The Complete Guide to CCPA Compliance
Everything small businesses need to know about CCPA compliance: who it applies to, consumer rights, and step-by-step instructions to get compliant.
Last updated: 2026-02-07
The California Consumer Privacy Act (CCPA) is the most significant privacy law in the United States. If your business collects personal information from California residents, you need to understand it -- even if you think it doesn't apply to you.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.
This guide breaks down what the CCPA actually requires, who it covers, and what you need to do about it. No legal jargon, no unnecessary panic. Just the practical stuff.
What Is the CCPA?
The CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) is a California state law that gives California residents specific rights over their personal information. It went into effect on January 1, 2020, and was amended by the California Privacy Rights Act (CPRA) in 2023.
In plain terms: if you collect data from people in California, the CCPA says those people have the right to know what you're collecting, ask you to delete it, and tell you to stop selling it. And you have to actually do those things.
The law was modeled loosely on the European Union's GDPR, but it's distinctly American in its approach. It's narrower in some ways (it only applies to businesses above certain thresholds) and broader in others (its definition of "personal information" is remarkably wide).
For a deeper dive on the amendments that CPRA brought, see our CPRA compliance guide.
Who Does the CCPA Apply To?
This is the first question every business owner asks, and the answer is more nuanced than most guides let on.
The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these three thresholds (Cal. Civ. Code § 1798.140(d)):
- Annual gross revenue exceeds $25 million (adjusted annually for CPI; $26.625 million as of 2026). This is worldwide revenue, not just California revenue.
- Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households. Note: the original CCPA set this threshold at 50,000; CPRA raised it to 100,000.
- Derives 50% or more of annual revenue from selling or sharing California consumers' personal information. This primarily targets data brokers.
If you hit any one of those thresholds, you're covered. Period. It doesn't matter if you're based in California, New York, or Tokyo. If you do business in California and meet a threshold, the CCPA applies to you.
We've written a detailed breakdown in Who Does the CCPA Apply To? and a specific analysis for smaller companies in Does CCPA Apply to Small Businesses?.
What Counts as "Personal Information"?
The CCPA defines personal information very broadly (Cal. Civ. Code § 1798.140(v)). It's any information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
That includes the obvious stuff like names, email addresses, and Social Security numbers. But it also includes:
- IP addresses
- Browsing history
- Purchase history
- Geolocation data
- Audio, visual, or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from any of the above to create a consumer profile
If you're collecting website analytics, running email marketing, or processing online orders from California residents, you're almost certainly collecting personal information under this definition.
The Four Core Consumer Rights
The CCPA grants California residents four fundamental rights. These are non-negotiable if the law applies to you.
Right to Know (Cal. Civ. Code § 1798.100)
Consumers can ask your business to disclose:
- What categories of personal information you've collected
- Where you got it (the sources)
- Why you collected it (the business purpose)
- Who you've shared it with (categories of third parties)
- The specific pieces of personal information you've collected about them
You must be able to provide this information for the preceding 12 months. This is the foundation of DSAR (Data Subject Access Request) compliance under CCPA. For a complete walkthrough of how to handle these requests, see our CCPA DSAR process guide.
Right to Delete (Cal. Civ. Code § 1798.105)
Consumers can request that you delete the personal information you've collected about them. When you receive a verified deletion request, you must delete the information and direct any service providers to do the same.
There are exceptions -- you don't have to delete information if you need it to complete a transaction, detect security incidents, comply with a legal obligation, or for certain other purposes. But the default position is: if they ask, you delete.
We cover the practical details of handling deletion requests in How to Handle CCPA Right-to-Delete and Right-to-Know Requests.
Right to Opt Out of Sale or Sharing (Cal. Civ. Code § 1798.120)
If your business sells or shares personal information, consumers have the right to say "stop." You must honor this request, and you must provide a clear and conspicuous link on your website titled "Do Not Sell or Share My Personal Information."
Here's where it gets tricky: "selling" under the CCPA doesn't just mean exchanging data for money. It means any transfer of personal information for "monetary or other valuable consideration." If you share customer data with an advertising network and get targeted ads in return, that could be a "sale."
CPRA expanded this to also cover "sharing" -- which means disclosing personal information for cross-context behavioral advertising, regardless of whether money changes hands. This captures a lot of common ad-tech practices.
Right to Non-Discrimination (Cal. Civ. Code § 1798.125)
You cannot punish consumers for exercising their privacy rights. That means you can't:
- Deny them goods or services
- Charge them different prices
- Provide a different quality of service
- Threaten any of the above
You can offer financial incentives for the collection or sale of personal information, but only if those incentives are reasonably related to the value of the consumer's data and the consumer opts in.
How to Comply: Step by Step
Enough theory. Here's what you actually need to do.
Step 1: Map Your Data
Before you can comply with anything, you need to know what data you have. Conduct a thorough data inventory:
- What personal information do you collect?
- Where does it come from? (Directly from consumers, from third parties, automatically via cookies/tracking?)
- Why do you collect it? (What's the business purpose?)
- Where do you store it?
- Who do you share it with?
- How long do you keep it?
This isn't glamorous work, but it's the foundation of everything else. You can't tell consumers what you collect if you don't know yourself.
Step 2: Update Your Privacy Policy
Your privacy policy must include specific disclosures required by the CCPA:
- The categories of personal information you've collected in the past 12 months
- The categories of sources from which you collected it
- Your business purpose for collecting or selling it
- The categories of third parties with whom you share it
- If you sell personal information: the categories sold and the categories of third parties to whom it was sold
- If you disclose personal information for a business purpose: the categories disclosed and the categories of recipients
- A description of each consumer right and how to exercise them
- Contact information for submitting requests
The privacy policy must be updated at least once every 12 months. We recommend reviewing it quarterly if your data practices change frequently.
Step 3: Set Up Consumer Request Channels
You must provide at least two methods for consumers to submit requests. One of those must be a toll-free phone number. If you have a website, you must also provide a web-based method (like an online form or email address).
For businesses that operate exclusively online, you may be able to provide just an email address instead of a phone number. But most businesses should offer:
- A web form (recommended as your primary intake method)
- An email address (e.g., privacy@yourbusiness.com)
- A toll-free phone number
Step 4: Build Your DSAR Response Process
When a consumer submits a request, the clock starts ticking. You have 45 calendar days to respond (Cal. Civ. Code § 1798.130(a)(2)). You can extend this by another 45 days if necessary, but you must notify the consumer of the extension within the initial 45-day window.
Your DSAR process needs to include:
- Intake: How you receive and log requests
- Verification: How you confirm the requester is who they claim to be
- Processing: How you gather the requested information or process the deletion
- Response: How you deliver the response to the consumer
- Documentation: How you record what you did and when
This is where most businesses struggle, especially the first time. Our CCPA DSAR process guide walks through each step in detail.
For a complete checklist of everything you need to set up, see our CCPA compliance checklist.
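The five components listed above, together with the 45-day clock and its single extension, map naturally onto a small request tracker. The following Python module is an added illustration, not code from this guide or from any DSAR product: it records each request's stage (intake, verification, processing, response, documentation), computes the initial deadline as 45 calendar days from receipt, accepts an extension only once and only when the consumer is notified before the initial deadline, and flags late responses. The request ids, dates and log wording are constructed sample data.

```python
"""Minimal DSAR request tracker: stages, the 45-day clock, one extension, audit log.

Added illustration, not from the article. Day counts are calendar days, as the
article states; the Stage names follow the five components listed in Step 4.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

RESPONSE_WINDOW_DAYS = 45  # initial response window, Cal. Civ. Code § 1798.130(a)(2)
EXTENSION_DAYS = 45        # one extension of the same length is permitted


class Stage(Enum):
    INTAKE = "intake"
    VERIFICATION = "verification"
    PROCESSING = "processing"
    RESPONSE = "response"
    DOCUMENTED = "documented"


@dataclass
class DsarRequest:
    request_id: str            # constructed internal id, not a real identifier
    kind: str                  # "know" or "delete"
    received: date             # day the request arrived through any intake channel
    stage: Stage = Stage.INTAKE
    verified: Optional[bool] = None
    extension_notified_on: Optional[date] = None
    responded_on: Optional[date] = None
    log: List[str] = field(default_factory=list)

    def record(self, on: date, event: str) -> None:
        """Documentation step: every action is logged with its date."""
        self.log.append(f"{on.isoformat()} {self.request_id} {event}")

    def initial_deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)

    def deadline(self) -> date:
        """Current deadline: the initial window, plus the extension if one was properly noticed."""
        if self.extension_notified_on is None:
            return self.initial_deadline()
        return self.initial_deadline() + timedelta(days=EXTENSION_DAYS)

    def verify(self, on: date, identity_confirmed: bool) -> None:
        """Verification step: a deletion must never run on an unverified request."""
        self.verified = identity_confirmed
        self.stage = Stage.PROCESSING if identity_confirmed else Stage.RESPONSE
        self.record(on, "identity verified" if identity_confirmed else "verification failed")

    def extend(self, on: date, reason: str) -> bool:
        """Take the 45-day extension. Valid only once and only if the consumer is
        notified within the initial window; otherwise the original deadline stands."""
        if self.extension_notified_on is not None:
            self.record(on, "extension refused: already used")
            return False
        if on > self.initial_deadline():
            self.record(on, "extension refused: initial window already passed")
            return False
        self.extension_notified_on = on
        self.record(on, f"extension notice sent ({reason}); new deadline {self.deadline()}")
        return True

    def respond(self, on: date) -> bool:
        """Response step. Returns False if the request was answered after the deadline."""
        self.responded_on = on
        self.stage = Stage.DOCUMENTED
        on_time = on <= self.deadline()
        self.record(on, "response sent" + ("" if on_time else " LATE"))
        return on_time

    def is_overdue(self, today: date) -> bool:
        return self.responded_on is None and today > self.deadline()


def sample_lifecycle() -> DsarRequest:
    """Constructed walk-through of one right-to-know request handled correctly."""
    req = DsarRequest("REQ-0001", "know", date(2026, 1, 5))
    req.record(req.received, "received via web form")
    req.stage = Stage.VERIFICATION
    req.verify(date(2026, 1, 8), identity_confirmed=True)
    req.extend(date(2026, 2, 10), "records held by two service providers")  # before 2026-02-19
    req.respond(date(2026, 3, 30))                                           # before 2026-04-05
    return req


def late_sample() -> DsarRequest:
    """Constructed failure case: extension requested after the initial window closed."""
    req = DsarRequest("REQ-0002", "delete", date(2026, 1, 5))
    req.record(req.received, "received by toll-free phone")
    req.verify(date(2026, 1, 20), identity_confirmed=True)
    req.extend(date(2026, 2, 25), "vendor slow")  # refused: initial deadline was 2026-02-19
    req.respond(date(2026, 3, 2))                 # late against the unchanged deadline
    return req


if __name__ == "__main__":
    for request in (sample_lifecycle(), late_sample()):
        print("\n".join(request.log))
```

The point of the second scenario is the one businesses most often get wrong: an extension notice sent after the initial 45 days does not buy more time, so the request is simply late. Keeping the log inside the request object also gives you the documentation record the article asks for without a separate bookkeeping step.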
Step 5: Implement "Do Not Sell or Share My Personal Information"
If you sell or share personal information (and remember, the definition is broad), you need to:
- Add a clear link on your website homepage labeled "Do Not Sell or Share My Personal Information"
- Process opt-out requests without requiring the consumer to create an account
- Wait at least 12 months before asking a consumer who opted out to reconsider
- Communicate opt-out requests to any third parties with whom you've shared data
If you don't sell or share personal information, you don't technically need this link. But many businesses add it anyway as a best practice, because proving you don't "sell" data under the CCPA's broad definition can be harder than just providing the opt-out mechanism.
For details on how this relates to cookies and tracking, see our CCPA cookie compliance guide.
Step 6: Train Your Employees
Anyone who handles consumer inquiries or personal information needs to know the basics:
- How to recognize a privacy request (consumers don't always use the word "DSAR")
- Where to route requests
- How to respond appropriately
- What not to say (don't promise timelines you can't meet)
You don't need a week-long training seminar. A one-hour overview and a simple reference guide will do for most small businesses.
Step 7: Review Your Vendor Agreements
If you share personal information with service providers, you need written contracts that:
- Specify the business purpose for sharing the data
- Require the service provider to comply with the CCPA
- Prohibit the service provider from retaining, using, or disclosing the data for purposes other than the contracted service
- Require the service provider to notify you if it can no longer meet its CCPA obligations
Go through your existing vendor agreements and check whether they include these provisions. Many SaaS providers have updated their terms to include CCPA-compliant language, but don't assume -- verify.
Step 8: Implement Reasonable Security Measures
The CCPA doesn't prescribe specific security requirements, but it gives consumers a private right of action (Cal. Civ. Code § 1798.150) if a data breach occurs because of your failure to implement "reasonable security measures." That means if you get breached because you weren't taking basic security seriously, consumers can sue you directly.
"Reasonable" generally means:
- Encrypting sensitive data at rest and in transit
- Using strong access controls
- Keeping software updated
- Having an incident response plan
- Conducting regular security assessments
The California Attorney General has referenced the CIS Controls as a reasonable baseline. You don't need to build a fortress, but you do need to show you took security seriously.
Privacy Policy Requirements: The Details
Your CCPA privacy policy isn't just a "we respect your privacy" page anymore. It's a legal document with specific required disclosures (Cal. Civ. Code § 1798.130). Here's what must be in it:
Required disclosures:
- Categories of personal information collected in the past 12 months
- Categories of sources
- Business or commercial purpose for collecting/selling
- Categories of third parties with whom you share data
- For each category of personal information collected: the categories of sources, business purpose, and third parties
- A description of consumer rights under the CCPA
- How consumers can submit requests
- The process for verifying consumer requests
- Information about financial incentive programs (if any)
- The date the privacy policy was last updated
- Whether you sell personal information (and if so, the categories sold)
Format requirements:
- Must be available in the same languages your website supports
- Must be accessible to consumers with disabilities
- Must be updated at least once every 12 months
Common Compliance Mistakes
After seeing hundreds of businesses go through CCPA compliance, these are the mistakes that come up again and again:
Ignoring the law because you're "too small." The thresholds may mean the law doesn't technically apply to you, but that can change quickly. And even if you're under the thresholds, good privacy practices are just good business. See Does CCPA Apply to Small Businesses? for an honest assessment.
Copy-pasting a privacy policy template. Your privacy policy needs to reflect your actual data practices. A template that says you collect "biometric data" when you don't, or fails to mention that you share data with ad networks when you do, creates more problems than it solves.
Not having a real DSAR process. Having a privacy email address is not a process. You need documented steps for intake, verification, processing, and response. Otherwise, when a request comes in at 4:30 PM on a Friday, nobody knows what to do.
Treating "do not sell" as optional. If you use Google Analytics, Facebook Pixel, or any other ad-tech tool that shares data with third parties, you may be "selling" or "sharing" data under the CCPA. The "Do Not Sell or Share" link is not optional for these businesses.
Forgetting about service providers. Your compliance is only as good as your vendors' compliance. If you share personal information with service providers who don't have proper agreements in place, you're exposed.
CCPA vs. GDPR: The Key Differences
If you're also dealing with GDPR compliance (or just wondering how they compare), here are the most important differences:
| Area | CCPA | GDPR |
|---|---|---|
| **Who it covers** | For-profit businesses meeting thresholds | Any organization processing EU residents' data |
| **Consent model** | Opt-out (you can collect, consumers can say stop) | Opt-in (you need consent before collecting) |
| **Cookie consent** | No banner required (but "Do Not Sell" link needed) | Explicit consent banner required |
| **Right to delete** | Yes, with exceptions | Yes, with exceptions |
| **Data breach penalties** | Private right of action ($100-$750 per consumer) | Up to 4% of global annual revenue |
| **Enforcement** | California AG + CPPA | Data Protection Authorities in each EU country |
The CCPA is generally less strict than the GDPR, but the private right of action for data breaches makes it uniquely dangerous for businesses that suffer a breach. For more on penalties, see our CCPA penalties guide.
What About CPRA?
The California Privacy Rights Act (CPRA) amended the CCPA effective January 1, 2023. It didn't replace the CCPA -- it strengthened it. Key changes include:
- New consumer rights (correction, limiting use of sensitive personal information)
- A new enforcement agency (the California Privacy Protection Agency, or CPPA)
- Raised the data threshold from 50,000 to 100,000 consumers/households
- Expanded the concept of "selling" to include "sharing" for behavioral advertising
- New requirements for data minimization, storage limitation, and purpose limitation
- New obligations for "contractors" (in addition to service providers)
If you comply with the CCPA as amended by CPRA, you're compliant with both. For a detailed breakdown of what changed, see our CPRA compliance guide.
The Bottom Line
CCPA compliance isn't a one-time project. It's an ongoing commitment to handling personal information responsibly. The good news: if you set up the right processes now, maintaining compliance is largely a matter of following your own procedures.
Start with data mapping. Update your privacy policy. Build a real DSAR response process. Train your team. Review your vendors. That's the core of it.
Is it boring? Absolutely. But boring is reliable, and reliable is what keeps you out of trouble.
References
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text on the California Legislative Information site
- California Privacy Rights Act (CPRA): Proposition 24 (2020), amending the CCPA. CPRA ballot text
- CCPA Regulations: Title 11, Division 6, California Code of Regulations. Final CCPA regulations (California Office of the Attorney General)
- California Privacy Protection Agency (CPPA): Official CPPA website
- CIS Controls: Center for Internet Security Critical Security Controls. CIS Controls v8
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Ready to build your DSAR compliance process? Download our DSAR Compliance Guide for a step-by-step framework you can implement this week. It covers intake, verification, processing, and response -- everything you need to handle consumer requests with confidence.