is necessary for the expected service.
Right to non-discrimination (Section 1798.125)
Businesses cannot deny goods or services, charge different prices, or provide a different quality of service because a consumer exercised their CCPA rights. Financial incentive programs tied to data collection are permitted only with the consumer's opt-in consent.
What Personal Information Does the CCPA in California Cover?
The CCPA defines personal information broadly. Under Section 1798.140(v), it includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household.
This encompasses:
- Identifiers: Name, email address, postal address, IP address, Social Security number, driver's license number, passport number, account names
- Commercial information: Purchase records, browsing history, product interactions, consumer preferences
- Internet activity: Browsing history, search history, information regarding interactions with websites, applications, or advertisements
- Geolocation data: Precise physical location (latitude/longitude)
- Biometric information: Fingerprints, facial recognition data, voiceprints
- Professional or employment information: Current or past job history, performance evaluations
- Education information: Records maintained by educational institutions
- Inferences: Consumer profiles drawn from any of the above to reflect preferences, characteristics, behaviors, or attitudes
Publicly available information from government records is excluded, as is de-identified or aggregate consumer information that cannot reasonably be linked to any individual.
How to Comply With the CCPA in California
Compliance with the California CCPA requires operational changes across your business. The following steps address the law's core requirements.
Step 1: Determine whether the CCPA applies to you
Evaluate your business against all three thresholds. If you are approaching any threshold, begin compliance work proactively. Revenue can fluctuate, and data volumes tend to grow.
Step 2: Map your data practices
Conduct a thorough data inventory that documents:
- What categories of personal information you collect
- Where the data comes from (directly from consumers, third-party sources, cookies, tracking pixels)
- How you use the data (service delivery, marketing, analytics, advertising)
- Who you share data with (service providers, contractors, third parties, ad networks)
- How long you retain the data
This inventory forms the foundation of your privacy disclosures and is necessary for responding to consumer requests accurately.
Step 3: Update your privacy policy
California Civil Code Section 1798.130(a)(5) requires businesses to update their privacy policy at least once every 12 months. Your privacy policy must include:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Categories of personal information collected in the preceding 12 months
- Categories of sources
- Business or commercial purposes for collection or selling
- Categories of third parties with whom you share personal information
- A description of consumer rights and how to exercise them
- Whether you sell or share personal information, and if so, the categories involved
You can create a compliant privacy policy using a privacy policy generator and customize it with the specific disclosures required under the CCPA.
Step 4: Implement consumer request mechanisms
You must provide at least two methods for consumers to submit requests. At minimum, include:
- A toll-free telephone number
- A website address (web form or email) for submitting requests
For businesses that operate exclusively online with direct consumer relationships, only the online method is required. You must verify the identity of consumers making requests, with the verification standard scaled to the sensitivity of the data requested.
Step 5: Add opt-out mechanisms
If you sell or share personal information, include:
- A "Do Not Sell or Share My Personal Information" link on your homepage and any page where personal information is collected
- Support for the Global Privacy Control (GPC) browser signal, which the California Attorney General has confirmed must be treated as a valid opt-out request
- A process to communicate opt-out requests to third parties who received the data
Step 6: Review vendor contracts
The CCPA distinguishes between service providers, contractors, and third parties. Under Sections 1798.100(d) and 1798.140, you need written contracts with service providers and contractors that:
- Specify the business purpose for data processing
- Prohibit selling or sharing the personal information received
- Require the same level of privacy protection the CCPA mandates
- Grant you the right to audit compliance
Step 7: Train your team
Section 1798.135(a)(3) requires that all individuals responsible for handling consumer inquiries about your privacy practices are informed of CCPA requirements. This includes customer support staff, data analysts, and anyone who processes access or deletion requests.
CCPA Enforcement and Penalties in California
Enforcement of the CCPA in California occurs through two channels: government action and private lawsuits.
Government enforcement
The California Attorney General and the California Privacy Protection Agency (CPPA) enforce the CCPA. The CPPA, created by the CPRA, is the first dedicated data protection authority in the United States.
Civil penalties are:
- $2,500 per unintentional violation
- $7,500 per intentional violation
These penalties apply per violation, meaning a company that mishandles the personal information of 10,000 consumers could face penalties in the tens of millions of dollars. The CPRA also removed the 30-day cure period that originally allowed businesses to fix violations before facing penalties.
Private right of action
Section 1798.150 grants consumers a private right of action specifically for data breaches involving nonencrypted or nonredacted personal information resulting from a business's failure to maintain reasonable security procedures.
Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. Class action lawsuits are common under this provision, and settlements have reached millions of dollars.
Recent enforcement trends
The CPPA has been actively expanding its enforcement efforts since 2023. Notable actions include investigations into large-scale data brokers, location data companies, and businesses that failed to honor GPC signals. The agency has also issued draft regulations on automated decision-making and risk assessments that will create additional compliance obligations when finalized.
CCPA vs. Other Privacy Laws
Understanding how the California CCPA compares to other privacy frameworks helps businesses operating across multiple jurisdictions prioritize their compliance efforts.
CCPA vs. GDPR
The GDPR applies to any organization processing personal data of EU residents, regardless of size. The CCPA applies only to for-profit businesses meeting defined thresholds. Key differences include:
- Legal basis: The GDPR requires a lawful basis for all processing (consent, contract, legitimate interest). The CCPA allows data collection by default and gives consumers opt-out rights.
- Scope: The GDPR covers all data controllers and processors. The CCPA targets for-profit businesses above its thresholds.
- Consent model: The GDPR is opt-in for most processing. The CCPA is opt-out, meaning businesses can collect data until consumers object.
- Penalties: GDPR fines reach up to 20 million EUR or 4% of global annual turnover. CCPA penalties are per-violation at $2,500 to $7,500.
CCPA vs. other U.S. state privacy laws
Several states have enacted their own comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA). While each varies in scope and detail, the CCPA remains the broadest in consumer rights and the strictest in enforcement. Businesses that comply with the CCPA are generally well-positioned to meet the requirements of other state laws, though specific provisions may differ.
Common Compliance Mistakes to Avoid
Businesses frequently make errors when implementing CCPA compliance. Avoiding these pitfalls saves time, reduces legal risk, and protects consumer trust.
- Ignoring the Global Privacy Control (GPC): The California Attorney General confirmed that GPC browser signals must be treated as valid opt-out requests. Failing to honor GPC is a violation.
- Using a one-size-fits-all privacy policy: A generic privacy policy that does not address CCPA-specific disclosure requirements is insufficient. Your policy must include the categories, purposes, and third-party sharing details outlined in Section 1798.130.
- Failing to verify consumer identity: Businesses must verify the identity of consumers submitting requests. The standard must be proportionate to the sensitivity of the data. Lax verification exposes you to social engineering, while overly burdensome verification can itself be a violation.
- Overlooking service provider contracts: Sharing personal information with vendors without proper contracts reclassifies those vendors as third parties, potentially triggering additional opt-out requirements and disclosure obligations.
- Not training staff: Consumer-facing employees who cannot explain privacy practices or process requests properly create compliance gaps and enforcement risk.
Tools like TermsBox can help streamline compliance by scanning your website for trackers and cookies, generating the required legal documents, and keeping your privacy policy updated as your data practices change.
Frequently Asked Questions
What does the CCPA require businesses to do in California?
The CCPA requires covered businesses to disclose what personal information they collect, allow California residents to request deletion of their data, provide an opt-out mechanism for the sale or sharing of personal information, and avoid discriminating against consumers who exercise their rights. Businesses must also respond to verifiable consumer requests within 45 days.
Does the CCPA in California apply to small businesses?
The CCPA only applies to for-profit businesses meeting at least one threshold: annual gross revenue over $25 million, buying, selling, or sharing personal information of 100,000 or more consumers or households per year, or earning 50% or more of annual revenue from selling or sharing personal information. Small businesses below all three thresholds are exempt from the CCPA, though other privacy laws may still apply.
What are the penalties for violating the CCPA in California?
Civil penalties range from $2,500 per unintentional violation to $7,500 per intentional violation, enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). Consumers also have a private right of action for data breaches involving unencrypted personal information, with statutory damages between $100 and $750 per consumer per incident.
How does the CPRA change the CCPA in California?
The CPRA, effective January 1, 2023, amended the CCPA by adding new consumer rights including correction and limiting use of sensitive personal information. It created the California Privacy Protection Agency as a dedicated enforcement body, expanded the definition of sharing to cover cross-context behavioral advertising, and removed previous exemptions for employee and B2B contact data.