The Law HQ

California Consumer Privacy Act – a Guide to the CCPA

The California Consumer Privacy Act (CCPA) is California’s main consumer privacy law. It gives California residents rights over how businesses collect, use, share and sell their personal information. Since 2023, the CCPA has been expanded by the California Privacy Rights Act (CPRA), but California regulators generally refer to the amended law simply as the CCPA.

For businesses, the CCPA is one of the most important US privacy laws to understand. It affects not only companies based in California, but many businesses elsewhere in the US and overseas that collect personal information from California residents.

 

1. What is the CCPA?

The CCPA is a state privacy law that gives California consumers more control over their personal information. It requires covered businesses to be transparent about what data they collect, why they collect it, who they share it with, whether they sell or share it for advertising purposes, and how consumers can exercise their privacy rights.

The law originally took effect in 2020. It was later strengthened by the CPRA, which added new rights including the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.

 

2. Who does the CCPA protect?

The CCPA protects California residents. This includes natural persons who reside in California, even if they are temporarily outside the state. It does not protect companies, organisations or other legal entities in their own right.

In practical terms, a business outside California may still need to comply if it offers goods or services to California residents, tracks their online activity, markets to them, sells to them, or otherwise collects their personal information.

 

3. Which businesses must comply?

The CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:

  • Have gross annual revenue of more than $25 million.
  • Buy, sell or share the personal information of 100,000 or more California residents or households.
  • Derive 50% or more of annual revenue from selling California residents’ personal information.

The law does not generally apply directly to non-profits or government agencies, although some organisations may still be affected through contracts, supply chains, data-sharing arrangements, or related laws.

 

4. What counts as personal information?

Under the CCPA, personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a consumer or household.

Examples include:

  • Name, postal address, email address and phone number.
  • IP address, device identifiers and online identifiers.
  • Purchase history and transaction records.
  • Internet browsing and search history.
  • Geolocation data.
  • Biometric information.
  • Employment-related information.
  • Education information.
  • Inferences used to create profiles about preferences, behaviour, characteristics or interests.

The CCPA also recognises sensitive personal information, which includes information such as Social Security numbers, financial account details, precise geolocation, genetic data, biometric data used for identification, health information, racial or ethnic origin, religious or philosophical beliefs, union membership, and the contents of certain communications.

 

5. Consumer rights under the CCPA

Right to know

Consumers can ask a business what personal information it has collected about them, including the categories of information, sources of that information, purposes for collection or use, categories of third parties it has been shared with, and whether it has been sold or disclosed. Businesses must usually provide this information for the 12-month period before the request.

Right to access specific pieces of information

Consumers can request access to the specific pieces of personal information a business holds about them. Businesses must verify the consumer’s identity before providing this information and must avoid disclosing highly sensitive information in an unsafe way.

Right to delete

Consumers can ask businesses to delete personal information collected from them. Businesses must also instruct service providers or contractors to delete the information where required, although there are exceptions, such as where the data is needed to complete a transaction, comply with legal obligations, detect security incidents, or exercise legal rights.

Right to correct

Consumers can ask a business to correct inaccurate personal information it holds about them. The business must take into account the nature of the information and the purpose for which it is processed.

Right to opt out of sale or sharing

Consumers can tell a business not to sell or share their personal information. “Sharing” is especially important in digital marketing because it can include sharing personal information for cross-context behavioural advertising. The CCPA also recognises opt-out signals such as the Global Privacy Control.

Right to limit the use of sensitive personal information

Consumers can direct a business to use or disclose sensitive personal information only for limited permitted purposes, such as providing requested goods or services, preventing security incidents, or other allowed operational purposes.

Right to non-discrimination

Businesses cannot discriminate against consumers for exercising their CCPA rights. For example, they cannot deny goods or services, charge a different price, or provide a different level of service simply because a consumer exercised a privacy right. However, businesses may offer certain financial incentives if they meet the CCPA’s requirements and the incentive is reasonably related to the value of the data.

 

6. Main business obligations

Provide a notice at collection

Businesses must tell consumers, at or before the point of collection, what categories of personal information they collect and the purposes for which they use it. This notice should be easy to find and understand. For websites, it is often linked near forms, account creation pages, checkout pages, cookie banners and footer privacy links.

Maintain a compliant privacy policy

A CCPA privacy policy should explain the business’s collection, use, disclosure, sale and sharing of personal information. It should also explain consumer rights and how to exercise them. The policy should be reviewed regularly and updated when business practices change.

Offer clear request methods

Businesses must provide designated methods for consumers to submit privacy requests. For many businesses, this means a web form, email address and/or toll-free number. Online-only businesses may have different requirements. Businesses generally must respond to requests within 45 calendar days, with a possible 45-day extension if the consumer is notified.

Honour opt-out requests

If a business sells or shares personal information, it must provide a clear way for consumers to opt out. This typically includes a “Do Not Sell or Share My Personal Information” link or a compliant alternative mechanism. Businesses must also avoid manipulative or confusing opt-out flows.

Recognise Global Privacy Control signals

The CCPA recognises user-enabled global privacy controls, such as Global Privacy Control, as a way for consumers to communicate opt-out preferences. Businesses involved in online advertising, analytics, remarketing or data-sharing should pay particular attention to this.

Manage service providers, contractors and third parties

Businesses should have appropriate contracts with service providers, contractors and third parties. These contracts should restrict how personal information can be used, disclosed, retained and transferred. This is particularly important for marketing platforms, analytics tools, CRM systems, cloud providers, payment processors, customer support software, AI tools and data enrichment services.

Apply data minimisation and purpose limitation

Businesses should collect, use, retain and share personal information only in ways that are reasonably necessary and proportionate to disclosed purposes. This means avoiding unnecessary data collection, reducing retention periods, and ensuring new uses of data are properly assessed and disclosed.

Protect personal information

The CCPA includes a limited private right of action for certain data breaches involving nonencrypted and nonredacted personal information where a business failed to maintain reasonable security procedures and practices.

 

7. Sale, sharing and targeted advertising

One of the most important CCPA issues for many businesses is whether their website, app or marketing stack involves the sale or sharing of personal information.

Under the CCPA, “sale” does not only mean selling a customer list for money. It can include disclosing personal information to another party for monetary or other valuable consideration. “Sharing” is especially relevant where personal information is used for cross-context behavioural advertising.

Common areas to review include:

  • Advertising pixels.
  • Retargeting tools.
  • Cookie-based advertising.
  • Lookalike audience tools.
  • Data clean rooms.
  • Affiliate marketing platforms.
  • Lead generation partners.
  • Data brokers.
  • Customer data platforms.
  • Analytics tools that use data for their own purposes.

A business may need to provide opt-out rights even where it does not think of itself as “selling data” in the ordinary commercial sense.

 

8. Sensitive personal information

Sensitive personal information attracts additional compliance obligations. Businesses should identify whether they collect or process sensitive data, why they need it, whether the use is necessary, and whether consumers must be given the right to limit its use.

Examples of higher-risk sensitive data include:

  • Precise location data.
  • Health information.
  • Biometric identifiers.
  • Government ID numbers.
  • Financial account access details.
  • Race, ethnicity, religion or union membership.
  • Contents of private communications.
  • Data about children or teenagers.

Businesses should be especially careful when sensitive personal information is used for profiling, targeted advertising, automated decision-making, fraud detection, identity verification or AI-driven personalisation.

 

9. Children and minors

The CCPA has stricter rules for minors. Businesses cannot sell or share the personal information of a child they know is under 16 unless they receive affirmative authorisation. For children under 13, that authorisation must come from a parent or guardian. For consumers aged 13 to 15, the minor can provide the opt-in themselves.

Any business likely to collect data from minors should review its age-screening, consent, parental authorisation, advertising and data retention practices.

 

10. Newer 2026 compliance developments

The California Privacy Protection Agency has finalised updated CCPA regulations that took effect on January 1, 2026, with extra time for some requirements relating to cybersecurity audits, risk assessments and automated decision-making technologies.

Cybersecurity audits

Some businesses must complete cybersecurity audits and submit certifications to the CPPA. The deadlines depend on business revenue, with certifications due from April 1, 2028 for businesses making over $100 million, April 1, 2029 for businesses making between $50 million and $100 million, and April 1, 2030 for businesses making less than $50 million.

Risk assessments

Businesses subject to risk assessment requirements must begin compliance from January 1, 2026. By April 1, 2028, they must submit an attestation that required risk assessments were completed and provide summary risk assessment information to the CPPA.

Automated decision-making technology

Businesses using automated decision-making technology to make significant decisions must comply with the relevant requirements from January 1, 2027.

These areas are particularly relevant for businesses using AI, profiling, automated eligibility decisions, personalised pricing, fraud scoring, recruitment tools, credit assessments, insurance tools, or customer segmentation technologies.

 

11. Enforcement and penalties

The CCPA is enforced by the California Privacy Protection Agency and the California Attorney General. The CPPA is responsible for implementing and enforcing the CCPA, and the Attorney General also provides consumer guidance and enforcement support.

Potential penalties can be significant. Businesses may face civil penalties for violations, with higher penalties for intentional violations and violations involving minors. Consumers generally cannot sue businesses for most CCPA violations, but they may have a limited private right of action for certain data breaches caused by a failure to maintain reasonable security.

 

12. CCPA compared with GDPR

The CCPA is often compared with the EU and UK GDPR, but they are not the same.

The GDPR is broader in some respects because it applies to controllers and processors across many types of organisations, has a lawful-basis framework, and covers a wide range of processing activities. The CCPA is more focused on consumer rights, transparency, sale/sharing opt-outs and business accountability for California residents’ data.

For businesses already subject to GDPR, CCPA compliance may feel familiar, but it still requires specific California-focused notices, opt-out mechanisms, treatment of sale/sharing, Global Privacy Control recognition, and consumer request workflows.

 

13. Practical CCPA compliance checklist

Scope and data mapping

  • Confirm whether the business meets the CCPA thresholds.
  • Identify whether the business collects personal information from California residents.
  • Map categories of personal information collected.
  • Map categories of sensitive personal information collected.
  • Identify sources of personal information.
  • Identify purposes for collection, use and disclosure.
  • Identify service providers, contractors and third parties.
  • Identify whether personal information is sold or shared.

Privacy notices

  • Create or update the CCPA privacy policy.
  • Provide a notice at or before collection.
  • Explain consumer rights clearly.
  • Explain how consumers can submit requests.
  • Include required disclosures about sale, sharing and sensitive personal information.
  • Review cookie banners, web forms, app screens and checkout flows.

Consumer rights

  • Create a process for requests to know.
  • Create a process for access requests.
  • Create a process for deletion requests.
  • Create a process for correction requests.
  • Create a process for opt-out requests.
  • Create a process for limitation of sensitive personal information.
  • Train staff to recognise and route privacy requests.
  • Keep records of requests and responses.

Website and marketing compliance

  • Audit cookies, pixels and tracking technologies.
  • Check whether advertising tools involve sale or sharing.
  • Add a compliant “Do Not Sell or Share My Personal Information” mechanism where required.
  • Honour Global Privacy Control signals.
  • Avoid dark patterns in cookie banners and opt-out flows.
  • Review retargeting, lookalike audiences and data enrichment tools.

Contracts and vendors

  • Review service provider and contractor agreements.
  • Restrict vendors from using personal information for unauthorised purposes.
  • Confirm deletion, retention and security obligations.
  • Review AI, analytics, CRM, marketing automation and cloud vendors.
  • Check whether any vendors act as third parties rather than service providers.

Security and governance

  • Maintain reasonable security procedures and practices.
  • Apply access controls and encryption where appropriate.
  • Review incident response plans.
  • Set data retention periods.
  • Delete data that is no longer needed.
  • Assess higher-risk processing, including sensitive data and automated decision-making.
  • Prepare for risk assessment, cybersecurity audit and automated decision-making requirements where applicable.

 

14. Common CCPA mistakes

Common problem areas include:

  • Assuming the CCPA only applies to California-based businesses.
  • Treating cookie-based advertising as low risk.
  • Failing to recognise Global Privacy Control signals.
  • Using confusing opt-out processes.
  • Saying “we do not sell data” without analysing “sharing” for advertising.
  • Having a privacy policy that does not match actual data practices.
  • Failing to update notices when new tools are added.
  • Keeping personal information for longer than necessary.
  • Not having a reliable process for consumer rights requests.
  • Using AI tools without checking whether personal information is being retained, reused or used for model training.

 

15. Why CCPA matters

The CCPA has become a benchmark for US privacy compliance. Even for businesses that are not physically located in California, it can affect website tracking, ecommerce, SaaS platforms, digital advertising, customer databases, AI tools, analytics, vendor contracts and cybersecurity governance.

For businesses, the safest approach is not to treat the CCPA as a one-off privacy policy exercise. It should be managed as an ongoing privacy governance programme covering data mapping, notices, consumer rights, marketing technology, contracts, security, retention, AI and accountability.

 

Useful resources for further reference

Scroll to Top