The California Consumer Privacy Act (CCPA) is the first and most influential consumer privacy law passed in the U.S. Since it came into effect in 2020, it has shaped subsequent privacy legislation in other states.
Navigating the CCPA’s requirements can be complex. It intersects, now or once they take effect, with a variety of other California laws passed since, like the California Age-Appropriate Design Code Act, California Delete Act, and California Opt-Out Preference Signal / Opt Me Out Act, as well as with federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA).
However, the CCPA has its own unique guidelines that you need to be aware of if you do business in California and meet the compliance thresholds.
In this article, we explore the CCPA’s obligations for businesses, including all 2025 updates. We unpack when the law applies, what it means in practice, and best practices to achieve and maintain compliance.
At a glance
- The CCPA, as amended by the CPRA, regulates how certain for-profit businesses collect, use, share, and sell Californians’ personal information.
- The CCPA covers personal information linked to a consumer or household and provides additional protections for sensitive personal information.
- The law follows an opt-out model for adults, requires opt-in for minors under 16, and mandates clear opt-out and limitation mechanisms.
- Businesses must provide a notice at collection, a clear privacy policy, and honor consumer rights requests.
- New regulations phased in from 2026 to 2028 add requirements for automated decision-making disclosures, cybersecurity audits, and risk assessments.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a U.S. state-level consumer privacy law that was passed in 2018 and came into effect on January 1, 2020. It applies exclusively to California residents, known as “consumers” under the law, and regulates the protection of their personal information.
Under the CCPA, a resident is any individual:
- Who is in the state for other than a temporary or transitory purpose
- Who is domiciled in the state but is outside it for a temporary or transitory purpose
Although the CCPA is a state law, it has considerable influence. This is largely because California is the most populous U.S. state, with almost 40 million residents, the world’s fifth-largest economy, and the headquarters of many global tech companies.
The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023. It granted additional rights to consumers and established the California Privacy Protection Agency (CPPA, also known as CalPrivacy), among other things.
What’s new to the CCPA? 2025 updates
In July 2025, the CPPA voted to adopt new regulations to update existing regulations and add more requirements for businesses. Implementation will be staggered over two years, starting in January 2026 and ending in April 2028.
Here’s what you need to be aware of.
Automated Decision-Making Technology (ADMT)
Effective from January 1, 2027, you are required to provide a clear disclosure before using ADMT to make a significant decision about a consumer. You must include:
- The fact you’re using ADMT
- How the ADMT works
- The reasons why ADMT is being used
- Consumers’ rights regarding ADMT use under the CCPA
You must also give consumers the ability to opt out of ADMT and appeal any decisions made by the technology. As part of your ongoing responsibilities, you must keep detailed records of notices, consumer preferences, and decisions.
Cybersecurity audits
The CCPA states that any business whose data processing activities pose a significant risk to consumers must conduct an annual cybersecurity audit. The regulations clarify that “significant risk” entails processing either:
- Personal data of 250,000 or more consumers
- Sensitive personal data of 50,000 or more consumers
A professional must conduct these annual audits using recognized standards. They should evaluate how well your cybersecurity program protects consumers from threats using measures like access controls, encryption, and vulnerability scanning.
Afterward, they must issue a report describing any potential issues and the steps your business will take to address them.
Effective dates for this rule are based on your gross annual revenue:
- Over USD 100 million: April 1, 2028
- USD 50–100 million: April 1, 2029
- Under USD 50 million: April 1, 2030
Risk assessments
The new rules state that you must conduct an assessment before initiating any high-risk data practices as of April 1, 2028. A data processing activity counts as a high risk when it involves either:
- Selling or sharing of personal information
- Collection, use, or storage of sensitive personal information
Risk assessments must weigh the proposed benefits to consumers of the data processing activity against the potential risks. You can’t frame the benefits in generic terms, such as ‘to improve our service’.
In addition to conducting these assessments before new initiatives, you must be able to submit them to the CPPA or the Attorney General upon request.
Insurance company clarifications
The updates to the CCPA also clarified when insurance companies must comply with the CCPA.
Any personal information collected by insurance companies outside of an insurance transaction is subject to CCPA requirements, provided that the insurer meets one of the CCPA’s thresholds. Personal information collected within the scope of an insurance transaction is instead subject to the California Insurance Code (CIC).
Definitions under the California Consumer Privacy Act (CCPA) data privacy law
The CCPA defines several terms that cover the information it protects and data processing activities.
Personal information
The CCPA/CPRA law defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Here are examples of information that could identify individuals under the law:
- Names or nicknames
- Postal address
- Contact details
- Purchase and browsing history
- Location data
- Employment and professional data
Sensitive personal information
Sensitive personal information is any private data that could lead to harm, such as discrimination or identity theft, if exposed. The CCPA defines it as any details that reveal a consumer’s:
- Government ID or numbers
- Credentials for personal or financial log-in accounts
- Precise geolocation
- Race or ethnic origin
- Immigration status
- Religious or philosophical beliefs
- Contents of private messages
- Genetic data
Unique identifier
The CCPA/CPRA law defines a unique identifier or “unique personal identifier” as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.”
The law specifies that a family means a parent or guardian and any children under 18 years of age who are in their custody.
Examples of unique identifiers are:
- Device identifier
- IP address
- Cookies, beacons, pixel tags, mobile ad identifiers, or similar technology
- Customer number, unique pseudonym, or user alias
Consent
The law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”
The following does not constitute valid consent under the CCPA/CPRA:
- Acceptance of general or broad terms of use
- Acceptance of a similar data practice
- Hovering over, muting, pausing, or closing a piece of content
- Consent obtained through dark patterns
Sale
The law defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”
The following activities are not considered to be sales under the CCPA:
- A consumer uses or directs the business to intentionally disclose or interact with third parties
- The business uses or shares an identifier for the purpose of informing others that the consumer has opted out of the sale of or limited the use of their personal information
- The business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business
Who must comply with the California Consumer Privacy Act (CCPA)?
The CCPA applies to for-profit businesses that operate in California and collect the personal information of the state’s residents, if they meet any one of the following thresholds:
- Have a gross annual, global revenue exceeding USD 25 million for the previous calendar year (adjusted to the Consumer Price Index)
- Receive, buy, sell, or share personal information of 100,000 or more consumers or households
- Earn more than half of their annual revenue from the sale of California residents’ personal information
All companies that meet one of these thresholds must meet CCPA obligations if they are doing business with California residents, regardless of where in the world they are based.
Keep in mind: Other U.S. privacy laws, like the Virginia Consumer Data Protection Act (VCDPA), have moved away from revenue-only thresholds. Always check the individual compliance requirements for each state when determining your eligibility.
What are consumers’ rights under the California Consumer Privacy Act (CCPA) laws?
The CCPA grants consumers rights that enable them to protect their personal information and control how it’s used. Additional rights were added when the CPRA came into effect.
Obligations under the California Consumer Privacy Act (CCPA) rules
Businesses have specific CCPA/CPRA obligations. These aim to protect California residents’ personal information by ensuring transparency and accountability in data handling practices.
Notices required under the CCPA/CPRA
The CCPA/CPRA requires businesses to provide two distinct notices to consumers: a notice at collection and a privacy policy.
You must display a notice at collection before you collect or use a California consumer’s personal information. This must clearly list:
- Categories of personal information collected
- Purposes for which the information will be used
- Whether you sell or share personal information
- How long you retain this data
The notice at collection should contain a link to your privacy policy and include a link with the specific words “Do Not Sell or Share My Personal Information”, which enables consumers to easily opt out of such activities.
A CCPA privacy policy must include:
- A description of consumers’ privacy rights and how to exercise them
- Categories of personal information collected, sold, or shared in the preceding 12 months
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting, selling, or sharing personal information
- Categories of third parties to whom personal information is disclosed
- Links to any online request forms or portals you offer
- An explanation of how your business verifies requests
- A contact method for any questions or concerns
- The date you last updated your privacy policy
Make your privacy policy easily accessible on your websites. For example, include a link at the footer of every page so that consumers can easily find and review it.
Consent requirements under the CCPA/CPRA
In most cases, the CCPA/CPRA doesn’t require you to obtain explicit consent from consumers to process their personal information, though they do have the right to opt out of specific uses at any time. California privacy laws operate on an opt-out model where you assume consumers have consented unless they indicate otherwise.
There is an exception for personal information belonging to minors:
- Aged 13 to 16: You must obtain explicit, opt-in consent from a minor before selling or sharing their personal information
- Under 13: You must obtain explicit consent from a parent or guardian before collecting or selling a minor’s personal information
Opt-out requests under the CCPA/CPRA
You must provide options for consumers to:
- Opt out of the sale or sharing of their personal information, as well as targeted advertising and profiling
- Limit the use or disclosure of their sensitive personal information for unauthorized purposes
The law mandates specific ways to provide consumers with opt-out options.
- A clear and conspicuous link on your homepage titled “Do Not Sell or Share My Personal Information” that directs consumers to a page where they can opt out of the sale or sharing of their personal information.
- A clear and conspicuous link titled “Limit the Use of My Sensitive Personal Information,” which enables consumers to limit the use or disclosure of their sensitive personal information.
Alternatively, you can provide a single link that combines both functions and enables consumers to opt out of the relevant uses and disclosures of their personal information.
You must also respect universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, through which consumers can set their consent preferences once and communicate them automatically across various websites and online services.
Under the California Opt Me Out Act, effective from January 2027, browsers used in California must include a setting that enables consumers to send an opt-out preference signal (OOPS) to websites, which must be honored.
This Act, which supplements the CCPA, also requires browser developers to make clear to consumers how the opt-out preference signal works and the intended effect of the opt-out preference signal.
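The opt-out preference signal described above is a concrete mechanism a site has to detect and act on. The following is an added example, not Usercentrics code and not part of the original article: it reads the Global Privacy Control signal in the two forms the GPC specification defines (the HTTP request header `Sec-GPC: 1` and the browser property `navigator.globalPrivacyControl`), treats a valid signal as an opt-out of sale and sharing, and shows the body a site can serve at `/.well-known/gpc.json` to announce that it honors the signal. The preference record shape and all function names are assumptions made for the example; the sample requests are constructed.

```javascript
// Added example (not Usercentrics code): honoring a Global Privacy Control
// (GPC) opt-out preference signal.
//
// GPC is carried two ways: the HTTP request header "Sec-GPC: 1" and the DOM
// property navigator.globalPrivacyControl === true. Those two are from the
// GPC specification; the preference model and helper names are assumptions.

// Case-insensitive header lookup, since HTTP header names are case-insensitive
// and frameworks normalize them differently.
function readHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// True only when the header is present with the exact value "1". A missing
// header, "0", or "true" is not a valid signal and must not be read as one.
function hasGpcSignal(headers) {
  return readHeader(headers, "Sec-GPC") === "1";
}

// The same decision for client-side code, where the signal is a property.
function hasGpcSignalInBrowser(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Stored preference record for a visitor. Defaults follow the CCPA opt-out
// model: sale/sharing is permitted until the consumer says otherwise.
function defaultPreferences() {
  return { sellOrShare: true, limitSensitive: false, source: "default" };
}

// Apply the signal. GPC is an opt-out of sale/sharing (the "Do Not Sell or
// Share" choice); it does not change the separate "Limit the Use of My
// Sensitive Personal Information" choice, which the consumer makes explicitly.
// An explicit opt-out the consumer already made is kept even if no signal is
// present on a later visit.
function applyGpc(stored, gpcPresent) {
  const prefs = { ...stored };
  if (gpcPresent && prefs.sellOrShare) {
    prefs.sellOrShare = false;
    prefs.source = "gpc";
  }
  return prefs;
}

// Gate for loading a third-party ad or analytics tag that would sell or share
// personal information: load it only if sale/sharing is still permitted.
function mayLoadSellShareTags(headers, stored = defaultPreferences()) {
  return applyGpc(stored, hasGpcSignal(headers)).sellOrShare;
}

// Body for GET /.well-known/gpc.json, which tells browsers the site honors GPC.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not captured traffic).
const requestWithGpc = { "user-agent": "Mozilla/5.0", "Sec-GPC": "1" };
const requestWithoutGpc = { "user-agent": "Mozilla/5.0" };
const requestWithBadGpc = { "sec-gpc": "true" };

console.log(mayLoadSellShareTags(requestWithGpc));    // false: signal honored
console.log(mayLoadSellShareTags(requestWithoutGpc)); // true: no signal
console.log(mayLoadSellShareTags(requestWithBadGpc)); // true: not a valid signal
console.log(JSON.stringify(gpcWellKnown("2025-07-24")));
```

The decision is made before any tag that sells or shares data is emitted, so the opt-out takes effect on the very request that carries the signal rather than after a later preference sync. Logging which requests were gated by the signal gives you the record of consumer preferences that the audit and risk-assessment rules expect.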
Consumer requests for right to know, correct, and delete
As we mentioned above, consumers have the right to request information about the personal data collected about them, as well as to correct inaccuracies or to delete that data.
The law requires businesses to provide at least two designated methods for consumers to submit requests, like a toll-free number and a website form. But if you operate exclusively online, you only need to provide an email address. If you have a website, you must enable consumers to submit requests directly through the site.
Consumers can request data that was collected up to 12 months prior to the date of their request. Businesses have 45 days from the date of the request to disclose the requested information, and they may seek an extension of an additional 45 days under certain circumstances.
Contracts under the CCPA/CPRA
Businesses that collect consumers’ personal information sometimes share this data with a third party, such as an advertising network or data analytics provider.
The CCPA/CPRA requires you to establish third-party agreements with the following requirements:
- The personal information is sold, shared, or disclosed only for limited and specific purposes.
- The third party, service provider, or contractor must comply with the CCPA/CPRA obligations applicable to them.
- The third party, service provider, or contractor must provide the level of data privacy protection required by the law.
- The business is entitled to take “reasonable and appropriate steps” to ensure that any third party, service provider, or contractor uses the personal information shared in a way that aligns with the business’s CCPA/CPRA obligations.
- The third party, service provider, or contractor must inform the business if it cannot meet its legal obligations.
- The business has the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of personal information, after providing notice.
Contracts with service providers and contractors must also prohibit them from:
- Selling or sharing personal information
- Retaining, using, or disclosing personal information for any purpose other than that specified in the contract
- Combining the personal information received from the business with personal information received by any other means, except for purposes exempted under the law
Data security under the CCPA/CPRA
Under the CCPA, you must maintain reasonable security procedures to safeguard personal information from:
- Unauthorized or illegal access
- Destruction
- Unauthorized use
- Modification
- Disclosure
Previously, businesses had more flexibility over how to handle safeguarding. The 2025 updates to the CCPA mean you must now evaluate your cybersecurity program against specific standards and identify any weaknesses in your data protection practices.
Data minimization under the CCPA/CPRA
Under the CCPA/CPRA, businesses can collect, use, store, and share consumers’ personal information only to the extent needed to achieve the original purpose for collecting the information, or for another compatible purpose. The personal information must not be processed in ways that conflict with the original purposes.
This requirement is a key aspect of data minimization, which means that companies must limit their handling of personal data to what is essential for the intended purposes.
The CPPA’s Enforcement Advisory No. 2024-1 highlighted the principle of data minimization by prohibiting businesses from requiring consumers to share additional information “beyond what is necessary”.
As part of your risk assessments, you must now provide clear reasons for processing the information you collect. This helps to prove you’re upholding the CCPA principle for data minimization.
Enforcement and penalties under the California Consumer Privacy Act (CCPA)
The Attorney General and the CPPA are both responsible for enforcing California’s data privacy laws and applying CCPA penalties. However, the CPPA can’t limit the Attorney General’s authority and must halt proceedings when requested.
Violations of the CCPA/CPRA attract fines of up to:
- USD 2,500 per non-intentional violation
- USD 7,500 per intentional violation or violation involving minors
Like the revenue threshold, fines are adjusted to the Consumer Price Index.
Under the CCPA, consumers have a private right of action, meaning they can sue businesses in the event of a data breach that exposes certain categories of personal information.
They can do so only when the breach occurred because the business failed to implement reasonable security measures to protect the personal information, resulting in non-encrypted or non-redacted data being stolen.
In order for this condition to apply, the consumer’s first name (or first initial) and last name must have been stolen in combination with at least one of the following:
- Social Security number
- Driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
- Financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would enable account access
- Medical or health insurance information
- Fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)
Consumers must give businesses 30 days to cure the violation and ensure no future violations will occur before they can bring legal action against the business.
They can otherwise make a claim:
- To recover damages between USD 100 and USD 750 per incident, or actual damages suffered, whichever is greater
- For injunctive or declaratory relief
Like the revenue compliance threshold and fines, damages consumers can recover are also adjusted to the Consumer Price Index.
If a consumer believes that their rights, other than those arising out of a data breach, have been violated, they may file a complaint with the Attorney General or the CPPA.
What does the CCPA/CPRA mean for your business?
If your business meets one of the CCPA/CPRA thresholds and has an online property, it must take several steps to meet its obligations. Here’s a quick CCPA compliance checklist to get you started on your compliance journey.
- Your website must present visitors with a notice at collection that lists the categories and purposes of the personal data collected, whether personal information is sold or shared, and how long the business will retain the personal information.
- You must provide a new notice at collection whenever you start to collect additional categories of personal information or intend to use the data for additional purposes.
- Your website must include a privacy policy that informs consumers of their privacy rights and how to exercise them, as well as your privacy practices in more detail.
- If you sell or share personal data, you must present a link titled “Do Not Sell or Share My Personal Information” to enable users to opt out of the sale of their personal data.
- If you process sensitive data, you must include a link titled “Limit the Use of My Sensitive Personal Information” to enable users to limit the processing of this information to specific purposes.
- For personal information of minors, you must obtain explicit consent from the consumer (between 13 and 16 years) or their parent or guardian (when the minor is below 13 years) before their personal information can be shared or sold.
- If you meet specific revenue or risk thresholds, you must arrange independent cybersecurity audits to evaluate your system and demonstrate that you can safeguard the personal information you collect from consumers.
- If you use Automated Decision-Making Technology, you must provide a pre-use notice and enable consumers to opt out of ADMT (unless you use an approved human review process) or request information about how ADMT impacted them, as well as conduct and submit a risk assessment before using ADMT for significant decisions or processing sensitive personal information for profiling.
Achieve CCPA compliance with Usercentrics
A CCPA compliance tool like Usercentrics CMP makes it easier to comply with the California privacy law’s requirements while building trust with consumers.
The Usercentrics CMP provides geolocation functionality that detects when a California resident visits your site. It then displays the relevant banner and access to the privacy policy with straightforward links or buttons that enable users to manage their data processing preferences.
The result is automated, straightforward privacy compliance functionality that helps you build trust with customers, maintain the data you need for marketing efforts, and comply with CCPA/CPRA requirements.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
