California's CCPA & CPRA: where to start?

Leïla Sayssa
9 February 2026·14 minutes read time

What is the CCPA & CPRA?

The California Consumer Privacy Act (CCPA), passed on 28 June 2018, was the first comprehensive US state privacy law; its enforcement began on January 1, 2020.

Codified at Cal. Civil Code §§ 1798.100–1798.199, it gives California residents meaningful control over their personal information. It requires covered businesses to be transparent about what data they collect, who they share it with, and why; and to honor consumers' requests to access, delete, or opt out of the sale of that data.

In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA). The CPRA did not create a separate law, rather it amended and significantly expanded the CCPA, adding new consumer rights, tightening obligations for businesses, and establishing the California Privacy Protection Agency (CPPA) as a dedicated enforcement body. The CPRA amendments took effect January 1, 2023. Most practitioners now simply refer to the combined law as "the CCPA, as amended."

Then in 2025, the CPPA finalized a sweeping new round of regulations, covering automated decision-making technology (ADMT), mandatory cybersecurity audits, and formal risk assessments. These regulations take effect on a staggered schedule running from January 2026 through April 2028, making the CCPA a genuinely evolving compliance target.

While the CCPA is the only comprehensive state privacy law that provides a limited private right of action, allowing individuals to sue over certain data breaches, most enforcement of U.S. state privacy laws is conducted by public authorities, rather than through private litigation.

Only California has a dedicated enforcement agency, the California Privacy Protection Agency (CPPA), which also holds rulemaking authority.

The CCPA is not the only privacy law in California

One of the most common misconceptions among companies entering the California market, whether from Europe or elsewhere in the U.S., is treating the CCPA/CPRA as the California privacy law. In reality, it is just the most visible layer of a much deeper and older legal ecosystem.

There are dozens of major privacy statutes that coexist with the CCPA, many predating it by decades, several with sharper teeth on specific issues. Understanding this landscape is not optional. Exposure can come from directions you never anticipated.

Does the CCPA apply to you?

Jurisdictional threshold

The first requirement for a company to fall within the scope of a state privacy law is the jurisdictional threshold.

In California, that means an organization must “do business” in California to be subject to the CCPA.

Business is understood as "A sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California."

In other words, doing business means the entity offers goods/services to CA residents, or has CA operations, or otherwise conducts business in CA.

Data threshold

The second set of conditions is substantive: beyond jurisdiction, a company must meet at least one of the law’s applicability thresholds such as handling personal data above certain volume limits, deriving revenue from selling or sharing personal data, or exceeding an annual gross revenue threshold.

1- The processing of personal information of 100,000 or more unique California consumers

A consumer is understood as a natural person who is a California resident. Therefore, an entity meets the state's applicability threshold when it processes the data of 0.3% of California's population.

Personal information is understood as "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

It does not include publicly available information; lawfully obtained, truthful information that is a matter of public concern; or aggregated or deidentified data.

Question: In the past 12 months, did you buy, sell, share, or otherwise process personal information of ≥ 100,000 California consumers or households?

2- The sale of personal information threshold: the business controls or processes any personal data and derives 50% or more of its revenue from the sale of personal data.

The sale of personal data is understood as "Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration."

A business does not sell personal information when:

  1. A consumer uses or directs the business to intentionally disclose personal information or interact with one or more third parties.

  2. The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information.

  3. The business transfers to a third party the personal information of a consumer as part of a merger or acquisition.

Question: Does your organization derive more than 50% of its revenue from the sale of personal data?

3- The annual revenue threshold:

Only California provides a fourth threshold that may be met based on an entity's overall annual revenue.

If an entity is doing business in California and had annual gross revenue of at least USD 25 million in the preceding calendar year, then it is subject to the CCPA, regardless of the previous thresholds.

Question: Does your organization generate at least USD 25 million in annual revenue?

The consumer rights

The CCPA, as amended, provides California residents with six core privacy rights. The CPPA uses the acronym LORCAD to capture them:

1. Right to LIMIT the use and disclosure of sensitive personal information. Consumers can direct businesses to restrict their use of sensitive personal information to what is strictly necessary to provide the requested product or service, preventing its use for secondary purposes like targeted advertising or profiling.

2. Right to OPT OUT of sale or sharing. Consumers can instruct a business to stop selling or sharing their personal information. "Sharing" was added by the CPRA and expressly captures cross-context behavioral advertising, meaning that passing data to an ad network for targeting, even without receiving cash payment, constitutes "sharing" under California law. Businesses must display a clear "Do Not Sell or Share My Personal Information" link on their homepage.

3. Right to CORRECT inaccurate personal information. Added by the CPRA. Businesses must use commercially reasonable efforts to correct inaccurate data and must propagate corrections to their service providers and contractors.

4. Right to ACCESS personal information. Consumers can request the specific pieces and categories of personal information a business has collected about them, the sources from which it was collected, the business purpose for collection, and the categories of third parties with whom it has been shared.

5. Right to DELETE personal information. Consumers can request deletion of their personal data. The business must also notify its service providers and contractors to delete the information. Exceptions apply (legal obligations, security research, completing a transaction, and others), but these exceptions are narrower than they appear.

6. Right against DISCRIMINATION for exercising rights. Businesses cannot deny goods or services, charge different prices, or provide a different quality of service to consumers who exercise their CCPA rights, unless the difference in treatment is directly and reasonably related to the value of the consumer's data.

Business obligations at a glance

Beyond honoring consumer requests, covered businesses carry a substantial set of affirmative obligations.

Notice at collection. Businesses must inform consumers, before or at the time of collection, of the categories of personal information being collected and the purposes for which it will be used. This notice must be easily accessible and cannot be buried.

Privacy policy. Businesses must maintain a comprehensive, publicly accessible privacy policy that describes all CCPA rights, the categories of personal information collected and shared over the preceding 12 months, retention periods for each category, and how consumers can submit requests. The policy must be updated at least annually.

Data retention. The CPRA added an explicit requirement to disclose how long each category of personal information is retained, or explain the criteria used to determine that period. This catches many companies off guard, particularly those without documented retention schedules.

Reasonable security. The CPRA expressly requires businesses that collect personal information to implement reasonable security procedures and practices appropriate to the nature of the data. A breach of unencrypted personal information in the absence of reasonable security can give rise to a private right of action.

Vendor contracts. Businesses must have written contracts in place with service providers, contractors, and third parties, containing specific provisions required by the CCPA, including restricting the recipient's use of personal information to the specified business purpose and obligating them to comply with CCPA requirements.

Global Privacy Control (GPC). Businesses must recognize and honor GPC signals (browser-level opt-out signals) as valid opt-out requests. Failure to honor GPC has been a central issue in multiple enforcement actions.
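The following is an added example, not code from the article or from Dastra, of how a server can detect the GPC signal and make the opt-out actually stop sale/share tags from loading (the operational failure behind the Sephora and Tractor Supply cases). It assumes the GPC specification's request header `Sec-GPC: 1`, a Node-style lower-cased `headers` object, and a hypothetical per-consumer stored preference of `'opt-out'`, `'opt-in'` or `null`; the tag catalogue is constructed with hypothetical vendor names.

```javascript
// Added example (not the article's or Dastra's code): honoring the Global
// Privacy Control (GPC) signal server-side. A user agent with GPC enabled sends
// "Sec-GPC: 1"; the "Sec-" prefix means page scripts cannot set or strip it.
// The headers object is assumed to be Node's http.IncomingMessage.headers,
// where header names are lower-cased.

// True only for the exact spec value "1"; absence or any other value is "no signal".
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// A live GPC signal is a valid opt-out request on its own: it applies when no
// preference was ever stored and cannot be overridden by a stored "opt-in".
// storedPreference (hypothetical record): 'opt-out', 'opt-in' or null.
function isOptedOut(headers, storedPreference) {
  return hasGpcSignal(headers) || storedPreference === 'opt-out';
}

// Gate third-party tags on the opt-out state. Tags marked `sale: true` sell or
// share personal information (e.g. ad-network pixels for cross-context
// behavioral advertising) and are suppressed for opted-out consumers; tags of
// service providers that do not sell or share may still load. Deciding this at
// the server is what makes the opt-out stop the sharing, not just record it.
function allowedTags(headers, storedPreference, tags) {
  const optedOut = isOptedOut(headers, storedPreference);
  return tags.filter((tag) => !(optedOut && tag.sale));
}

// One audit-log line per request, so that how each GPC signal was handled is
// evidenced for the recordkeeping a regulator would ask for.
function gpcLogLine(headers, storedPreference) {
  return JSON.stringify({
    gpc: hasGpcSignal(headers),
    stored: storedPreference,
    effective: isOptedOut(headers, storedPreference) ? 'opt-out' : 'no-opt-out',
  });
}

// Constructed sample tag catalogue (hypothetical vendor names).
const SAMPLE_TAGS = [
  { name: 'first-party-analytics', sale: false },
  { name: 'ad-network-pixel', sale: true },
  { name: 'retargeting-pixel', sale: true },
];

// Constructed request: GPC on, no stored preference.
console.log(allowedTags({ 'sec-gpc': '1' }, null, SAMPLE_TAGS).map((t) => t.name));
// prints: [ 'first-party-analytics' ]
```

In the browser the same signal is exposed as the boolean `navigator.globalPrivacyControl`, which a client-side tag manager can check the same way before loading sale/share tags.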

Minor-specific protections

The CCPA follows an opt-out model by default for adults. For consumers under 16, the framework flips.

Businesses that have actual knowledge that a consumer is between 13 and 16 years old may not sell or share that consumer's personal information without affirmative opt-in consent from the consumer. For consumers under 13, opt-in consent must be obtained from a parent or guardian, in compliance with COPPA.

The $1.4 million Jam City settlement and the Tilting Point Media complaint both arose from alleged violations of these provisions, with mobile gaming companies alleged to have misconfigured their apps to share data from users they knew to be minors.

New 2026 requirements & beyond

The CPPA's 2025 regulations, finalized in October 2025 and taking effect on a rolling basis from January 2026, introduce three significant new layers of obligation.

Automated Decision-Making Technology (ADMT). Effective January 1, 2027, businesses that use ADMT to make or contribute to significant decisions affecting consumers (including hiring, housing, credit, education, and healthcare) must provide a clear pre-use disclosure and give consumers the ability to opt out. Businesses must also provide an appeals mechanism for ADMT-driven decisions. Detailed recordkeeping requirements apply.

Cybersecurity audits. Businesses whose processing activities present significant risk to consumers, based on the sensitivity of the data or the nature of the processing, will be required to conduct annual cybersecurity audits and submit certifications to the CPPA. The audit requirement phases in between 2028 and 2030, depending on the business’s annual gross revenue in the preceding year.

Risk assessments. Under the new California rules, if a business’s processing presents a significant or heightened risk to consumers’ privacy, the business must complete a risk assessment before starting that processing. This requirement also applies to certain processing activities that began before 2026 and continue into 2026. In that case, the business must complete the risk assessment no later than December 31, 2027.

The Delete Act (SB 362), separately enforced by the CPPA, also takes effect in 2026. It creates a single accessible mechanism, the Drop platform, through which consumers can submit one request to delete their data from all registered data brokers simultaneously.

Enforcement: who, how & how much

The CCPA operates under a dual enforcement structure unique in U.S. privacy law.

The California Privacy Protection Agency (CPPA), established by the CPRA and the only dedicated privacy regulator in the United States, has full administrative enforcement authority, the power to conduct audits, and the authority to issue binding regulations. Its enforcement division became operational for CPRA violations on July 1, 2023.

The California Attorney General retains independent enforcement authority and cannot be limited by the CPPA. The AG's office has historically pursued targeted industry sweeps: retail (2022), loyalty programs (2022), mobile apps (2023), streaming services (2024), the location data industry (2025), and employment services (2025). Both authorities are actively pursuing cases simultaneously.

Penalty amounts (as of January 1, 2025, adjusted for inflation):

  • Up to $2,663 per unintentional violation
  • Up to $7,988 per intentional violation, or for any violation involving consumers the business knows to be under 16
  • Additional consumer-level damages for data breaches: $107 to $799 per affected person per incident, or actual damages, whichever is greater, through a limited private right of action
  • No cap on total penalties; each affected consumer's record can constitute a separate violation

A glance at the enforcement record so far:

Sephora (2022) — $1.2 million. The California AG found that Sephora failed to disclose that it sold personal information, did not process opt-out requests submitted via Global Privacy Control, and failed to cure violations within the required period. The case established that sharing data with third-party advertising platforms constitutes a "sale" under California law even without direct monetary payment.

Jam City (2024) — $1.4 million. The AG found that the mobile gaming company failed to offer any CCPA-compliant opt-out mechanisms across its 21 mobile apps, and shared data from users it knew to be between 13 and 16 years old without the required affirmative opt-in consent.

Healthline (2025) — $1.55 million. The largest CCPA civil penalty to date, brought by the AG against the health information platform for violations involving the handling of sensitive health data and inadequate privacy disclosures.

Tractor Supply (2025) — the CPPA's largest fine to date, issued in October 2025, after finding that the company's "Do Not Sell" mechanism did not actually stop the sale or sharing of personal information, and that it failed to honor GPC signals until mid-2024.

A pattern is visible across these cases. The violations that actually trigger enforcement are not exotic edge cases but operational failures: opt-out links that don't work, GPC signals that are ignored, vendor relationships undisclosed in privacy policies, and data-sharing arrangements silently mislabeled as something other than a "sale".

Is your organization ready for the CCPA?

Dastra helps privacy teams build and maintain exactly that kind of living compliance program, from data mapping and vendor contract management to consumer rights request workflows and automated risk assessments.

Not sure where you stand? Take our CCPA readiness questionnaire to get an instant picture of your exposure, your gaps, and your next steps.
