TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. What is CCPA? California Privacy Law Explained
CCPA

What is CCPA? California Privacy Law Explained

Learn what CCPA means for your business. Complete guide covering CCPA requirements, consumer rights, CPRA updates, and how to create a compliant privacy policy.

TermsBox Team|January 16, 202512 min read

If you run a business that serves California residents, the California Consumer Privacy Act (CCPA) could apply to you. This landmark privacy law has reshaped how businesses handle personal data in the United States, and understanding it is crucial for compliance.

In this guide, we'll explain everything you need to know about CCPA in clear, practical terms - from who it applies to, to what rights it grants consumers, to how you can ensure compliance.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state-level data privacy law that gives California residents greater control over the personal information that businesses collect about them. It took effect on January 1, 2020, with enforcement beginning on July 1, 2020.

CCPA is often called the "GDPR of the United States" because it was the first comprehensive privacy law in America, though it has significant differences from its European counterpart.

CCPA vs. CPRA: What Changed?

In November 2020, California voters approved Proposition 24, which created the California Privacy Rights Act (CPRA). CPRA is essentially CCPA 2.0 - it amends and expands the original law.

Key CPRA changes that took effect on January 1, 2023:

  • Created a new enforcement agency: the California Privacy Protection Agency (CPPA)
  • Introduced the category of "sensitive personal information" with additional protections
  • Expanded the right to correct inaccurate data
  • Increased the lookback period for data requests from 12 to 15 months
  • Tripled the revenue threshold from $25 million to $25 million (adjusted for inflation)
  • Added new restrictions on automated decision-making
  • Introduced risk assessments for high-risk data processing

When people refer to "CCPA" today, they typically mean the law as amended by CPRA.

Who Does CCPA Apply To?

CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:

Revenue Threshold

Annual gross revenues exceeding $25 million (adjusted annually for inflation - currently $26.45 million for 2025)

Consumer Data Threshold

Buy, sell, or share the personal information of 100,000 or more California consumers or households per year

Revenue from Data Sales

Derive 50% or more of annual revenue from selling or sharing consumers' personal information

Not sure if CCPA applies to you? Create a CCPA-compliant privacy policy to ensure you're covered regardless of your business size.

Important Notes

  • You don't need to be located in California - serving California residents is enough
  • Non-profit organizations are generally exempt
  • Service providers and contractors have different obligations
  • The law applies to personal information collected both online and offline

What Personal Information Does CCPA Protect?

CCPA has a broad definition of personal information. It covers any information that identifies, relates to, or could reasonably be linked with a particular California consumer or household.

Categories of Personal Information

  1. Identifiers

    • Real name, alias, postal address, email, phone number
    • Unique personal identifier, IP address, account name
    • Social security number, driver's license, passport number
  2. Customer Records

    • Purchase history, payment information
    • Employment information
    • Education information
  3. Protected Classifications

    • Age, race, gender, sexual orientation
    • Marital status, veteran status
    • Disability status
  4. Commercial Information

    • Products or services purchased
    • Purchasing or consuming histories
    • Tendencies or preferences
  5. Biometric Information

    • Fingerprints, facial recognition data
    • Voiceprints, iris scans
    • Behavioral patterns
  6. Internet Activity

    • Browsing history, search history
    • Information on consumer interaction with websites or apps
    • Clickstream data
  7. Geolocation Data

    • Precise location data
    • Movement patterns
  8. Sensory Data

    • Audio, electronic, visual, or similar information
  9. Professional Information

    • Current or past job history
    • Performance evaluations
  10. Inferences

    • Profile reflecting preferences, characteristics, behavior, attitudes

Sensitive Personal Information (Under CPRA)

CPRA created a special category requiring additional protections:

  • Social security, driver's license, passport numbers
  • Account credentials with passwords
  • Precise geolocation
  • Racial or ethnic origin, religious beliefs, union membership
  • Contents of mail, email, and text messages
  • Genetic data
  • Biometric data for identification
  • Health information
  • Sex life or sexual orientation

Consumer Rights Under CCPA

CCPA grants California consumers several enforceable rights:

Right to Know

Consumers can request:

  • What categories of personal information you've collected
  • Specific pieces of personal information you hold
  • Sources of that information
  • Business purposes for collection
  • Third parties with whom you've shared data

You must respond within 45 days (with a possible 45-day extension).

Right to Delete

Consumers can request deletion of their personal information, with certain exceptions (e.g., completing transactions, legal obligations, security purposes).

Right to Opt-Out of Sale/Sharing

Consumers can opt out of the sale or sharing of their personal information. You must provide a clear "Do Not Sell or Share My Personal Information" link on your website.

Right to Correct

Under CPRA, consumers can request correction of inaccurate personal information.

Right to Limit Use of Sensitive Personal Information

CPRA allows consumers to limit the use and disclosure of their sensitive personal information to what's necessary to provide goods or services.

Right to Non-Discrimination

Businesses cannot discriminate against consumers for exercising their CCPA rights. However, you can offer financial incentives for data collection if properly disclosed.

Business Obligations Under CCPA

If CCPA applies to your business, you must:

1. Provide a Privacy Policy

Your privacy policy must include:

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collection
  • Categories of third parties with whom you share data
  • Consumer rights under CCPA
  • How to exercise those rights
  • Categories of information sold or shared (if applicable)
  • Categories of sensitive personal information collected

2. Add Required Links

You must provide:

  • A clear, conspicuous link titled "Do Not Sell or Share My Personal Information" (if you sell/share data)
  • A link to "Limit the Use of My Sensitive Personal Information" (if applicable under CPRA)
  • Links in your privacy policy to request data access/deletion

3. Honor Consumer Requests

Establish a process to:

  • Verify consumer identity
  • Respond to requests within 45 days
  • Provide data in a portable, readily usable format
  • Maintain records of requests for 24 months

4. Train Employees

Ensure employees who handle consumer inquiries or requests are trained on CCPA requirements and consumer rights.

5. Update Contracts with Service Providers

Service provider contracts must:

  • Prohibit sale of personal information
  • Prohibit retention or use outside the contract
  • Require certification of compliance

6. Conduct Risk Assessments (CPRA)

For high-risk processing activities, conduct and submit cybersecurity audits and risk assessments to the CPPA.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Ready to comply? Generate a CCPA-compliant privacy policy that covers all required disclosures.

CCPA Penalties and Enforcement

CCPA has both regulatory and private right of action enforcement:

Administrative Penalties

The California Attorney General (and now the CPPA under CPRA) can impose:

  • Up to $2,500 per violation
  • Up to $7,500 per intentional violation

Regulators typically provide a 30-day cure period for first violations before imposing fines.

Private Right of Action (Data Breaches)

Consumers can sue directly for data breaches involving:

  • Unencrypted or unredacted personal information
  • Statutory damages of $100 to $750 per consumer, per incident
  • Actual damages if higher

Notable CCPA Enforcement Actions

  • Sephora - $1.2 million settlement for failing to disclose sale of personal information and honor opt-out requests
  • DoorDash - Settlement for inadequate notice of data sales
  • Retailers - Multiple settlements for missing "Do Not Sell" links

The CPPA began active enforcement in 2023 and has signaled more aggressive action going forward.

How to Comply with CCPA

Here's a practical roadmap to CCPA compliance:

Step 1: Determine If CCPA Applies

Calculate:

  • Annual revenue
  • Number of California consumers whose data you process
  • Revenue percentage from data sales

Step 2: Data Mapping

Conduct a data inventory:

  • What personal information do you collect?
  • From what sources?
  • For what purposes?
  • With whom do you share it?
  • How long do you keep it?

Step 3: Update Your Privacy Policy

Ensure your policy includes:

  • All required CCPA disclosures
  • Clear, plain language
  • Easy-to-find location (footer link)
  • 12-month update cycle

Step 4: Implement Consumer Rights Mechanisms

Set up:

  • Webform for access/deletion requests
  • Toll-free phone number (for businesses with online presence)
  • Email contact for requests
  • Identity verification process
  • Response workflow with 45-day deadline tracking

Step 5: Add Required Links

On your website:

  • "Do Not Sell or Share My Personal Information" link (if applicable)
  • "Limit the Use of My Sensitive Personal Information" link (if applicable)
  • Privacy policy link in footer

Step 6: Review Third-Party Relationships

For service providers:

  • Update contracts with CCPA language
  • Obtain certifications of compliance
  • Audit data sharing practices

Step 7: Train Your Team

Ensure staff understand:

  • What CCPA is and who it applies to
  • Consumer rights under CCPA
  • How to handle requests
  • What constitutes a "sale" of data

Step 8: Implement Technical Controls

Set up:

  • Cookie consent management (for opt-out of sales)
  • Data deletion workflows
  • Data portability tools
  • Opt-out signal recognition (Global Privacy Control)

Need help with cookies? Create a cookie policy that explains your tracking practices and honors opt-out requests.

CCPA vs. GDPR: Key Differences

While both laws protect consumer privacy, they have important differences:

Aspect CCPA GDPR
Scope California residents EU residents
Business Size Revenue/data thresholds All businesses processing EU data
Consent Model Opt-out (except minors) Opt-in required
Data Sale Must allow opt-out Generally prohibited
Penalties Up to $7,500/violation Up to 4% global revenue
Data Protection Officer Not required Required for some
Legal Basis Not required Must establish for each purpose
Enforcement State AG, CPPA, consumers Supervisory authorities

Key Takeaway

GDPR is generally more comprehensive and stricter. If you're already GDPR compliant, you're well on your way to CCPA compliance - but you'll still need to address CCPA-specific requirements like the "Do Not Sell" link and CCPA disclosure language.

Common CCPA Compliance Mistakes

Avoid these frequent errors:

  1. Missing the "Do Not Sell" link - Required even if you claim you don't "sell" data in the traditional sense
  2. Inadequate privacy policy - Must include all 11 required categories of disclosures
  3. No verification process - Must verify consumer identity before responding to requests
  4. Charging for requests - Cannot charge fees for the first two requests per year
  5. Discriminating against requesters - Cannot deny service or charge different prices to consumers who exercise rights
  6. Ignoring authorized agents - Must honor requests from consumer-authorized agents
  7. Not honoring Global Privacy Control - CPRA requires recognizing browser-based opt-out signals
  8. Missing contract updates - Service provider agreements must include specific CCPA language

CCPA and Other State Privacy Laws

CCPA inspired similar laws across the United States:

  • Virginia (VCDPA) - Effective January 1, 2023
  • Colorado (CPA) - Effective July 1, 2023
  • Connecticut (CTDPA) - Effective July 1, 2023
  • Utah (UCPA) - Effective December 31, 2023
  • Iowa, Montana, Oregon, Tennessee, Texas - Various 2024-2025 effective dates

Many businesses adopt a nationwide approach using CCPA as the baseline to avoid maintaining separate compliance programs for each state.

Getting Started with CCPA Compliance

The most important first step is creating a compliant privacy policy that:

  1. Discloses your data practices clearly - What you collect, why, and how
  2. Explains consumer rights - All rights available under CCPA/CPRA
  3. Provides contact mechanisms - How consumers can exercise their rights
  4. Lists data sales/sharing - If applicable, what categories you sell or share
  5. Updates annually - Review and update at least once per 12 months

From there, implement the technical and operational processes to honor consumer rights and maintain compliance.

Frequently Asked Questions

What does CCPA stand for?

CCPA stands for California Consumer Privacy Act. It is a comprehensive data privacy law that took effect on January 1, 2020, giving California residents control over their personal information.

Who does CCPA apply to?

CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds: annual revenue over $25 million, buy/sell personal information of 100,000+ California consumers, or derive 50%+ revenue from selling personal information.

What are the penalties for CCPA violations?

CCPA violations can result in fines up to $2,500 per violation or $7,500 per intentional violation. Data breach violations can lead to consumer lawsuits with damages of $100-$750 per incident, per consumer.

What is the difference between CCPA and CPRA?

CPRA (California Privacy Rights Act) is an amendment to CCPA that took effect on January 1, 2023. It expands consumer rights, creates the California Privacy Protection Agency, and introduces stricter requirements for sensitive personal information.

Do I need to comply with both CCPA and GDPR?

If you serve both California residents and EU residents, you need to comply with both laws. CCPA is generally less strict than GDPR, so if you're already GDPR compliant, you're likely close to CCPA compliance.

Conclusion

CCPA represents a significant shift in US privacy law, giving California consumers meaningful control over their personal information. While compliance requires effort - updating policies, implementing request mechanisms, training staff - the core principle is straightforward: be transparent about data practices and respect consumer choices.

For most businesses, the biggest lift is the initial compliance work. Once you've updated your privacy policy, implemented request workflows, and added required links, ongoing compliance becomes routine.

The key is to start now. With the CPPA actively enforcing and consumers increasingly aware of their rights, CCPA compliance is no longer optional for businesses serving California residents.

Ready to create your CCPA-compliant privacy policy? Use our free generator to create a comprehensive policy that covers all CCPA requirements in minutes.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Related Articles

CCPA

CCPA Regulations: What Businesses Must Know in 2026

Guide to California Consumer Privacy Act regulations, covering final rules, opt-out requirements, enforcement updates, and compliance steps for businesses.

April 4, 202614 min read
CCPA

California Data Privacy Law: A Complete Guide for 2026

Understand California data privacy law requirements, consumer rights, and business obligations under CCPA and CPRA. A practical compliance guide.

April 4, 202613 min read
CCPA

California Privacy Law: What Businesses Need to Know

Understand California privacy law requirements including CCPA and CPRA. Learn who must comply, consumer rights, penalties, and how to meet obligations.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What is CCPA?
  • CCPA vs. CPRA: What Changed?
  • Who Does CCPA Apply To?
  • Revenue Threshold
  • Consumer Data Threshold
  • Revenue from Data Sales
  • Important Notes
  • What Personal Information Does CCPA Protect?
  • Categories of Personal Information
  • Sensitive Personal Information (Under CPRA)
  • Consumer Rights Under CCPA
  • Right to Know
  • Right to Delete
  • Right to Opt-Out of Sale/Sharing
  • Right to Correct
  • Right to Limit Use of Sensitive Personal Information
  • Right to Non-Discrimination
  • Business Obligations Under CCPA
  • 1. Provide a Privacy Policy
  • 2. Add Required Links
  • 3. Honor Consumer Requests
  • 4. Train Employees
  • 5. Update Contracts with Service Providers
  • 6. Conduct Risk Assessments (CPRA)
  • CCPA Penalties and Enforcement
  • Administrative Penalties
  • Private Right of Action (Data Breaches)
  • Notable CCPA Enforcement Actions
  • How to Comply with CCPA
  • Step 1: Determine If CCPA Applies
  • Step 2: Data Mapping
  • Step 3: Update Your Privacy Policy
  • Step 4: Implement Consumer Rights Mechanisms
  • Step 5: Add Required Links
  • Step 6: Review Third-Party Relationships
  • Step 7: Train Your Team
  • Step 8: Implement Technical Controls
  • CCPA vs. GDPR: Key Differences
  • Key Takeaway
  • Common CCPA Compliance Mistakes
  • CCPA and Other State Privacy Laws
  • Getting Started with CCPA Compliance
  • Frequently Asked Questions
  • Conclusion
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.