What Is the CCPA? Definitions, Key Rights, and Compliance Requirements

Published Jun 16, 2026

The California Consumer Privacy Act (CCPA) is a state privacy law that grants California residents rights over their personal information, including the right to know what is collected, the right to have it deleted, and the right to opt out of its sale. It took effect on January 1, 2020, making California the first US state with a comprehensive consumer data privacy law, one intended to give residents control over their personal information and to change how businesses handle it.

We look at the California privacy law, what it means for your business and website, and steps you can take to achieve and maintain compliance.

What Is the CCPA?

The California Consumer Privacy Act (CCPA) is the first comprehensive modern data privacy law in the United States, and came into effect on January 1, 2020. It has shaped the privacy laws subsequently passed in other states. Passed in response to growing public concern about how businesses collect and use personal information, the CCPA gave California residents new rights over their data and placed significant new obligations on the businesses that handle it.

The full text of the CCPA is available at the California Legislative Information website. CPPA regulations and enforcement actions are published at cppa.ca.gov.

What Is the CPRA?

The California Privacy Rights Act (CPRA) amended and expanded the CCPA, enhancing consumer privacy rights for the state’s residents — including the right to correct inaccurate data — tightening requirements for businesses that collect and share personal information, and creating the California Privacy Protection Agency (CPPA) as an independent enforcement body.

The CPRA took effect on January 1, 2023. Enforcement of the CPPA's implementing regulations was originally scheduled for July 1, 2023, was delayed by a court challenge, and began in February 2024 after the Court of Appeal reversed the lower court's ruling.

Who Does the CCPA Protect?

The CCPA, as amended by the CPRA, protects the state’s nearly 40 million residents, known as consumers under the law.

A consumer is a natural person who is either:

  • In the state for other than a temporary or transitory purpose 

or 

  • Domiciled in the state, but temporarily outside of the state, such as on vacation or business trip

It is not enough to simply be located in the state when having one’s data collected — individuals must meet the definition of California resident under the law. Those who are simply passing through, visiting on vacation, or in the state to complete a particular transaction or perform a particular contract are considered to be in the state for temporary or transitory purposes and are not protected by the CCPA/CPRA. This definition is likely to evolve over time, particularly based on case law resulting from lawsuits relating to alleged violations.

The CCPA/CPRA protects the personal information of California residents even when they are temporarily outside the state.

Who Does the CCPA Apply To?

The CCPA/CPRA applies to for-profit businesses that do business in California and collect California residents' personal information (or have it collected on their behalf), if they meet at least one of the following thresholds:

  • Annually buy, sell, or share the personal information of 100,000 or more consumers or households
  • Have gross annual revenue above USD 25 million (adjusted periodically for the Consumer Price Index; the current figure is USD 26,625,000)
  • Derive 50 percent or more of their annual revenue from selling or sharing consumers' personal information

The CCPA/CPRA has extraterritorial reach: a business based in another US state, or outside the US altogether, must comply with the law if it does business in California and meets one of these thresholds.

Additionally, if your business controls or is controlled by a company that meets one of the above thresholds and shares common branding with it, your business is also subject to the CCPA. Common branding means sharing a name, service mark, or trademark such that the average consumer would understand the two entities to be commonly owned.

Interestingly, a number of more recently passed state-level privacy laws in the US do not include the revenue-only threshold.

What Is Personal Information Under the CCPA?

The CCPA/CPRA law defines personal information (known as personal data under some laws) as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information under the CCPA/CPRA includes:

  • Direct identifiers, such as real name, alias, postal address, email address
  • Unique identifiers, such as cookies, IP addresses, beacons, pixel tags
  • Biometric data, such as face, retina, fingerprints, and voice recordings
  • Precise geolocation data, meaning data derived from a device that can locate a consumer within a circle with a radius of 1,850 feet (about 564 meters) or less
  • Internet activity, such as browsing history, search history, data on interaction with a web page or app
  • Sensitive personal information, a distinct category that includes Social Security, driver's license, and passport numbers; account log-in or financial account, debit card, or credit card numbers together with credentials permitting access; precise geolocation; racial or ethnic origin, religious beliefs, and union membership; citizenship or immigration status; genetic data; biometric data processed to identify a consumer; health, sex life, and sexual orientation data; and the contents of mail, email, and text messages where the business is not the intended recipient

Personal information also includes data that by inference can lead to the identification of an individual or a household.

Deidentified and aggregate consumer information falls outside the definition, but only if it cannot reasonably be linked back to a consumer or household. For deidentified data the business must take reasonable measures to prevent re-identification, publicly commit not to re-identify it, and contractually bind any recipient to the same; data that is re-identifiable in any way is still personal information.

What Does the CCPA Say About Cookies?

Cookies and other website tracking technologies are classified as unique identifiers that form part of the CCPA's definition of personal information. Cookies are one of the most commonly used technologies for websites to collect personal information on end users.

First-party cookies are set by the domain of the website the user is visiting. They often support core functions such as keeping a user logged in or remembering preferences, although first-party analytics and advertising cookies exist too. Third-party cookies are set by a different domain, typically an ad network, analytics vendor, or social media platform whose content is embedded in the page, and they are the usual vehicle for tracking a user across sites and building profiles that often contain personal, and sometimes sensitive, information. Whether a cookie is first- or third-party says nothing about how long it lives: a session cookie (one with no Expires or Max-Age attribute) is discarded when the browser closes, while a persistent cookie survives until its expiry, and either kind can be set by either party.

Data collected on your website through cookies can ultimately be considered personal information under the CCPA/CPRA. This information might not in itself constitute personal information, e.g. anonymized analytics data, but it can become personally identifying by inference or in combination with other data, for the purpose of identifying and connecting devices, creating profiles, or serving personalized ads.
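As an added example (not code from this article or from Cookiebot CMP), the Node.js script below shows how a scanner can tell first-party from third-party cookies, and session from persistent ones, by reading Set-Cookie response headers. The headers, hostnames, and the site's registrable domain (example.com) are constructed sample input; a production scanner would derive the registrable domain from the Public Suffix List instead of taking it as a parameter.

```javascript
// Added example, not from the original article. Classifies cookies seen
// during a page load by party (who set them) and lifetime (session vs
// persistent), the two properties the text above keeps distinct.

const SAMPLE_SITE_DOMAIN = 'example.com'; // constructed: the site's registrable domain

// Constructed sample headers, as a page load at www.example.com might receive
// them from its own origin and from embedded third-party resources.
const SAMPLE_SET_COOKIE = [
  { origin: 'www.example.com', header: 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { origin: 'www.example.com', header: '_ga=GA1.2.1234; Domain=.example.com; Max-Age=63072000; Path=/' },
  { origin: 'ads.tracker.test', header: 'uid=xyz; Domain=.tracker.test; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; SameSite=None' },
  { origin: 'cdn.partner.test', header: 'pref=dark; Path=/' },
];

// Parse one Set-Cookie header into { name, value, attrs } with attribute
// names lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Per RFC 6265, Max-Age takes precedence over Expires; either one makes the
// cookie persistent. With neither attribute it is a session cookie.
function isPersistent(cookie) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']) > 0;
  if ('expires' in cookie.attrs) return !Number.isNaN(Date.parse(cookie.attrs.expires));
  return false;
}

// The cookie's effective domain is the Domain attribute if present (leading
// dot stripped), otherwise the host that sent the header. It is first-party
// when that domain is the site's registrable domain or a subdomain of it.
function isFirstParty(origin, cookie, siteDomain) {
  const domain = String(cookie.attrs.domain || origin).replace(/^\./, '').toLowerCase();
  return domain === siteDomain || domain.endsWith('.' + siteDomain);
}

// Produce one report row per Set-Cookie header.
function classifyCookies(entries, siteDomain) {
  return entries.map(({ origin, header }) => {
    const cookie = parseSetCookie(header);
    return {
      name: cookie.name,
      party: isFirstParty(origin, cookie, siteDomain) ? 'first-party' : 'third-party',
      lifetime: isPersistent(cookie) ? 'persistent' : 'session',
      secure: 'secure' in cookie.attrs,
      sameSite: cookie.attrs.samesite ? String(cookie.attrs.samesite) : 'unspecified',
    };
  });
}

console.table(classifyCookies(SAMPLE_SET_COOKIE, SAMPLE_SITE_DOMAIN));
```

Run it with node. Note that the first-party _ga cookie is persistent for two years while the third-party pref cookie is a session cookie: party and lifetime are independent axes, and a CCPA cookie inventory needs both, plus the vendor behind each third-party domain, to populate the categories of personal information and third parties disclosed in the privacy policy.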

What Rights Does the CCPA Give California Consumers?

The CCPA/CPRA sets up a legal framework whereby California residents can claim ownership of their data. It also requires organizations that do business in California to provide users with easy ways of exercising their CCPA rights.

The CCPA/CPRA grants consumers the rights listed below. Organizations that meet any of the CCPA/CPRA thresholds are responsible for the personal information their website's cookies and trackers collect about California residents, including when that information is sold or shared. Since the CPRA, consumers can also opt out of the sharing of their data for cross-context behavioral (targeted) advertising, limit the use of their sensitive personal information, and opt out of certain automated decision-making and profiling.

Right to opt out
Description: Consumers can opt out of the sale or sharing of their personal information with third parties at any time.
Applies to: The sale or sharing of personal information with third parties.

Right to limit
Description: Consumers can restrict how businesses use and disclose their sensitive personal information.
Applies to: Sensitive personal information, such as Social Security numbers, precise geolocation, and racial or ethnic origin.

Right to know and access
Description: Consumers can request the categories and specific pieces of personal information a business has collected about them, including the sources, purposes, and the third parties it has been disclosed to.
Applies to: Personal information collected about a consumer in the preceding 12 months; for information collected on or after January 1, 2022, a consumer may ask for a longer period unless that would be impossible or involve disproportionate effort.

Right to request deletion
Description: Consumers can request that a business delete the personal information it has collected from them, subject to certain exceptions.
Applies to: Personal information collected from the consumer, subject to statutory exceptions (for example, completing a transaction the consumer requested, detecting security incidents, or complying with a legal obligation).

Right to correction
Description: Consumers can request that inaccurate or incomplete personal information held by a business be corrected.
Applies to: Inaccurate or incomplete personal information held by a business.

Right to know about sale or sharing
Description: Consumers can request to know what personal information is being sold or shared, and to whom.
Applies to: Personal information that is sold or shared with third parties for commercial purposes.

Right to opt out of automated decision-making and profiling
Description: Consumers can opt out of the use of their personal information in automated decision-making, including profiling, that produces legal or similarly significant effects.
Applies to: Processing of personal information in automated decisions that produce legal or similarly significant effects on consumers.

Right to non-discrimination
Description: Consumers cannot be penalized for exercising their CCPA/CPRA rights, for example by being denied service or charged different prices.
Applies to: All consumers who exercise any of their rights under the CCPA/CPRA.

What Are the CCPA Obligations for Businesses?

If your business meets any of the three CCPA/CPRA thresholds, you are required to comply with the obligations under the law.

How Do I Make My Website CCPA-Compliant?

CCPA compliance for your website centers on giving California residents visibility and control over their personal information. In practice, that means a few core obligations.

If your business sells or shares personal information, your website must display a "Do Not Sell Or Share My Personal Information" link, and if you use or disclose sensitive personal information for purposes beyond those the law allows, a "Limit The Use Of My Sensitive Personal Information" link. Both must be conspicuous and easy for consumers to find and use. You must also provide a notice at or before the point of collection, informing visitors of what you collect and why.

Beyond that, you need a privacy policy that reflects your actual data practices, at least two methods for consumers to submit rights requests, and processes to act on those requests within the required time frames: opt-out and limit requests must be honored as soon as feasibly possible and no later than 15 business days after receipt, and requests to know, correct, or delete must be acknowledged within 10 business days and answered within 45 calendar days (extendable once by up to 45 days with notice to the consumer).

The CCPA/CPRA operates under an opt-out consent model, meaning that in most cases you do not need to obtain prior consent from users before collecting their personal information through cookies or other tracking technologies. The exceptions are the sale or sharing of the personal information of minors under 16, which requires opt-in, and opt-out preference signals such as Global Privacy Control, which you must honor as if the consumer had clicked the opt-out link.

If your website has visitors or customers who are minors under the age of 16, you are required to obtain their opt-in (consent) before you can sell or disclose their personal information to third parties. If the minor is under the age of 13, a parent or legal guardian must consent for them.

The California privacy law grants consumers the right to opt out of the sale or sharing of their personal information, and to limit the use or disclosure of sensitive personal information.

What Are the CCPA Compliance Requirements for the Right to Opt Out?

If your business sells or shares consumers' personal information, your website must feature a link titled "Do Not Sell Or Share My Personal Information," which consumers can use to make an opt-out request. ("Or Share" was added when the CPRA came into effect.) Once such a request is received, you are prohibited from selling or sharing the consumer's personal information, must stop any such activity already under way as soon as feasibly possible and no later than 15 business days after receipt, and must wait at least 12 months before asking the consumer to opt back in.

Similarly introduced with the CPRA, if your business uses or discloses consumers’ sensitive personal information, your website must feature a link titled “Limit The Use Of My Sensitive Personal Information,” which consumers can use to limit its use or disclosure.

You may use a single link for both purposes if it leads to a page where consumers can exercise both rights, opting out of sale/sharing and limiting the use/disclosure of sensitive personal information. The regulations also permit an alternative single link titled "Your Privacy Choices" or "Your California Privacy Choices," accompanied by the prescribed opt-out icon, in place of the two longer titles.

The law defines sale as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration." Sharing is defined separately and more narrowly: disclosing personal information to a third party for cross-context behavioral advertising, whether or not money or other valuable consideration changes hands. Most third-party advertising tags on a website therefore count as sharing even when no payment is involved.

Your business must also honor opt-out preference signals such as Global Privacy Control (GPC), which let a consumer set their choice once in a browser or browser extension and have it communicated automatically to every website and online service they visit. A participating browser sends GPC as the HTTP request header Sec-GPC: 1 and exposes it to page scripts as navigator.globalPrivacyControl. A business that sells or shares personal information must treat a request carrying the signal as a valid opt-out request, and must not read the later absence of the signal as consent to opt back in.
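As an added example (not code from this article or from Cookiebot CMP), the Node.js module below shows one way to honor GPC on both sides of the wire. The header name Sec-GPC and the navigator.globalPrivacyControl property come from the GPC specification; the consumer record shape, the function names, the sample requests, and the rule that only an explicit opt-in given after the latest opt-out re-enables sale/sharing are assumptions made for the illustration.

```javascript
// Added example, not code from the original article or from Cookiebot.
// Facts from the GPC specification: a participating browser sends the request
// header "Sec-GPC: 1" and exposes navigator.globalPrivacyControl === true to
// page scripts. Record shape, names, and the opt-in override are assumptions.

// --- Server side -----------------------------------------------------------

// Node's http module lower-cases incoming header names; accept the raw
// casing too in case headers arrive from another framework.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return String(raw === undefined ? '' : raw).trim() === '1';
}

// Apply one HTTP request to a consumer's stored privacy choices and decide
// whether their personal information may be sold or shared right now.
//   record.optOutAt - time (ms) of the latest opt-out (signal or link click)
//   record.optInAt  - time (ms) of the latest explicit, site-specific opt-in
// A GPC signal is treated as a valid opt-out request and persisted. A later
// request WITHOUT the header does not undo it: absence of the signal is not
// consent. Only an explicit opt-in given after the latest opt-out re-enables
// sale/sharing in this model (assumed design choice, not a legal rule).
function applyRequest(request, record) {
  const updated = Object.assign({}, record);
  if (hasGpcSignal(request.headers)) {
    updated.optOutAt = request.receivedAt;
  }
  const optedOut = updated.optOutAt !== undefined &&
    (updated.optInAt === undefined || updated.optInAt < updated.optOutAt);
  return { record: updated, saleSharingAllowed: !optedOut };
}

// --- Client side -----------------------------------------------------------

// Gate the injection of third-party ad/analytics tags on the DOM signal and on
// any opt-out already stored for this visitor. `nav` is passed in so the demo
// runs under Node; in a page call shouldLoadSharingTags(navigator, storedOptOut).
function shouldLoadSharingTags(nav, storedOptOut) {
  if (storedOptOut) return false;
  return nav.globalPrivacyControl !== true;
}

// --- Demo with constructed sample requests ----------------------------------

const DAY_MS = 86400000;
const T0 = Date.UTC(2025, 0, 6); // constructed timestamp
const SAMPLE_REQUESTS = [
  { receivedAt: T0,          headers: { 'sec-gpc': '1', 'user-agent': 'demo' } },
  { receivedAt: T0 + DAY_MS, headers: { 'user-agent': 'demo' } }, // signal absent
];

// Returns the per-request sale/sharing decisions for a fresh visitor.
function runDemo() {
  let record = {};
  const decisions = [];
  for (const req of SAMPLE_REQUESTS) {
    const out = applyRequest(req, record);
    record = out.record;
    decisions.push(out.saleSharingAllowed);
  }
  return decisions; // the opt-out from request 1 still applies on request 2
}

console.log('sale/sharing allowed per request:', runDemo());
console.log('load third-party tags:', shouldLoadSharingTags({ globalPrivacyControl: true }, false));
```

The check that matters in review is the second sample request: the browser no longer sends the header, yet the stored opt-out keeps sale/sharing blocked. A middleware that only looks at the current request's headers, without persisting the choice, silently re-enables sharing on the next visit from a different browser or after the extension is disabled.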

What Are the CCPA Notice at Collection Requirements?

Your website must inform users at or before the point of data collection about the categories of personal information that it collects, including any sensitive personal information, for what purposes, and whether you sell or share consumers’ personal information.

If you sell or share personal information, you must include a “Do Not Sell Or Share My Personal Information” link in the notice at collection. The notice at collection must also link to your business’s privacy policy.

What Are the CCPA Privacy Policy Requirements?

Your business must publish a privacy policy that includes: 

  • Description of consumers' rights and how to exercise them
  • Annually updated list of the categories of personal information that your business collects, sells, and/or discloses
  • Categories of sources from which your business collects personal information
  • Business or commercial purpose for collecting, selling, or sharing personal information
  • Categories of third parties to whom your business discloses personal information

Your privacy policy may contain a section detailing your website’s use of cookies and other trackers, or you can create a separate cookie policy with this information.

Businesses usually link to their privacy policy where consumers can easily find it on their website, often in the footer at the bottom of the page, or from a consent banner.

What Are the CCPA Compliance Requirements with Consumer Requests for Rights to Know, Correct, and Delete?

Consumer requests to know, correct, and delete must be verifiable before your business has to act on them. Your business must make at least two methods available for submitting requests, confirm receipt of a request within 10 business days, and disclose the requested information, correct the inaccurate personal information, or delete the personal information within 45 calendar days of receiving the verifiable request. One extension of up to 45 additional days may be taken when reasonably necessary, provided you notify the consumer of the extension, and the reason for it, within the first 45-day period.

You may not require Californian consumers to create a new account to make a request, but they can be required to use an existing account to verify their identity.

The CCPA/CPRA prohibits discrimination against consumers based on their choice to exercise their rights. This means that if a consumer chooses to opt out of the selling of their data to third parties, or if they request their data deleted, you cannot charge different prices for services, provide different levels or quality of services, or deny service.

However, the CCPA does permit businesses to offer financial incentives, including different prices, rates, or quality of service, in exchange for the collection, sale, sharing, or retention of personal information, if the difference is reasonably related to the value the consumer's data provides to the business. A consumer may be enrolled in such a program only with their prior opt-in consent, which they can revoke at any time, and the material terms must be disclosed in a notice of financial incentive.

What Are the CCPA Requirements for Data Minimization?

Under the CCPA/CPRA, a business's collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes for which the information was collected or processed, or to another disclosed purpose that is compatible with the context in which it was collected. You may not process personal information for a further, incompatible purpose without first notifying the consumer.

This principle of data minimization also applies when collecting data through cookies and other tracking technologies. You may only use tracking cookies to collect data that is necessary for the specified purposes and must ensure that consumers are informed about the use of such technologies in your cookie policy.

What Are the Penalties for CCPA Non-Compliance?

Enforcement of the CCPA/CPRA lies with both the California Attorney General and the California Privacy Protection Agency (CPPA), which operates publicly as CalPrivacy. To date, California is the only US state with two enforcement bodies; in every other state with a comprehensive privacy law, enforcement falls solely to the attorney general's office.

Importantly, while the CPPA has enforcement authority, it cannot limit the Attorney General's authority and must stay any actions or investigations if the Attorney General requests it. Businesses cannot be penalized by both the CPPA and the Attorney General for the same violation.

The penalties for noncompliance with the CCPA/CPRA can be substantial: 

  • Up to USD 2,500 for each violation
  • Up to USD 7,500 for each intentional violation, and for each violation involving the personal information of consumers the business knows are under 16

Fines are adjusted periodically for the Consumer Price Index. If a business commits multiple CCPA/CPRA violations, the fines can accumulate quickly, leading to significant financial repercussions.

The California privacy law also gives consumers a private right of action, but only for data breaches: a consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures may sue. Consumers can seek statutory damages of USD 100 to USD 750 per consumer per incident, or actual damages, whichever is greater, as well as injunctive or declaratory relief. California is the only state whose privacy law grants consumers such a private right of action.

Before suing for statutory damages, a consumer must give the business 30 days' written notice identifying the specific violations and may proceed only if the business fails to cure them; the CPRA clarified that implementing reasonable security measures after a breach does not cure that breach. When the CCPA first went into effect, a 30-day cure period also applied to enforcement actions brought by the Attorney General. The CPRA removed that mandatory cure period as of January 1, 2023, so the Attorney General and the CPPA may now act without first offering a chance to cure.

CCPA Compliance Checklist for Websites

Here is a non-exhaustive CCPA compliance checklist for your website that covers the central points of the CCPA requirements.

  1. Provide a "Do Not Sell Or Share My Personal Information" link if you sell or share personal information, and a "Limit The Use Of My Sensitive Personal Information" link if you use or disclose sensitive personal information beyond the permitted purposes, in accessible locations on your website so consumers can opt out of third-party data sales/sharing and limit the use/disclosure of sensitive personal information.
  2. Provide a notice at or before the point of collection informing consumers of the categories of personal information (including sensitive personal information) your business collects, for what purposes, and whether it shares or sells the personal information.
  3. Honor opt-out requests (including Global Privacy Control signals) as soon as feasibly possible and no later than 15 business days after receipt, stopping further sale/sharing of the data and notifying all parties to whom you have sold or shared the personal information in the previous 90 days.
  4. Obtain opt-in consent from minors who are at least 13 and under 16, and from a parent or legal guardian of minors under 13, before selling or sharing their personal information.
  5. Provide consumers with records of the personal information collected in the past 12 months free of charge (including sources, commercial purposes, and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion. This is for a reasonable number of requests by a consumer annually, and excessive requests can be denied.
  6. Confirm receipt of a request to know, correct, or delete within 10 business days, and respond substantively within 45 calendar days of receiving the verifiable request (one extension of up to 45 days is allowed with notice to the consumer).
  7. Establish at least two methods for consumers to exercise their rights, such as a toll-free phone number, email address, or web form.
  8. Only offer financial incentives (e.g. different prices, rates, and quality) for goods and services if the differences are reasonably related to the value that the consumer’s data brings to the business.
  9. Refrain from discriminating against consumers who choose to exercise their rights under the law, particularly opting out of data collection and processing.

You must also publish a CCPA privacy policy that includes:

  1. Description of CCPA consumer rights and how to exercise these rights
  2. Annually updated list of the categories of personal information that you collect, sell, or disclose, including through the use of cookies
  3. Categories of sources from which you collect personal information 
  4. Business or commercial purposes for which you collect, sell, or share personal information 
  5. Categories of third parties to whom you disclose personal information

How Can I Achieve CCPA Compliance with Cookiebot CMP?

Cookiebot CMP supports ongoing CCPA compliance by automatically scanning your website, finding all cookies and similar tracking technologies in use, and blocking them automatically if users opt out. This supports compliance with both the CCPA and the European Union's General Data Protection Regulation (GDPR).

Cookies, especially those from third parties embedded through plugins, can harvest personal information such as names, physical addresses, IP addresses, and location data, but also sensitive personal data such as religious convictions, political opinions, and/or sexual orientation.

The CCPA requires that businesses enable California residents to opt out of having their personal information sold to third parties, as well as disclosing what data has already been collected and deleting it, if consumers request it.

Cookiebot CMP enables compliance with the CCPA with a specific configuration that detects whether a user is from California, and then displays the required “Do Not Sell Or Share My Personal Information” link on the website’s cookie banner.

You can also fulfill the CCPA/CPRA requirement to inform users about personal information processing at or before the point of data collection by using a cookie banner or cookie notice to display your notice at collection.

How Does the CCPA Compare to the CPRA?

The California Privacy Rights Act (CPRA) is best understood as an upgrade to the CCPA rather than a separate law. It amended and expanded the CCPA, and the two now operate together as a single, strengthened framework.

The key changes the CPRA introduced:

  • New consumer rights: Consumers can now correct inaccurate personal information and opt out of automated decision-making and profiling.
  • Sensitive personal information: The CPRA created a distinct category for sensitive data — including Social Security numbers, precise geolocation, and racial or ethnic origin — giving consumers the right to limit its use and disclosure.
  • Data minimization: Businesses must limit their collection and use of personal information to what is reasonably necessary for the stated purpose.
  • New enforcement body: The California Privacy Protection Agency (CPPA), publicly known as CalPrivacy, was established to enforce California's privacy laws alongside the Attorney General.
  • Adjusted thresholds: The annual threshold for the number of consumers whose data a business buys, sells, or shares was raised from 50,000 to 100,000.

The CPRA took effect on January 1, 2023, with enforcement beginning in February 2024.

California Privacy Law and the GDPR

When comparing the CCPA/CPRA to the GDPR, it becomes clear that though there are similar intentions and provisions, the two data privacy laws are very different.

CCPA vs. GDPR: Who is Protected?

Where the GDPR protects anyone in the European Union/European Economic Area (EU/EEA), the CCPA only protects California residents.

It is not enough to be located in the state at the time of collection or processing. To be protected, an individual must be a California resident as the law defines it: in the state for other than a temporary or transitory purpose, or domiciled in the state and only temporarily outside it.

The GDPR requires a legal basis before personal data can be processed, and for non-essential cookies and similar trackers the applicable basis (under the EU's ePrivacy rules read together with the GDPR's consent standard) is prior consent: such cookies may not be set until the user has agreed.

Under the CCPA, a business does not need prior consent to collect personal information, nor does a website need user consent before selling or sharing consumers' data with third parties, with the exception of minors' data; the consumer's remedy is to opt out.

CCPA vs. GDPR: What Are the Compliance Thresholds?

The CCPA/CPRA contains specific thresholds that a for-profit business must meet for the law to apply, based on annual revenue, volume of personal information handled, or percentage of revenue from sale of personal data.

The GDPR contains no such threshold and applies to any entity that processes the personal data of individuals located in the EU/EEA. This includes nonprofits and government agencies, which are exempt from CCPA/CPRA compliance.

The GDPR permits processing of personal data only if one of six legal bases applies: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, or legitimate interests.

The CCPA/CPRA does not require any specific legal basis for collecting personal information.

CCPA vs. GDPR: What Are the Potential Fines?

GDPR fines are among the highest penalties for data protection violations globally. They can reach up to EUR 10 million or 2 percent of worldwide annual turnover, whichever is higher, for certain violations, and up to EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious ones.

In contrast, CCPA/CPRA civil penalties are up to USD 2,500 per violation and USD 7,500 per intentional violation or violation involving minors under 16 (both adjusted periodically for the Consumer Price Index). However, each affected consumer can count as a separate violation, so penalties add up quickly. Additionally, in the event of a data breach, consumers may seek statutory damages of USD 100 to USD 750 per consumer per incident (also CPI-adjusted) or actual damages, whichever is greater.

CCPA vs. GDPR: What Are the Key Differences?

The CCPA and the GDPR share a common goal to protect individuals' personal information, but they differ significantly in scope, structure, and approach.

The GDPR applies to any organization processing the personal data of individuals in the EU/EEA, regardless of where the organization is based or its size. The CCPA applies only to for-profit businesses that meet specific revenue or data volume thresholds and operate in California.

The most significant practical difference is consent. The GDPR requires a legal basis before personal data is processed and, for non-essential cookies and trackers, prior consent. The CCPA operates on an opt-out model: a business can collect, use, and even sell or share personal information unless and until the consumer exercises the right to opt out or limit, with prior opt-in required only for minors' data.

Penalties also differ in scale. GDPR fines can reach tens of millions of euros or a percentage of global annual turnover. CCPA/CPRA fines are assessed per violation, but can accumulate significantly depending on the number of consumers affected.

Frequently asked questions

The CCPA was introduced to empower California residents with ownership over their personal information and to change how businesses handle this data, establishing privacy as an inalienable right.

The CCPA went into effect on January 1, 2020. The CPRA, which amends and expands the CCPA, took effect on January 1, 2023, with enforcement starting in February 2024.

The CCPA/CPRA applies to for-profit businesses that meet any one of the following thresholds: have annual gross revenues over USD 26,625,000; buy, sell, or share personal information of more than 100,000 consumers or households annually; or derive 50 percent or more of their revenue from selling consumers’ personal information.

Consumers have the right to opt out of data sale or sharing, limit the use of sensitive personal information, access their personal information, correct inaccuracies, request deletion of their data, know what information is sold or shared, and not be discriminated against for exercising their rights.

Businesses must feature a link titled “Do Not Sell Or Share My Personal Information” on their websites and in their notice at collection, enabling consumers to easily opt out of data sales or sharing.

CCPA compliance involves adhering to the requirements set forth in the CCPA, including providing consumers with rights to access, correct, and delete their personal information, as well as implementing necessary privacy policies and practices.

Penalties for noncompliance with the CCPA/CPRA can reach up to USD 2,663 for unintentional violations and USD 7,988 for intentional violations. Additionally, consumers can seek statutory damages for data breaches with penalties between USD 107 and USD 799 or actual damages, whichever is higher, or injunctive relief.

CCPA website compliance refers to the measures that businesses must implement on their websites to adhere to the CCPA/CPRA. This includes providing clear notices at the point of data collection, featuring opt-out links for consumers to manage their personal information, and maintaining a privacy policy that outlines CCPA consumer rights and data usage. Compliance also involves ensuring that any tracking technologies, like cookies, are disclosed appropriately.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.