{"id":579,"date":"2022-04-28T12:15:00","date_gmt":"2022-04-28T12:15:00","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?page_id=579"},"modified":"2026-03-30T17:57:29","modified_gmt":"2026-03-30T15:57:29","slug":"what-is-ccpa","status":"publish","type":"page","link":"https:\/\/www.cookiebot.com\/en\/what-is-ccpa\/","title":{"rendered":"What is the CCPA? Overview and compliance requirements for the California Consumer Privacy Act"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/04\/CCPA_hero_900x450.svg\" alt=\"\" class=\"wp-image-16990\"\/><\/figure>\n\n\n\n<p>California was one of the first states in the United States to enshrine privacy as an \u201cinalienable right\u201d of all people when it amended its constitution in 1972.<\/p>\n\n\n\n<p>On January 1, 2020, California became the first state to enact a data privacy law to empower its residents with ownership over their personal information and change the way businesses handle this personal information.<\/p>\n\n\n\n<p>We look at the California privacy law, what it means for your business and website, and steps you can take to achieve and maintain compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-ccpa\"> What is the CCPA?<\/h2>\n\n\n\n<p>The<a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?division=3.&amp;part=4.&amp;lawCode=CIV&amp;title=1.81.5\" target=\"_blank\" rel=\"noreferrer noopener\"> California Consumer Privacy Act (CCPA)<\/a> is the first comprehensive modern data privacy law in the United States, and came into effect January 1, 2020.<\/p>\n\n\n\n<p>The<a href=\"https:\/\/www.cookiebot.com\/en\/cpra\/\"> California Privacy Rights Act (CPRA)<\/a> amended and expanded the CCPA, enhancing consumer privacy rights for the state\u2019s residents, tightening requirements for businesses that collect and share personal information, 
and creating a new government agency to enforce California\u2019s privacy laws.<\/p>\n\n\n\n<p>The CPRA took effect on January 1, 2023, and enforcement began in February 2024 after a legal challenge delayed the original enforcement date of July 2023.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-does-the-ccpa-protect\">Who does the CCPA protect?<\/h2>\n\n\n\n<p>The CCPA, as amended by the CPRA, protects the state\u2019s nearly 40 million residents, known as consumers under the law.<\/p>\n\n\n\n<p>A consumer is a natural person who is either:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>in the state for other than a temporary or transitory purpose&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>or&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>domiciled in the state, but temporarily outside of the state, such as on vacation or business trip<\/li>\n<\/ul>\n\n\n\n<p>It is not enough to simply be located in the state when having one\u2019s data collected \u2014 individuals must meet the definition of California resident under the law. Those who are simply passing through, visiting on vacation, or in the state to complete a particular transaction or perform a particular contract are considered to be in the state <em>for temporary or transitory purposes<\/em> and are not protected by the CCPA\/CPRA. 
This definition is likely to evolve over time, particularly based on case law resulting from lawsuits relating to alleged violations.<\/p>\n\n\n\n<p>The CCPA\/CPRA protects the personal information of California residents even when they are temporarily outside the state.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-does-the-ccpa-apply-to\">Who does the CCPA apply to?<\/h2>\n\n\n\n<p>The CCPA\/CPRA applies to for-profit businesses that operate in California and collect the personal information of its residents, if they meet at least one of the following thresholds:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>buy, sell, or share the personal information of more than 100,000 consumers or households annually<\/li>\n\n\n\n<li>have a gross annual revenue exceeding USD 26,625,000<\/li>\n\n\n\n<li>derive 50 percent or more of their annual revenue from selling consumers\u2019 personal information<\/li>\n<\/ul>\n\n\n\n<p>The CCPA\/CPRA has extraterritorial application, meaning that a business located in another US state, or even outside the US, must comply with the law if it meets one of these conditions.<\/p>\n\n\n\n<p>Additionally, if your business shares common branding<em> <\/em>with a company that meets one of the above mentioned thresholds, your business will be subject to <a href=\"\/en\/ccpa-compliance\/\">CCPA compliance<\/a>. 
Common branding means that a business shares a name, service mark, or trademark with another business.<\/p>\n\n\n\n<p>Interestingly, a number of more recently passed state-level privacy laws in the US do not include the revenue-only threshold.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/04\/cb_blog_900x450_Who-does-the-CCPA-apply-to.svg\" alt=\"\" class=\"wp-image-16989\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-personal-information-under-the-ccpa-laws\">What is personal information under the CCPA laws?<\/h2>\n\n\n\n<p>The CCPA\/CPRA law defines<a href=\"https:\/\/www.cookiebot.com\/en\/ccpa-personal-information-ccpa-compliance-with-cookiebot-cmp\/\"> personal information<\/a> (known as personal data under some laws) as <em>\u201cinformation that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.\u201d<\/em><\/p>\n\n\n\n<p>Personal information under the CCPA\/CPRA includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>direct identifiers<\/em>, such as real name, alias, postal address, email address<\/li>\n\n\n\n<li><em>unique identifiers<\/em>, such as cookies, IP addresses, beacons, pixel tags<\/li>\n\n\n\n<li><em>biometric data<\/em>, such as face, retina, fingerprints, and voice recordings<\/li>\n\n\n\n<li><em>precise geolocation data<\/em> used to accurately identify a person within a radius of 1850 feet (563 meters)<\/li>\n\n\n\n<li><em>internet activity<\/em>, such as browsing history, search history, data on interaction with a web page or app<\/li>\n\n\n\n<li><em>sensitive personal information<\/em>, such as Social Security number, racial or ethnic origin, citizenship or immigration status, genetic data, financial information<\/li>\n<\/ul>\n\n\n\n<p>Personal information also includes data that 
by inference can lead to the identification of an individual or a household.<\/p>\n\n\n\n<p>Aggregate and anonymous data is exempt from the CCPA\/CPRA, unless it is in any way re-identifiable.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"h-what-does-the-ccpa-say-about-cookies\"> What does the CCPA say about cookies?<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/en\/ccpa-cookies\/\">Cookies<\/a> and other<a href=\"https:\/\/www.cookiebot.com\/en\/website-tracking\/\"> website tracking<\/a> technologies are classified as unique identifiers that form part of the CCPA's definition of personal information. Cookies are one of the most commonly used technologies for websites to collect personal information on end users.<\/p>\n\n\n\n<p>First-party cookies, set by the website itself, often collect anonymous data for core website functions. They are deleted once a user closes the browser. Third-party cookies, like those set by tech companies, ad networks, and social media platforms, often collect a lot of personal \u2014 and sometimes sensitive \u2014 information on consumers.<\/p>\n\n\n\n<p>Data collected on your website through cookies can ultimately be considered personal information under the CCPA\/CPRA. This information might not in itself constitute personal information, e.g. anonymized analytics data, but it can become personally identifying by inference or in combination with other data, for the purpose of identifying and connecting devices, creating profiles, or serving personalized ads.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-ccpa-s-consumer-rights\">What are the CCPA\u2019s consumer rights?<\/h2>\n\n\n\n<p>The CCPA\/CPRA sets up a legal framework whereby California residents can claim ownership of their data. 
It also requires organizations that do business in California to provide users with easy ways of exercising their<a href=\"https:\/\/www.cookiebot.com\/en\/ccpa-rights-for-consumers-ccpa-compliance-with-cookiebot-cmp\/\"> CCPA rights<\/a>.<\/p>\n\n\n\n<p>The CCPA\/CPRA empowers consumers with the following rights:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>right to opt out<\/strong> of having their data sold to or shared with third parties<\/li>\n\n\n\n<li><strong>right to limit<\/strong> the use and disclosure of their sensitive personal information<\/li>\n\n\n\n<li><strong>right to know and access <\/strong>personal information<strong> <\/strong>collected about them, including that collected through cookies, purposes of processing, and to whom the personal information is disclosed<\/li>\n\n\n\n<li><strong>right to correct<\/strong> inaccurate or incomplete personal information<\/li>\n\n\n\n<li><strong>right to request deletion<\/strong> of personal information collected from them, with exceptions<\/li>\n\n\n\n<li><strong>right to know <\/strong>what personal information is sold or shared, and to whom<\/li>\n\n\n\n<li><strong>right not to be discriminated against <\/strong>if they choose to exercise their rights under the law<\/li>\n<\/ul>\n\n\n\n<p>Organizations that meet any of the CCPA\/CPRA compliance thresholds are liable for personal information collected on California residents via their website's cookies, if the information is sold or shared. 
With the CPRA, consumers are now also able to opt out of collection and use of their data for targeted advertising or profiling purposes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/04\/cb_blog_900x450_CCPA-obligations-for-businesses.svg\" alt=\"\" class=\"wp-image-16988\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-obligations-for-businesses\">CCPA obligations for businesses<\/h2>\n\n\n\n<p>If your business meets any of the three CCPA\/CPRA thresholds, you are required to comply with the obligations under the law.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-rules-and-requirements-for-consent\">CCPA rules and requirements for consent<\/h3>\n\n\n\n<p>The CCPA\/CPRA operates under an opt-out consent model, meaning that in most cases, you don\u2019t need to obtain prior consent from users before collecting their personal data through cookies or other tracking technologies. However, there is an exception for personal data belonging to minors under age 13.<\/p>\n\n\n\n<p>If your website has visitors or customers who are minors under the age of 16, you are required to obtain their opt-in (consent) before you can sell or disclose their personal information to third parties. 
If the minor is under the age of 13, a parent or legal guardian must consent for them.<\/p>\n\n\n\n<p>The California privacy law grants consumers the right to opt out of the sale or sharing of their personal information, and to limit the use or disclosure of sensitive personal information.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-compliance-with-the-rights-to-opt-out-and-limit\">CCPA compliance with the rights to opt out and limit<\/h3>\n\n\n\n<p>If your business sells or shares consumers\u2019 personal information, your website must feature a link titled \u201cDo Not Sell Or Share My Personal Information,\u201d which consumers can use to make an opt-out request. (\u201cOr Share\u201d was added when the CPRA came into effect.) If such a request is received, you are prohibited from selling or sharing the consumer\u2019s personal information, and must cease those activities if they are already in progress.<\/p>\n\n\n\n<p>Similarly introduced with the CPRA, if your business uses or discloses consumers\u2019 sensitive personal information, your website must feature a link titled \u201cLimit The Use Of My Sensitive Personal Information,\u201d which consumers can use to limit its use or disclosure.<\/p>\n\n\n\n<p>You may use a single link for both purposes if consumers can exercise their right to both \u2014 to opt out of sale\/sharing\/targeted advertising\/profiling and limit the use\/disclosure of sensitive information \u2014 effectively from one link.<\/p>\n\n\n\n<p>The law defines sale as <em>\u201cselling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer\u2019s personal information by the business to a third party for monetary or other valuable consideration.\u201d<\/em><\/p>\n\n\n\n<p>Your business must respect universal opt-out mechanisms, such as<a 
href=\"https:\/\/usercentrics.com\/knowledge-hub\/what-is-global-privacy-control\/\" target=\"_blank\" rel=\"noreferrer noopener\"> Global Privacy Control (GPC)<\/a> signals, that consumers may use to set their consent preferences once, typically via their browser settings or a browser plugin, which are then communicated automatically across various websites and online services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-notice-at-collection\">CCPA notice at collection<\/h3>\n\n\n\n<p>Your website must inform users at or before the point of data collection about the categories of personal information that it collects, including any sensitive personal information, for what purposes, and whether you sell or share consumers\u2019 personal information.<\/p>\n\n\n\n<p>If you sell or share personal information, you must include a \u201cDo Not Sell Or Share My Personal Information\u201d link in the notice at collection.<\/p>\n\n\n\n<p>The notice at collection must also link to your business\u2019s privacy policy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-privacy-policy\">CCPA privacy policy<\/h3>\n\n\n\n<p>Your business must publish a privacy policy that includes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>description of consumers' rights and how to exercise them<\/li>\n\n\n\n<li>annually updated list of the categories of personal information that your business collects, sells, and\/or discloses<\/li>\n\n\n\n<li>categories of sources from which your business collects personal information<\/li>\n\n\n\n<li>business or commercial purpose for collecting, selling, or sharing personal information<\/li>\n\n\n\n<li>categories of third parties to whom your business discloses personal information<\/li>\n<\/ul>\n\n\n\n<p>Your privacy policy may contain a section detailing your website\u2019s use of cookies and other trackers, or you can create a separate<a href=\"https:\/\/www.cookiebot.com\/en\/cookie-policy\/\"> cookie policy<\/a> with this information.<\/p>\n\n\n\n<p>Businesses usually link to their privacy policy where consumers can easily find it on their website, often in the footer at the bottom of the page, or from a consent banner.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-compliance-with-consumer-requests-for-rights-to-know-correct-and-delete\">CCPA compliance with consumer requests for rights to know, correct, and delete<\/h3>\n\n\n\n<p>Consumer rights requests under the California privacy law must be verifiable before your business has to provide the information. 
Your business must make available two or more methods for consumers to submit requests and must disclose the required information, correct inaccurate personal information, or delete consumers' personal information within 45 days of receiving the verifiable request. An extension of 45 days may be taken when reasonably necessary and you must inform the consumer of the extension within the first 45-day period.<\/p>\n\n\n\n<p>You may not require Californian consumers to create a new account to make a request, but they can be required to use an existing account to verify their identity.<\/p>\n\n\n\n<p>The CCPA\/CPRA prohibits discrimination against consumers based on their choice to exercise their rights. This means that if a consumer chooses to opt out of the selling of their data to third parties, or if they request their data deleted, you cannot charge different prices for services, provide different levels or quality of services, or deny service.<\/p>\n\n\n\n<p>However, the CCPA does authorize businesses to offer financial incentives, e.g. different prices and quality of service, for the collection, sale, or deletion of personal information, if the differences are reasonably related to the value provided to the business by the consumer\u2019s data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-obligation-of-data-minimization\">CCPA obligation of data minimization<\/h3>\n\n\n\n<p>Under the CCPA\/CPRA, businesses must collect, use, store, and share consumers\u2019 personal information only to the extent necessary to fulfill the original purpose for which the information was collected, or for another compatible purpose. You may not process consumers\u2019 personal information in ways that conflict with these original purposes.<\/p>\n\n\n\n<p>This principle of data minimization also applies when collecting data through cookies and other tracking technologies. 
You may only use<a href=\"https:\/\/www.cookiebot.com\/en\/tracking-cookies\/\"> tracking cookies<\/a> to collect data that is necessary for the specified purposes and must ensure that consumers are informed about the use of such technologies in your cookie policy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-enforcement-and-penalties\">CCPA enforcement and penalties<\/h2>\n\n\n\n<p>The enforcement of the CCPA\/CPRA lies with two entities: the California Attorney General and the California Privacy Protection Agency (CPPA), the government agency established under the CPRA. This is unique to California, as most other states\u2019 data privacy laws empower the Attorney General of the state with full enforcement authority.<\/p>\n\n\n\n<p>Importantly, while the CPPA has enforcement authority, it cannot limit the Attorney General's authority and must stay any actions or investigations if the Attorney General requests it. Businesses cannot be penalized by both the CPPA and the Attorney General for the same violation.<\/p>\n\n\n\n<p>The penalties for noncompliance with the CCPA\/CPRA can be substantial:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>up to USD 2,663 for each unintentional violation<\/li>\n\n\n\n<li>up to USD 7,988 for intentional violations&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>If a business commits multiple CCPA\/CPRA violations, the fines can accumulate quickly, leading to significant financial repercussions.<\/p>\n\n\n\n<p>The California privacy law also grants consumers the right to take legal action against businesses in the event of a data breach. Consumers can seek statutory damages ranging from USD 107 to USD 799 per incident or the actual damages incurred, whichever amount is greater, or injunctive relief. California is the only state that grants consumers this private right of action.<\/p>\n\n\n\n<p>Consumers must give businesses 30 days to cure any violations stemming from a data breach before they can take legal action. When the CCPA first went into effect, the 30-day cure period also applied to actions brought by the Attorney General\/CPPA. 
This has now sunset.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-be-ccpa-compliant\">How to be CCPA compliant<\/h2>\n\n\n\n<p>Here is a non-exhaustive CCPA compliance checklist for your business and its website that covers the central points of the CCPA requirements.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Feature \u201cDo Not Sell Or Share My Personal Information\u201d and \u201cLimit The Use Of My Sensitive Personal Information\u201d links on your website that consumers can use to opt out of third-party data sales\/sharing and use\/disclosure of sensitive personal information.<\/li>\n\n\n\n<li>Provide a notice at or before the point of collection informing consumers of the categories of personal information (including sensitive personal information) your business collects, for what purposes, and whether it shares or sells the personal information.<\/li>\n\n\n\n<li>Respond to opt-out requests within 15 days of receipt, including stopping further sale\/sharing of data and notifying all parties to whom you have sold the personal information in the previous 90 days.<\/li>\n\n\n\n<li>Obtain opt-in consent from minors age 13 to 16 and from parents or legal guardians of minors under the age of 13 before selling or sharing their personal information.<\/li>\n\n\n\n<li>Provide consumers with records of the personal information collected in the past 12 months free of charge (including sources, commercial purposes, and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion. 
This is for a reasonable number of requests by a consumer annually, and excessive requests can be denied.<\/li>\n\n\n\n<li>Respond within 45 days of receiving a verifiable request for disclosure or deletion with information on how the request will be processed.<\/li>\n\n\n\n<li>Establish at least two methods for consumers to exercise their rights, such as a toll-free phone number, email address, or web form.<\/li>\n\n\n\n<li>Only offer financial incentives (e.g. different prices, rates, and quality) for goods and services if the differences are reasonably related to the value that the consumer\u2019s data brings to the business.<\/li>\n\n\n\n<li>Refrain from discriminating against consumers who choose to exercise their rights under the law, particularly opting out of data collection and processing.<\/li>\n<\/ul>\n\n\n\n<p>You must also publish a CCPA privacy policy that includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>description of CCPA consumer rights and how to exercise these rights<\/li>\n\n\n\n<li>annually updated list of the categories of personal information that you collect, sell, or disclose, including through the use of cookies<\/li>\n\n\n\n<li>categories of sources from which you collect personal information&nbsp;<\/li>\n\n\n\n<li>business or commercial purposes for which you collect, sell, or share personal information&nbsp;<\/li>\n\n\n\n<li>categories of third parties to whom you disclose personal information<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-compliance-with-cookiebot-cmp\">CCPA compliance with Cookiebot CMP<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/\">Cookiebot CMP<\/a> automatically scans your website, finds all cookies and similar tracking technologies in use, and can automatically block them if users opt out. 
This enables compliance with both the CCPA and the European Union\u2019s<a href=\"https:\/\/www.cookiebot.com\/en\/gdpr\/\"> General Data Protection Regulation (GDPR)<\/a>.<\/p>\n\n\n\n<p>Cookies, especially those from third parties embedded through plugins, can harvest personal information such as names, physical addresses, IP addresses, and location data, but also sensitive personal data such as religious convictions, political opinions, and\/or sexual orientation.<\/p>\n\n\n\n<p>The CCPA requires that businesses enable California residents to opt out of having their personal information sold to third parties, as well as disclosing what data has already been collected and deleting it, if consumers request it.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/\">Cookiebot CMP<\/a> enables compliance with the CCPA with a specific configuration that detects whether a user is from California, and then displays the required \u201cDo Not Sell Or Share My Personal Information\u201d link on the website\u2019s<a href=\"https:\/\/www.cookiebot.com\/en\/cookie-banner\/\"> cookie banner<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/06\/CCPA-compliance-with-Cookiebot-CMP-1.svg\" alt=\"\" class=\"wp-image-17209\"\/><\/figure>\n\n\n\n<p>You can also fulfill the CCPA\/CPRA requirement to inform users about personal information processing at or before the point of data collection by using a cookie banner or<a href=\"https:\/\/www.cookiebot.com\/en\/cookie-notice\/\"> cookie notice<\/a> to display your notice at collection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-california-privacy-law-and-the-gdpr\">California privacy law and the GDPR<\/h2>\n\n\n\n<p>When comparing the CCPA\/CPRA to the GDPR, it becomes clear that though there are similar intentions and provisions, the two data privacy laws are very different.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"h-gdpr-vs-ccpa-who-is-protected\">GDPR vs. CCPA: Who is protected<\/h3>\n\n\n\n<p>Where the GDPR protects anyone in the European Union\/European Economic Area (EU\/EEA), the CCPA only protects California residents.<\/p>\n\n\n\n<p>It is not enough to be located in the state at the time of collection or processing. According to the CCPA\/CPRA laws, you must have a permanent residency in the state in order to be protected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-vs-ccpa-consent-requirements\">GDPR vs. CCPA: Consent requirements<\/h3>\n\n\n\n<p>The GDPR grants the user the right of consent, meaning that their data cannot be used until the user gives their consent<em> <\/em>to do so. Prior consent<strong> <\/strong>is required by the GDPR, including<a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent\/\"> cookie consent<\/a>.<\/p>\n\n\n\n<p>Under the CCPA, a business does not need prior consent<em> <\/em>to handle personal information, nor does a website need to obtain user consent to sell consumers\u2019 data to third parties, with the exception of minors\u2019 data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-vs-ccpa-compliance-thresholds\">GDPR vs. CCPA: Compliance thresholds<\/h3>\n\n\n\n<p>The CCPA\/CPRA contains specific thresholds that a for-profit business must meet for the law to apply, based on annual revenue, volume of personal information handled, or percentage of revenue from sale of personal data.<\/p>\n\n\n\n<p>The GDPR contains no such threshold and applies to any entity that processes the personal data of individuals located in the EU\/EEA. This includes nonprofits and government agencies, which are exempt from CCPA\/CPRA compliance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-vs-ccpa-legal-bases\">GDPR vs. 
CCPA: Legal bases<\/h3>\n\n\n\n<p>The GDPR permits the collection of personal data only if one of six legal bases applies, namely explicit consent, to perform a contract, legal obligation, to protect vital interests, in the public interest, or legitimate interest.<\/p>\n\n\n\n<p>The CCPA\/CPRA does not require any specific legal basis for collecting personal information.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-vs-ccpa-fines\">GDPR vs. CCPA: Fines<\/h3>\n\n\n\n<p>GDPR fines are substantial and are among the highest penalties for data protection violations globally. They can reach up to 2 percent of annual turnover or EUR 10 million, whichever is higher, for certain violations; and up to 4 percent of annual turnover or EUR 20 million, whichever is higher, for more serious violations.<\/p>\n\n\n\n<p>In contrast, CCPA\/CPRA fines are up to USD 2,663 per unintentional violation and USD 7,988 per intentional violation, and statutory damages for data breach. However, each individual\u2019s personal information counts as a separate violation, and CCPA civil penalties can quickly add up. Additionally, statutory damages ranging from USD 107 to USD 799, or actual damages suffered, may be applicable in cases of data breaches.<\/p>\n\n\n<div class=\"cb-faqs\" >\n    <div class=\"cb-faqs__heading\">\n        <h2>Frequently asked questions<\/h2>\n    <\/div>\n\n    <div class=\"cb-faqs__list\">\n            <noscript>\n        <style>\n            .cb-faq__answer {\n                height: auto !important;\n            }\n        <\/style>\n    <\/noscript>\n<div class=\"cb-faq\"\n     id=\"faq-why-was-the-ccpa-introduced\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-why-was-the-ccpa-introduced-answer\"\n        >\n            Why was the CCPA introduced?            
<span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-why-was-the-ccpa-introduced-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>The CCPA was introduced to empower California residents with ownership over their personal information and to change how businesses handle this data, establishing privacy as an inalienable right.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-why-was-the-ccpa-introduced');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-why-was-the-ccpa-introduced'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-when-did-the-ccpa-go-into-effect\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-when-did-the-ccpa-go-into-effect-answer\"\n        >\n            When did the CCPA go into effect?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-when-did-the-ccpa-go-into-effect-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>The CCPA went into effect on January 1, 2020. 
The CPRA, which amends and expands the CCPA, took effect on January 1, 2023, with enforcement starting in February 2024.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-when-did-the-ccpa-go-into-effect');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-when-did-the-ccpa-go-into-effect'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-what-is-the-ccpa-threshold\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-what-is-the-ccpa-threshold-answer\"\n        >\n            What is the CCPA threshold?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-is-the-ccpa-threshold-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>The CCPA\/CPRA applies to for-profit businesses that meet any one of the following thresholds: have annual gross revenues over USD 26,625,000; buy, sell, or share personal information of more than 100,000 consumers or households annually; or derive 50 percent or more of their revenue from selling consumers\u2019 personal information.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-is-the-ccpa-threshold');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-is-the-ccpa-threshold'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-what-are-consumers-ccpa-data-privacy-rights\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-what-are-consumers-ccpa-data-privacy-rights-answer\"\n        >\n            What 
are consumers\u2019 CCPA data privacy rights?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-are-consumers-ccpa-data-privacy-rights-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>Consumers have the right to opt out of data sale or sharing, limit the use of sensitive personal information, access their personal information, correct inaccuracies, request deletion of their data, know what information is sold or shared, and not be discriminated against for exercising their rights.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-are-consumers-ccpa-data-privacy-rights');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-are-consumers-ccpa-data-privacy-rights'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-how-can-businesses-comply-with-the-ccpas-opt-out-requirements\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-how-can-businesses-comply-with-the-ccpas-opt-out-requirements-answer\"\n        >\n            How can businesses comply with the CCPA's opt-out requirements?            
<span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-how-can-businesses-comply-with-the-ccpas-opt-out-requirements-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>Businesses must feature a link titled \u201cDo Not Sell Or Share My Personal Information\u201d on their websites and in their notice at collection, enabling consumers to easily opt out of data sales or sharing.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-how-can-businesses-comply-with-the-ccpas-opt-out-requirements');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-how-can-businesses-comply-with-the-ccpas-opt-out-requirements'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-what-is-ccpa-compliance-2\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-what-is-ccpa-compliance-2-answer\"\n        >\n            What is CCPA compliance?            
<span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-is-ccpa-compliance-2-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>CCPA compliance involves adhering to the requirements set forth in the CCPA, including providing consumers with rights to access, correct, and delete their personal information, as well as implementing necessary privacy policies and practices.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-is-ccpa-compliance-2');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-is-ccpa-compliance-2'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-what-are-the-penalties-for-noncompliance-with-the-ccpa\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-what-are-the-penalties-for-noncompliance-with-the-ccpa-answer\"\n        >\n            What are the penalties for noncompliance with the CCPA?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-are-the-penalties-for-noncompliance-with-the-ccpa-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>Penalties for noncompliance with the CCPA\/CPRA can reach up to USD 2,663 for unintentional violations and USD 7,988 for intentional violations. 
Additionally, consumers can seek statutory damages for data breaches with penalties between USD 107 and USD 799 or actual damages, whichever is higher, or injunctive relief.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-are-the-penalties-for-noncompliance-with-the-ccpa');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-are-the-penalties-for-noncompliance-with-the-ccpa'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-what-is-ccpa-website-compliance\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-what-is-ccpa-website-compliance-answer\"\n        >\n            What is CCPA website compliance?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-is-ccpa-website-compliance-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p>CCPA website compliance refers to the measures that businesses must implement on their websites to adhere to the CCPA\/CPRA. This includes providing clear notices at the point of data collection, featuring opt-out links for consumers to manage their personal information, and maintaining a privacy policy that outlines CCPA consumer rights and data usage. 
Compliance also involves ensuring that any tracking technologies, like cookies, are disclosed appropriately.<\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-is-ccpa-website-compliance');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-is-ccpa-website-compliance'));\n            });\n        <\/script>\n    <\/div>\n            <\/div>\n\n    <\/div>\n\n\n\n<p><em>Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>California was one of the first states in the United States to enshrine privacy as an \u201cinalienable right\u201d of all people when it amended its constitution in 1972. On January 1, 2020, California became the first state to enact a data privacy law to empower its residents with ownership over their personal information and change 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":true,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"tags":[],"class_list":["post-579","page","type-page","status-publish","hentry"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/09\/uc_some_ccpa_overview_091224.jpg","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/pages\/579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=579"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/pages\/579\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=579"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}