CCPA Compliance Requirements: What California Privacy Law Requires
TL;DR
- The CCPA, as amended by the CPRA (fully in force since July 1, 2023), applies to for-profit businesses with over $25 million in annual revenue, those processing personal information of 100,000 or more California residents, or those deriving 50 percent or more of revenue from selling or sharing personal information.
- California consumers have nine rights over their data, including rights to know, delete, correct, opt out of sale, and limit use of sensitive personal information. Businesses must respond to most requests within 45 calendar days.
- Penalties reach $2,500 per unintentional violation and $7,500 per intentional violation, with amounts calculated per consumer and per incident.
- The California Privacy Protection Agency (CPPA) is the dedicated enforcement regulator. In 2025 alone, it reached settlements with Tractor Supply Company ($1.35 million), American Honda ($632,500), and Todd Snyder ($345,178), among others.
- A defensible program requires: a data map, published privacy notices, a working rights-request workflow, opt-out mechanisms that honor the Global Privacy Control signal, and signed vendor contracts with the statutory restrictions.
Who This Is For
This guide is for privacy leads, general counsel, and compliance managers at for-profit businesses that collect personal information from California residents. It covers the current law (CCPA as amended by CPRA), recent enforcement actions through 2025, and a practical implementation sequence. If you are already compliant and want to track regulatory updates, see the CPPA's active rulemaking page.
What Is the CCPA?

The California Consumer Privacy Act, signed in 2018 and operational on January 1, 2020, was the first U.S. state privacy law to grant California residents broad rights over their personal information. The California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020 and fully operational since July 1, 2023, significantly expanded the original law.
When practitioners say "CCPA compliance" today, they mean the combined CCPA/CPRA framework as currently enforced. The combined law:
- Applies to for-profit businesses processing California residents' personal information above certain thresholds
- Grants California consumers nine individual rights over their data
- Created a dedicated enforcement agency, the California Privacy Protection Agency (CPPA), with independent rulemaking and enforcement authority
- Establishes civil penalties and a limited private right of action for specific data breaches
- Introduced a new category of "sensitive personal information" with stricter controls
Both the California Attorney General and the CPPA have enforcement authority. The AG has brought cases since 2022; the CPPA has been issuing enforcement actions since 2024 and has accelerated its pace in 2025.
Who Must Comply
The CCPA applies to any for-profit entity that does business in California, collects California residents' personal information, and meets at least one of three thresholds:
- Annual gross revenues exceeding $25 million in the preceding calendar year
- Annual buying, selling, receiving, or sharing personal information of 100,000 or more consumers or households for commercial purposes
- Derives 50 percent or more of annual revenues from selling or sharing California consumers' personal information
Physical location in California is not required. An online retailer headquartered in New York that ships to California and meets any threshold must comply. Most of the significant enforcement actions to date have been against companies headquartered outside California.
Nonprofits and government agencies are not directly covered. Service providers processing data on behalf of a covered business are bound by contractual restrictions but are not themselves covered businesses, unless they independently cross a threshold.
Personal Information Under the CCPA
The CCPA definition of "personal information" covers any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household. This is broader than most U.S. sectoral privacy laws.
Explicitly listed categories include:
- Identifiers: names, email addresses, IP addresses, account IDs, customer numbers
- Customer records: financial information, bank account numbers, physical characteristics
- Characteristics of protected classifications: race, religion, gender, age
- Commercial information: purchase history, products considered
- Biometric information: fingerprints, voiceprints, facial recognition data
- Internet or network activity: browsing history, search history, interactions with a website or app
- Geolocation data
- Sensory data: audio, visual, thermal, electronic
- Professional or employment information
- Education information
- Inferences drawn from any of the above
Sensitive Personal Information
The CPRA added a subset called "sensitive personal information" (SPI). SPI triggers additional consumer rights and limits on business use. The SPI categories are:
- Social Security number, driver's license, state ID card, passport number
- Financial account numbers combined with access credentials
- Precise geolocation
- Racial or ethnic origin, religious beliefs, union membership
- Contents of mail, email, or text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information processed to identify a specific person
- Health information
- Information about sexual orientation or sex life
Consumers may direct businesses to limit the use and disclosure of SPI to purposes permitted by default under the statute, and businesses must provide a mechanism to exercise this right.
The Nine Consumer Rights

California residents have nine rights under the CCPA/CPRA framework. Businesses must provide at least two methods for consumers to submit requests, must not require account creation to submit a request, and must verify the requester's identity without collecting unnecessary additional data.
| Right | What it requires | Required response time |
|---|---|---|
| Right to know | Disclose specific pieces and categories of personal information collected in the preceding 12 months | 45 calendar days; one 45-day extension for complexity |
| Right to delete | Delete personal information, subject to statutory exceptions | 45 calendar days; one 45-day extension |
| Right to correct | Correct inaccurate personal information (added by CPRA) | 45 calendar days; one 45-day extension |
| Right to opt out of sale or sharing | Stop the sale of personal information and stop sharing for cross-context behavioral advertising | Honor immediately upon valid request |
| Right to limit use of SPI | Restrict use and disclosure of sensitive personal information to default permitted purposes | Honor immediately |
| Right to non-discrimination | Cannot penalize consumers for exercising CCPA rights via price differences, service degradation, or denial | Ongoing obligation |
| Right to opt in for minors | Affirmative opt-in required before selling or sharing personal information of consumers under 16 | Ongoing obligation |
| Right to data portability | Receive personal information in a portable, usable format | 45 calendar days; one 45-day extension |
| Right to know about automated decision-making | Access information about automated decision-making technology and opt out of certain uses (effective under CPPA regulations finalized September 2025) | Per CPPA regulations |
Global Privacy Control
Businesses that sell or share personal information must honor the Global Privacy Control (GPC) browser signal as a legally valid opt-out request. Failure to honor GPC has been the most frequently cited violation in recent CPPA enforcement actions. The GPC requirement applies automatically when the signal is received — no separate consumer request is required.
Required Notices
The CCPA requires three distinct types of notices.
1. At-Collection Notice
Displayed at or before the point of collecting personal information. Must identify the categories of personal information collected, the purposes for each category, and a link to the full privacy policy. For online properties, this notice is typically presented in a cookie banner or at account registration.
2. Privacy Policy
A detailed policy published on your website, updated at least every 12 months. Required contents:
- Categories of personal information collected in the past 12 months
- Sources from which personal information is collected
- Business or commercial purpose for collecting or selling each category
- Categories of third parties to whom personal information is disclosed
- Whether personal information is sold or shared, and the categories of recipients
- Each consumer right and how to exercise it
- Retention period or the criteria used to determine retention for each category
- "Do Not Sell or Share My Personal Information" link, if the business sells or shares
- "Limit the Use of My Sensitive Personal Information" link, if applicable
- Contact information for privacy requests
3. Notice of Financial Incentive
Required when a business offers price differences, service differences, or financial incentives tied to the collection or sale of personal information — loyalty programs being the most common example. The notice must explain the material terms of the incentive and the consumer's right to withdraw.
Penalties and Enforcement
Civil Penalties
California Civil Code § 1798.155 sets civil penalty amounts:
- $2,500 per unintentional violation
- $7,500 per intentional violation, or for any violation involving a consumer under 16
Penalties are calculated per consumer and per violation. A gap affecting 100,000 consumers in a single incident can theoretically produce nine-figure exposure. In practice, settlements to date have ranged from the low hundreds of thousands to the low millions, depending on the scope of the gap and the business's cooperation.
Recent Enforcement Actions
The CPPA and the California AG have collectively reached several significant settlements. Confirmed figures from oag.ca.gov and cppa.ca.gov:
| Company | Amount | Date | Primary violations |
|---|---|---|---|
| Tractor Supply Company | $1,350,000 | September 30, 2025 | No effective opt-out for GPC signals; missing privacy policy for job applicants; no contracts with third parties handling data |
| Healthline Media | $1,550,000 | July 1, 2025 | Tracking without opt-out; sharing health-related data without required disclosures |
| American Honda Motor Co. | $632,500 | March 12, 2025 | Requiring excessive information for opt-out requests; asymmetric privacy choices; inadequate authorized-agent procedures |
| Jam City | $1,400,000 | November 21, 2025 | No in-app opt-out mechanisms; processing children's data without required protections |
| Todd Snyder, Inc. | $345,178 | May 6, 2025 | Opt-out portal non-functional for 40 days; requiring identity verification before opt-out |
| DoorDash | $375,000 | February 21, 2024 | Selling customer data through marketing co-operatives without disclosure or opt-out |
| Sephora | $1,200,000 | August 24, 2022 | Failing to disclose sale of personal information; not processing GPC opt-out signals |
The pattern across these cases is consistent: GPC non-compliance, inadequate opt-out mechanisms, missing or outdated privacy policies, and failure to put proper contracts in place with third-party data recipients.
Private Right of Action
Consumers have a private right of action only for data breaches involving specific categories of personal information: name plus Social Security number, driver's license, financial account credentials, medical information, biometric data, or account login credentials — and only where the breach resulted from a failure to implement "reasonable security."
Statutory damages range from $100 to $750 per consumer per incident, or actual damages if higher. Class actions under this provision can reach seven or eight figures depending on the size of the affected population.
A security program that meets a recognized standard — NIST CSF, ISO 27001, or the CIS Critical Security Controls — substantially reduces the risk of a breach that meets the private right of action threshold. The California AG's enforcement history has repeatedly pointed to CIS Controls as a reasonable baseline for the CCPA's "reasonable security" standard.
How CCPA Differs from Other State Privacy Laws

The CCPA/CPRA framework is stricter than most other U.S. state laws in three ways: a dedicated enforcement agency with independent rulemaking authority, a private right of action for certain breaches, and the broadest definition of "sale" (including cross-context behavioral advertising as a "share").
| Law | Jurisdiction | Key difference from CCPA |
|---|---|---|
| CCPA (CPRA) | California | Dedicated regulator; GPC as legal opt-out; private right of action for breach; SPI category |
| Colorado Privacy Act | Colorado | Requires data protection assessments; narrower on minors; no private right of action |
| Virginia CDPA | Virginia | No private right of action; narrower definition of "sale" (excludes advertising) |
| Connecticut CTDPA | Connecticut | Similar to Virginia; adds consent requirement for SPI processing |
| Utah UCPA | Utah | Narrowest U.S. state law; no private right of action; no data protection assessment requirement |
| Texas TDPSA | Texas | No revenue threshold; applies to any business doing business in Texas |
| GDPR | EU/EEA | Lawful basis requirement for all processing; stricter cross-border transfer rules; higher penalties (up to 4% of global annual revenue) |
A program built to CCPA standards provides a strong baseline for Colorado, Virginia, Connecticut, and Utah with incremental adjustments. Our GDPR compliance guide for US companies covers the differences for companies also subject to EU law.
As of 2026, more than 20 U.S. states have enacted consumer privacy laws. The CPPA has noted in its regulatory communications that it expects covered businesses to monitor the expanding state landscape and adapt their programs accordingly.
Building a CCPA Compliance Program
The following sequence is appropriate for a company starting from scratch or conducting a gap assessment. The steps are not fully sequential — several can run in parallel once the data map is complete.
Step 1: Data Mapping
Inventory every system, database, and third-party integration that touches California consumer data. For each, document:
- The categories of personal information collected or processed
- The source of the data
- The purpose of collection
- Retention period
- Third parties with access and the legal basis for that access (service provider, contractor, or third party)
The data map drives every downstream obligation. Without it, you cannot write an accurate privacy policy, cannot answer rights requests reliably, and cannot identify which vendor contracts need updating.
Step 2: Privacy Notices
Draft or update the at-collection notice, the full privacy policy, and (if applicable) the notice of financial incentive. The privacy policy must reflect the actual data practices in the data map — not a generic template. Post the policy at a clearly accessible link in the footer of every page of your website and in every mobile application.
Step 3: Rights Request Workflow
Build a system that can receive, verify, triage, and fulfill consumer rights requests within 45 calendar days. The workflow must include:
- At minimum, a toll-free phone number and a web form (or email for online-only businesses)
- An identity verification step that confirms the requester without collecting unnecessary personal information
- Internal routing to the teams that can locate, export, correct, or delete data across all systems identified in the data map
- Tracking of request receipt, acknowledgment, and completion dates
- A documented process for honoring authorized agent requests
The CPPA has specifically cited "over-verification" as a violation — requiring consumers to submit more information than needed to confirm their identity is itself a CCPA violation, as the Honda settlement illustrates.
Step 4: Opt-Out Mechanisms
If your business sells or shares personal information:
- Post a "Do Not Sell or Share My Personal Information" link on every page of the website
- Honor Global Privacy Control signals automatically without requiring an additional request
- Pass opt-out signals to service providers and third parties within 15 business days
- Post a "Limit the Use of My Sensitive Personal Information" link if you process SPI beyond the default permitted purposes
The GPC requirement is not optional. It has appeared in every major CPPA enforcement action to date.
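As an added illustration of Steps 3 and 4 (this is example code, not from the article or any regulator), the Node.js snippet below treats the Global Privacy Control request header as a valid opt-out with no verification step, gates advertising disclosures on that state, and computes the deadlines the article cites (15 business days to propagate opt-outs, 10 business days to acknowledge and 45 calendar days to answer a rights request). The in-memory store, the `visitor-1` identifier and the weekend-only business-day rule (no holiday calendar) are assumptions.

```javascript
// Added example: honoring the GPC signal as an opt-out of sale/sharing and
// tracking CCPA deadlines. Not the article's or any vendor's code.
// Assumption: business days skip weekends only; holidays are not modelled.

// Per the GPC specification, a browser with the control enabled sends the
// request header "Sec-GPC: 1" (and exposes navigator.globalPrivacyControl).
function gpcOptOutRequested(headers) {
  // Node lowercases incoming header names; accept either spelling anyway.
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return value !== undefined && String(value).trim() === '1';
}

function addBusinessDays(start, days) {
  const d = new Date(start.getTime());
  let remaining = days;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining--;
  }
  return d;
}

function addCalendarDays(start, days) {
  const d = new Date(start.getTime());
  d.setUTCDate(d.getUTCDate() + days);
  return d;
}

// Record an opt-out keyed by a first-party identifier (cookie or account id).
// `store` is a Map standing in for a persistent consent store (assumption).
// Returns the stored record, or null when no signal was present.
function applyGpcSignal(store, subjectId, headers, now) {
  if (!gpcOptOutRequested(headers)) return null;
  // The signal itself is the request: no identity check, no extra click.
  // Demanding verification before an opt-out was cited in the Todd Snyder
  // and Honda settlements discussed in the article.
  const record = {
    subjectId,
    optedOutOfSaleOrShare: true,
    source: 'gpc',
    receivedAt: now.toISOString(),
    // Opt-outs must reach service providers/third parties within 15 business days.
    propagateBy: addBusinessDays(now, 15).toISOString(),
  };
  store.set(subjectId, record);
  return record;
}

// Gate every disclosure that is a "sale" or "share" (ad pixels, retargeting,
// data co-ops) on the consent state. Default is permissive only because the
// article's Step 4 applies to businesses that sell or share at all.
function mayShareForAdvertising(store, subjectId) {
  const rec = store.get(subjectId);
  return !(rec && rec.optedOutOfSaleOrShare);
}

// Step 3 timelines: acknowledge within 10 business days, respond within
// 45 calendar days, one extension of up to 45 further calendar days.
function rightsRequestDeadlines(receivedAt, extended = false) {
  return {
    acknowledgeBy: addBusinessDays(receivedAt, 10).toISOString(),
    respondBy: addCalendarDays(receivedAt, extended ? 90 : 45).toISOString(),
  };
}

// Stand-alone demo with a constructed request received on 2025-09-30 (UTC).
if (typeof require !== 'undefined' && require.main === module) {
  const store = new Map();
  const now = new Date('2025-09-30T00:00:00Z');
  console.log(applyGpcSignal(store, 'visitor-1', { 'sec-gpc': '1' }, now));
  console.log('may share:', mayShareForAdvertising(store, 'visitor-1'));
  console.log(rightsRequestDeadlines(now));
}
```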
Step 5: Vendor Contracts
Every service provider, contractor, and third party that processes personal information on your behalf must sign a CCPA-compliant data processing agreement before data is shared. The contract must include the statutory restrictions on the service provider's use of personal information and must prohibit the service provider from selling or sharing that data.
Failure to execute these contracts before sharing data was the central violation in the DoorDash, Sephora, and Tractor Supply settlements.
Step 6: Training
Train employees who handle personal information or rights requests at hire and at least annually. Document training completion. The CPPA noted in the Todd Snyder settlement that the company was required to implement CCPA training as a remedial measure — treating training as remedial rather than preventive is more expensive.
Step 7: Data Protection Assessments
The CPRA requires data protection assessments before initiating processing that involves sensitive personal information, large-scale profiling, automated decision-making, or processing that presents a significant risk to consumers. Document assessments before starting new processing of this type, not after.
The CPPA finalized regulations on automated decision-making technology in September 2025. These regulations introduce specific assessment and disclosure requirements for automated decision-making that affects consumers significantly.
Step 8: Retention and Deletion
Set and publish retention periods for each category of personal information. Build deletion workflows that trigger at the end of the retention period and in response to valid deletion requests. Retention periods must be disclosed in the privacy policy.
Step 9: Security Controls
The CCPA requires "reasonable security procedures and practices appropriate to the nature of the personal information." The California AG has pointed to the Center for Internet Security Critical Security Controls as a reasonable baseline in enforcement communications. A program aligned to NIST CSF, ISO 27001, or SOC 2 will satisfy the reasonableness standard in most enforcement contexts.
This matters because the CCPA's private right of action is only available for breaches of specific data categories resulting from a failure of reasonable security. A documented, auditable security program substantially reduces that exposure.
Step 10: Assign Ownership and Schedule Reviews
Name an individual responsible for CCPA compliance — often a privacy officer, general counsel, or compliance manager. Schedule annual reviews of the privacy policy, the data map, and vendor contracts. Maintain audit logs of rights requests, training completions, data protection assessments, and contract execution dates.
What Enforcement Has Revealed
Across the enforcement actions brought by the CPPA and the AG between 2022 and 2025, the same set of gaps appears repeatedly:
GPC non-compliance. The single most commonly cited violation. Businesses implemented cookie banners but failed to honor the GPC browser signal as a separate, automatic opt-out channel. The signal must be treated as a valid opt-out request without requiring any additional consumer action.
Behavioral advertising treated as non-sale. Most use of third-party advertising pixels, retargeting networks, and data co-operatives qualifies as a "sale" or "share" under CCPA. The DoorDash settlement involved data disclosed through marketing co-operatives that the company did not treat as a sale.
Missing or outdated privacy policies. Policies that omitted retention periods or categories of personal information, or that reflected past practices rather than current data flows.
Over-verification. Requiring consumers to submit a driver's license, account credentials, or other sensitive information before exercising opt-out rights. The CCPA requires the verification step to be proportionate to the sensitivity of the request.
Unsigned vendor contracts. Data shared with a third party before a compliant data processing agreement is in place creates direct liability for the disclosing business.
No data protection assessments. Particularly around AI-driven personalization, employee monitoring, and automated scoring or decisioning tools.
Frequently Asked Questions
Does the CCPA apply if our company is not based in California?
Yes, if you collect personal information from California residents and meet any one of the three thresholds. Physical presence in California is not required. The Sephora and DoorDash settlements both involved companies headquartered outside California.
What is the difference between CCPA and CPRA?
CCPA is the 2018 statute that took effect January 1, 2020. CPRA is a 2020 ballot initiative (Proposition 24) that amended and expanded the CCPA. The CPRA added the right to correct, the sensitive personal information category and related rights, data protection assessment requirements, and created the CPPA as a dedicated enforcement agency. When practitioners refer to "CCPA compliance" today, they mean the combined framework.
Do we need a privacy officer?
The statute does not require a dedicated privacy officer, but it expects accountable ownership of compliance. The CPPA has indicated in enforcement decisions that a named, accountable individual responsible for privacy is a factor in assessing reasonableness. Companies under the revenue threshold often assign the role to a general counsel; larger organizations typically have a designated Data Protection Officer or Privacy Officer.
How long do we have to respond to a consumer rights request?
45 calendar days from receipt of a verifiable consumer request, with one extension of up to 45 additional days for complex or high-volume requests. You must acknowledge receipt within 10 business days and notify the consumer of any extension.
What counts as selling personal information?
Under the CCPA, a "sale" is the disclosure of personal information to a third party for monetary or other valuable consideration. This includes most third-party advertising arrangements — including arrangements where no money changes hands but the third party receives the data as something of value. A "share" (added by CPRA) covers disclosures for cross-context behavioral advertising even without consideration. Most programmatic advertising and retargeting arrangements qualify as a sale or share.
Can we charge consumers for submitting rights requests?
No. The right to non-discrimination bars price differences, service degradation, or denial based on the exercise of CCPA rights. A narrow exception applies to bona fide financial incentive programs, which must be disclosed in a notice of financial incentive and which the consumer may withdraw from at any time.
Is CCPA compliance enough for other state privacy laws?
For Colorado, Virginia, Connecticut, and Utah: a CCPA-grade program covers the majority of requirements. The incremental differences are specific — Colorado requires data protection assessments; Virginia and Utah have narrower definitions of "sale." For Texas, the difference is the absence of a revenue threshold. For GDPR, the gap is more substantial: GDPR requires a lawful basis for all processing, has stricter cross-border transfer rules, and carries higher maximum penalties.
Sources
- California Attorney General, CCPA Overview. Accessed 2026-05-12. https://oag.ca.gov/privacy/ccpa
- California Privacy Protection Agency, Regulations and Rulemaking. Accessed 2026-05-12. https://cppa.ca.gov/regulations/
- California Attorney General, CCPA Enforcement Actions. Accessed 2026-05-12. https://oag.ca.gov/privacy/privacy-enforcement-actions
- CPPA, Enforcement Announcement: Tractor Supply Company, September 30, 2025. Accessed 2026-05-12. https://cppa.ca.gov/announcements/2025/20250930.html
- CPPA, Enforcement Announcement: American Honda Motor Co., March 12, 2025. Accessed 2026-05-12. https://cppa.ca.gov/announcements/2025/20250312.html
- CPPA, Enforcement Announcement: Todd Snyder, Inc., May 6, 2025. Accessed 2026-05-12. https://cppa.ca.gov/announcements/2025/20250506.html
- California Civil Code § 1798.155 (civil penalties). Accessed 2026-05-12. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.155
- California Civil Code § 1798.150 (private right of action). Accessed 2026-05-12. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150
- Center for Internet Security, CIS Critical Security Controls. Accessed 2026-05-12. https://www.cisecurity.org/controls/
- Global Privacy Control specification. Accessed 2026-05-12. https://globalprivacycontrol.org/
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
