The California Consumer Privacy Act (CCPA) is the first and most influential consumer privacy law passed in the U.S. Since coming into effect in 2020, it has shaped subsequent privacy legislation in other states.
Navigating the CCPA’s requirements can be complex. It intersects, or will intersect, with a variety of other California laws passed since, like the California Age-Appropriate Design Code Act, California Delete Act, and California Opt-Out Preference Signal / Opt Me Out Act, as well as federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA).
However, the CCPA has its own unique guidelines that you need to be aware of if you do business in California and meet the compliance thresholds.
In this article, we explore the CCPA’s obligations for businesses, including all 2025 updates. We unpack when the law applies, what it means in practice, and best practices to achieve and maintain compliance.
At a glance
- The CCPA, as amended by the CPRA, regulates how certain for-profit businesses collect, use, share, and sell Californians’ personal information.
- The CCPA covers personal information linked to a consumer or household and provides additional protections for sensitive personal information.
- The law follows an opt-out model for adults, requires opt-in for minors under 16, and mandates clear opt-out and limitation mechanisms.
- Businesses must provide a notice at collection, a clear privacy policy, and honor consumer rights requests.
- New regulations phased in from 2026 to 2028 add requirements for automated decision-making disclosures, cybersecurity audits, and risk assessments.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a U.S. state-level consumer privacy law that was passed in 2018 and came into effect on January 1, 2020. It applies exclusively to California residents, known as “consumers” under the law, and regulates the protection of their personal information.
Under the CCPA, a resident is any individual:
- Who is in the State for other than a temporary or transitory purpose
- Who is domiciled in the state and outside the state for a temporary or transitory purpose
Although the CCPA is a state law, it has a considerable influence. This is largely due to California being the most populous U.S. state, with almost 40 million residents, the world’s fourth- or fifth-largest economy, and the headquarters for many global tech companies.
California’s influence now extends beyond legislation: CalPrivacy has established a bipartisan Consortium of Privacy Regulators in collaboration with eight other states across the country, creating an active interstate mechanism for coordinating privacy enforcement.
Businesses that assume CCPA exposure is limited to California-specific regulators should be aware that investigations increasingly involve multiple states acting in concert.
The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023. It granted additional rights to consumers and established the California Privacy Protection Agency (CPPA, also known as CalPrivacy), among other things.
CCPA regulatory updates
In July 2025, the CPPA voted to adopt new regulations that update the existing regulations and add obligations for businesses. Some changes took effect on January 1, 2026; others are being phased in through 2028 and beyond.
Here’s what you need to be aware of.
Automated Decision-Making Technology (ADMT)
Effective from January 1, 2027, you are required to provide a clear disclosure before using ADMT to make a significant decision about a consumer. You must include:
- The fact you’re using ADMT
- How the ADMT works
- The reasons why ADMT is being used
- Consumers’ rights regarding ADMT use under the CCPA
You must also give consumers the ability to opt out of ADMT and appeal any decisions made by the technology. As part of your ongoing responsibilities, you must keep detailed records of notices, consumer preferences, and decisions.
Cybersecurity audits
The CCPA requires any business whose data processing activities pose a significant risk to consumers to conduct an annual cybersecurity audit. The regulations clarify that “significant risk” entails processing either:
- Personal data of 250,000 or more consumers
- Sensitive personal data of 50,000 or more consumers
A professional must conduct these annual audits using recognized standards. They should evaluate how well your cybersecurity program protects consumers from threats using measures like access controls, encryption, and vulnerability scanning.
Afterward, they must issue a report describing any potential issues and the steps your business will take to address them.
The deadline for submitting your first certification to CalPrivacy is based on your gross annual revenue:
- Over USD 100 million: April 1, 2028
- USD 50–100 million: April 1, 2029
- Under USD 50 million: April 1, 2030
Risk assessments
The new rules require you to conduct an assessment before initiating any high-risk data processing activity. A data processing activity counts as high risk when it involves either:
- Selling or sharing of personal information
- Collection, use, or storage of sensitive personal information
Risk assessments must weigh the proposed benefits to consumers of the data processing activity against the potential risks. You cannot frame the benefits in generic terms, such as “to improve our service.”
The obligation applies in two phases depending on when the processing activity began:
- New processing activities initiated on or after January 1, 2026: assessments must be completed before beginning those activities.
- Processing activities that began before January 1, 2026 and continue after that date: assessments must be completed no later than December 31, 2027.
In addition to conducting these assessments, you must be able to submit them to the CPPA or the Attorney General upon request. A summary report covering 2026 and 2027 activities must be submitted to CalPrivacy by April 1, 2028, signed under penalty of perjury by a member of your executive management team.
Insurance company clarifications
The updates to the CCPA also clarified when insurance companies must comply with it. Any personal information collected by insurance companies outside of an insurance transaction is subject to CCPA requirements, provided that the insurer meets one of the CCPA’s thresholds. Personal information collected within the scope of an insurance transaction is subject to compliance with the California Insurance Code (CIC).
Definitions under the California Consumer Privacy Act (CCPA) data privacy law
The CCPA defines several terms that cover the information it protects and data processing activities.
Personal information
The CCPA/CPRA law defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Here are examples of information that could identify individuals under the law:
- Names or nicknames
- Postal address
- Contact details
- Purchase and browsing history
- Location data
- Employment and professional data
Sensitive personal information
Sensitive personal information is any private data that could lead to harm, such as discrimination or identity theft, if exposed. The CCPA defines it as any details that reveal a consumer’s:
- Government ID or numbers
- Credentials for personal or financial log-in accounts
- Precise geolocation
- Race or ethnic origin
- Immigration status
- Religious or philosophical beliefs
- Contents of private messages
- Genetic data
Unique identifier
The CCPA/CPRA law defines a unique identifier or “unique personal identifier” as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.”
The law specifies that a family means a parent or guardian and any children under 18 years of age who are in their custody.
Examples of unique identifiers are:
- Device identifier
- IP address
- Cookies, beacons, pixel tags, mobile ad identifiers, or similar technology
- Customer number, unique pseudonym, or user alias
Consent
The law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”
The following does not constitute valid consent under the CCPA/CPRA:
- Acceptance of general or broad terms of use
- Acceptance of a similar data practice
- Hovering over, muting, pausing, or closing a piece of content
- Consent obtained through dark patterns
Sale
The law defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”
The following activities are not considered to be sales under the CCPA:
- A consumer uses or directs the business to intentionally disclose or interact with third parties
- The business uses or shares an identifier for the purpose of informing others that the consumer has opted out of the sale of or limited the use of their personal information
- The business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business
Who must comply with the California Consumer Privacy Act (CCPA)?
The CCPA applies to for-profit businesses that operate in California and collect the personal information of the state’s residents, if they meet any one of the following thresholds:
- Have a gross annual, global revenue exceeding USD 25 million for the previous calendar year (adjusted biennially for inflation; currently USD 26,625,000)
- Receive, buy, sell, or share personal information of 100,000 or more consumers or households
- Earn more than half of their annual revenue from the sale of California residents’ personal information
All companies that meet one of these thresholds must meet CCPA obligations if they are doing business with California residents, regardless of where in the world they are based.
Keep in mind: Some other U.S. privacy laws, like the Virginia Consumer Data Protection Act (VCDPA), have moved away from revenue-only thresholds. Always check the individual compliance requirements for each state when determining your eligibility.
What are consumers’ rights under the California Consumer Privacy Act (CCPA) laws?
The CCPA grants consumers rights that enable them to protect their personal information and control how it’s used. Additional rights were added when the CPRA came into effect.
- Right to access: personal information collected before the CPRA’s look-back period (the 12 months prior to January 1, 2023) as long as it’s possible or not unreasonably difficult to provide
- Right to opt out: of the sharing and sale of personal information to third parties
- Right to delete: any personal data the controller and third parties have about or from the consumer, with some exceptions
- Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
- Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
- Right to restrict sensitive personal information: to limit access to and use of data categorized as sensitive
- Right for minors’ personal information not to be shared or sold without explicit consent, and for them not to be asked for consent within 12 months of declining a company’s consent request
- Right to access information about automated decision-making: to request information about automated decision-making and the likely outcomes of using such processes, specifically with regards to profiling
- Right to opt out of automated decision-making technology: to opt out of the use of such technology with regard to their personal information
- Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
Obligations under the California Consumer Privacy Act (CCPA) rules
Businesses have specific CCPA/CPRA obligations. These aim to protect California residents’ personal information by ensuring transparency and accountability in data handling practices.
Notices required under the CCPA/CPRA
The CCPA/CPRA requires businesses to provide two distinct notices to consumers: a notice at collection and a privacy policy.
You must display a notice at collection before you collect or use a California consumer’s personal information. This must clearly list:
- Categories of personal information collected
- Purposes for which the information will be used
- Whether you will share or sell personal information
- How long you retain this data
The notice at collection should contain a link to your privacy policy and include a link with the specific words “Do Not Sell or Share My Personal Information”, which enables consumers to easily opt out of such activities.
A CCPA privacy policy must include:
- A description of consumers’ privacy rights and how to exercise them
- Categories of personal information collected, sold, or shared in the preceding 12 months
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting, selling, or sharing personal information
- Categories of third parties to whom personal information is disclosed
- Links to any online request forms or portals you offer
- An explanation of how your business verifies requests
- A contact method for any questions or concerns
- The date you last updated your privacy policy
Make your privacy policy easily accessible on your websites. For example, include a link at the footer of every page so that consumers can easily find and review it. If your business operates a mobile app, a link to your privacy policy must also appear in the app settings menu. This is a requirement that became mandatory as of January 1, 2026.
Consent requirements under the CCPA/CPRA
In most cases, the CCPA/CPRA doesn’t require you to obtain explicit consent from consumers to process their personal information, though they do have the right to opt out of specific uses at any time. California privacy laws operate on an opt-out model where you assume consumers have consented unless they indicate otherwise.
There is an exception for personal information belonging to minors:
- Aged 13 to 16: You must obtain explicit, opt-in consent from a minor before selling or sharing their personal information
- Under 13: You must obtain explicit consent from a parent or guardian before collecting or selling a minor’s personal information
Opt-out requests under the CCPA/CPRA
You must provide options for consumers to:
- Opt out of the sale or sharing of their personal information, as well as targeted advertising and profiling
- Limit the use or disclosure of their sensitive personal information for unauthorized purposes
The law mandates specific ways to provide consumers with opt-out options.
- A clear and conspicuous link on your homepage titled “Do Not Sell or Share My Personal Information” that directs consumers to a page where they can opt out of the sale or sharing of their personal information.
- A clear and conspicuous link titled “Limit the Use of My Sensitive Personal Information,” which enables consumers to limit the use or disclosure of their sensitive personal information.
Alternatively, you can provide a single link that combines both functions and enables consumers to opt out of the relevant uses and disclosures of their personal information.
You must also respect universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, through which consumers can set their consent preferences once and communicate them automatically across various websites and online services.
GPC compliance is an active enforcement priority: in September 2025, California, Colorado, and Connecticut conducted a coordinated multi-state enforcement sweep specifically targeting businesses that were not honoring GPC signals. Businesses operating across multiple states should treat GPC signal recognition as a baseline requirement, not an optional implementation.
California is the first state in the U.S. to require browsers to offer a built-in opt-out preference signal. Under the California Opt Me Out Act, effective January 1, 2027, any business that develops or maintains a browser must include an easy-to-find setting that enables consumers to send an opt-out preference signal to websites, automatically communicating their preference not to have their personal information sold or shared.
Browser developers that offer this functionality are granted a liability shield. The obligation to detect and honor those signals rests with websites, not browsers. Businesses that fail to honor a consumer’s opt-out preference signal will remain exposed to enforcement under the CCPA regardless of whether the browser has complied.
The Act also requires browser developers to clearly disclose to consumers how the opt-out preference signal works and its intended effect.
As of January 1, 2026, businesses must also confirm to consumers that their opt-out preference signal has been processed. Previously discretionary, this is now a mandatory requirement under the revised CCPA regulations.
In practice, this means displaying a clear acknowledgment on your website — for example, “Opt-Out Request Honored” — when a consumer’s signal is received and acted on, such as through a toggle or radio button in their privacy settings. Simply honoring the signal behind the scenes is no longer sufficient; the confirmation must be visible to the consumer.
Consumer requests for right to know, correct, and delete
As we mentioned above, consumers have the right to request information about the personal data collected about them, as well as to correct inaccuracies or to delete that data.
The law requires businesses to provide at least two designated methods for consumers to submit requests, like a toll-free number and a website form. But if you operate exclusively online, you only need to provide an email address. If you have a website, you must enable consumers to submit requests directly through the site.
Consumers can request data that was collected up to 12 months prior to the date of their request. Businesses have 45 days from the date of the request to disclose the requested information, and they may seek an extension of an additional 45 days under certain circumstances.
Contracts under the CCPA/CPRA
Businesses that collect consumers’ personal information sometimes share this data with a third party, such as an advertising network or data analytics provider.
The CCPA/CPRA requires you to establish third-party agreements with the following requirements:
- The personal information is sold, shared, or disclosed only for limited and specific purposes.
- The third party, service provider, or contractor must comply with the CCPA/CPRA obligations applicable to them.
- The third party, service provider, or contractor must provide the level of data privacy protection required by the law.
- The business is entitled to take “reasonable and appropriate steps” to ensure that any third party, service provider, or contractor uses the personal information shared in a way that aligns with the business’s CCPA/CPRA obligations.
- The third party, service provider, or contractor must inform the business if it cannot meet its legal obligations.
- The business has the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of personal information, after providing notice.
Contracts with service providers and contractors must also prohibit them from:
- Selling or sharing personal information
- Retaining, using, or disclosing personal information for any purpose other than that specified in the contract
- Combining the personal information received from the business with personal information received by any other means, except for purposes exempted under the law
Data security under the CCPA/CPRA
Under the CCPA, you must maintain reasonable security procedures to safeguard personal information from:
- Unauthorized or illegal access
- Destruction
- Unauthorized use
- Modification
- Disclosure
Previously, businesses had more flexibility over how to handle safeguarding. The 2025 updates to the CCPA mean you must now evaluate your cybersecurity program against specific standards and identify any weaknesses in your data protection practices.
Data minimization under the CCPA/CPRA
Under the CCPA/CPRA, businesses can collect, use, store, and share consumers’ personal information only to the extent needed to achieve the original purpose for collecting the information, or for another compatible purpose. The personal information must not be processed in ways that conflict with the original purposes.
This requirement is a key aspect of data minimization, which means that companies must limit their handling of personal data to what is essential for the intended purposes.
The CPPA’s Enforcement Advisory No. 2024-1 highlighted the principle of data minimization by prohibiting businesses from requiring consumers to share additional information “beyond what is necessary”.
As part of your risk assessments, you must now provide clear reasons for processing the information you collect. This helps to prove you’re upholding the CCPA principle for data minimization.
Enforcement and penalties under the California Consumer Privacy Act (CCPA)
The Attorney General and CalPrivacy are both responsible for enforcing California’s data privacy laws and applying CCPA penalties. However, CalPrivacy can’t limit the Attorney General’s authority and must halt proceedings when requested.
Violations of the CCPA/CPRA attract fines of up to:
- USD 2,500 per non-intentional violation
- USD 7,500 per intentional violation or violation involving minors
Like the revenue threshold, fines are adjusted for the Consumer Price Index, and are currently USD 2,663 and USD 7,988 respectively.
Under the CCPA, consumers have a private right of action, meaning they can sue businesses in the event of a data breach involving certain categories of personal information or personal security information.
They can do so only when the breach occurred because the business failed to implement reasonable security measures to protect the personal information, resulting in non-encrypted or non-redacted data being stolen.
In order for this condition to apply, the consumer’s first name (or first initial) and last name must have been stolen in combination with at least one of the following:
- Social Security number
- Driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
- Financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would enable account access
- Medical or health insurance information
- Fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)
Before bringing a private legal action for a data breach, consumers must give businesses 30 days to cure the violation and confirm no future violations will occur. This cure period applies specifically to the private right of action. It does not apply to enforcement actions brought by the CPPA or the Attorney General, who are not required to provide businesses with an opportunity to cure before proceeding.
If the business does not cure the violation, consumers can bring a claim:
- To recover damages between USD 100 and USD 750 per incident, or actual damages suffered, whichever is greater
- For injunctive or declaratory relief
Like the revenue compliance threshold and fines, the damages consumers can recover are also adjusted for the Consumer Price Index, and are currently USD 107 and USD 799 respectively.
If a consumer believes that their rights, other than those arising out of a data breach, have been violated, they may file a complaint with the Attorney General or the CPPA.
Enforcement escalation
Enforcement is active and escalating. CalPrivacy and the California Attorney General have concluded a number of significant actions in recent years that illustrate the practical consequences of non-compliance.
Fines issued to date include USD 1.35 million against rural retailer Tractor Supply Company, USD 632,500 against American Honda Motor Co., and USD 345,178 against clothing retailer Todd Snyder — all for CCPA violations relating to data practices and consumer rights failures.
In February 2026, the California Attorney General announced a USD 2.75 million settlement with Disney entities over gaps in opt-out procedures across its streaming ecosystem, the largest CCPA settlement on record to date.
One case with particularly broad implications for businesses is a March 2026 decision against Ford Motor Company, which resulted in a USD 375,000 fine. The violation was not a failure to provide an opt-out mechanism — Ford had one. The problem was requiring consumers to verify their identity before processing an opt-out request.
The CCPA permits identity verification for rights requests such as deletion and access, but not for opt-out of sale or sharing. By applying the same verification step to all request types, Ford created what regulators characterized as unnecessary friction.
The takeaway for any business with a consumer rights workflow: opt-out requests must be processed with minimal steps, and the bar for verification is lower than for other request types.
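The two workflow points above, honoring a GPC signal with a visible acknowledgment and processing opt-out requests without the identity verification that access, correction and deletion requests may require, as an added JavaScript example that is not code from this page or from Usercentrics. The `Sec-GPC` request header and the `navigator.globalPrivacyControl` property come from the GPC specification; every other function, field and request-type name is a hypothetical choice for the illustration, and the sample request is constructed.

```javascript
// Added illustration, not code from the page or from Usercentrics.
// Hypothetical names throughout; the `Sec-GPC` header and the
// `navigator.globalPrivacyControl` property come from the GPC specification.

// Request types a consumer can exercise without identity verification
// (opt out of sale/sharing, limit sensitive-PI use) versus the types a
// business may verify first (access, correct, delete).
const NO_VERIFICATION_TYPES = new Set(["opt_out_sale_sharing", "limit_sensitive_use"]);
const VERIFIABLE_TYPES = new Set(["access", "correct", "delete"]);

// Server side: a browser whose user enabled the signal sends `Sec-GPC: 1`.
// Header names are matched case-insensitively; any value other than "1"
// is treated as "no signal" rather than as an opt-out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl.
// A navigator-like object is passed in so this also runs outside a browser.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Apply a detected signal to the consumer's stored preferences. Returns the
// updated preferences plus the on-page acknowledgment text that has been
// mandatory since January 1, 2026; a null acknowledgment means no signal.
function applyGpcSignal(signalPresent, prefs) {
  if (!signalPresent) {
    return { prefs, acknowledgment: null };
  }
  const updated = { ...prefs, saleOrSharingOptedOut: true, optOutSource: "gpc" };
  return { prefs: updated, acknowledgment: "Opt-Out Request Honored" };
}

// Route an explicit rights request. `verifyIdentity` is a caller-supplied
// check used only for the verifiable types; opt-out requests are processed
// immediately with no verification step, which is the point of the Ford case.
function routeRightsRequest(request, verifyIdentity) {
  if (NO_VERIFICATION_TYPES.has(request.type)) {
    return { status: "processed", verified: false };
  }
  if (VERIFIABLE_TYPES.has(request.type)) {
    if (!verifyIdentity(request)) {
      return { status: "rejected_unverified", verified: false };
    }
    return { status: "processed", verified: true };
  }
  return { status: "unknown_request_type", verified: false };
}

// Whether selling or sharing this consumer's personal information is allowed:
// never after an opt-out; for consumers under 16 only with opt-in consent
// (from a parent or guardian when the consumer is under 13).
function saleOrSharingPermitted(consumer, prefs) {
  if (prefs.saleOrSharingOptedOut) return false;
  if (consumer.age < 13) return consumer.parentalConsent === true;
  if (consumer.age < 16) return consumer.minorOptIn === true;
  return true;
}

// Constructed sample run: a browser sending the GPC header, followed by an
// access request from the same consumer that must still be verified.
function demo() {
  const headers = { "Sec-GPC": "1", "User-Agent": "constructed-example" };
  let prefs = { saleOrSharingOptedOut: false, optOutSource: null };
  const result = applyGpcSignal(gpcFromHeaders(headers), prefs);
  prefs = result.prefs;
  const access = routeRightsRequest({ type: "access", token: "ok" }, (r) => r.token === "ok");
  return { acknowledgment: result.acknowledgment, prefs, access };
}
```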
Delete Request and Opt-Out Platform (DROP)
CalPrivacy also launched the Delete Request and Opt-Out Platform (DROP), which became operational on January 1, 2026. DROP allows California consumers to direct all registered data brokers to delete their personal information through a single centralized request, rather than submitting individual requests to each business.
Data brokers are required to begin processing DROP deletion requests by August 1, 2026. For businesses that meet California’s definition of a data broker, registration with CalPrivacy and readiness to process DROP requests are active compliance obligations, not future requirements.
In November 2025, CalPrivacy launched a dedicated Data Broker Enforcement Strike Force, bringing enforcement actions against multiple unregistered brokers in rapid succession. The definition of data broker is broader than many businesses assume: if your organization collects and sells personal information about consumers with whom you have no direct relationship, you may qualify regardless of how your business is structured or branded.
What does the CCPA/CPRA mean for your business?
If your business meets one of the CCPA/CPRA thresholds and has an online property, it must take several steps to meet its obligations. Here’s a quick CCPA compliance checklist to get you started on your compliance journey.
- Your website must present visitors with a notice at collection that lists the categories and purposes of the personal data collected, whether personal information is sold or shared, and how long the business will retain the personal information.
- You must provide a new notice at collection whenever you start to collect additional categories of personal information or intend to use the data for additional purposes.
- Your website must include a privacy policy that informs consumers of their privacy rights and how to exercise them, as well as your privacy practices in more detail.
- If your business operates a mobile app, you must include a link to your privacy policy in the app settings menu. This was previously optional but became mandatory as of January 1, 2026.
- If you sell or share personal data, you must present a link titled “Do Not Sell Or Share My Personal Information” to enable users to opt out of the sale of their personal data.
- If you process sensitive data, you must include a link titled “Limit The Use of My Sensitive Personal Information” to enable users to limit the processing of this information to specific purposes.
- For personal information of minors, you must obtain explicit consent from the consumer (between 13 and 16 years) or their parent or guardian (when the minor is below 13 years) before their personal information can be shared or sold.
- If you meet specific revenue or risk thresholds, you must arrange independent cybersecurity audits to evaluate your system and demonstrate that you can safeguard the personal information you collect from consumers.
- If you use Automated Decision-Making Technology, you must provide a pre-use notice and enable consumers to opt out of ADMT (unless you use an approved human review process) or request information about how ADMT impacted them, as well as conduct and submit a risk assessment before using ADMT for significant decisions or processing sensitive personal information for profiling.
Achieve CCPA compliance with Usercentrics
A CCPA compliance tool like Usercentrics CMP makes it easier to comply with the California privacy law’s requirements while building trust with consumers.
The Usercentrics CMP provides geolocation functionality that detects when a California resident visits your site. It then displays the relevant banner and access to the privacy policy with straightforward links or buttons that enable users to manage their data processing preferences.
The result is automated, straightforward privacy compliance functionality that helps you build trust with customers, maintain the data you need for marketing efforts, and comply with CCPA/CPRA requirements.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
