The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents significant rights over their personal information. Businesses meeting certain thresholds must comply regardless of where they're located—if you serve California consumers, these rules may apply to you.
Who Must Comply?
The CCPA applies to for-profit businesses that collect California residents' personal information AND meet any of these thresholds: have annual gross revenue exceeding $25 million; buy, sell, or share the personal information of 100,000+ California residents; or derive 50% or more of revenue from selling personal information.
"Doing business in California" is broadly interpreted—online businesses serving California consumers can trigger compliance requirements.
What Is Personal Information?
The CCPA defines personal information broadly—any information that identifies, relates to, or could reasonably be linked with a consumer or household. This includes names, addresses, IP addresses, purchase history, browsing data, and much more.
The law distinguishes "sensitive personal information"—Social Security numbers, financial account details, precise geolocation, and similar data—which receives additional protections.
Consumer Rights Under CCPA
Right to know: Consumers can request what personal information you've collected, its sources, purposes for collection, and who received it.
Right to delete: Consumers can request deletion of their personal information, with some exceptions.
Right to correct: Consumers can request correction of inaccurate information.
Right to opt-out: Consumers can opt out of sales or sharing of their information.
Right to limit sensitive information use: Consumers can restrict how you use sensitive personal information.
You must respond to these requests within 45 days.
Privacy Policy Requirements
Your privacy policy must disclose categories of personal information collected in the past 12 months, purposes for collection, categories of third parties receiving the information, consumer rights and how to exercise them, whether you sell or share personal information, and contact information.
Update your policy at least annually. Include the date of last update.
"Do Not Sell or Share" Requirements
If you sell or share personal information, you must provide a clear "Do Not Sell or Share My Personal Information" link on your website. "Sharing" includes providing data to third parties for cross-context behavioral advertising—common in digital advertising.
Honor opt-out requests promptly and without penalizing consumers.
Service Provider Agreements
When you share data with service providers, contracts must restrict them from using the data for any purpose beyond providing services to you. Include required CCPA clauses in vendor agreements.
Non-Discrimination
You cannot discriminate against consumers who exercise CCPA rights. This means no denying goods or services, charging different prices, or providing different quality based on privacy choices.
Financial incentives for data collection are allowed but must be disclosed and reasonably related to the data's value.
Training and Record-Keeping
Train the employees who handle consumer inquiries on CCPA requirements. Keep records of consumer requests and responses for 24 months. Document your compliance program.
Enforcement
The California Attorney General and California Privacy Protection Agency enforce the CCPA. Violations can result in penalties of $2,500 per violation or $7,500 for intentional violations. Consumers can sue for data breaches resulting from failure to maintain reasonable security.
Steps Toward Compliance
Start with data mapping—understand what information you collect and how it flows. Update privacy policies. Implement processes for handling consumer requests. Review vendor agreements. Train employees. Monitor ongoing compliance.
Getting Legal Help
Privacy attorneys can assess whether CCPA applies to your business and help implement compliant programs. They draft policies, review data practices, and ensure you're prepared for regulatory inquiries.