What Is CCPA Compliance? A Complete Guide for Businesses
Learn what CCPA compliance means, who it applies to, the key requirements, and how to make your business compliant with the California Consumer Privacy Act.
Understanding what CCPA compliance means is essential for any business that collects personal information from California residents. The California Consumer Privacy Act, along with its amendment the California Privacy Rights Act (CPRA), establishes specific rights for consumers and corresponding obligations for businesses that meet the law's applicability thresholds.
This guide explains the core requirements of CCPA compliance, who the law applies to, the rights it grants consumers, and the practical steps your business needs to take. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is CCPA Compliance?
CCPA compliance means meeting all requirements of the California Consumer Privacy Act (Cal. Civ. Code Sections 1798.100 through 1798.199.100), as amended by the California Privacy Rights Act (CPRA) that took effect on January 1, 2023. The law gives California residents specific rights over their personal information and requires businesses to implement processes, disclosures, and technical measures to honor those rights.
At its core, CCPA compliance requires businesses to:
- Inform consumers about what personal information is collected and why
- Honor consumer requests to access, delete, correct, and port their data
- Provide a clear mechanism for consumers to opt out of the sale or sharing of their personal information
- Implement reasonable security measures to protect personal information
- Avoid discriminating against consumers who exercise their privacy rights
The CPRA amendment strengthened these requirements by creating the California Privacy Protection Agency (CPPA), adding the right to correct inaccurate information, introducing the concept of "sensitive personal information" with additional protections, and expanding opt-out rights to cover both the sale and sharing of personal data.
Who Must Comply with the CCPA?
The CCPA does not apply to every business. It targets for-profit entities that do business in California and meet at least one of three thresholds.
Applicability Thresholds
A for-profit business must comply with the CCPA if it collects consumers' personal information and meets any one of these criteria:
- Revenue threshold: Annual gross revenue exceeding $25 million in the preceding calendar year
- Data volume threshold: Annually buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices
- Revenue source threshold: Derives 50% or more of annual revenue from selling or sharing consumers' personal information
Who Is Exempt
Several categories of entities fall outside the CCPA's scope:
- Nonprofit organizations
- Government agencies
- Businesses that do not meet any of the three thresholds
- Entities already regulated under certain federal privacy laws (HIPAA-covered entities and financial institutions subject to the Gramm-Leach-Bliley Act receive partial exemptions for data covered by those laws)
Note that the data volume threshold of 100,000 consumers or households is relatively low for any business with a website that receives meaningful traffic from California. Website analytics, cookies, and advertising pixels can push a business past this threshold even without direct customer relationships.
Consumer Rights Under the CCPA
The CCPA grants California residents a set of specific, enforceable rights. Achieving CCPA compliance requires your business to honor each of these rights within the timelines prescribed by the law.
Right to Know (Section 1798.100)
Consumers can request that a business disclose the categories and specific pieces of personal information it has collected, the sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom it is shared. Businesses must respond to verified requests within 45 days.
Right to Delete (Section 1798.105)
Consumers can request the deletion of personal information a business has collected from them. The business must also direct its service providers and contractors to delete the information. Exceptions apply when retention is necessary for completing a transaction, detecting security incidents, exercising free speech, complying with a legal obligation, or conducting internal research.
Right to Correct (Section 1798.106)
Added by the CPRA, this right allows consumers to request correction of inaccurate personal information. Businesses must use commercially reasonable efforts to correct the information upon receiving a verified request.
Right to Opt Out of Sale or Sharing (Section 1798.120)
Consumers have the right to direct a business not to sell or share their personal information. The CPRA expanded this right to cover "sharing," which the law defines as making personal information available to third parties for cross-context behavioral advertising. Businesses must provide a "Do Not Sell or Share My Personal Information" link on their website.
Right to Limit Use of Sensitive Personal Information (Section 1798.121)
The CPRA introduced the category of "sensitive personal information," which includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, biometric data, health information, and contents of mail or communications. Consumers can direct businesses to limit the use of sensitive personal information to purposes necessary for providing the requested goods or services.
Right to Non-Discrimination (Section 1798.125)
Businesses cannot discriminate against consumers for exercising their CCPA rights. This means a business cannot deny goods or services, charge different prices, provide a different quality of service, or suggest any of these consequences as a result of a consumer exercising their rights.
What Personal Information Does the CCPA Cover?
The CCPA defines personal information broadly as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This definition is intentionally expansive.
Categories of personal information under the CCPA include:
- Identifiers: Name, postal address, email address, IP address, account name, Social Security number, driver's license number, passport number
- Commercial information: Records of purchases, products or services considered, purchasing histories
- Internet activity: Browsing history, search history, information about interactions with a website or advertisement
- Geolocation data: Precise physical location derived from GPS, Wi-Fi, or cellular data
- Biometric information: Fingerprints, facial recognition data, voiceprints
- Professional or employment information: Current or past job history, performance evaluations
- Education information: Records maintained by educational institutions
- Inferences: Consumer profiles reflecting preferences, characteristics, behavior, aptitudes
This broad scope means that website cookies, analytics data, advertising identifiers, and device fingerprints all qualify as personal information under the CCPA when they can be linked to a consumer or household.
CCPA Compliance Requirements: What Businesses Must Do
Achieving CCPA compliance requires changes to your disclosures, processes, technical infrastructure, and vendor relationships. The following sections cover each major requirement.
Update Your Privacy Policy
The CCPA requires businesses to maintain a privacy policy that includes specific disclosures. Section 1798.130(a)(5) mandates that the privacy policy describe:
- The categories of personal information collected in the preceding 12 months
- The purposes for which each category is collected and used
- The categories of sources from which personal information is collected
- The categories of third parties to whom personal information is disclosed
- The categories of personal information sold or shared, and the categories of third parties to whom it was sold or shared
- Consumer rights and how to exercise them
- Contact information for submitting requests
The privacy policy must be updated at least once every 12 months. Using a privacy policy generator helps ensure your policy covers all CCPA-required disclosures alongside requirements from other applicable laws like the GDPR.
Implement Consumer Request Processes
Businesses must provide at least two methods for consumers to submit requests, including a toll-free phone number and an online method (such as a web form or email address). The process must allow consumers to:
- Submit requests to know, delete, correct, and opt out
- Receive a response within 45 days (extendable by an additional 45 days with notice)
- Verify their identity through a reasonable process before personal information is disclosed or deleted
Provide Opt-Out Mechanisms
If your business sells or shares personal information, you must:
- Display a clear "Do Not Sell or Share My Personal Information" link on your website homepage
- Honor Global Privacy Control (GPC) signals as valid opt-out requests, as required by CPPA regulations
- Process opt-out requests without requiring the consumer to create an account
For businesses that use cookies or tracking technologies for cross-context behavioral advertising, a cookie consent banner is an important part of honoring opt-out preferences. TermsBox provides a cookie consent management platform that detects trackers on your site and helps manage opt-out compliance alongside your privacy disclosures.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowTrain Employees
Section 1798.135(a)(3) requires businesses to ensure that all individuals responsible for handling consumer inquiries about privacy practices are informed of CCPA requirements. Training should cover how to recognize consumer requests, verification procedures, response timelines, and escalation processes.
Implement Reasonable Security
While the CCPA does not prescribe specific security measures, Section 1798.150 creates a private right of action for consumers whose "nonencrypted and nonredacted personal information" is exposed in a breach resulting from a business's failure to "implement and maintain reasonable security procedures." This provision creates significant litigation exposure and effectively requires:
- Encryption of personal information at rest and in transit
- Access controls and authentication measures
- Regular security assessments and vulnerability testing
- Incident response planning
Manage Service Providers and Contractors
The CCPA requires businesses to enter into written contracts with service providers and contractors that process personal information on their behalf. These contracts must restrict the service provider from using the personal information for any purpose other than the specific business purpose outlined in the agreement.
CCPA Compliance Checklist
Use this checklist to assess your organization's readiness. Each item corresponds to a specific CCPA requirement.
Disclosures and Notices
- Privacy policy includes all CCPA-required categories and disclosures
- Privacy policy has been updated within the past 12 months
- "Do Not Sell or Share My Personal Information" link is visible on the homepage (if applicable)
- Notice at collection is provided at or before the point of data collection
- Financial incentive notices are provided for any loyalty programs or data-for-discount arrangements
Consumer Rights Infrastructure
- At least two methods for submitting consumer requests are available
- Identity verification process is documented and implemented
- Requests are tracked and responded to within 45 days
- Deletion requests are forwarded to service providers and contractors
- Opt-out requests are processed without requiring account creation
- GPC browser signals are recognized and honored
Internal Processes
- Personal information inventory is current and documented
- Data retention schedule is defined and enforced
- Employees handling consumer inquiries have received CCPA training
- Service provider contracts include CCPA-compliant data processing terms
- Security measures are reasonable and documented
Technical Measures
- Personal information is encrypted at rest and in transit
- Access to personal information is restricted by role
- Website tracking and cookies are inventoried and categorized
- Opt-out preferences are propagated to downstream data recipients
CCPA Enforcement and Penalties
The California Privacy Protection Agency (CPPA) is the primary enforcement body for the CCPA, though the California Attorney General retains enforcement authority as well.
Administrative Fines
The CPPA can impose administrative fines of:
- $2,500 per unintentional violation
- $7,500 per intentional violation
These fines are assessed per violation per consumer, which means a single non-compliant practice affecting thousands of consumers can result in penalties reaching millions of dollars. There is no statutory cap on total fine amounts.
Private Right of Action
Section 1798.150 gives consumers a private right of action specifically for data breaches resulting from a business's failure to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. This provision has generated significant class action litigation.
Enforcement Activity
The California Attorney General has pursued enforcement actions against major businesses since the CCPA took effect in 2020. The CPPA began its own enforcement in 2024. Notable actions have targeted:
- Businesses that failed to honor opt-out requests
- Companies that collected personal information from minors without affirmative consent
- Organizations with inadequate privacy policies or consumer request processes
CCPA Compliance and Your Website
Website compliance is a significant component of CCPA compliance because websites collect personal information through cookies, analytics tools, advertising pixels, and form submissions.
Cookie and Tracking Compliance
Every cookie and tracking technology on your website that collects personal information from California consumers must be disclosed in your privacy policy. If any of these technologies constitute a "sale" or "sharing" of personal information, consumers must be able to opt out.
Common tracking technologies that may trigger CCPA obligations include:
- Google Analytics and similar analytics platforms
- Facebook Pixel, Google Ads, and other advertising tags
- Third-party cookies set by embedded content or social media widgets
- Customer data platforms and personalization tools
Regularly scanning your website for tracking technologies is important because third-party scripts can add new cookies without your knowledge. A cookie policy generator can help you document the cookies on your site, while automated scanning ensures your disclosures stay current as your technology stack changes.
Privacy Policy Placement
Your CCPA-compliant privacy policy must be accessible from a conspicuous link on your homepage. The link should use the word "Privacy" and be easy to find. If your business sells or shares personal information, the "Do Not Sell or Share My Personal Information" link must also appear on the homepage.
Maintaining accurate legal documents across your website is a continuous process. Tracking technologies change, new vendors are added, and business practices evolve. Keeping your privacy policy generator outputs current with your actual data practices is essential for ongoing CCPA compliance.
Frequently Asked Questions
What is CCPA compliance?
CCPA compliance means meeting the requirements of the California Consumer Privacy Act, which gives California residents the right to know what personal information businesses collect about them, request its deletion, opt out of its sale or sharing, and receive equal service and pricing regardless of exercising their rights. Businesses that meet the law's applicability thresholds must implement processes and disclosures to honor these rights.
Who does the CCPA apply to?
The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds: annual gross revenue exceeding $25 million, buying, selling, or sharing the personal information of 100,000 or more California consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. Nonprofits and government agencies are exempt.
What are the penalties for CCPA non-compliance?
The California Privacy Protection Agency can impose administrative fines of $2,500 per unintentional violation and $7,500 per intentional violation. There is no cap on the total fine amount, so penalties accumulate per violation per consumer. Additionally, consumers can bring private lawsuits for data breaches resulting from a business's failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident.
Does the CCPA apply to businesses outside California?
Yes. The CCPA applies to any for-profit business that meets the applicability thresholds and collects personal information from California residents, regardless of where the business is physically located. A company headquartered in New York or operating from outside the United States is subject to the CCPA if it does business in California and meets the revenue, data volume, or revenue-source thresholds.