The California Consumer Privacy Act (CCPA), effective January 1, 2020, and substantially amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, gives California residents broad rights over their personal information and imposes significant compliance obligations on businesses that collect it.
Unlike GDPR, which applies to essentially any processing of personal data belonging to people in the EU, CCPA is triggered by specific business thresholds, so it applies to some companies and not to others. This guide explains who must comply, what the law requires, and what you need on your website.
What is CCPA?
CCPA was enacted in 2018 and took effect in 2020, making California the first US state with a comprehensive consumer privacy law. The CPRA amendment, passed by California voters in 2020 and effective from 2023, significantly expanded the law's scope and created a dedicated enforcement agency.
Who Does CCPA Apply To?
CCPA applies to for-profit businesses that collect personal information from California residents AND meet at least one of the following thresholds:
- Annual gross revenues exceeding $25 million
- Annually buys, sells, receives, or shares for commercial purposes the personal information of 100,000 or more consumers or households
- Derives 50% or more of annual revenues from selling or sharing consumers' personal information
Crucially, CCPA applies regardless of where the business is located. A company based in Texas, the UK, or Australia must comply if it meets these thresholds and has California customers.
Who is Exempt?
- Non-profit organizations
- Businesses that do not meet any of the three thresholds above
- Certain data covered by other laws (e.g., HIPAA health data, GLBA financial data)
- Employee and B2B data: partially exempt under the original CCPA, but those exemptions expired on January 1, 2023, so this data is now covered in full
What Personal Information Does CCPA Cover?
CCPA's definition of "personal information" is intentionally broad. It includes:
- Identifiers: name, alias, postal address, email, IP address, account name, SSN, driver's license number
- Commercial information: products purchased, purchasing histories
- Internet activity: browsing history, search history, interactions with websites or ads
- Geolocation data
- Audio, electronic, visual, or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from any of the above to create a profile
The CPRA added a new category: sensitive personal information, which includes Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, health information, and sexual orientation. Consumers have additional rights to limit the use of this data.
California Consumer Rights Under CCPA/CPRA
California residents have the following rights under the combined CCPA/CPRA framework:
- Right to Know: The right to know what personal information is collected, used, disclosed, and sold about them — both categories and specific pieces.
- Right to Delete: The right to request deletion of their personal information (with some exceptions for legal, security, or transactional purposes).
- Right to Correct: The right to correct inaccurate personal information (added by CPRA).
- Right to Opt Out of Sale/Sharing: The right to opt out of the sale or sharing of their personal information, including for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: The right to limit use of sensitive PI to only what is necessary to provide the service (added by CPRA).
- Right to Non-Discrimination: Businesses cannot deny service, charge different prices, or provide inferior quality to consumers who exercise their privacy rights.
- Right to Data Portability: The right to receive their personal information in a portable format.
The "Do Not Sell or Share My Personal Information" Requirement
If your business sells or shares personal information — including sharing for cross-context behavioral advertising (e.g., Facebook Pixel, Google remarketing) — you must:
- Post a clear and conspicuous link on your homepage titled "Do Not Sell or Share My Personal Information"
- Honor opt-out requests within 15 business days
- Wait at least 12 months before asking a consumer who has opted out to re-authorize the sale or sharing of their personal information
Many businesses are surprised to learn that using advertising pixels constitutes "sharing" personal information under CPRA — triggering this requirement even without a traditional "sale" of data.
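The practical consequence of the pixel-as-sharing point is that the opt-out must actually stop the advertising tags from loading, not just record a preference. The following is an added example (not code from the original page, and not any vendor's library) of a small tag gate that a site could use: it parses the cookie string, treats either an opt-out cookie or the browser's Global Privacy Control signal (`navigator.globalPrivacyControl`, an opt-out preference signal the CPPA's regulations require businesses to honor, though the page above does not discuss it) as an opt-out, returns only the tags that may load, and builds the `Set-Cookie` value to persist the choice. The cookie name `ccpa_opt_out`, the tag list and the script URLs are assumptions for illustration.

```javascript
// Added example: gating third-party advertising tags behind a CCPA/CPRA opt-out.
// Cookie name, tag list and script URLs are assumed for illustration only.

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed cookie name
const OPT_OUT_VALUE = '1';

// Tags that "share" personal information for cross-context behavioral
// advertising and therefore must not load once the consumer has opted out.
// Illustrative entries; adapt to the tags your site actually uses.
const SHARING_TAGS = [
  { name: 'facebook-pixel', src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { name: 'google-remarketing', src: 'https://www.googletagmanager.com/gtag/js' },
];

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch (e) {
      value = raw; // malformed percent-encoding: keep the raw value
    }
    if (name) out[name] = value;
  }
  return out;
}

// True when the consumer has opted out, either via the site's own cookie
// (set when they click "Do Not Sell or Share My Personal Information")
// or via the Global Privacy Control signal sent by the browser.
function hasOptedOut(cookieString, gpcSignal) {
  if (gpcSignal === true) return true;
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === OPT_OUT_VALUE;
}

// Names of the tags that may load for this request. An opted-out consumer
// gets none of them; the caller injects <script> elements only for these.
function tagsAllowed(cookieString, gpcSignal, tags = SHARING_TAGS) {
  return hasOptedOut(cookieString, gpcSignal) ? [] : tags.map((t) => t.name);
}

// Set-Cookie header value the server sends after an opt-out click. Kept for
// one year, which covers the 12 months that must pass before the business may
// ask again. Secure and SameSite=Lax so it cannot be set over plain HTTP or
// cleared by a cross-site request.
function optOutSetCookie(now = new Date()) {
  const expires = new Date(now.getTime() + 365 * 24 * 60 * 60 * 1000);
  return `${OPT_OUT_COOKIE}=${OPT_OUT_VALUE}; Path=/; Expires=${expires.toUTCString()}; Secure; SameSite=Lax`;
}

// Browser entry point: reads document.cookie and the GPC signal, then injects
// only the permitted tags. Returns the names loaded; a no-op outside a browser.
function loadTags() {
  if (typeof document === 'undefined') return [];
  const gpc = typeof navigator !== 'undefined' ? navigator.globalPrivacyControl : undefined;
  const allowed = new Set(tagsAllowed(document.cookie, gpc));
  for (const tag of SHARING_TAGS) {
    if (!allowed.has(tag.name)) continue;
    const s = document.createElement('script');
    s.async = true;
    s.src = tag.src;
    document.head.appendChild(s);
  }
  return [...allowed];
}
```

Two design points worth noting: the decision is made before any vendor script is fetched, because a pixel that loads and then reads a consent flag has usually already transmitted the page URL and the consumer's IP address; and the opt-out is stored server-set and `Secure`, not only in `localStorage`, so it is visible to server-side rendering and to any tag logic that runs before client scripts execute.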
What Your Privacy Policy Must Include Under CCPA
CCPA requires your privacy policy to include:
- Categories of personal information collected in the past 12 months
- The purposes for which each category is used
- Categories of personal information sold or shared in the past 12 months
- Categories of third parties to whom personal information is disclosed
- The rights California consumers have and how to exercise them
- Contact information for submitting privacy requests
- If you sell or share the personal information of consumers under 16: details about the opt-in consent process (consent from the consumer if aged 13 to 15, or from a parent or guardian if under 13)
Your privacy policy must be updated at least once every 12 months.
CCPA vs CPRA: Key Differences
The CPRA, which amended CCPA effective January 1, 2023, introduced several important changes:
- Raised the data processing threshold from 50,000 to 100,000 consumers/households
- Created the California Privacy Protection Agency (CPPA) as an independent regulator
- Added the right to correct inaccurate information
- Added protections for sensitive personal information
- Introduced data minimization and purpose limitation requirements (similar to GDPR)
- Required data retention disclosures
- Extended employee and B2B data protections
Frequently Asked Questions
Who does CCPA apply to?
CCPA applies to for-profit businesses that collect personal information from California residents AND meet at least one of these thresholds: annual gross revenue over $25 million; buying, selling, or sharing personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing consumers' personal information.
What is the "Do Not Sell or Share My Personal Information" link?
Businesses subject to CCPA that sell or share personal information must provide a clear and conspicuous link on their homepage titled "Do Not Sell or Share My Personal Information." Clicking this link must allow California residents to opt out of the sale or sharing of their data, including for cross-context behavioral advertising.
What is the CPRA?
The CPRA (California Privacy Rights Act) is an amendment to CCPA that took effect January 1, 2023. It added new rights (right to correct, right to limit use of sensitive personal information), created the California Privacy Protection Agency (CPPA) as an independent enforcement body, and introduced the concept of "sharing" data for cross-context behavioral advertising.
What are the penalties for non-compliance?
CCPA penalties are up to $2,500 per unintentional violation and $7,500 per intentional violation. For data breaches caused by a failure to maintain reasonable security, consumers have a private right of action for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. The California Privacy Protection Agency can also impose additional civil penalties.