CCPA & CPRA Compliance Guide 2026
The definitive guide to California's Consumer Privacy Act and Privacy Rights Act — who must comply, what consumers can demand, and how to avoid six-figure fines.
CCPA vs CPRA — What Changed
California has enacted two landmark privacy laws. Understanding the relationship between them is the starting point for any compliance programme.
CCPA — The Original Law
Signed 2018 · Effective January 1, 2020
The California Consumer Privacy Act was the first comprehensive US state privacy law. It gave California residents rights to know about, delete, and opt out of the sale of their personal information, and prohibited businesses from discriminating against consumers who exercise those rights.
- Right to know (categories & specific pieces)
- Right to delete personal information
- Right to opt out of sale
- Right to non-discrimination
- Private right of action for data breaches
CPRA — The Upgrade
Ballot initiative 2020 · Effective January 1, 2023
The California Privacy Rights Act substantially strengthened and amended the CCPA. Passed by 56% of California voters, it created a dedicated enforcement agency, expanded consumer rights, and introduced new obligations around sensitive personal information and data minimisation.
- New "Sensitive Personal Information" category
- Right to correct inaccurate personal information
- Right to limit use of sensitive data
- Opt-out of "sharing" (not just sale)
- California Privacy Protection Agency (CPPA)
- Data minimisation and purpose limitation
- Stronger contractor/service provider rules
Who Must Comply
CCPA/CPRA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds. Your physical location does not matter — if California residents use your service, the law may apply to you.
Annual gross revenue exceeds $25 million
If your business generates more than $25 million in annual gross revenue — from any source globally — you are subject to CCPA/CPRA regardless of how much California-specific revenue you earn.
Buy, sell, or share data of 100,000+ consumers
If your business buys, sells, receives, or shares the personal information of 100,000 or more California consumers or households per year (updated from 50,000 under CPRA), you must comply.
50%+ revenue from selling personal information
If selling consumers' personal information accounts for 50% or more of your annual revenue, CCPA/CPRA applies — even if you are a small business below the revenue threshold.
Consumer Rights Under CCPA/CPRA
California residents have nine enforceable rights against businesses that collect their personal information. Businesses must facilitate the exercise of these rights through verifiable request processes and respond within 45 days.
Right to Know
Consumers can request disclosure of the categories and specific pieces of personal information collected about them, the sources, the purposes, and the third parties with whom it is shared.
Right to Delete
Consumers can request deletion of personal information held by the business and its service providers, subject to specific exceptions such as completing a transaction or legal obligations.
Right to Correct
Consumers can request correction of inaccurate personal information that a business holds about them. The business must use commercially reasonable efforts to correct the information.
Right to Opt-Out of Sale/Sharing
Consumers can direct businesses not to sell or share their personal information with third parties — including for cross-context behavioural advertising — at any time.
Right to Opt-In (Minors)
Businesses may not sell or share personal information of consumers under 16 without affirmative authorisation. Consumers aged 13–15 must opt in directly; parents must opt in for children under 13.
Right to Limit Use of Sensitive Personal Information
Consumers can limit a business's use and disclosure of sensitive personal information to only what is necessary to provide the requested goods or services.
Right to Non-Discrimination
Businesses cannot deny goods or services, charge different prices, or provide a different quality of service to consumers who exercise their CCPA rights, unless the difference is reasonably related to the value of the data.
Right to Data Portability
When consumers exercise their right to know specific pieces of information, the business must provide that data in a portable, readily usable format that allows the consumer to transmit it to another entity.
Right to Appeal
Consumers have the right to appeal a business's decision regarding a consumer request. Businesses must provide a method for submitting an appeal and respond within 45 days of receipt.
Sensitive Personal Information
CPRA created a new category of “sensitive personal information” (SPI) that receives heightened protection. Consumers have the right to limit a business's use of SPI to what is necessary to provide the requested service. Businesses must disclose SPI separately in their privacy policy.
If your business collects any SPI, you must add a “Limit the Use of My Sensitive Personal Information” link to your website (unless you only use SPI for permissible purposes such as providing the requested service). This link must be as prominent as your “Do Not Sell or Share” link.
Required Disclosures in Your Privacy Policy
CCPA/CPRA sets out specific information that must be included in your privacy policy. Businesses must update their privacy policy at least once every 12 months.
Categories of personal information collected
List each category of personal information your business has collected about consumers in the past 12 months (e.g., identifiers, commercial information, internet activity, geolocation data, inferences).
Purposes for collection and use
Describe the business or commercial purpose for which each category of personal information is collected or used. Purposes must be disclosed at or before the time of collection (Notice at Collection).
Categories of third parties with whom personal information is shared
Disclose the categories of third parties — including service providers, contractors, and third parties with whom data is sold or shared — that receive personal information in each category.
Consumer rights and how to exercise them
Describe each CCPA/CPRA right, provide at least two methods for submitting verifiable consumer requests (including a toll-free number or webform), and explain the verification process.
"Do Not Sell or Share My Personal Information" link
If you sell or share personal information, your privacy policy must include a clear and conspicuous link using this exact text, leading directly to an opt-out mechanism.
"Limit the Use of My Sensitive Personal Information" link
If you collect sensitive personal information for purposes beyond those required to provide requested services, you must provide this opt-in/opt-out mechanism.
Retention periods
CPRA added a requirement to disclose how long each category of personal information is retained, or if that is not possible, the criteria used to determine the retention period.
Financial incentive programs
If you offer financial incentives for providing personal information, disclose the material terms of each program, how to opt in, and the right to withdraw without detriment.
Global Privacy Control (GPC)
What is the Global Privacy Control?
GPC is a browser-level signal that automatically communicates a consumer's opt-out preference to every website they visit — without requiring them to click a “Do Not Sell” link on each site individually. It is supported by major browsers including Firefox and Brave, and browser extensions such as Privacy Badger.
California's Attorney General and the CPPA have confirmed that businesses must honor the GPC signal as a valid opt-out of sale and sharing of personal information. Failure to do so is a CPRA violation.
What this means for your business
- Your website must detect the GPC signal server-side or client-side
- When GPC is detected, you must treat the user as having opted out of sale/sharing
- You must not override or ignore the GPC signal
- A Consent Management Platform (CMP) is the standard way to implement GPC detection
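The detection logic that the four points above (and the "GPC signal detection and honoring" checklist item later on this page) call for, written out as an added example. This is not Policify's CMP code or any part of the page; it uses the two signal carriers defined by the GPC specification, the `Sec-GPC: 1` request header on the server side and the `navigator.globalPrivacyControl` boolean on the client side, and assumes a hypothetical script catalogue and hypothetical stored-preference values (`"opt-in"`, `"opt-out"`) of its own:

```javascript
// Added example (not Policify's code): detecting the Global Privacy Control (GPC)
// signal on both sides of an HTTP exchange and turning it into an enforceable
// opt-out of sale/sharing, as the CPRA requires.

// Server-side. A GPC-enabled browser sends the request header "Sec-GPC: 1".
// Header names are case-insensitive, so match them case-insensitively; only the
// literal value "1" means the control is on.
function gpcFromHeaders(headers) {
  if (!headers) return false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side. Supporting browsers expose navigator.globalPrivacyControl as a
// boolean. The navigator object is passed in so the function can also run
// outside a browser (e.g. in a test).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve the opt-out state for a session. GPC is an opt-out signal only: a
// previously stored "opt-in" must never override it, and its absence does not
// cancel an opt-out the consumer made through the "Do Not Sell or Share" page.
// storedPreference values are hypothetical, not a real CMP's vocabulary.
function resolveOptOut({ headers = null, nav = null, storedPreference = null } = {}) {
  if (gpcFromHeaders(headers) || gpcFromNavigator(nav)) {
    return { optedOut: true, source: "gpc" };
  }
  if (storedPreference === "opt-out") {
    return { optedOut: true, source: "stored-preference" };
  }
  return { optedOut: false, source: "default" };
}

// Hypothetical tag catalogue. Scripts used for cross-context behavioural
// advertising count as "sharing" under CPRA, so they must not load for an
// opted-out visitor; scripts needed to deliver the requested service still may.
const SCRIPT_CATALOGUE = [
  { id: "session-auth", purpose: "essential", src: "https://example.com/auth.js" },
  { id: "ad-pixel", purpose: "advertising", src: "https://ads.example/pixel.js" },
  { id: "retargeting-sdk", purpose: "advertising", src: "https://ads.example/sdk.js" },
];

// Script ids that may load given the resolved opt-out state.
function allowedScripts(catalogue, optedOut) {
  return catalogue
    .filter((s) => !optedOut || s.purpose !== "advertising")
    .map((s) => s.id);
}

// Audit record: which signal produced the decision and which tags were suppressed.
function consentLogEntry(requestId, decision, catalogue, at) {
  return {
    requestId,
    at: new Date(at).toISOString(),
    optedOut: decision.optedOut,
    source: decision.source,
    suppressed: catalogue
      .filter((s) => decision.optedOut && s.purpose === "advertising")
      .map((s) => s.id),
  };
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { id: "req-1", headers: { "Sec-GPC": "1" } },
  { id: "req-2", headers: { "sec-gpc": "1" }, storedPreference: "opt-in" },
  { id: "req-3", headers: { "Sec-GPC": "0" } },
  { id: "req-4", headers: {}, nav: { globalPrivacyControl: true } },
  { id: "req-5", headers: {}, storedPreference: "opt-out" },
  { id: "req-6", headers: {} },
];

// Run every sample through the decision and return the audit log entries.
function processSamples(samples = SAMPLE_REQUESTS, at = "2026-01-15T10:00:00Z") {
  return samples.map((req) =>
    consentLogEntry(req.id, resolveOptOut(req), SCRIPT_CATALOGUE, at)
  );
}

for (const entry of processSamples()) console.log(JSON.stringify(entry));
```

The sample `req-2` is the case that matters most in practice: a stored "opt-in" from an earlier visit must lose to a live GPC signal, because overriding the signal is itself a violation. Note also that `Sec-GPC: 0` is treated as "no signal", not as consent; absence of GPC says nothing about the consumer's preference.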
CCPA Enforcement & Fines
CPRA created the California Privacy Protection Agency (CPPA) — the first dedicated US state privacy enforcement agency — which took over enforcement from the California Attorney General in July 2023. Both agencies retain enforcement powers.
Civil penalty for each violation that occurs through negligence. A single data incident affecting thousands of consumers can compound into millions of dollars in exposure.
The maximum civil penalty for each knowing or intentional violation. This applies when a business is aware of a required practice and chooses not to implement it.
California consumers can bring a private right of action for data security breaches affecting non-encrypted or non-redacted personal information. Statutory damages range from $100 to $750 per consumer per incident.
No grace period for children's data
CPRA removed the 30-day cure period for violations involving the personal information of consumers under 16 years old. This means that violations involving children's data are immediately actionable with no opportunity to correct the violation before penalties are issued.
Notable enforcement actions
- Sephora — $1.2M AG settlement (2022) for failing to honor GPC signals
- DoorDash — $375K AG settlement (2024) for selling data without notice
- Honda — AG investigation for obstructive DSAR process
How Policify Helps You Comply
Policify provides everything a business needs to achieve and maintain CCPA/CPRA compliance — from AI-generated policies to opt-out pages and DSAR management.
CCPA-compliant privacy policies
Generate a complete privacy policy with all required CCPA/CPRA disclosures — categories of data collected, purposes, third-party sharing, consumer rights, and retention periods. AI-drafted and quality-verified.
Generate a policy →
"Do Not Sell" opt-out page
A branded, accessible opt-out page that lets California consumers exercise their right to opt out of the sale and sharing of their personal information — required by CCPA.
See the Do Not Sell page →
Sensitive info limitation page
A dedicated page allowing consumers to limit the use of their sensitive personal information to only what is necessary to provide requested services — required by CPRA.
See Limit Sensitive Info →
DSAR management
Receive, verify, and respond to Data Subject Access Requests within the 45-day CCPA window. A centralised dashboard tracks all requests, their status, and response deadlines.
Explore DSAR tools →
Consent Management Platform
Our CMP detects and honors the Global Privacy Control signal, manages consent preferences, blocks non-consented third-party scripts, and maintains audit-grade consent logs.
Learn about the CMP →
120+ compliance templates
Access CCPA-specific notices, Notice at Collection templates, service provider agreements, data processing addenda, and more — all jurisdiction-aware and AI-reviewed.
Browse templates →
CCPA Compliance Checklist
Use this checklist to assess and build out your CCPA/CPRA compliance programme. Tick each item off before your next California-facing product launch.
Privacy policy with all required CCPA/CPRA disclosures
Ensure your policy covers collected categories, purposes, third-party sharing, all nine consumer rights, retention periods, and how to submit verifiable requests.
"Do Not Sell or Share My Personal Information" opt-out mechanism
Add a prominent link in your website footer and privacy policy. The link must lead to a functional opt-out page that works without requiring account creation.
"Limit the Use of My Sensitive Personal Information" option
If you collect sensitive personal information beyond what is strictly necessary to provide requested services, you must provide this dedicated opt-out mechanism.
Global Privacy Control (GPC) signal detection and honoring
Implement server-side or client-side GPC detection. Automatically treat users sending GPC signals as having opted out of sale and sharing.
Verified consumer request process with 45-day response window
Set up a process to receive, verify, and respond to consumer rights requests within 45 days. You may extend by 45 additional days if you notify the consumer.
Data inventory and mapping completed
Document what personal information you collect, from whom, for what purpose, how long you keep it, and with whom you share it. This is the foundation of your compliance programme.
Service provider and contractor agreements updated
Ensure all contracts with service providers and contractors include CCPA-required data processing terms. Service providers cannot use personal information for their own commercial purposes.
Staff training for consumer request handling
Train customer-facing staff on how to identify, route, and respond to consumer rights requests. Frontline staff are often the first point of contact for DSAR submissions.
CCPA/CPRA vs GDPR
If your business serves both California and EU/EEA users, you likely need to comply with both frameworks simultaneously. Here is how the two laws compare across key dimensions.
CCPA FAQ
Does CCPA apply to businesses outside California?
Yes. CCPA and CPRA apply to any for-profit business that collects personal information from California residents and meets at least one of the three thresholds — regardless of where the business is physically located. If you operate online and California residents use your service, you may be subject to CCPA even if your company is headquartered in another state or country.
What's the difference between "sale" and "sharing" under CCPA?
Under the original CCPA, "sale" covered disclosures of personal information to third parties for monetary or other valuable consideration. CPRA expanded this to separately cover "sharing," which includes disclosing personal information to third parties for cross-context behavioural advertising — even without any monetary exchange. This means businesses engaged in ad targeting via third-party pixels or SDKs must offer an opt-out even if they do not receive payment for that data.
Do I need a separate CCPA privacy policy?
No — you do not need a completely separate document. However, your privacy policy must contain a dedicated CCPA section with all required disclosures. Many businesses add a clearly labeled "California Privacy Rights" section to their main privacy policy. This section must be comprehensive enough to stand alone for California residents.
How long do I have to respond to consumer requests?
Businesses must respond to verifiable consumer requests within 45 days of receipt. If reasonably necessary, you may extend the response period by an additional 45 days (90 days total), provided you notify the consumer within the initial 45-day window and explain the reason for the extension. Requests must also be provided free of charge.
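The deadline rules in this answer and in the "Verified consumer request process with 45-day response window" checklist item are easy to get wrong in a tracking system, in particular the condition that an extension is valid only if the consumer is notified within the initial 45-day window. The following is an added example of a request tracker that enforces those rules; it is not Policify's DSAR dashboard code, and the request ids, dates and status labels are constructed for illustration:

```javascript
// Added example (not Policify's code): a minimal consumer-request tracker that
// computes CCPA/CPRA response deadlines and enforces the extension rule.

const DAY_MS = 24 * 60 * 60 * 1000;
const INITIAL_WINDOW_DAYS = 45;   // statutory response window from receipt
const EXTENSION_DAYS = 45;        // one extension, giving 90 days in total
const DUE_SOON_DAYS = 7;          // hypothetical alerting threshold

function addDays(date, days) {
  return new Date(date.getTime() + days * DAY_MS);
}

// Calendar day as YYYY-MM-DD (UTC), for deadline display.
function isoDay(date) {
  return date.toISOString().slice(0, 10);
}

// A new request. "type" is one of the rights the consumer is exercising
// (know, delete, correct, ...); dates are taken from the time of receipt.
function createRequest(id, receivedAt, type) {
  return {
    id,
    type,
    receivedAt: new Date(receivedAt),
    extension: null,      // set by extendRequest()
    respondedAt: null,    // set when the response is sent
  };
}

// Deadline is 45 days from receipt, or 90 if a valid extension was recorded.
function responseDeadline(req) {
  const days = INITIAL_WINDOW_DAYS + (req.extension ? EXTENSION_DAYS : 0);
  return addDays(req.receivedAt, days);
}

// Record an extension. It is only valid if (a) it has not already been used,
// (b) the consumer was told the reason, and (c) the notice went out inside the
// initial 45-day window. Returns a new request object rather than mutating.
function extendRequest(req, notifiedAt, reason) {
  if (req.extension) {
    throw new Error(`${req.id}: the 45-day extension may only be used once`);
  }
  if (!reason) {
    throw new Error(`${req.id}: the extension notice must state a reason`);
  }
  const notice = new Date(notifiedAt);
  const initialDeadline = addDays(req.receivedAt, INITIAL_WINDOW_DAYS);
  if (notice.getTime() > initialDeadline.getTime()) {
    throw new Error(`${req.id}: extension notice sent after the initial 45-day window`);
  }
  return { ...req, extension: { notifiedAt: notice, reason } };
}

// Status for a dashboard: closed, overdue, due-soon or open.
function requestStatus(req, now) {
  if (req.respondedAt) return "closed";
  const remainingDays = Math.ceil(
    (responseDeadline(req).getTime() - new Date(now).getTime()) / DAY_MS
  );
  if (remainingDays < 0) return "overdue";
  if (remainingDays <= DUE_SOON_DAYS) return "due-soon";
  return "open";
}

// Constructed walk-through: a right-to-know request received on 1 January 2026.
const sample = createRequest("DSAR-001", "2026-01-01T00:00:00Z", "know");
console.log(isoDay(responseDeadline(sample)));                  // initial deadline
const extended = extendRequest(sample, "2026-01-20T00:00:00Z", "records held by a service provider");
console.log(isoDay(responseDeadline(extended)));                // extended deadline
console.log(requestStatus(sample, "2026-02-20T00:00:00Z"));     // without the extension
console.log(requestStatus(extended, "2026-02-20T00:00:00Z"));   // with it
```

All arithmetic is done in UTC so that a daylight-saving change does not shift a deadline by an hour; whether a deadline falling on a weekend carries over is a policy question the page does not address, so the example does not move it.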
Does CCPA apply to employee data?
As of January 1, 2023, the employee and B2B data exemptions that existed under the original CCPA expired under CPRA. Employee personal information is now fully covered by the CCPA/CPRA framework, meaning employees have the right to know, delete, and correct their personal information held by their employer, subject to employment law limitations.
What should my "Do Not Sell or Share" link say?
CPRA updated the required link text to "Do Not Sell or Share My Personal Information." This exact phrasing is required. The link must appear prominently in your website footer, in your privacy policy, and on any page where personal information is collected. It must lead directly to an opt-out mechanism that consumers can complete without creating an account.
Ready to become CCPA compliant?
Generate a fully CCPA/CPRA-compliant privacy policy in minutes — covering all required disclosures, consumer rights, and opt-out mechanisms. AI-drafted, quality-verified, and publication-ready.
Policify is a technology provider, not a law firm. Generated documents are a structured starting point — review with qualified legal counsel before publication.