localwebadvisor
WIKI← Wiki home

What Is CCPA?

By FayUpdated Jul 9, 2026EVERGREEN
⚡ THE ANSWER

CCPA (California Consumer Privacy Act) is a state privacy law giving California residents rights over the personal information businesses collect about them, including the right to know, delete, and opt out of the sale of their data. It applies to for-profit businesses that meet certain size or data thresholds and handle California residents' information, even if the business is based elsewhere. Strengthened by the CPRA, it is the most prominent US state privacy law and a model others follow.

Full name
California Consumer Privacy Act
In effect since
January 1, 2020, strengthened by CPRA in 2023
Applies to
For-profit businesses meeting revenue or data thresholds
Key right
Opt out of the sale or sharing of personal information

What is the CCPA? #

The California Consumer Privacy Act (CCPA) is a state law, effective January 1, 2020, that gives California residents significant control over their personal information. It was strengthened by the California Privacy Rights Act (CPRA), which added protections and created a dedicated enforcement agency, with its main provisions taking effect in 2023. Together they form California's privacy framework, the most comprehensive in the United States. Personal information under the CCPA is broad, covering identifiers like names and emails, browsing history, geolocation, purchasing behavior, and inferences drawn about a person. The law requires covered businesses to be transparent about the data they collect, honor consumer rights over that data, and give consumers the ability to opt out of having their information sold or shared. Because California is so populous and economically influential, the CCPA affects a huge number of businesses nationwide, and it has become the template many other US states follow. Our /wiki/website-privacy-laws-explained reference sets the broader context, and our /services/web-design team builds CCPA-aware data handling into websites that serve California audiences.

Does the CCPA apply to my business? #

The CCPA does not apply to every business; it targets for-profit organizations that meet at least one of a few thresholds and handle California residents' personal information. Generally, a business is covered if it has annual gross revenue above a set threshold (commonly cited around 25 million dollars), or buys, sells, or shares the personal information of a large number of California consumers or households (typically 100,000 or more), or derives half or more of its revenue from selling personal information. Importantly, location does not exempt you: a business based anywhere can be covered if it meets these criteria and handles Californians' data. Many small local businesses fall below all the thresholds and are not directly covered, but those that grow, run large marketing operations, or trade in data may cross the line. Because the exact figures and rules can change, and other state laws are emerging, it is worth assessing your specific situation. Our /services/web-design team helps businesses determine their exposure and build privacy practices that scale as they grow past these thresholds.

What rights does the CCPA give consumers? #

The CCPA grants California residents several important rights over their personal information. The right to know lets consumers request what personal information a business has collected about them, where it came from, why it was collected, and with whom it is shared. The right to delete lets them ask a business to erase personal information it holds, subject to certain exceptions. The right to opt out lets them tell a business to stop selling or sharing their personal information, which is the CCPA's signature protection. The CPRA added the right to correct inaccurate information and the right to limit the use of sensitive personal information, like precise location or health data. Consumers also have the right not to face discrimination for exercising these rights, so a business cannot deny service or charge more simply because someone opted out. Businesses must provide accessible ways to submit these requests and respond within set timeframes. Honoring them requires knowing what data you hold. Our /services/database-services team helps organize data so these requests can be fulfilled accurately and on time.

What does "do not sell my info" mean? #

The CCPA's most visible feature is the requirement to let consumers opt out of the sale or sharing of their personal information, which is why covered business websites display a "Do Not Sell or Share My Personal Information" link. "Sale" under the CCPA is defined broadly and does not require money to change hands; sharing data with third parties for advertising purposes can count. This surprises many businesses that do not think of themselves as selling data but do share it with advertising and analytics partners through tracking technologies. When a consumer opts out, the business must stop these transfers of their information. The CPRA expanded this to cover "sharing" for cross-context behavioral advertising specifically. Practically, this means covered sites need a clear opt-out mechanism, often honoring browser-based signals like the Global Privacy Control automatically. Getting this right has real implications for how advertising and analytics tools operate on your site. Misunderstanding what counts as a "sale" is a common compliance gap. Our /services/web-design and /services/website-security teams implement compliant opt-out mechanisms that properly limit data sharing when consumers request it.

What is a CCPA privacy policy? #

The CCPA requires covered businesses to maintain a privacy policy that discloses specific information and to keep it updated at least annually. The policy must describe the categories of personal information collected, the sources it comes from, the business or commercial purposes for collecting it, and the categories of third parties it is shared with. It must also explain consumers' CCPA rights and how to exercise them, including how to submit a request to know, delete, or opt out. If the business sells or shares personal information, the policy must say so and provide the opt-out method. This is more prescriptive than a generic privacy notice, requiring specific categories and disclosures rather than vague statements. The policy must be accessible, typically linked in the footer, and written so consumers can understand it. Because data practices and the law itself evolve, the annual update requirement means this is a living document. Many businesses use outdated or generic policies that fail these specifics. Our /tools/privacy-policy-generator produces a CCPA-aware starting point, and our /services/web-design team ensures it is properly disclosed and matched to your actual practices.

How is the CCPA different from GDPR? #

The CCPA and /wiki/what-is-gdpr share the goal of protecting personal data and giving individuals control, but they differ in important ways. GDPR is an EU regulation covering all EU and UK residents and applies to nearly any organization handling their data, with a consent-first approach where you generally need a lawful basis before processing. The CCPA is a California state law covering California residents and applies only to businesses meeting size or data thresholds, taking an opt-out approach where businesses can collect and even sell data unless the consumer objects. GDPR's fines are calculated as a percentage of global revenue and can be enormous, while CCPA penalties are assessed per violation. GDPR emphasizes upfront consent, especially for cookies; the CCPA emphasizes the right to opt out of sale. Definitions of personal data are broad in both but not identical. Because GDPR is generally stricter, building to its standard often eases CCPA compliance, though each has unique specifics. Our /services/web-design team builds privacy foundations that address both frameworks where they apply rather than treating them as interchangeable.

What are the penalties for CCPA violations? #

The CCPA carries financial penalties enforced by California's privacy authority. Businesses can face civil penalties per violation, with higher amounts for intentional violations or those involving minors' data, and because penalties are assessed per affected consumer, totals can climb quickly across many records. The CPRA established the California Privacy Protection Agency, a dedicated body with authority to investigate and enforce, and it removed an earlier grace period that let businesses fix problems before penalties applied in some cases. Separately, the CCPA gives consumers a limited private right of action: individuals can sue directly if their non-encrypted personal information is exposed in a data breach caused by inadequate security, seeking statutory damages per incident. This breach-related liability is a significant motivator to maintain strong security, since a breach can trigger both regulatory penalties and consumer lawsuits. The combination of agency enforcement and private lawsuits gives the CCPA real teeth. Reducing breach risk through solid security is therefore both a privacy and a legal priority. Our /services/website-security team implements the safeguards that lower breach exposure and the liability that comes with it.

How do you make a website CCPA-compliant? #

Making a website CCPA-compliant follows practical steps similar to other privacy work but with California-specific requirements. First, determine whether you are actually covered by the thresholds, since many small businesses are not directly subject to it. If you are, inventory the personal information you collect, its sources, purposes, and who you share it with. Publish a compliant privacy policy that includes the required categories and disclosures, and update it at least annually. Provide clear mechanisms for consumers to exercise their rights, including a "Do Not Sell or Share My Personal Information" link if you sell or share data, and honor opt-out signals like the Global Privacy Control. Build processes to respond to know, delete, correct, and opt-out requests within the required timeframes, which means knowing where your data lives. Maintain strong security to reduce breach liability. Review your analytics and advertising tools, since these often trigger "sharing" obligations. This is ongoing work as the law and your practices evolve. Our /services/web-design and /services/website-security teams implement these requirements, and our /tools/privacy-policy-generator helps produce the required disclosures.

The CCPA and the wider privacy landscape #

The CCPA was a landmark because it was the first broad US state privacy law, and it has inspired a growing wave of similar laws across other states, each with its own thresholds, definitions, and rules. This means US businesses increasingly face a patchwork rather than a single national standard, and a business serving customers nationwide may need to consider several state laws at once. The practical strategy for most is to adopt strong, privacy-respecting practices, clear disclosure, honored consumer rights, genuine opt-out mechanisms, and solid data security, that hold up broadly across jurisdictions, then address the specific requirements of the states that truly apply. Because the strictest standards, like /wiki/what-is-gdpr in Europe, cover most principles the state laws share, building to a high baseline is efficient. Privacy law is evolving rapidly, so this is an area requiring ongoing attention rather than a one-time setup. Understand the full picture in our /wiki/website-privacy-laws-explained reference and compare with /wiki/what-is-gdpr, and our /services/web-design team builds adaptable privacy foundations that handle multiple state laws as they emerge rather than rebuilding for each one.

FAQ

Is my small business covered by the CCPA?

Probably not directly, unless you meet a threshold: annual revenue above roughly 25 million dollars, handling the data of 100,000 or more California consumers or households, or deriving half your revenue from selling personal information. Many small local businesses fall below all of these. But if you grow or run large data operations, you can cross the line, so reassess as you scale.

Does the CCPA apply to businesses outside California?

Yes, if they meet the thresholds and handle California residents' personal information. Location does not exempt you; a business based anywhere can be covered when it does business with Californians and crosses the size or data criteria. Since California is populous and economically influential, the CCPA reaches a large number of out-of-state businesses across the country.

What does 'sale' of personal information mean under the CCPA?

It is defined broadly and does not require money. Sharing personal information with third parties for advertising and similar purposes can count as a 'sale.' This surprises businesses that share data through tracking and ad tools without thinking of it as selling. The CPRA also covers 'sharing' for cross-context behavioral advertising, triggering opt-out obligations.

What is the difference between CCPA and CPRA?

The CPRA (California Privacy Rights Act) amends and strengthens the CCPA rather than replacing it. It added rights to correct data and limit sensitive information use, expanded rules around sharing for advertising, and created the California Privacy Protection Agency to enforce the law. People often use 'CCPA' to refer to the combined framework as it stands after the CPRA took effect.

Do I need a 'Do Not Sell My Info' link?

You need one if you are a covered business that sells or shares personal information, which includes many sites using advertising and analytics tools that transfer data to third parties. The link must let consumers opt out, and you should honor browser signals like the Global Privacy Control. If you genuinely do not sell or share data, the requirement may not apply.

How does the CCPA compare to GDPR?

Both protect personal data, but GDPR is an EU law using a consent-first model and applies to almost any organization handling EU residents' data, while the CCPA is a California law using an opt-out model that applies only to businesses meeting thresholds. GDPR is generally stricter, so building to its standard often eases CCPA compliance, though each has its own specific rules.

Was this helpful?