CCPA Comprehensive Guide & Cheat Sheet

The California Consumer Privacy Act (CCPA) is a landmark data privacy law that grants California residents significant rights over their personal information and imposes strict obligations on businesses. This guide provides a thorough summary and practical cheat sheet for understanding, complying with, and implementing the CCPA, including recent amendments and best practices.


1. Fundamental Framework, Scope, and Applicability

What is the CCPA?

  • Enacted in 2018, effective January 1, 2020, the CCPA enhances privacy rights and consumer protection for California residents.

  • Amended by the California Privacy Rights Act (CPRA), effective January 1, 2023, which expanded consumer rights and established the California Privacy Protection Agency (CPPA).

Who Must Comply?

The CCPA applies to for-profit businesses that do business in California and meet any of the following thresholds:

  • Gross Annual Revenue: Over $26.625 million (as of January 1, 2025; previously $25 million).

  • Data Transactions: Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices annually.

  • Revenue from Data: Derive 50% or more of annual revenue from selling or sharing personal information.

Note: The law applies to businesses outside California if they meet these thresholds and handle California residents’ data.


2. Key Definitions

  • Consumer: A natural person who is a California resident.

  • Business: A for-profit entity that collects consumers’ personal information, determines the purposes and means of processing, and meets the applicability thresholds.

  • Personal Information: Information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household.

  • Sensitive Personal Information: Includes government IDs, financial data, geolocation, racial/ethnic origin, health data, and, as of August 2024, neural data.


3. Consumer Rights Under the CCPA

| Right | Description | Business Obligation |
|---|---|---|
| Right to Know/Access | Know what personal info is collected, sources, purposes, and third parties shared with | Provide this info upon request within 45 days; update privacy policy accordingly |
| Right to Delete | Request deletion of personal info held by the business | Delete info and instruct service providers to do the same, unless an exception applies |
| Right to Opt-Out | Opt out of the sale of personal info | Provide a “Do Not Sell My Personal Information” link; honor opt-out requests for at least 12 months |
| Right to Correct | Request correction of inaccurate personal info (added by CPRA) | Correct inaccurate info upon request |
| Right to Limit | Limit use/disclosure of sensitive personal info | Provide a “Limit the Use of My Sensitive Personal Information” link |
| Right to Non-Discrimination | No discrimination for exercising CCPA rights | Cannot deny goods/services, charge different prices, or provide different quality of service |


4. Business Compliance Requirements & Best Practices

Core Obligations

  • Transparency: Provide clear, conspicuous notices about data collection, use, and sharing.

  • Privacy Policy: Update at least every 12 months; must detail consumer rights and how to exercise them.

  • Opt-Out Mechanism: Prominently display “Do Not Sell My Personal Information” and “Limit the Use of My Sensitive Personal Information” links.

  • Consumer Request Handling: Offer at least two methods for submitting requests (e.g., toll-free number, web form).

  • Verification: Verify consumer identity before fulfilling requests.

  • Timely Response: Respond to requests within 45 days (with a possible 45-day extension).

  • Data Security: Implement reasonable security measures (encryption, access controls, regular audits).

  • Employee Training: Train staff on CCPA requirements and consumer request handling.

  • Third-Party Management: Update contracts to ensure vendors comply with CCPA.

  • Record Keeping: Maintain records of consumer requests and responses for at least 24 months.

Practical Implementation Steps

  1. Conduct a Data Inventory: Map all personal data collected, processed, and shared.

  2. Update Privacy Policies and Notices: Ensure clarity and compliance with CCPA requirements.

  3. Implement Consumer Rights Protocols: Streamline processes for handling access, deletion, correction, and opt-out requests.

  4. Provide Opt-Out and Limitation Links: Make these links easy to find and use; recognize global opt-out signals.

  5. Enhance Data Security: Use encryption, access controls, and regular security assessments.

  6. Audit Third-Party Agreements: Ensure all vendors and partners are CCPA-compliant.

  7. Regularly Review Compliance: Stay updated on amendments and adjust practices as needed.
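Step 4 asks businesses to recognize global opt-out signals, and the Sephora case in section 6 shows what ignoring them costs. The following is an added example, not code from this guide or from any regulator. It assumes the signal is the Global Privacy Control (GPC) HTTP request header `Sec-GPC: 1`; the consent-record layout, the retention constant, and the sample requests are this example's own constructions, not anything the CCPA prescribes.

```javascript
// Added example, not from the guide: recognising a global opt-out signal on an
// incoming web request and recording an opt-out of sale/sharing.
// ASSUMPTION: the signal is the Global Privacy Control (GPC) request header
// `Sec-GPC: 1`. The consent-record shape and retention period here are this
// example's own choices; the guide only says opt-outs are honoured for at
// least 12 months.

const OPT_OUT_RETENTION_DAYS = 365; // at least 12 months, per the guide
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Case-insensitive header lookup: HTTP header names are case-insensitive, and
// not every framework lower-cases them before handing them to application code.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// GPC is signalled only by the exact value "1"; a missing header or any other
// value ("0", "true", "") is not a signal and must not be read as consent either.
function hasGpcSignal(headers) {
  return getHeader(headers, "Sec-GPC") === "1";
}

// Create or update the consumer's opt-out record. Either a GPC signal or an
// explicit opt-out request sets the opt-out. The absence of a signal on a later
// request never clears an existing opt-out: the guide requires the opt-out to
// be honoured for at least 12 months, so only its expiry (or a fresh,
// affirmative opt-in, not modelled here) can end it.
function applyOptOut(existing, headers, explicitRequest, now = new Date()) {
  const signalled = hasGpcSignal(headers);
  if (!signalled && !explicitRequest) {
    return existing;
  }
  return {
    optedOutOfSaleOrSharing: true,
    source: explicitRequest ? "consumer-request" : "gpc-signal",
    recordedAt: now.toISOString(),
    honourUntil: new Date(now.getTime() + OPT_OUT_RETENTION_DAYS * MS_PER_DAY).toISOString(),
  };
}

// Gate for any downstream sale or sharing (ad tags, data partners): deny when
// the record says the consumer is opted out and that opt-out has not expired.
function maySellOrShare(record, now = new Date()) {
  if (!record || !record.optedOutOfSaleOrSharing) {
    return true;
  }
  return now > new Date(record.honourUntil);
}

// Constructed sample requests (not real traffic): one with the signal, one with
// a non-conforming value, one with no signal at all.
const SAMPLE_REQUESTS = [
  { id: "with-gpc", headers: { "sec-gpc": "1", "user-agent": "example-ua" } },
  { id: "bad-value", headers: { "Sec-GPC": "0" } },
  { id: "no-signal", headers: { "user-agent": "example-ua" } },
];

// Classify every sample request; returns an array the caller (or a test) can check.
function classifySamples(requests = SAMPLE_REQUESTS) {
  return requests.map((req) => ({ id: req.id, gpc: hasGpcSignal(req.headers) }));
}

console.log(JSON.stringify(classifySamples()));
```

Two design points matter for compliance: the header comparison is an exact `"1"` because that is the only value that means opt-out, and `applyOptOut` treats a request without the signal as "no change" rather than as consent, so a consumer who opted out from one browser is not silently re-enrolled when they arrive from another. Place `maySellOrShare` in front of every code path that would transmit data to an advertising or data partner, not only in front of the visible "Do Not Sell" link.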


5. Recent Amendments and Updates (2023–2025)

  • CPRA Amendments: Effective January 1, 2023, expanded consumer rights and established the CPPA.

  • 2024 Amendments: Six new amendments passed, including expanded definitions (e.g., neural data as sensitive personal info) and additional protections for reproductive healthcare and citizenship data.

  • 2025 Updates: New regulations on automated decision-making, cybersecurity audits, and risk assessments; increased penalties and new obligations for businesses.

  • Delayed Enforcement: CPPA won an appeal in February 2024, delaying enforcement of updated regulations by one year.


6. Enforcement Mechanisms and Penalties

  • Regulatory Bodies: California Attorney General and California Privacy Protection Agency (CPPA).

  • Cure Period: 30-day period to fix violations after notification (may not apply to all violations post-CPRA).

  • Private Right of Action: Consumers can sue for certain data breaches.

  • Penalties:

    • Up to $2,500 per unintentional violation

    • Up to $7,500 per intentional violation

    • No cap on total fines; penalties can accumulate

  • Additional Costs: Injunctions, reputational damage, and civil lawsuit costs.

Notable Enforcement Cases

  • Sephora (2022): $1.2 million fine for failing to disclose data sales and not honoring global opt-out signals.

  • Todd Snyder, Inc.: $345,178 fine for improper opt-out mechanisms and excessive data collection.

  • Honda (2025): $632,500 fine for difficult opt-out process and excessive info requests.

  • DoorDash (2024): $375,000 fine for sharing user data with marketing partners without proper notice.


7. CCPA Cheat Sheet

| Area | Key Points |
|---|---|
| Who Must Comply? | For-profit businesses in CA or serving CA residents, meeting revenue/data thresholds |
| Consumer Rights | Know, Delete, Opt-Out, Correct, Limit, Non-Discrimination |
| Privacy Policy | Must be clear, updated annually, and detail rights/processes |
| Opt-Out Links | “Do Not Sell My Personal Information” and “Limit the Use of My Sensitive Personal Information” |
| Request Handling | At least two methods; respond in 45 days; verify identity |
| Data Security | Reasonable measures (encryption, access controls, audits) |
| Employee Training | Required for all staff handling consumer data |
| Third-Party Contracts | Must ensure CCPA compliance |
| Penalties | $2,500–$7,500 per violation; no cap; private right of action for breaches |
| Recent Changes | CPRA amendments, new sensitive data categories, increased penalties, new regulations (2023–2025) |


8. Resources and Ongoing Compliance

  • Stay Informed: Regularly monitor updates from the California Privacy Protection Agency and Attorney General.

  • Review Practices: Conduct annual reviews of privacy policies, data inventories, and compliance protocols.

  • Document Everything: Keep detailed records of compliance efforts, consumer requests, and responses.


9. Summary Table: CCPA vs. CPRA (Key Additions)

| Feature/Right | CCPA (2020) | CPRA (2023+) Additions/Changes |
|---|---|---|
| Right to Correct | No | Yes |
| Right to Limit Sensitive Info | No | Yes |
| Sensitive Info Definition | Basic | Expanded (e.g., neural data, health, etc.) |
| Enforcement Agency | Attorney General | CPPA (new agency) |
| Automated Decision-Making | Not addressed | New regulations in 2025 |
| Risk Assessments | Not required | Required for certain businesses |


10. Quick Reference: CCPA Compliance Checklist