California Privacy Law (CCPA/CPRA): What Small Businesses Need to Know
Plain-English guide to California's CCPA and CPRA for small businesses. Learn who it applies to, what rights consumers have, and how to comply.
Last updated: 2026-02-08
A customer emails your Shopify store and says, "Send me everything you have on me and then delete it." You have 45 days to respond -- and if you get it wrong, the fine is up to $7,500 per violation. That is the reality of doing business in California under the CCPA and its successor amendment, the CPRA. Whether you are a solo founder running a SaaS app or a 40-person marketing agency with California clients, this law likely affects you. This guide breaks down California's privacy law into plain English so you can figure out what applies, what you owe consumers, and what to do about it.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) as amended by the CPRA (Proposition 24, 2020), as of the date of publication.
Does This Law Apply to Your Business?
The CCPA/CPRA applies to for-profit businesses that collect personal information from California residents and meet at least one of these three thresholds (Cal. Civ. Code § 1798.140(d)):
- Annual gross revenue exceeds $26.625 million. This figure is adjusted for inflation by the CPPA in January of every odd-numbered year. It started at $25 million when the law took effect in 2020 and has been adjusted upward since. This is worldwide revenue, not just what you earn from California customers. If your SaaS app brings in $27 million globally, you are covered even if only 5% of users are in California.
- You annually buy, sell, or share the personal information of 100,000 or more California consumers or households. The original CCPA set this at 50,000. The CPRA raised it to 100,000. If your e-commerce site gets 300,000 unique visitors a year from California and you drop a tracking pixel on each of them, you may hit this number faster than you think.
- You derive 50% or more of annual revenue from selling or sharing California consumers' personal information. This mainly targets data brokers, but it catches any business where data monetization is the core revenue model.
You only need to meet one of these. And it does not matter where your business is located. A marketing agency in Austin with California clients is just as covered as one based in San Francisco.
A note on "personal information": The CCPA defines this broadly (Cal. Civ. Code § 1798.140(v)). It includes names, email addresses, IP addresses, browsing history, purchase records, geolocation data, and inferences drawn from any of the above. If you run Google Analytics on your website, you are collecting personal information under this definition.
What Rights Do Consumers Have?
The CCPA/CPRA grants California residents seven distinct rights. When a consumer exercises the right to know, correct, delete, or port their data, that is what most teams call a Data Subject Access Request (DSAR); the statute calls it a "verifiable consumer request." Your business must respond within 45 calendar days, extendable once by another 45 days if you notify the consumer of the delay and the reason. Opt-out and limit-use requests run on a shorter clock: under the CPPA regulations you must act on them as soon as feasibly possible and no later than 15 business days after receipt.
Right to Know (Access). Consumers can ask what personal information you have collected about them, where you got it, why you collected it, and who you have shared it with (Cal. Civ. Code § 1798.100). You must provide this for at least the preceding 12 months, and potentially longer for data collected after January 1, 2022.
Right to Correct. Added by the CPRA, consumers can ask you to fix inaccurate personal information in your records (Cal. Civ. Code § 1798.106). You must use commercially reasonable efforts to make the correction.
Right to Delete. Consumers can request that you delete the personal information you have collected about them (Cal. Civ. Code § 1798.105). You must also direct your service providers to delete it. There are exceptions for legal obligations and transaction completion.
Right to Portability. Consumers can request their data in a portable, machine-readable format so they can move it to another service.
Right to Opt Out of Sale. If you sell personal information, consumers can tell you to stop (Cal. Civ. Code § 1798.120). Remember, "selling" includes any transfer for monetary or other valuable consideration.
Right to Opt Out of Sharing. Added by the CPRA, consumers can opt out of having their data shared for cross-context behavioral advertising, even if no money changes hands (Cal. Civ. Code § 1798.120).
Right to Limit Sensitive Data Use. Consumers can restrict how you use sensitive personal information -- things like Social Security numbers, precise geolocation, racial or ethnic origin, and health data (Cal. Civ. Code § 1798.121).
| Right | Granted? | Key Detail |
|---|---|---|
| Access (Right to Know) | ✅ | Must cover at least 12 months of collected data |
| Correction | ✅ | Added by CPRA; commercially reasonable efforts required |
| Deletion | ✅ | Must also instruct service providers to delete |
| Portability | ✅ | Data must be provided in a machine-readable format |
| Opt Out of Sale | ✅ | Requires a 'Do Not Sell or Share' link on your website |
| Opt Out of Sharing | ✅ | Covers cross-context behavioral advertising |
| Limit Sensitive Data Use | ✅ | Applies to SSNs, geolocation, health data, and more |
What Your Business Must Do
Update your privacy policy. Your privacy policy must disclose the categories of personal information you collect, the sources, the business purposes, the third parties you share with, retention periods for each category, and a description of each consumer right. It must be updated at least annually (Cal. Civ. Code § 1798.130).
Provide request intake channels. You need at least two methods for consumers to submit requests. One must be a toll-free phone number, unless you operate exclusively online and have a direct relationship with the consumers whose data you collect, in which case an email address is enough (Cal. Civ. Code § 1798.130(a)(1)(A)). If you have a website, a web form should be one of the channels. Many small businesses use a dedicated email address like privacy@yourbusiness.com alongside an online form.
Build a DSAR response process. When a request comes in, you have 45 calendar days to respond. You need a documented workflow that covers intake, identity verification, data retrieval or processing, response delivery, and recordkeeping. This is where most businesses stumble. A spreadsheet tracker, a designated point person, and a written process document can get a small team through the first year. For a complete walkthrough, see our DSAR response templates.
Post "Do Not Sell or Share" and "Limit Use" links. If you sell or share personal information (and if you use ad-tech tools like Google Ads or Meta Pixel, you probably do), you need a conspicuous link on your homepage. If you process sensitive personal information beyond what is necessary for your core service, you also need a "Limit the Use of My Sensitive Personal Information" link.
Honor Global Privacy Control (GPC) signals. GPC is a browser-level signal that acts as an automatic opt-out request. The CPPA has made clear that businesses must treat GPC signals as valid opt-out requests. The Sephora enforcement action in 2022 -- a $1.2 million settlement -- centered partly on the company's failure to honor GPC signals.
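The paragraph above says to treat a GPC signal as an opt-out; the following Node.js module shows what that looks like on the server. It is an added example, not code from the original article or from any vendor. The only facts it takes from the GPC specification are the request header `Sec-GPC`, whose sole valid value is `1`, and the optional `/.well-known/gpc.json` resource that announces GPC support. Every function name, the in-memory `optOutStore`, the `x-demo-consumer-id` header standing in for a session lookup, and the ad-pixel URL are assumptions for illustration.

```javascript
// Added example (not from the original article): honoring Global Privacy Control
// in a Node.js request handler. Header name and the "1" value come from the GPC
// spec; all function names and storage here are illustrative assumptions.

// Node lowercases incoming header names, so the lookup key is 'sec-gpc'.
// Per the GPC spec the only valid value is the single character "1"; "0",
// "true", or a missing header is NOT an opt-out signal.
function gpcSignalPresent(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Stand-in for wherever opt-out preferences are persisted (assumed; use your
// real consumer store in production). Maps consumerId -> source of the opt-out.
const optOutStore = new Map();

// Record an opt-out submitted through the site's "Do Not Sell or Share" link.
function recordOptOut(consumerId) {
  optOutStore.set(consumerId, 'link');
}

// Decide whether this request may trigger a sale or share (for example,
// loading an ad-tech pixel). A GPC signal or a stored opt-out blocks it.
// When the consumer is known, the GPC signal is also written to their
// profile so the choice follows them to sessions without the signal.
function privacyDecision(headers, consumerId) {
  if (gpcSignalPresent(headers)) {
    if (consumerId) optOutStore.set(consumerId, 'gpc');
    return { sellOrShareAllowed: false, source: 'gpc' };
  }
  if (consumerId && optOutStore.has(consumerId)) {
    return { sellOrShareAllowed: false, source: optOutStore.get(consumerId) };
  }
  return { sellOrShareAllowed: true, source: 'none' };
}

// Response body for GET /.well-known/gpc.json, telling browsers and auditors
// that this site honors GPC. lastUpdate is an ISO 8601 date per the spec.
function gpcWellKnown() {
  return { gpc: true, lastUpdate: '2026-02-08' };
}

// Minimal handler showing where the decision plugs in. Wire it up with
// require('http').createServer(handle).listen(8080) when you want to run it.
function handle(req, res) {
  if (req.url === '/.well-known/gpc.json') {
    res.writeHead(200, { 'Content-Type': 'application/json' });
    return res.end(JSON.stringify(gpcWellKnown()));
  }
  // Assumed: a real app would resolve the consumer from a session cookie.
  const consumerId = req.headers['x-demo-consumer-id'] || null;
  const decision = privacyDecision(req.headers, consumerId);
  // The pixel is only emitted when no opt-out applies (URL is a placeholder).
  const pixel = decision.sellOrShareAllowed
    ? '<script src="https://ads.example/pixel.js"></script>'
    : '';
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end(`<!doctype html><p>opt-out source: ${decision.source}</p>${pixel}`);
}

// Constructed sample requests so the module demonstrates itself offline.
const demoDecisions = {
  gpcBrowser: privacyDecision({ 'sec-gpc': '1' }, 'c-42'),   // signal, known consumer
  sameConsumerLater: privacyDecision({}, 'c-42'),            // no signal, stored opt-out
  noSignal: privacyDecision({}, 'c-7'),                      // nothing applies
  bogusValue: privacyDecision({ 'sec-gpc': 'true' }, null),  // invalid value, ignored
};
```

Two practical notes. First, the same signal is exposed to page scripts as `navigator.globalPrivacyControl === true`, so a client-side tag manager that fires pixels must check it as well; a server-only check does nothing for tags loaded by JavaScript. Second, the CPPA regulations treat the signal as applying to the browser or device, and to the consumer's profile when the business knows who they are; the example writes the opt-out to the store for that reason. GPC is an opt-out of sale and sharing only, not a deletion or access request.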
Train your team. Anyone who handles customer inquiries needs to recognize a privacy request and know where to route it. A one-hour training session and a reference guide is enough for most small businesses.
Review vendor contracts. Every service provider that processes personal information on your behalf needs a written agreement specifying the business purpose, requiring CCPA compliance, and prohibiting unauthorized use of the data (Cal. Civ. Code § 1798.100(d)).
How Is It Enforced?
The CCPA/CPRA is enforced by two bodies: the California Privacy Protection Agency (CPPA) and the California Attorney General. The CPPA is the first dedicated state privacy enforcement agency in the United States, created by the CPRA in 2020 and operational since 2021.
Penalties are $2,500 per violation and $7,500 per intentional violation or violation involving a consumer under 16 (Cal. Civ. Code § 1798.155). Like the revenue threshold, these statutory figures are adjusted for inflation by the CPPA, so the current amounts are somewhat higher. There is no cap, so fines scale with the number of affected consumers. The CPRA removed the mandatory 30-day cure period that existed under the original CCPA, so businesses can no longer fix a violation to avoid penalties as of right; whether you cured is only a factor the CPPA may weigh.
There is also a private right of action for data breaches (Cal. Civ. Code § 1798.150). If a breach occurs because your business failed to implement reasonable security measures, affected consumers can sue for statutory damages of $100 to $750 per consumer per incident -- or actual damages, whichever is greater. This is the provision that drives class-action lawsuits.
Notable enforcement: In 2022, the AG reached a $1.2 million settlement with Sephora for failing to honor opt-out requests, not recognizing GPC signals, and not disclosing that it was selling personal information. The CPPA has since signaled that enforcement will intensify.
How This Compares to Other State Laws
California's law is one of the strongest in the country, but it is not the only one. Here is how it stacks up against Virginia's VCDPA and Colorado's CPA:
| Feature | CCPA/CPRA (CA) | VCDPA (VA) | CPA (CO) |
|---|---|---|---|
| Revenue threshold | $26.625M (inflation-adjusted) | None | None |
| Data threshold | 100K consumers or households | 100K consumers (or 25K if over 50% of revenue is from selling data) | 100K consumers (or 25K if any revenue comes from selling data) |
| Consent model | Opt-out | Opt-out (opt-in for sensitive data) | Opt-out (opt-in for sensitive data) |
| Right to correct | Yes | Yes | Yes |
| Right to opt out of sale | Yes | Yes | Yes |
| Private right of action | Yes (data breaches only) | No | No |
| Dedicated enforcement agency | Yes (CPPA) | No (AG only) | No (AG only) |
| Cure period | None (removed by CPRA) | 30 days (permanent) | 60 days (expired January 1, 2025) |
| Universal opt-out (GPC) | Required | Not required | Required (since July 1, 2024) |
California stands out for two reasons: it has a dedicated enforcement agency (the CPPA), and it is the only major state law with a private right of action for data breaches. Virginia and Colorado rely solely on their attorneys general for enforcement. If you comply with the CCPA/CPRA, you will cover most requirements under other state laws, with one notable gap: Virginia and Colorado require opt-in consent before processing sensitive data, whereas California only gives consumers a right to limit its use after the fact. In the other direction, Virginia does not require you to honor GPC signals, but California and Colorado do.
Action Checklist for Small Businesses
- Determine whether the law applies to you. Check your annual revenue against the $26.625 million threshold (adjusted for inflation), count your California consumers, and assess whether data sales make up half your revenue.
- Conduct a data inventory. Map every category of personal information you collect, where it comes from, where it goes, and how long you keep it.
- Update your privacy policy. Add required disclosures including retention periods, consumer rights descriptions, and data sharing categories.
- Set up DSAR intake channels. Create a web form and email address (and toll-free number if required). Designate a team member to own the process.
- Build your DSAR response workflow. Document steps for intake, verification, processing, and response. Set calendar reminders for the 45-day deadline.
- Add "Do Not Sell or Share" and "Limit Use" links. Place them on your homepage and configure them to actually process opt-out requests.
- Implement GPC signal recognition. Make sure your website detects and honors Global Privacy Control signals from browsers.
- Review vendor agreements. Ensure every service provider has a CCPA-compliant contract in place.
- Train your team. Run a one-hour training session covering how to spot privacy requests, where to route them, and what not to say.
- Set a quarterly review cadence. Privacy compliance is not a one-time project. Review your data practices, privacy policy, and DSAR logs every quarter.
Key Dates
- January 1, 2020: CCPA took effect.
- November 3, 2020: California voters approved the CPRA (Proposition 24).
- January 1, 2022: CPRA lookback period begins -- data collected from this date forward is subject to expanded right-to-know.
- January 1, 2023: CPRA amendments took effect.
- March 29, 2023: CPPA finalized first set of CCPA/CPRA regulations.
- September 2025: CPPA regulations on cybersecurity audits, risk assessments, and automated decisionmaking technology were approved by the Office of Administrative Law, with an operative date of January 1, 2026 and phased compliance deadlines after that.
References
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100 (full text on California Legislative Information).
- California Privacy Rights Act (CPRA): Proposition 24 (2020), CPRA ballot text.
- CPPA Regulations: California Privacy Protection Agency.
- Attorney General CCPA Regulations: OAG CCPA regulations.
- Sephora Enforcement Action (2022): California Attorney General press release.
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Ready to handle data subject requests? Download our free DSAR Response Templates for a step-by-step framework you can implement this week.