CCPA Compliance Requirements: What California Privacy Law Means
If your business collects personal information from California residents, the California Consumer Privacy Act almost certainly applies to you, even if your company is headquartered elsewhere. The CCPA, now operating under the expanded California Privacy Rights Act (CPRA) amendments, sets some of the toughest privacy rules in the United States. The California Privacy Protection Agency is actively enforcing them in 2026, and the fines are substantial.
This guide covers the CCPA compliance requirements you actually need to know: who must comply, what consumer rights you must honor, what to publish in your privacy notices, what enforcement looks like in 2026, and the practical steps to build a compliance program that survives an audit or complaint.
What Is the CCPA?
The California Consumer Privacy Act, signed in June 2018 and operative on January 1, 2020, was the first comprehensive U.S. state privacy law. The California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020, became operative on January 1, 2023, with enforcement beginning July 1, 2023, and significantly expanded the original CCPA.
When people say "CCPA" today, they usually mean the CCPA as amended by CPRA. The combined law:
- Applies to for-profit businesses that process California residents' personal information above certain thresholds
- Grants California consumers a set of individual rights over their data
- Creates a dedicated regulator (the California Privacy Protection Agency, or CPPA) with rulemaking and enforcement authority
- Establishes statutory penalties and a limited private right of action for specific breaches
The CCPA is enforced by both the California Attorney General and the CPPA. The Attorney General has brought actions since 2022, and the CPPA issued its first enforcement decisions in 2025, so there is now a body of precedent for how the law applies in practice.
Who Must Comply with the CCPA?
The CCPA applies to any for-profit entity that does business in California, collects California residents' personal information, and meets at least one of three thresholds:
- Annual gross revenue over $25 million in the preceding calendar year (the CPPA adjusts this figure for inflation, so check the current threshold rather than the statutory number)
- Annual processing of personal information of 100,000 or more consumers or households (buys, sells, receives for commercial purposes, or shares)
- Derives 50 percent or more of annual revenue from selling or sharing California consumers' personal information
Only one threshold needs to be met. Companies headquartered outside California still qualify if they do business in the state, which is interpreted broadly to include online services available to Californians.
Nonprofits, government agencies, and businesses that fall entirely below all three thresholds are not directly covered, though they may become covered when acting as service providers to covered businesses.
Personal Information Under the CCPA

CCPA's definition of "personal information" is broader than the U.S. sectoral laws most companies are used to. It covers any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household.
Categories of personal information explicitly listed in the statute include:
- Identifiers (names, emails, IP addresses, account IDs, customer numbers)
- Customer records (financial information, physical characteristics, bank account numbers)
- Characteristics of protected classifications (race, religion, gender)
- Commercial information (purchase history, consuming tendencies)
- Biometric information (fingerprints, voiceprints, retinal scans)
- Internet or network activity (browsing history, search history, interactions with a website)
- Geolocation data
- Sensory data (audio, electronic, visual, thermal, olfactory)
- Professional or employment information
- Education information
- Inferences drawn from any of the above
The CPRA added a subset called "sensitive personal information" (SPI), which includes government identifiers (Social Security, driver's license, state ID, and passport numbers), account log-in or financial account details combined with the credentials needed to access them, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail, email, and text messages where the business is not the intended recipient, genetic data, biometric data processed to uniquely identify a consumer, and health, sex life, and sexual orientation information. Sensitive personal information triggers additional rights and restrictions.
CCPA Consumer Rights
The CCPA gives California residents nine rights over their personal information. Your business must be able to receive, verify, and honor each of these requests within the specified timeframes.
| Right | What it means | Required response time |
|-------|---------------|------------------------|
| Right to know | Access the categories and specific pieces of personal information collected, the sources, the purposes, and the categories of third parties it was disclosed to | 45 calendar days (one 45-day extension permitted) |
| Right to delete | Delete personal information, subject to specified exceptions, and instruct service providers to do the same | 45 days |
| Right to correct | Correct inaccurate personal information | 45 days |
| Right to opt out of sale | Stop the business from selling personal information | As soon as feasibly possible, no later than 15 business days |
| Right to opt out of sharing | Stop the business from sharing personal information for cross-context behavioral advertising | As soon as feasibly possible, no later than 15 business days |
| Right to limit use of SPI | Restrict use and disclosure of sensitive personal information to the purposes the regulations permit by default | As soon as feasibly possible, no later than 15 business days |
| Right to non-discrimination | Cannot be penalized for exercising CCPA rights | Ongoing |
| Right to opt in for minors | Affirmative opt-in required before selling or sharing personal information of consumers under 16 (parental consent for those under 13) | Ongoing |
| Right to data portability | Receive personal information in a portable, readily usable format, delivered with a right-to-know response | 45 days |
Businesses must provide at least two methods for consumers to submit requests, including a toll-free number (or, for online-only businesses, an email address) and an online form. Businesses that sell or share personal information must also honor the Global Privacy Control (GPC) browser signal as a universal opt-out.
Required Privacy Notices
The CCPA requires three core notices (the regulations additionally treat the opt-out and limit links, covered below, as their own notices):
1. At-Collection Notice
Displayed at or before the point of collection, whether that is a web form, a mobile app screen, or a physical location. Must list the categories of personal information collected, the purposes for collection, whether each category is sold or shared, the retention period (or the criteria used to set it) for each category, and a link to the full privacy policy.
2. Privacy Policy
A comprehensive document published on your website that must be reviewed and updated at least every 12 months and show the date of its last update. It must include:
- The categories of personal information collected in the preceding 12 months
- The sources from which personal information is collected
- The business or commercial purposes for collecting, selling, or sharing personal information
- The categories of third parties to whom personal information is disclosed
- The categories of personal information sold or shared in the preceding 12 months, and the categories of third parties receiving it (or a statement that the business does not sell or share)
- Whether the business has actual knowledge that it sells or shares the personal information of consumers under 16
- A description of each CCPA right and how to exercise it, including how identity is verified and how an authorized agent may submit a request
- Retention periods, or the criteria used to determine them, for each category of personal information
- A "Do Not Sell or Share My Personal Information" link, if applicable
- A "Limit the Use of My Sensitive Personal Information" link, if applicable
- Contact information for privacy inquiries
3. Notice of Financial Incentive
Required if your business offers financial incentives, price differences, or service differences tied to the collection or sale of personal information (loyalty programs, for example).
CCPA Penalties and Enforcement

CCPA enforcement comes from two tracks: regulator actions and private lawsuits.
Regulator Penalties
- $2,500 per violation
- $7,500 per intentional violation, or per violation involving a consumer the business knows is under 16
These statutory amounts are adjusted for inflation by the CPPA (as of January 2025 they stood at $2,663 and $7,988). Penalties accrue per violation, so a single compliance gap affecting 100,000 consumers can theoretically trigger penalties in the hundreds of millions of dollars. In practice, settlements have been far lower but still substantial.
The Attorney General set the early precedents: a $1.2 million settlement with Sephora in 2022 for failing to disclose that it sold personal information and for not honoring opt-out requests, including Global Privacy Control signals, and a $375,000 settlement with DoorDash in 2024 for sharing customer data with a marketing cooperative without notice or an opt-out. The CPPA's own enforcement began in 2025 with fines against American Honda ($632,500) and Todd Snyder ($345,178), both centered on broken or over-demanding opt-out and verification flows, and the Attorney General's $1.55 million Healthline settlement the same year again turned on opt-out requests, including GPC signals, that were not honored.
Private Right of Action
Consumers have a private right of action only for certain data breaches involving nonencrypted and nonredacted personal information from specific categories (name combined with a Social Security number, driver's license or other government ID number, financial account number with its access code, medical or health insurance information, biometric data, or genetic data, as well as a username or email address combined with a password or security question), and only where the breach resulted from a failure to implement reasonable security.
Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. A consumer seeking statutory damages must first give the business 30 days' written notice and an opportunity to cure, though a breach itself generally cannot be cured. Because damages scale per affected consumer, class claims over a breach affecting even tens of thousands of people reach seven figures and up on paper.
This is where a robust security program and cyber insurance matter most. Preventing the kind of breach that triggers the private right of action is cheaper than defending the class action that follows.
CCPA vs Other Privacy Laws
The CCPA is one of many state privacy laws. Here is how it compares with the other major regimes.
| Law | Jurisdiction | Key distinction from CCPA |
|-----|--------------|----------------------------|
| CCPA (CPRA) | California | Broadest scope, strictest enforcement, dedicated regulator |
| Colorado Privacy Act | Colorado | Requires data protection assessments, narrower on minors |
| Virginia CDPA | Virginia | No private right of action, narrower definition of sale |
| Connecticut CTDPA | Connecticut | Similar to Virginia, adds consent for SPI |
| Utah UCPA | Utah | Lightest of state laws, no private right of action |
| Texas TDPSA | Texas | Applies to any business doing business in Texas without a revenue threshold |
| GDPR | EU/EEA | Lawful basis requirement, stricter cross-border transfer rules |
If you comply with CCPA at the highest level, you are already most of the way to Colorado, Virginia, Connecticut, and Utah compliance. Our GDPR compliance guide for US companies covers the EU regime separately.
As of April 2026, roughly 20 U.S. states have comprehensive privacy laws in force, and the number continues to grow. The strategic move for most businesses is to build a CCPA-grade program and extend it to cover the incremental differences in each state.
How to Comply with the CCPA: Step-by-Step
A practical implementation sequence for a company building CCPA compliance from scratch.
1. Data Mapping
Inventory every system that touches California consumer data. For each system, record the categories of personal information, the source, the purpose, the retention period, and the third parties with whom data is shared. A complete data map is the foundation of every compliance control that follows.
2. Privacy Policy and Notices
Update or draft a CCPA-compliant privacy policy, at-collection notices, and (if applicable) financial incentive notices. Post them at the required locations on your website, in mobile apps, and at physical points of collection.
3. Rights Request Workflow
Build a ticketing or workflow system that can receive, verify, triage, and respond to consumer rights requests within 45 days, with an acknowledgment within 10 business days. The workflow must include:
- A published toll-free number and online form (an email address suffices for online-only businesses)
- A verification process that confirms the requester's identity to a degree of certainty proportional to the sensitivity of the request, without demanding more personal information than needed
- Handling for requests submitted through an authorized agent
- Internal routing to the teams that can locate, export, delete, or correct data, including instructions to service providers
- Response tracking and audit logs
- Annual metrics on request volume, outcomes, and median response time; businesses that buy, sell, or share the personal information of 10 million or more consumers a year must publish these metrics, and every business should track them
4. Opt-Out Mechanisms
If you sell or share personal information, you must:
- Publish a "Do Not Sell or Share My Personal Information" link on your homepage and on every page where personal information is collected (or a single "Your Privacy Choices" link that covers both the opt-out and the SPI limit)
- Honor Global Privacy Control signals from browsers
- Stop selling or sharing within 15 business days, and within that window notify any third parties to whom you sold or shared the consumer's data after the request so they stop as well
- Provide a "Limit the Use of My Sensitive Personal Information" link if you process SPI for purposes beyond those permitted by default
5. Vendor and Contract Management
Every service provider, contractor, and third party that receives personal information from you must be bound by a contract containing the clauses the statute and regulations require: a limit to the specified business purposes, a prohibition on selling or sharing the data or combining it with data from other sources, an obligation to comply with the CCPA and to notify you if it can no longer do so, cooperation with consumer rights requests, and your right to audit or otherwise verify compliance. Without those clauses a recipient is a third party, and disclosures to it count as a sale or share.
6. Employee Training
The regulations require that everyone responsible for handling consumer inquiries or rights requests is informed of the CCPA's requirements and how to direct consumers to exercise their rights. Train those employees at hire, and as a matter of practice repeat the training annually, collect a signed acknowledgment, and keep completion records for audit defense. Our security awareness training guide covers what to include.
7. Data Protection Assessments
The CPRA directed the CPPA to require risk assessments for processing that presents significant risk to consumers' privacy or security, and the regulations the agency adopted in 2025 spell out the triggers: selling or sharing personal information, processing sensitive personal information, and using automated decision-making technology for significant decisions about consumers, among others. Conduct and document the assessment before the processing begins, and keep it current. The same rulemaking added annual cybersecurity audit requirements for larger businesses on a phased schedule, so check the current compliance dates against your revenue and data volume.
8. Retention and Deletion
Establish and publish data retention periods for each category of personal information. Build automated deletion workflows that trigger at the end of the retention period or upon receiving a valid deletion request.
9. Security Controls
The CCPA requires "reasonable security procedures and practices" appropriate to the nature of the information. There is no statutory checklist, but the California Attorney General's 2016 data breach report stated that failing to implement the Center for Internet Security (CIS) Critical Security Controls indicates a lack of reasonable security, and that position has been cited ever since. A security program aligned to the CIS Controls, NIST CSF, ISO 27001, or SOC 2, with evidence that the controls actually operate, will typically satisfy the reasonableness standard.
10. Monitoring and Audit
Assign ownership of CCPA compliance to a named individual (often the privacy officer or general counsel), schedule annual reviews of the privacy policy, and maintain an audit trail of requests, training completion, vendor contracts, and data protection assessments.
Common CCPA Compliance Mistakes

Enforcement actions by the Attorney General and the CPPA through 2025 revealed the same set of mistakes repeatedly:
- Failing to treat behavioral advertising as a "sale" or "share." Most use of third-party advertising pixels qualifies as a sale or share under CCPA and requires an opt-out.
- Not honoring Global Privacy Control. This has been the single most common violation in recent enforcement actions.
- Incomplete privacy policies. Missing retention periods, missing categories of personal information, or outdated disclosures trigger enforcement in nearly every audit.
- Over-verification of rights requests. Asking for more personal information than necessary to verify a consumer's identity is itself a violation.
- Weak service provider contracts. Failing to include the statutory restrictions in vendor contracts shifts liability back to the business.
- No data protection assessment for high-risk processing. Especially around AI, automated decision-making, and employee monitoring.
Frequently Asked Questions
Does the CCPA apply to my business if I'm not based in California? Yes, if you do business in California, process California residents' personal information, and meet one of the three thresholds. A physical presence in the state is not required. Enforcement actions to date have named both California-headquartered and out-of-state companies.
What is the difference between CCPA and CPRA? CCPA is the original 2018 law. CPRA is a 2020 ballot initiative that amended CCPA. When people say "CCPA compliance requirements" today, they mean the combined CCPA/CPRA framework as currently enforced.
Do I need a privacy officer to comply with the CCPA? The CCPA does not require one, but it does require that the people handling consumer requests are trained, and a program with no owner rarely produces the policies, records, and assessments the law expects. Small businesses typically assign the role to a founder or general counsel; larger companies usually designate a privacy officer. Whatever the title, name an accountable owner and document that ownership.
How long do I have to respond to a CCPA rights request? 45 calendar days from receipt, with one 45-day extension permitted for complex requests. You must acknowledge receipt within 10 business days.
What counts as "selling" personal information under the CCPA? Disclosing personal information to a third party for monetary or other valuable consideration. This includes most third-party advertising arrangements, even if no money changes hands. The "sharing" definition covers cross-context behavioral advertising specifically.
Can I charge consumers for exercising their CCPA rights? No. The right to non-discrimination prohibits charging different prices or providing different service quality based on whether a consumer exercises their rights. A narrow exception exists for bona fide financial incentive programs, which must be disclosed in a notice of financial incentive.
Is CCPA compliance enough for other states? It is a strong starting point. A CCPA-grade program covers most Colorado, Virginia, Connecticut, and Utah requirements with minor adjustments. Texas, Oregon, and other states that have passed laws since 2023 have slightly different triggers and thresholds but the operational requirements are broadly aligned. A startup or SMB that builds to CCPA can usually extend to the other states with minimal incremental effort.
Bottom Line
CCPA compliance is not optional if you process California residents' personal information at scale. Build a defensible program around a complete data map, published notices, a verified rights request workflow, honored opt-out signals, vendor contracts with the required clauses, and reasonable security controls. Assign accountable ownership and document everything. The CPPA is enforcing actively in 2026, the state privacy landscape is expanding, and the cost of a preventable enforcement action is far higher than the cost of a credible compliance program.
Treat CCPA as the baseline for your broader privacy posture. It is the most demanding U.S. state law today and the model that other state legislatures and the federal privacy bills debated in Congress have most often borrowed from.
