What is CCPA? California Privacy Law Explained
Learn what CCPA means for your business. Complete guide covering CCPA requirements, consumer rights, CPRA updates, and how to create a compliant privacy policy.
If you run a business that serves California residents, the California Consumer Privacy Act (CCPA) could apply to you. This landmark privacy law has reshaped how businesses handle personal data in the United States, and understanding it is crucial for compliance.
In this guide, we'll explain everything you need to know about CCPA in clear, practical terms - from who it applies to, to what rights it grants consumers, to how you can ensure compliance.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state-level data privacy law that gives California residents greater control over the personal information that businesses collect about them. It took effect on January 1, 2020, with enforcement beginning on July 1, 2020.
CCPA is often called the "GDPR of the United States" because it was the first comprehensive privacy law in America, though it has significant differences from its European counterpart.
CCPA vs. CPRA: What Changed?
In November 2020, California voters approved Proposition 24, which created the California Privacy Rights Act (CPRA). CPRA is essentially CCPA 2.0 - it amends and expands the original law.
Key CPRA changes that took effect on January 1, 2023:
- Created a new enforcement agency: the California Privacy Protection Agency (CPPA)
- Introduced the category of "sensitive personal information" with additional protections
- Expanded the right to correct inaccurate data
- Increased the lookback period for data requests from 12 to 15 months
- Tripled the revenue threshold from $25 million to $25 million (adjusted for inflation)
- Added new restrictions on automated decision-making
- Introduced risk assessments for high-risk data processing
When people refer to "CCPA" today, they typically mean the law as amended by CPRA.
Who Does CCPA Apply To?
CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:
Revenue Threshold
Annual gross revenues exceeding $25 million (adjusted annually for inflation - currently $26.45 million for 2025)
Consumer Data Threshold
Buy, sell, or share the personal information of 100,000 or more California consumers or households per year
Revenue from Data Sales
Derive 50% or more of annual revenue from selling or sharing consumers' personal information
Not sure if CCPA applies to you? Create a CCPA-compliant privacy policy to ensure you're covered regardless of your business size.
Important Notes
- You don't need to be located in California - serving California residents is enough
- Non-profit organizations are generally exempt
- Service providers and contractors have different obligations
- The law applies to personal information collected both online and offline
What Personal Information Does CCPA Protect?
CCPA has a broad definition of personal information. It covers any information that identifies, relates to, or could reasonably be linked with a particular California consumer or household.
Categories of Personal Information
Identifiers
- Real name, alias, postal address, email, phone number
- Unique personal identifier, IP address, account name
- Social security number, driver's license, passport number
Customer Records
- Purchase history, payment information
- Employment information
- Education information
Protected Classifications
- Age, race, gender, sexual orientation
- Marital status, veteran status
- Disability status
Commercial Information
- Products or services purchased
- Purchasing or consuming histories
- Tendencies or preferences
Biometric Information
- Fingerprints, facial recognition data
- Voiceprints, iris scans
- Behavioral patterns
Internet Activity
- Browsing history, search history
- Information on consumer interaction with websites or apps
- Clickstream data
Geolocation Data
- Precise location data
- Movement patterns
Sensory Data
- Audio, electronic, visual, or similar information
Professional Information
- Current or past job history
- Performance evaluations
Inferences
- Profile reflecting preferences, characteristics, behavior, attitudes
Sensitive Personal Information (Under CPRA)
CPRA created a special category requiring additional protections:
- Social security, driver's license, passport numbers
- Account credentials with passwords
- Precise geolocation
- Racial or ethnic origin, religious beliefs, union membership
- Contents of mail, email, and text messages
- Genetic data
- Biometric data for identification
- Health information
- Sex life or sexual orientation
Consumer Rights Under CCPA
CCPA grants California consumers several enforceable rights:
Right to Know
Consumers can request:
- What categories of personal information you've collected
- Specific pieces of personal information you hold
- Sources of that information
- Business purposes for collection
- Third parties with whom you've shared data
You must respond within 45 days (with a possible 45-day extension).
Right to Delete
Consumers can request deletion of their personal information, with certain exceptions (e.g., completing transactions, legal obligations, security purposes).
Right to Opt-Out of Sale/Sharing
Consumers can opt out of the sale or sharing of their personal information. You must provide a clear "Do Not Sell or Share My Personal Information" link on your website.
Right to Correct
Under CPRA, consumers can request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information
CPRA allows consumers to limit the use and disclosure of their sensitive personal information to what's necessary to provide goods or services.
Right to Non-Discrimination
Businesses cannot discriminate against consumers for exercising their CCPA rights. However, you can offer financial incentives for data collection if properly disclosed.
Business Obligations Under CCPA
If CCPA applies to your business, you must:
1. Provide a Privacy Policy
Your privacy policy must include:
- Categories of personal information collected
- Sources of personal information
- Business purposes for collection
- Categories of third parties with whom you share data
- Consumer rights under CCPA
- How to exercise those rights
- Categories of information sold or shared (if applicable)
- Categories of sensitive personal information collected
2. Add Required Links
You must provide:
- A clear, conspicuous link titled "Do Not Sell or Share My Personal Information" (if you sell/share data)
- A link to "Limit the Use of My Sensitive Personal Information" (if applicable under CPRA)
- Links in your privacy policy to request data access/deletion
3. Honor Consumer Requests
Establish a process to:
- Verify consumer identity
- Respond to requests within 45 days
- Provide data in a portable, readily usable format
- Maintain records of requests for 24 months
4. Train Employees
Ensure employees who handle consumer inquiries or requests are trained on CCPA requirements and consumer rights.
5. Update Contracts with Service Providers
Service provider contracts must:
- Prohibit sale of personal information
- Prohibit retention or use outside the contract
- Require certification of compliance
6. Conduct Risk Assessments (CPRA)
For high-risk processing activities, conduct and submit cybersecurity audits and risk assessments to the CPPA.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowReady to comply? Generate a CCPA-compliant privacy policy that covers all required disclosures.
CCPA Penalties and Enforcement
CCPA has both regulatory and private right of action enforcement:
Administrative Penalties
The California Attorney General (and now the CPPA under CPRA) can impose:
- Up to $2,500 per violation
- Up to $7,500 per intentional violation
Regulators typically provide a 30-day cure period for first violations before imposing fines.
Private Right of Action (Data Breaches)
Consumers can sue directly for data breaches involving:
- Unencrypted or unredacted personal information
- Statutory damages of $100 to $750 per consumer, per incident
- Actual damages if higher
Notable CCPA Enforcement Actions
- Sephora - $1.2 million settlement for failing to disclose sale of personal information and honor opt-out requests
- DoorDash - Settlement for inadequate notice of data sales
- Retailers - Multiple settlements for missing "Do Not Sell" links
The CPPA began active enforcement in 2023 and has signaled more aggressive action going forward.
How to Comply with CCPA
Here's a practical roadmap to CCPA compliance:
Step 1: Determine If CCPA Applies
Calculate:
- Annual revenue
- Number of California consumers whose data you process
- Revenue percentage from data sales
Step 2: Data Mapping
Conduct a data inventory:
- What personal information do you collect?
- From what sources?
- For what purposes?
- With whom do you share it?
- How long do you keep it?
Step 3: Update Your Privacy Policy
Ensure your policy includes:
- All required CCPA disclosures
- Clear, plain language
- Easy-to-find location (footer link)
- 12-month update cycle
Step 4: Implement Consumer Rights Mechanisms
Set up:
- Webform for access/deletion requests
- Toll-free phone number (for businesses with online presence)
- Email contact for requests
- Identity verification process
- Response workflow with 45-day deadline tracking
Step 5: Add Required Links
On your website:
- "Do Not Sell or Share My Personal Information" link (if applicable)
- "Limit the Use of My Sensitive Personal Information" link (if applicable)
- Privacy policy link in footer
Step 6: Review Third-Party Relationships
For service providers:
- Update contracts with CCPA language
- Obtain certifications of compliance
- Audit data sharing practices
Step 7: Train Your Team
Ensure staff understand:
- What CCPA is and who it applies to
- Consumer rights under CCPA
- How to handle requests
- What constitutes a "sale" of data
Step 8: Implement Technical Controls
Set up:
- Cookie consent management (for opt-out of sales)
- Data deletion workflows
- Data portability tools
- Opt-out signal recognition (Global Privacy Control)
Need help with cookies? Create a cookie policy that explains your tracking practices and honors opt-out requests.
CCPA vs. GDPR: Key Differences
While both laws protect consumer privacy, they have important differences:
| Aspect | CCPA | GDPR |
|---|---|---|
| Scope | California residents | EU residents |
| Business Size | Revenue/data thresholds | All businesses processing EU data |
| Consent Model | Opt-out (except minors) | Opt-in required |
| Data Sale | Must allow opt-out | Generally prohibited |
| Penalties | Up to $7,500/violation | Up to 4% global revenue |
| Data Protection Officer | Not required | Required for some |
| Legal Basis | Not required | Must establish for each purpose |
| Enforcement | State AG, CPPA, consumers | Supervisory authorities |
Key Takeaway
GDPR is generally more comprehensive and stricter. If you're already GDPR compliant, you're well on your way to CCPA compliance - but you'll still need to address CCPA-specific requirements like the "Do Not Sell" link and CCPA disclosure language.
Common CCPA Compliance Mistakes
Avoid these frequent errors:
- Missing the "Do Not Sell" link - Required even if you claim you don't "sell" data in the traditional sense
- Inadequate privacy policy - Must include all 11 required categories of disclosures
- No verification process - Must verify consumer identity before responding to requests
- Charging for requests - Cannot charge fees for the first two requests per year
- Discriminating against requesters - Cannot deny service or charge different prices to consumers who exercise rights
- Ignoring authorized agents - Must honor requests from consumer-authorized agents
- Not honoring Global Privacy Control - CPRA requires recognizing browser-based opt-out signals
- Missing contract updates - Service provider agreements must include specific CCPA language
CCPA and Other State Privacy Laws
CCPA inspired similar laws across the United States:
- Virginia (VCDPA) - Effective January 1, 2023
- Colorado (CPA) - Effective July 1, 2023
- Connecticut (CTDPA) - Effective July 1, 2023
- Utah (UCPA) - Effective December 31, 2023
- Iowa, Montana, Oregon, Tennessee, Texas - Various 2024-2025 effective dates
Many businesses adopt a nationwide approach using CCPA as the baseline to avoid maintaining separate compliance programs for each state.
Getting Started with CCPA Compliance
The most important first step is creating a compliant privacy policy that:
- Discloses your data practices clearly - What you collect, why, and how
- Explains consumer rights - All rights available under CCPA/CPRA
- Provides contact mechanisms - How consumers can exercise their rights
- Lists data sales/sharing - If applicable, what categories you sell or share
- Updates annually - Review and update at least once per 12 months
From there, implement the technical and operational processes to honor consumer rights and maintain compliance.
Frequently Asked Questions
What does CCPA stand for?
CCPA stands for California Consumer Privacy Act. It is a comprehensive data privacy law that took effect on January 1, 2020, giving California residents control over their personal information.
Who does CCPA apply to?
CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds: annual revenue over $25 million, buy/sell personal information of 100,000+ California consumers, or derive 50%+ revenue from selling personal information.
What are the penalties for CCPA violations?
CCPA violations can result in fines up to $2,500 per violation or $7,500 per intentional violation. Data breach violations can lead to consumer lawsuits with damages of $100-$750 per incident, per consumer.
What is the difference between CCPA and CPRA?
CPRA (California Privacy Rights Act) is an amendment to CCPA that took effect on January 1, 2023. It expands consumer rights, creates the California Privacy Protection Agency, and introduces stricter requirements for sensitive personal information.
Do I need to comply with both CCPA and GDPR?
If you serve both California residents and EU residents, you need to comply with both laws. CCPA is generally less strict than GDPR, so if you're already GDPR compliant, you're likely close to CCPA compliance.
Conclusion
CCPA represents a significant shift in US privacy law, giving California consumers meaningful control over their personal information. While compliance requires effort - updating policies, implementing request mechanisms, training staff - the core principle is straightforward: be transparent about data practices and respect consumer choices.
For most businesses, the biggest lift is the initial compliance work. Once you've updated your privacy policy, implemented request workflows, and added required links, ongoing compliance becomes routine.
The key is to start now. With the CPPA actively enforcing and consumers increasingly aware of their rights, CCPA compliance is no longer optional for businesses serving California residents.
Ready to create your CCPA-compliant privacy policy? Use our free generator to create a comprehensive policy that covers all CCPA requirements in minutes.