RiskWatch
Compliance guide · ~11 min read · Updated June 2026

What is the CCPA?

The CCPA (California Consumer Privacy Act) is a state law, effective 1 January 2020, that gives California residents rights over the personal information businesses collect about them: to know it, delete it, and opt out of its sale or sharing. It was expanded by the CPRA in 2023 and is enforced by the California Privacy Protection Agency and the state Attorney General.

Jurisdiction: California
Effective: Jan 2020
Expanded by: CPRA, 2023
Regulator: CPPA

01 · Definition

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state privacy law that gives California residents control over the personal information that businesses collect about them. Signed in 2018 and effective on 1 January 2020, it was the first comprehensive consumer privacy law in the United States and has shaped the wave of state privacy laws that followed.

In 2020, California voters passed the California Privacy Rights Act (CPRA), which amended and strengthened the CCPA, took full effect on 1 January 2023, and created a dedicated regulator, the California Privacy Protection Agency (CPPA). When people refer to the CCPA today, they generally mean the law as amended by the CPRA.

"The CCPA gives consumers more control over the personal information that businesses collect about them."

California Office of the Attorney General
Consumer

A California resident whose personal information a business collects. The CCPA exists to protect them.

Business

A for-profit entity that meets a threshold and decides the purposes and means of processing personal information.

Personal information

Information that identifies or could reasonably be linked to a California consumer or household. Broadly defined.

02 · Scope

Who must comply with the CCPA

The CCPA applies to a for-profit business that does business in California, collects residents' personal information, and meets at least one of three thresholds. You do not need an office in California to be covered.

$25M+ annual gross revenue

The business has annual gross revenue over $25 million.

100,000+ consumers or households

It buys, sells, or shares the personal information of 100,000 or more California consumers or households (raised by the CPRA from 50,000).

50%+ revenue from data

It derives 50% or more of its annual revenue from selling or sharing consumers' personal information.

Meeting any one threshold brings you in scope. The CCPA also reaches entities that control or are controlled by a covered business and share branding, and it imposes obligations on service providers, contractors, and third parties that receive personal information.

03 · Consumer rights

The rights the CCPA gives consumers

California residents hold a set of enforceable rights over their personal information. The opt-out of sale or sharing is the CCPA's defining feature, and the CPRA added two more.

Right to know

Consumers can request the categories and specific pieces of personal information a business has collected, the sources, the purposes, and the third parties it is shared with.

Right to delete

Consumers can request deletion of personal information a business has collected from them, subject to a set of statutory exceptions.

Right to opt out of sale or sharing

Consumers can direct a business not to sell or share their personal information, including for cross-context behavioural advertising. This is the CCPA's signature right.

Right to correct

Added by the CPRA: consumers can request correction of inaccurate personal information a business holds about them.

Right to limit sensitive data use

Added by the CPRA: consumers can limit the use and disclosure of sensitive personal information (such as precise geolocation, race, health, or account credentials) to specified purposes.

Right to non-discrimination

A business cannot deny goods or services, charge different prices, or provide a different level of quality because a consumer exercised their CCPA rights.

04 · The CPRA

How the CPRA changed the CCPA

The California Privacy Rights Act, effective 1 January 2023, is the most important amendment to the CCPA. If you are building a programme today, you are really complying with the CCPA as the CPRA rewrote it.

  • Created the category of "sensitive personal information" and the right to limit its use
  • Added the right to correct inaccurate personal information
  • Extended obligations to "sharing" for cross-context behavioural advertising, not just "selling"
  • Established the California Privacy Protection Agency (CPPA) as a dedicated regulator and rule-maker
  • Removed the automatic 30-day right to cure before enforcement in many cases
  • Introduced risk-assessment and cybersecurity-audit expectations for higher-risk processing

05 · Obligations

What businesses must do

The rights above translate into concrete operational obligations for a covered business.

Notice at collection

Tell consumers, at or before collection, what personal information you collect and the purposes, plus a link to your privacy policy.

"Do Not Sell or Share" link

Provide a clear, conspicuous opt-out link, plus a way to limit the use of sensitive personal information, and honour browser opt-out signals.

Respond to requests

Handle verifiable consumer requests to know, delete, correct, and opt out, generally within 45 days, through at least two methods.

Contract with vendors

Put CCPA-compliant terms in place with service providers, contractors, and third parties that receive personal information.

06 · Comparison

CCPA vs GDPR

The two most-referenced privacy laws share goals but differ in mechanism. If you comply with the GDPR you are well ahead on the CCPA, but they are not interchangeable.

CCPA compared with GDPR.

| Aspect       | CCPA (with CPRA)                              | GDPR                                                  |
|--------------|-----------------------------------------------|-------------------------------------------------------|
| Scope        | For-profit businesses meeting a threshold     | Almost any organisation processing EU personal data   |
| Model        | Opt-out of sale or sharing                    | Lawful basis required, often opt-in consent           |
| Lawful basis | Not required to process                       | One of six bases required                             |
| Penalties    | Up to $2,500 / $7,500 per violation           | Up to €20M or 4% of global turnover                   |

For the full picture on the European side, see our guide to what GDPR is.

07 · Enforcement

CCPA penalties

The California Attorney General and the California Privacy Protection Agency enforce the CCPA. They can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or for violations involving the personal information of consumers under 16.

Separately, consumers have a limited private right of action for certain data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Because each affected individual can count, breach exposure can scale quickly.

  • $2,500 per violation
  • $7,500 per intentional violation, or violations involving minors under 16
  • $100–$750 per consumer per incident (data breach, private right of action)

08 · Implementation

How to comply with the CCPA

Six steps that move a business from exposed to defensible. The throughline is the same as every modern privacy law: know your data, honour the rights, and keep the evidence.

  1. Confirm you are in scope

     Check the three thresholds (revenue, volume of consumers, or revenue from selling/sharing data). If you meet any one and do business in California, you are covered.

  2. Map personal information

     Inventory the personal and sensitive personal information you collect, the sources, the business and commercial purposes, and every third party you disclose, sell, or share it with.

  3. Update privacy notices

     Publish a compliant privacy policy and notices at collection that disclose categories, purposes, retention, and consumer rights, refreshed at least every 12 months.

  4. Add opt-out and limit mechanisms

     Provide a clear "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" mechanism, and honour opt-out preference signals.

  5. Operationalise consumer requests

     Stand up verifiable request handling for know, delete, correct, and opt-out, generally responding within 45 days, with at least two designated request methods.

  6. Govern contracts and stay audit-ready

     Put CCPA-compliant terms in contracts with service providers, contractors, and third parties, and keep records that demonstrate compliance. The CPRA adds risk assessment and audit expectations for higher-risk processing.

Manage privacy with the rest of your risk
Run CCPA as a scored, audit-ready assessment.

RiskWatch maps CCPA and CPRA obligations to a shared control library, runs data-protection risk assessments, tracks remediation to closure, and keeps a timestamped record, with privacy sitting alongside your other compliance frameworks.

09 · Frequently asked

CCPA, answered

The questions people search most when they first encounter the law.

What is the CCPA?

The CCPA is the California Consumer Privacy Act, a state law that gives California residents rights over the personal information that businesses collect about them. Enacted in 2018 and effective on 1 January 2020, it was the first comprehensive consumer privacy law in the United States. It lets consumers know what data is collected, delete it, opt out of its sale or sharing, and not be discriminated against for exercising those rights.

What does CCPA stand for?

CCPA stands for the California Consumer Privacy Act. It was significantly amended and expanded by the California Privacy Rights Act (CPRA), sometimes called "CCPA 2.0," which took full effect on 1 January 2023 and created a dedicated regulator, the California Privacy Protection Agency (CPPA).

Who has to comply with the CCPA?

A for-profit business that does business in California, collects California residents' personal information, and meets at least one of three thresholds: (1) annual gross revenue over $25 million; (2) buys, sells, or shares the personal information of 100,000 or more California consumers or households; or (3) derives 50% or more of its annual revenue from selling or sharing consumers' personal information. A business does not need a physical presence in California to be covered.

What rights does the CCPA give consumers?

Californians have the right to know what personal information is collected and how it is used and shared, the right to delete it, the right to opt out of its sale or sharing, and the right not to be discriminated against for exercising their rights. The CPRA added the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information.

What is the difference between the CCPA and the CPRA?

The CCPA is the original 2018 law. The CPRA (California Privacy Rights Act) is a 2020 ballot measure that amended and strengthened it, effective 1 January 2023. The CPRA added the rights to correct and to limit sensitive data, created the category of "sensitive personal information," extended obligations to "sharing" for advertising, established the California Privacy Protection Agency, and removed the automatic 30-day cure period in many cases. When people say "CCPA" today, they usually mean the law as amended by the CPRA.

What is the difference between the CCPA and GDPR?

Both protect personal data and grant access and deletion rights, but they differ in approach. The GDPR applies broadly to almost any organisation processing EU personal data and requires a lawful basis (often opt-in consent) before processing. The CCPA applies to businesses meeting size or data-volume thresholds, does not require a lawful basis to process, and centres on an opt-out model for the sale or sharing of personal information. GDPR fines scale to global turnover; CCPA penalties are per-violation.

What are the penalties for violating the CCPA?

The California Attorney General and the California Privacy Protection Agency can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or violations involving the personal information of consumers under 16. In addition, consumers have a limited private right of action for certain data breaches, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.

Does the CCPA apply to businesses outside California?

Yes. The CCPA applies to any qualifying for-profit business that collects the personal information of California residents and does business in California, regardless of where the business is located. A company based in another state or country can be covered if it meets a threshold and serves Californians.

From the statute to a defensible program

Turn CCPA obligations into provable evidence.

CCPA and CPRA obligations mapped to a shared control library, data-protection risk assessments, remediation tracking, and a timestamped audit trail. 30-day free trial, no credit card.
