The Ultimate Guide to CCPA Compliance: California Consumer Privacy Act Explained

The California Consumer Privacy Act has been in force since 2020, and the California Privacy Rights Act, which amends it, expanded it significantly in 2023. Yet a surprising number of businesses that are clearly in scope still haven’t built a proper compliance programme. The California Privacy Protection Agency is actively enforcing, fines are accumulating, and “we’re working on it” is no longer an acceptable posture.

If your company has California customers and meets any of the relevant thresholds, this guide tells you exactly what you’re required to do — and how to build a programme that holds up under scrutiny.

What Is the CCPA — and What Is the CPRA?

The California Consumer Privacy Act (CCPA) was signed into law in 2018 and took effect on January 1, 2020. It was the first comprehensive consumer privacy law in the United States, giving California residents meaningful rights over how businesses collect, use, and sell their personal information.

The California Privacy Rights Act (CPRA) — passed by ballot initiative in November 2020 and effective January 1, 2023 — significantly expanded the CCPA. It created a new enforcement agency (the California Privacy Protection Agency, or CPPA), added new consumer rights, introduced the concept of “sensitive personal information,” strengthened opt-out rights, and imposed stricter obligations on businesses that share data with third parties.

When people say “CCPA compliance” today, they almost always mean compliance with the CCPA as amended by the CPRA. The two laws are now effectively integrated into a single regulatory framework, enforced by both the CPPA and the California Attorney General.

Who Does the CCPA Apply To?

The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenues exceeding $25 million; annual buying, selling, or receiving for commercial purposes the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenues from selling or sharing consumers’ personal information.

The critical phrase is “does business in California.” This doesn’t mean you need to have a physical presence in the state. If you have California customers or website visitors whose data you collect, and you meet one of the thresholds, you’re almost certainly in scope — regardless of where your company is incorporated or headquartered. A company based in New York, London, or Toronto that sells to California residents and generates more than $25 million annually needs to comply with the CCPA.

Nonprofit organisations and government agencies are generally not subject to the CCPA, though there are nuances. Businesses subject to certain other federal privacy laws (like HIPAA for health data or GLBA for financial data) may find that some CCPA requirements don’t apply to data already covered by those laws — but only to that specific data, not their broader data practices.

What Rights Does CCPA Give Consumers?

The CCPA, as amended by the CPRA, grants California consumers six core privacy rights. Understanding these rights in concrete terms is essential because each right generates corresponding operational obligations for businesses.

The right to know requires businesses to disclose what personal information they collect, the purposes for which it’s used, the categories of third parties with whom it’s shared, and whether it’s sold or shared. This right has two components: the right to receive a privacy notice at or before collection, and the right to request specific information about the data collected about a particular consumer.

The right to delete allows consumers to request that a business delete their personal information, subject to certain exceptions. Exceptions include data needed to complete a transaction, data required for legal compliance, data used to detect security incidents, and data used for certain research purposes. When a consumer submits a deletion request, the business must also instruct its service providers and contractors to delete the same data.

The right to opt out of sale or sharing is one of the most operationally significant rights. Consumers can direct a business not to sell their personal information or share it with third parties for cross-context behavioural advertising. This right must be supported by a prominent “Do Not Sell or Share My Personal Information” link on the business’s homepage and any page that collects personal information.

The right to correct, added by the CPRA, allows consumers to request correction of inaccurate personal information. Businesses must make reasonable efforts to correct the information and direct service providers and contractors to make the same corrections.

The right to limit use of sensitive personal information, also added by the CPRA, allows consumers to restrict how businesses use certain categories of sensitive data — including precise geolocation, racial or ethnic origin, health information, financial account details, biometric data, and sexual orientation — to only the uses necessary to provide the requested service.

The right to non-discrimination prohibits businesses from discriminating against consumers who exercise their CCPA rights — for example, by denying service, charging higher prices, or providing a lower quality of service.

What Counts as “Personal Information” Under CCPA?

The CCPA’s definition of personal information is deliberately broad. It covers information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household.

This includes the obvious categories — names, email addresses, postal addresses, phone numbers, social security numbers, passport numbers, and financial account information. But it goes considerably further. IP addresses are personal information. Browsing history and search history are personal information. Inferences drawn from other data to create a profile about a consumer — their preferences, behaviour, attitudes, abilities — are personal information. Commercial information, including purchase history and products considered, is personal information.

Sensitive personal information receives additional protection under the CPRA. This category includes social security numbers, driver’s licence numbers, and passport numbers; financial account information combined with credentials; precise geolocation data; racial or ethnic origin; religious beliefs; union membership; contents of mail, email, and text messages; genetic data; biometric data used to identify a person; health information; and information about sexual orientation or sex life.

The practical implication is that almost any data you collect about consumers — including data you might not have considered “personal” in a traditional sense — falls within the CCPA’s scope.

What Counts as “Selling” Data?

The CCPA’s definition of “selling” is one of its most misunderstood provisions. It covers not just traditional data sales (exchanging personal information for money) but also disclosing personal information to a third party “for valuable consideration.” Valuable consideration doesn’t mean cash — it can include reciprocal data sharing, access to services, or other non-monetary benefits.

The CPRA added “sharing” as a separate concept covering disclosures of personal information to third parties for cross-context behavioural advertising, even if no money changes hands. This is specifically designed to capture the common practice of sharing data with advertising networks and data brokers in exchange for targeted advertising services.

The combined effect is that if you run advertising pixels, share data with analytics partners, use third-party ad targeting, or participate in any kind of data co-op or data exchange, you are almost certainly selling or sharing personal information under the CCPA’s definitions — and consumers have the right to opt out.

CCPA Technical and Operational Requirements

Complying with the CCPA requires building operational capabilities across several areas, not just updating your privacy policy.

Your privacy notice must disclose, at or before the point of collection, the categories of personal information you collect, the purposes for collecting it, the categories of third parties with whom you share it, the consumer rights available to California residents, and how to exercise those rights. The notice must be clear, accessible, and written in plain language.

The “Do Not Sell or Share My Personal Information” opt-out mechanism must be easy to find and genuinely functional. When a consumer opts out, you must stop selling or sharing their data within 15 business days. You must also pass the opt-out signal to all service providers and contractors who have received their data. The CPRA also requires businesses to recognise opt-out preference signals (like the Global Privacy Control) transmitted by consumers’ browsers or devices.
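As an added illustration (not part of the original article), the JavaScript below shows how a site can recognise the Global Privacy Control signal, which the GPC specification transmits as the `Sec-GPC: 1` request header and as `navigator.globalPrivacyControl` in the browser, and treat it as an opt-out that gates every tag the business's own data inventory has classified as selling or sharing. The tag list, the shape of the stored opt-out record and the function names are constructed for this example.

```javascript
// Added example: honouring the Global Privacy Control (GPC) opt-out
// preference signal before any "sale" or "sharing" of personal information.
//
// Per the GPC specification the signal arrives as the request header
// `Sec-GPC: 1` (header names are case-insensitive) and, in browsers, as
// `navigator.globalPrivacyControl === true`. Only the exact value "1" is a
// valid signal; any other value is treated as "no signal".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// A GPC signal and a recorded opt-out (e.g. the consumer clicked the
// "Do Not Sell or Share My Personal Information" link) both mean "do not
// sell or share". The signal is an opt-out in its own right: it must be
// honoured even when no opt-out record exists for the consumer.
function mayShareForCrossContextAds({ headers = {}, navigatorLike = null, optOutRecord = null }) {
  const gpc = gpcFromHeaders(headers) ||
    (navigatorLike !== null && navigatorLike.globalPrivacyControl === true);
  const optedOut = optOutRecord !== null && optOutRecord.optedOut === true;
  return !(gpc || optedOut);
}

// Constructed tag inventory: the `sellsOrShares` flag comes from the
// business's data map, which is what decides whether a given third-party
// tag discloses personal information for cross-context behavioural ads.
const TAGS = [
  { id: "first-party-analytics", sellsOrShares: false },
  { id: "ad-network-pixel", sellsOrShares: true },
];

// Returns the ids of the tags that may load for this request. Tags flagged
// as selling or sharing are suppressed whenever the consumer has opted out
// by any route; the remaining tags are unaffected.
function allowedTags(ctx) {
  const share = mayShareForCrossContextAds(ctx);
  return TAGS.filter((t) => !t.sellsOrShares || share).map((t) => t.id);
}
```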

Data subject request handling requires a verifiable process for receiving and responding to consumer requests. You must provide at least two methods for submitting requests: for businesses with an online presence, this means a web form or interactive technology, plus a toll-free phone number. You have 45 days to respond to requests, with a one-time 45-day extension if you notify the consumer. For deletion and correction requests, you must also notify your service providers and contractors.

Vendor contracts — called data processing agreements — are required with all service providers, contractors, and third parties that receive personal information. These contracts must include specific CCPA-mandated terms, including the nature and purpose of the processing, restrictions on using the data for other purposes, and requirements to flow down obligations to subcontractors.

Data inventory and mapping is foundational. You can’t respond to consumer requests, comply with opt-out obligations, or manage vendor relationships without knowing what personal information you collect, where it comes from, where it goes, and how long you keep it.

CPRA Additions: What Changed in 2023

The most significant practical change introduced by the CPRA is the creation of the California Privacy Protection Agency — a dedicated enforcement body with subpoena power, rulemaking authority, and the ability to audit businesses proactively, not just in response to complaints.

The CPRA also introduced data minimisation and purpose limitation requirements, borrowed from GDPR. Businesses must not collect more personal information than is reasonably necessary for the disclosed purpose, and must not retain it longer than necessary.

Cybersecurity audits and risk assessments became required for businesses whose processing activities present significant risks to consumers — a requirement that the CPPA continues to develop detailed regulations around.

The rules on automated decision-making technology are also evolving. The CPPA has proposed regulations that would give consumers rights to opt out of automated decision-making that significantly affects them — rights that parallel, though don’t perfectly replicate, GDPR’s restrictions on automated processing.

CCPA Enforcement and Fines

The California Attorney General handled CCPA enforcement from 2020 through 2022, with a grace period that ended in July 2020. The CPPA took over rulemaking and enforcement authority in 2023 and has moved more aggressively.

Fines under the CCPA are $2,500 per unintentional violation and $7,500 per intentional violation. The “per violation” framing matters: a business that fails to honour opt-out requests from 50,000 consumers could theoretically face $125 million in fines. High-profile enforcement actions have targeted companies in advertising technology, retail, and the mobile app ecosystem.

The CCPA also contains a private right of action for data breaches involving certain categories of personal information. Consumers whose non-encrypted, non-redacted personal information is exposed in a breach resulting from a failure to implement reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.

CCPA vs. GDPR: Key Differences and Overlaps

The CCPA and GDPR cover similar territory — consumer privacy rights, transparency obligations, data security — but they approach the problem differently in important ways.

GDPR is opt-in by design: businesses generally need a lawful basis (like consent or legitimate interest) before processing personal data. The CCPA is opt-out by design: businesses can collect and use most personal information freely, but consumers have the right to direct them to stop selling or sharing it.

GDPR applies to any organisation that processes EU residents’ data, regardless of size. The CCPA applies only to for-profit businesses meeting specific revenue or data processing thresholds — many small businesses are not in scope.

GDPR’s requirements for data subject rights are broader: it requires responses within 30 days (versus 45 under CCPA), and its right of erasure and right to object cover more ground. CCPA’s private right of action for breaches is more limited than GDPR’s complaint mechanism, but it’s direct litigation — more immediate and expensive when it applies.

For companies that need to comply with both, building a programme that meets GDPR’s higher standard on most issues will substantially satisfy CCPA requirements, with some CCPA-specific additions (the “Do Not Sell or Share” mechanism, the dual submission channels for requests) required on top.

CCPA Compliance Checklist: Where to Start

The first step is determining whether you’re in scope — and being honest about it. If your revenues are close to $25 million or your consumer data volumes are near 100,000 records, get a definitive answer before deciding the CCPA doesn’t apply to you.

The second step is a data inventory. Map what personal information you collect, from whom, for what purpose, who you share it with, and how long you keep it. This exercise is foundational to everything else.

The third step is updating your privacy notice to meet CCPA disclosure requirements and ensuring it’s accessible at or before collection on all channels.

The fourth step is building your consumer rights programme: intake mechanisms, verification processes, response workflows, and documentation. Test these end-to-end before you go live.

The fifth step is auditing your vendor relationships and updating contracts to include CCPA-required terms with all service providers and contractors.

The sixth step is implementing the “Do Not Sell or Share” mechanism and ensuring it actually works — technically and operationally — including passing opt-out signals to downstream partners.

The seventh step is an ongoing privacy governance programme: training, annual reviews, incident response, and keeping pace with the CPPA’s evolving regulations.

Need help building a CCPA compliance programme? Soter Advisory works with companies at every stage — from initial data mapping through to programme implementation and ongoing support. Book a free consultation →