What is the CCPA?
CCPA (California Consumer Privacy Act) is a comprehensive state-level data privacy law enacted in 2018 that gives California residents broad rights over their personal information and imposes obligations on businesses that collect and process this data. Significantly amended by the California Privacy Rights Act (CPRA) in 2020 with most provisions effective January 1, 2023, the CCPA establishes consumer rights to know, delete, access, correct, and opt out of the sale or sharing of their personal information. The law applies to for-profit businesses processing California residents' data that meet revenue, data volume, or revenue-dependency thresholds, with updated regulations introducing cybersecurity audits and automated decision-making requirements effective January 1, 2026.
How does the CCPA work?
CCPA applies to for-profit businesses meeting specific thresholds and grants California residents five core privacy rights.
Applicability thresholds determine coverage. A business must comply if it meets ANY of these criteria: it had gross annual revenues exceeding $26.625 million (as of January 1, 2025) for the preceding calendar year; it buys, sells, or shares the personal information of 100,000 or more California residents or households; or it derives 50% or more of its annual revenue from selling or sharing California residents' personal information. Nonprofit organizations, government agencies, and certain federally regulated entities (HIPAA-covered, GLBA-regulated) are exempt.
The right to know allows consumers to request businesses disclose what personal information is collected, categories of sources, business purposes for collection, and categories of third parties with whom information is shared. Businesses must confirm receipt within 10 business days and substantively respond within 45 calendar days. Request methods cannot require account creation; businesses must provide practical, accessible submission mechanisms.
The right to delete enables consumers to request deletion of personal information collected from them. Deletion exceptions permit retention for information necessary for legal compliance, security, internal uses reasonably aligned with consumer expectations, or enabling solely internal uses lawfully compatible with the context of collection. Businesses must confirm receipt within 10 business days and complete deletion within 45 calendar days. A two-step confirmation process is allowed to verify deletion requests.
The right to correct, added by CPRA effective January 1, 2023, allows consumers to request correction of inaccurate personal information. Businesses must confirm receipt within 10 business days and substantively respond within 45 calendar days. The limitation is that it applies only to inaccurate information; consumers cannot compel deletion of accurate information through correction requests.
The right to opt out enables consumers to prevent businesses from selling or sharing personal information with third parties. Sale is defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for valuable consideration. Sharing, added by CPRA, means sharing personal information for cross-context behavioral advertising. Businesses must provide "Do Not Sell My Personal Information" or "Do Not Share My Personal Information" links on homepages and mobile apps. Compliance must occur as soon as feasible, with a maximum 15 business days from receipt. Effective January 1, 2026, businesses must provide written confirmation that opt-out requests were processed.
The right to limit use of sensitive personal information, added by CPRA, allows consumers to limit business use and disclosure of sensitive personal information to what is reasonably necessary. Sensitive personal information includes Social Security numbers, financial account information, precise geolocation, health data, genetic information, and biometric information for identification. The updated definition effective January 1, 2026 includes personal information of consumers the business has actual knowledge are under 16 years old. Businesses must comply as soon as feasible with a maximum 15 business days.
How does the CCPA differ from GDPR?
| Feature | CCPA | GDPR |
|---|---|---|
| Jurisdiction | California residents | EU residents (global application) |
| Legal basis requirement | No explicit legal basis framework | Six lawful bases required for all processing |
| Consent model | Opt-out for sales/sharing | Opt-in consent required for most processing |
| Consumer rights | Know, delete, correct, opt-out, limit | Access, rectification, erasure, restrict, portability, object |
| Age protections | Enhanced for under 16 (selling/sharing prohibited without consent) | Enhanced for under 16 (parental consent required) |
| Scope of "personal information" | Broadly defined; excludes publicly available information | Broadly defined; includes any identifiable information |
| Data Protection Officer | Not required | Required for certain organizations |
| Penalties | Up to $7,500 per intentional violation | Up to €20 million or 4% global revenue |
| Private right of action | Yes, for data breaches ($100-$750 per incident) | No general private right |
| Enforcement | California Attorney General, CPPA, consumers (breach only) | National data protection authorities |
| Applicability threshold | Revenue/data volume/revenue dependency | Any processing of EU residents' data |
| Ideal for | California-focused businesses; U.S. organizations building privacy programs | Organizations with EU operations; global privacy framework |
Neither is universally better. CCPA provides an opt-out model and a narrower scope suitable for U.S.-focused businesses with California customers. GDPR requires comprehensive data protection with opt-in consent, appropriate for organizations with EU operations or global privacy commitments. Organizations serving both markets must comply with both, typically implementing GDPR's stricter opt-in consent as the baseline.
Why does the CCPA matter?
Organizations implement CCPA compliance for four primary drivers, each with significant operational challenges.
State enforcement creates financial risk. The California Attorney General and California Privacy Protection Agency enforce CCPA through civil penalties up to $7,500 per intentional violation and $2,500 per unintentional violation. Cumulative penalties have reached tens of millions since enforcement began, with individual company penalties up to $1.35 million. However, enforcement is selective; major tech companies face significant penalties while many smaller businesses operate with minimal oversight, creating uneven compliance incentives.
Private right of action for data breaches establishes consumer litigation risk. Consumers can sue businesses and service providers for data breaches of unencrypted or unredacted personal information, recovering statutory damages of $100-$750 per consumer per incident or actual damages, whichever is greater. This creates significant exposure for organizations experiencing breaches affecting thousands of California residents. However, recovery standards remain uncertain; courts are still developing jurisprudence around what constitutes actionable harm and adequate security, leaving organizations unclear on litigation risk thresholds.
Market access requirements enable California operations. Businesses cannot legally process California residents' personal information without CCPA compliance, effectively requiring compliance for any organization serving California customers. Major customers and partners increasingly require CCPA compliance as contractual prerequisites. However, compliance costs burden small organizations; implementing request-handling systems, consent management, and vendor oversight requires resources that smaller companies above the threshold struggle to afford.
The 2026 regulatory expansion increases compliance scope. New regulations effective January 1, 2026 require cybersecurity audits for certain business categories, risk assessments for automated decision-making technology, enhanced consumer request capabilities allowing access requests back to January 1, 2022, and treating personal information about consumers under 16 as sensitive with enhanced protections. However, implementation guidance remains limited; organizations preparing for 2026 requirements face uncertainty about audit scope, automated decision-making standards, and youth data handling procedures.
What are the limitations of the CCPA?
CCPA's evolving requirements and implementation complexities create compliance challenges.
Threshold complexity creates moving compliance targets. The $26.625 million revenue threshold (adjusted annually for inflation) changes each year, requiring organizations to reassess applicability. Organizations near the threshold face uncertainty about whether they must comply. The 100,000 consumer threshold requires accurate tracking of California residents whose information is processed, which many organizations lack systems to measure. Revenue dependency calculations require detailed accounting of revenue sources attributable to selling/sharing personal information.
Request handling timelines create operational pressure. The 45-day timeline for substantively responding to know, delete, and correct requests pressures organizations to implement rapid verification and retrieval systems. Organizations must balance adequate authentication (preventing fraudulent requests) against consumer privacy (not requiring excessive information for verification). High-volume request handling strains resources, especially for smaller businesses receiving hundreds of requests monthly.
Deletion exceptions require case-by-case judgment. Determining whether retention is "reasonably necessary" for legal compliance, security, or internal uses requires nuanced analysis. Organizations must balance consumer deletion rights against data retention requirements under other regulations (tax law, employment law, financial reporting). Some deletion requests conflict with legal holds, creating compliance dilemmas where satisfying CCPA violates other obligations.
Sensitive personal information definition changes create implementation challenges. The 2026 amendment adding "personal information of consumers the business has actual knowledge are under 16 years old" to the sensitive personal information definition requires organizations to implement age verification or age inference systems. What constitutes "actual knowledge" of minor status is subjective; organizations must determine when they have sufficient information to trigger enhanced protections without creating barriers to service access.
Automated decision-making technology (ADMT) requirements lack clarity. The 2026 regulations require risk assessments for ADMT producing legal or similarly significant effects and allow consumers to request human review. However, what constitutes "automated decision-making" versus permitted analytics is not precisely defined. Organizations using AI and machine learning struggle to determine when ADMT requirements apply and what human review processes satisfy regulatory expectations.
Cybersecurity audit requirements lack specificity. The 2026 regulations mandate regular cybersecurity audits for certain business categories, but audit scope, frequency, and standards are not defined. Organizations must determine appropriate audit approaches without regulatory guidance on what constitutes adequate security assessment.
FAQs
Does CCPA apply to my business?
CCPA applies if you are a for-profit business that meets ANY of these criteria: you have annual revenues over $26.625 million (as of 2025), you buy, sell, or share the personal information of 100,000 or more California residents or households, or you derive 50% or more of your revenue from selling or sharing California residents' personal information. If you don't meet any threshold, CCPA doesn't apply. Nonprofit organizations and government agencies are exempt. Healthcare data covered by HIPAA and financial data covered by GLBA have exemptions for certain provisions. Organizations must assess applicability annually as revenue thresholds adjust for inflation.
What is the difference between "sale" and "sharing" under CCPA?
Sale means transferring personal information to another business or third party for money or other valuable consideration, even if no money changes hands; barter arrangements and reciprocal data exchanges can constitute sales. Sharing, added by CPRA, means transferring personal information for cross-context behavioral advertising where businesses don't necessarily receive direct payment. Both trigger consumer opt-out rights, but sharing has broader reach and includes free data exchanges for advertising purposes. Organizations must provide separate opt-out mechanisms for sales and sharing, or a combined "Do Not Sell or Share" option covering both.
How long do businesses have to respond to consumer requests?
Businesses must confirm receipt of "right to know," "right to delete," and "right to correct" requests within 10 business days. Substantive responses must be provided within 45 calendar days. For complex requests, businesses can request one extension of up to 45 additional days; the extension request must be communicated before the initial 45 days expire. For "right to opt-out" and "right to limit use of sensitive personal information" requests, businesses must comply as soon as feasible, with a maximum of 15 business days from receipt. The timeline restarts if businesses ask for additional information to verify the requestor's identity.
What should businesses include when responding to deletion requests?
Businesses should provide written confirmation that they received the deletion request, then delete (or direct service providers to delete) the personal information unless a legal exception applies. Legal exceptions include retention necessary for completing transactions, detecting security incidents, debugging, complying with legal obligations, enabling solely internal uses aligned with consumer expectations, or other lawful purposes specified in the statute. If an exception applies, businesses must explain which exception prevents deletion and why retention is necessary. Businesses should document the deletion process, including dates, systems affected, and verification that information was removed from all systems including backups where technically feasible.
What are the new 2026 changes to CCPA and when do they take effect?
Starting January 1, 2026, businesses must comply with several new requirements: provide written confirmation of opt-out request processing, treat personal information about consumers under 16 as "sensitive" with enhanced protections requiring businesses to implement age verification or inference systems, allow access requests going back to January 1, 2022 for organizations retaining data more than 12 months, conduct cybersecurity audits for certain business categories (standards and scope still being defined), and perform risk assessments for automated decision-making technology that could produce legal or similarly significant effects, allowing consumers to request human review of automated decisions. Organizations should begin implementation planning in 2025 to meet January 2026 deadlines.