as of March 2026
⚠️ CPRA is now in full effect. The California Privacy Rights Act (CPRA) took full effect January 1, 2023, expanding CCPA rights and creating the California Privacy Protection Agency (CPPA) with independent enforcement authority. Businesses must comply with CCPA as amended by CPRA. (CPPA)
What Is CCPA / CPRA?
The California Consumer Privacy Act (CCPA) (Cal. Civ. Code §§ 1798.100–1798.199) became effective January 1, 2020. It was the first comprehensive consumer privacy law in the United States, granting California residents fundamental rights over their personal information held by businesses. (CA AG)
The California Privacy Rights Act (CPRA) was approved by California voters in November 2020 (Proposition 24) and took full effect January 1, 2023. CPRA significantly expanded CCPA by adding new consumer rights, creating a new category of sensitive personal information, establishing the California Privacy Protection Agency (CPPA), and extending opt-out rights to cover data "sharing" for advertising purposes.
- $7,500: Max fine per intentional violation
- $2,500: Max fine per unintentional violation
- $1.2M: Sephora settlement (first enforcement, Aug 2022)
- 45 days: Response window for consumer requests
- $25M: Annual revenue threshold for applicability
- $750: Private right of action per consumer per data breach incident
Who Must Comply with CCPA / CPRA?
CCPA applies to for-profit businesses that collect personal information from California residents AND meet at least one of the following thresholds: (Cal. Civ. Code § 1798.140(d))
- Revenue threshold: Annual gross revenues over $25 million (as of January 1 of the prior calendar year)
- Data volume threshold: Annually buys, sells, receives, or shares personal information of 100,000 or more consumers or households for commercial purposes (raised from 50,000 by CPRA)
- Revenue from data threshold: Derives 50% or more of annual revenues from selling or sharing consumers' personal information
Also subject to CCPA obligations:
- Service providers: Businesses that process personal information on behalf of a CCPA-covered business under a written contract
- Contractors: Persons to whom a business makes personal information available for a business purpose (CPRA addition)
- Third parties: Entities that receive personal information for their own purposes beyond a service relationship
ℹ️ Geographic scope: CCPA protects California residents regardless of where the business is located. A business in Texas, New York, or Europe that collects data from California residents must comply. Unlike GDPR, CCPA does not require a "targeting" element — simply collecting data from a California resident triggers obligations if the business thresholds are met.
Consumer Rights Under CCPA / CPRA
CCPA grants California residents seven enforceable rights. Businesses must respond to verifiable consumer requests within 45 days (extendable once by another 45 days for complex requests). (Cal. Civ. Code § 1798.100)
Sensitive Personal Information (CPRA Addition)
CPRA created a new category of Sensitive Personal Information (SPI) that carries heightened protections. Consumers have the right to limit the use and disclosure of SPI to only what is necessary to perform requested services. (Cal. Civ. Code § 1798.140(ae))
Categories of Sensitive Personal Information:
- Social security, driver's license, state identification card, or passport number
- Account log-in, financial account, debit/credit card number in combination with any required access code
- Precise geolocation (within 1,850 feet / 1/4 mile radius)
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information for uniquely identifying a consumer
- Personal information collected and analyzed concerning health
- Personal information collected and analyzed concerning sex life or sexual orientation
Business Obligations
Notice Requirements
- Notice at collection (§ 1798.100(b)): Before or at the time of collection, inform consumers about categories of personal information collected and purposes for use
- Privacy policy (§ 1798.130): Must be updated annually; include all CCPA disclosures; post conspicuously online
- "Do Not Sell or Share" link: Must appear on the homepage if business sells or shares personal information; consumers can opt out without creating an account
- Global Privacy Control (GPC): Businesses must honor GPC browser signals as valid opt-out requests (CPPA enforcement position)
Request Handling
- Designate at least two methods for submitting requests (toll-free number + website form, for businesses operating primarily online)
- Verify consumer identity before disclosing or deleting data (without creating a mandatory account)
- Respond to requests within 45 days; extend once by 45 days with notice
- Do not charge a fee for complying with requests (subject to excessive/unfounded request exceptions)
- Maintain records of consumer requests and responses for 24 months
Service Provider / Contractor Contracts
- Written contracts with service providers must prohibit them from selling/sharing data, retaining/using/disclosing data beyond the business purpose, or combining data with other sources outside the service relationship
- CPRA requires equivalent contracts with "contractors" (a new CPRA-defined category)
Enforcement & Penalties
CCPA enforcement is split between the California Attorney General (AG) and the California Privacy Protection Agency (CPPA), which has rulemaking and enforcement authority as of July 2023. (CA AG CCPA)
| Violation Type | Penalty | Enforcer |
|---|---|---|
| Unintentional violation | Up to $2,500 per violation | AG / CPPA |
| Intentional violation | Up to $7,500 per violation | AG / CPPA |
| Violation involving minors' data (under 16) | Up to $7,500 per violation (same as intentional — CPPA treats as intentional) | AG / CPPA |
| Data breach (private right of action) | $100–$750 per consumer per incident, or actual damages if greater; injunctive/declaratory relief | Private plaintiff |
Notable CCPA Enforcement Actions
| Company | Fine/Settlement | Date | Violation |
|---|---|---|---|
| Sephora | $1.2M | Aug 2022 | Selling consumer data without disclosing; failing to process opt-out requests; not honoring Global Privacy Control signals — first CCPA enforcement action |
| DoorDash | $375K | Feb 2024 | Sharing personal information with a marketing cooperative without proper disclosure or right to opt out |
Source: California Attorney General Office (oag.ca.gov)
CCPA vs. GDPR: Key Differences
| Feature | CCPA / CPRA | GDPR |
|---|---|---|
| Jurisdiction | California residents only | EU/EEA residents globally |
| Applies to | For-profit businesses meeting size thresholds | Any organization processing EU data (no size threshold) |
| Legal basis required? | No — focus on transparency and opt-out | Yes — one of 6 lawful bases required |
| Opt-out vs. Opt-in | Opt-out model (consent not required for most processing) | Opt-in consent required for most processing |
| Max fine | $7,500 per intentional violation (no global turnover calculation) | €20M or 4% of global annual turnover |
| DPO required? | No | Yes (for certain organizations) |
| Breach notification | No dedicated timeline; California breach law requires expedient notice | 72 hours to supervisory authority |
| Private right of action | Yes — for data breaches ($100–$750/consumer) | Yes — for GDPR violations (damages) |
CCPA / CPRA Compliance Checklist
- Determine applicability: revenue > $25M, or data on 100K+ consumers/households, or 50%+ revenue from selling/sharing data
- Complete data mapping: document all personal information collected, sources, purposes, and third-party sharing
- Update privacy policy to include all required CCPA disclosures; post conspicuously at homepage
- Add "Do Not Sell or Share My Personal Information" link to homepage (if business sells or shares PI)
- Implement Global Privacy Control (GPC) signal honoring for opt-out requests
- Designate two request submission methods (toll-free number + web form for primarily online businesses)
- Build consumer request workflow: receive, verify identity, fulfill/deny within 45 days
- Implement "Limit the Use of My Sensitive Personal Information" link if SPI is used beyond permitted purposes
- Update all service provider and contractor contracts to include required CPRA contractual provisions
- Do not discriminate against consumers exercising CCPA rights
- For financial incentive programs (loyalty): provide separate opt-in consent and explain material terms
- Implement age-gating: do not sell data of consumers under 13 without opt-in consent; under 16 requires opt-in (not opt-out)
- Maintain records of all consumer requests and responses for 24 months
- Conduct annual compliance review; update privacy policy at least once every 12 months
(CPPA Regulations)
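The Global Privacy Control requirement in the notice section and the checklist above is a concrete server-side mechanism: a browser with GPC enabled sends the `Sec-GPC: 1` request header, and a business that sells or shares personal information must treat that header as a valid opt-out. The following is an added example (not code from the page or from the CPPA) showing how a web backend could detect the signal and record the opt-out; the `ConsumerPrefs` record and `may_share_for_ads` gate are hypothetical names standing in for whatever preference store an ad-tech integration consults.

```python
"""Honouring a Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out.

The GPC specification sends the request header `Sec-GPC: 1` when a user
has turned the signal on. Any other value, or the header's absence, is
not a signal. Added example; ConsumerPrefs is a hypothetical record type.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

GPC_HEADER = "sec-gpc"  # header names are case-insensitive on the wire


def has_gpc_signal(headers: Dict[str, str]) -> bool:
    """True only if the request carries `Sec-GPC` with the exact value '1'."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPrefs:
    """Hypothetical per-consumer (or per-browser) preference record."""
    consumer_id: str
    sell_share_opt_out: bool = False
    opt_out_source: Optional[str] = None
    opt_out_at: Optional[datetime] = None
    history: List[str] = field(default_factory=list)


def apply_gpc(prefs: ConsumerPrefs, headers: Dict[str, str],
              now: Optional[datetime] = None) -> ConsumerPrefs:
    """Record a GPC signal as a valid request to opt out of sale/sharing.

    A later request without the signal does not re-enable sharing: the
    opt-out stands until the consumer affirmatively opts back in.
    """
    now = now or datetime.now(timezone.utc)
    if has_gpc_signal(headers) and not prefs.sell_share_opt_out:
        prefs.sell_share_opt_out = True
        prefs.opt_out_source = "gpc"
        prefs.opt_out_at = now
        prefs.history.append(f"{now.isoformat()} opt-out via GPC")
    return prefs


def may_share_for_ads(prefs: ConsumerPrefs) -> bool:
    """Gate every ad pixel / cross-context sharing call on this flag."""
    return not prefs.sell_share_opt_out
```

Keeping the `history` entries satisfies the 24-month request-record obligation listed in the checklist, since a GPC signal is itself a consumer request.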