Tags: CCPA · Privacy Law · Compliance · CPRA
By Gregor Emm · 6 min read

CCPA Compliance Requirements — The Complete 2026 Guide

The California Consumer Privacy Act, as amended by the CPRA, is the most significant US privacy law. If your business has California customers — and most online businesses do — these requirements likely apply to you.

This guide covers every CCPA compliance requirement, from the threshold test to the specific technical changes your website needs.

Does the CCPA Apply to You?

The CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least one of these thresholds:

| Threshold | Requirement |
|---|---|
| Revenue | Annual gross revenue exceeds $25 million |
| Data volume | Buys, sells, or shares personal information of 100,000+ California residents, households, or devices annually |
| Revenue source | Derives 50% or more of annual revenue from selling or sharing personal information |

Important: The data volume threshold is easier to hit than you think. If your website gets 100,000+ unique visitors from California per year and uses advertising cookies (Google Ads, Meta Pixel), you're likely "sharing" their data under the CCPA definition.

Non-profits and government agencies are exempt. Businesses that don't meet any threshold are technically exempt but should still implement basic privacy controls — other states are passing similar laws with different thresholds.

The 8 Core CCPA Compliance Requirements

1. Right to Know (Disclosure)

Consumers can request a detailed report of:

  • What categories of personal information you've collected
  • The sources of that information
  • Your business purpose for collecting it
  • The categories of third parties you share it with
  • The specific pieces of personal information you hold about them

You must respond to verified requests within 45 days (extendable to 90 days with notice). You must provide at least two methods for submitting requests — typically a web form and an email address.

2. Right to Delete

Consumers can request deletion of their personal information. You must comply and direct any service providers you've shared the data with to delete it as well.

Exceptions exist for data needed to complete transactions, detect fraud, exercise free speech, comply with legal obligations, or conduct research.

3. Right to Opt-Out of Sale/Sharing

This is the requirement with the biggest website impact. You must:

  • Display a "Do Not Sell or Share My Personal Information" link on your website
  • Provide a functional opt-out mechanism at that link
  • Stop selling or sharing the consumer's data upon request
  • Wait at least 12 months before asking the consumer to opt back in

Under the CPRA amendment, "sharing" includes providing data for cross-context behavioral advertising — even without payment. This means advertising pixels (Meta, Google Ads, TikTok) qualify as sharing.

4. Right to Correct

Added by the CPRA. Consumers can request correction of inaccurate personal information. You must make commercially reasonable efforts to correct the data.

5. Right to Limit Use of Sensitive Personal Information

The CPRA created a new category of sensitive personal information that includes:

  • Social Security numbers and government IDs
  • Financial account details
  • Precise geolocation (within 1,750 feet)
  • Race, ethnicity, religion, genetic data
  • Private communications content
  • Health information

If you collect sensitive PI, you must provide a "Limit the Use of My Sensitive Personal Information" link and allow consumers to restrict its use to what's necessary for the service.

6. Privacy Policy Requirements

Your privacy policy must include:

  • Categories of personal information collected in the preceding 12 months
  • Sources of each category
  • Business purposes for collection
  • Categories of third parties data is shared with
  • Consumer rights and how to exercise them
  • Contact information for privacy requests
  • Date of last update
  • Whether you sell or share personal information (and a link to opt out if so)

The privacy policy must be updated at least every 12 months.

7. Honor Global Privacy Control (GPC)

The CPRA explicitly requires businesses to treat the GPC browser signal as a valid opt-out request. When a visitor's browser sends GPC, you must stop selling or sharing their personal information — including suppressing third-party advertising cookies.

This is a technical requirement your consent management platform needs to handle. Many CMPs now support GPC detection, but we regularly find websites that ignore the signal entirely.
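The following is an added example, not code from the original article or from any CMP vendor. It shows the two places the GPC signal is visible (the `navigator.globalPrivacyControl` flag in the browser and the `Sec-GPC: 1` request header on the server), combines it with a stored opt-out preference, and uses the result to gate which tags load, so that cross-context advertising tags are suppressed once the visitor has opted out (the failure described under "Opt-out that doesn't actually work"). The cookie name `ccpa_opt_out`, the tag registry and the purpose labels are assumptions constructed for the example.

```javascript
// Added example (not from the original article): honor GPC and a stored
// opt-out preference by gating which tags are allowed to load.
// The cookie name and the tag list below are constructed assumptions.

const OPT_OUT_COOKIE = "ccpa_opt_out"; // assumed name of the stored preference

// Parse a Cookie header or document.cookie string into a name->value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// GPC is exposed as navigator.globalPrivacyControl === true in the browser
// and as the request header "Sec-GPC: 1" server side. Either form is a
// valid opt-out, so treat whichever one is visible as authoritative.
function hasGpcSignal({ navigatorFlag, secGpcHeader } = {}) {
  return navigatorFlag === true || String(secGpcHeader ?? "").trim() === "1";
}

// A visitor is opted out if GPC is on OR they previously used the
// "Do Not Sell or Share" link (recorded here in the assumed cookie).
function isOptedOut(signals = {}) {
  if (hasGpcSignal(signals)) return true;
  return parseCookies(signals.cookieString)[OPT_OUT_COOKIE] === "1";
}

// Decide which tags may load. Tags classified as cross-context behavioral
// advertising count as "sharing" and are suppressed after opt-out; tags
// with other purposes still load (the classification is an assumption
// the site owner must make per tag).
function planTags(signals, tags) {
  const optedOut = isOptedOut(signals);
  const load = [];
  const suppressed = [];
  for (const tag of tags) {
    if (optedOut && tag.purpose === "cross-context-advertising") {
      suppressed.push(tag.name);
    } else {
      load.push(tag.name);
    }
  }
  return { optedOut, load, suppressed };
}

// Constructed sample tag registry (names only, no real tag URLs).
const SAMPLE_TAGS = [
  { name: "analytics-first-party", purpose: "analytics" },
  { name: "meta-pixel", purpose: "cross-context-advertising" },
  { name: "google-ads-tag", purpose: "cross-context-advertising" },
];

// Browser entry point: read the live signals and hand only the permitted
// tag names to a loader callback. Returns null outside a browser.
function applyInBrowser(loader) {
  if (typeof navigator === "undefined" || typeof document === "undefined") {
    return null;
  }
  const plan = planTags(
    { navigatorFlag: navigator.globalPrivacyControl, cookieString: document.cookie },
    SAMPLE_TAGS
  );
  for (const name of plan.load) loader(name);
  return plan;
}
```

The useful check for a site owner is the reverse direction: with GPC enabled in the browser, `planTags` must report the advertising tags under `suppressed`, and a network inspection should show no requests to those vendors. A server-side integration can pass the raw `Sec-GPC` header value as `secGpcHeader` and make the same decision before any tag markup is rendered.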

8. Non-Discrimination

You cannot retaliate against consumers who exercise their CCPA rights by:

  • Denying goods or services
  • Charging different prices
  • Providing different quality of service
  • Threatening any of the above

You can offer financial incentives for data collection, but they must be clearly disclosed and reasonably related to the value of the data.

CCPA Website Compliance Checklist

Here's what your website specifically needs:

  • [ ] "Do Not Sell or Share" link visible on every page (typically in the footer)
  • [ ] Functional opt-out page where users can actually stop data sharing
  • [ ] GPC signal detection — your site must honor the browser signal
  • [ ] Privacy policy with all required disclosures (see section 6)
  • [ ] Cookie disclosure — which cookies collect personal information and why
  • [ ] Data request mechanism — web form + email for access/deletion requests
  • [ ] Response procedures — ability to verify identity and respond within 45 days
  • [ ] Sensitive data link (if applicable) — "Limit the Use of My Sensitive Personal Information"
  • [ ] No pre-consent tracking violations — while CCPA allows default tracking, opt-out must actually work

CCPA Enforcement and Penalties

Who Enforces

The California Privacy Protection Agency (CPPA) is the primary enforcer since July 2023. The California Attorney General retains enforcement authority as well.

Penalty Structure

| Violation Type | Fine |
|---|---|
| Unintentional | Up to $2,500 per violation |
| Intentional | Up to $7,500 per violation |
| Involving minors | Up to $7,500 per violation |

There is no cap on total fines. A violation affecting 100,000 consumers could theoretically result in $750 million in penalties.

Private Right of Action

Consumers can sue directly for data breaches involving their personal information. Statutory damages range from $100 to $750 per consumer per incident, or actual damages — whichever is greater.

This is limited to data breaches — consumers cannot sue for other CCPA violations (those are enforced by the CPPA/AG).

CCPA vs. GDPR: Key Differences

| Aspect | CCPA/CPRA | GDPR |
|---|---|---|
| Consent model | Opt-out | Opt-in |
| Applies to | For-profits meeting thresholds | All organizations processing EU data |
| Cookie handling | Allowed by default, opt-out required | Blocked until consent |
| Fines | $2,500-$7,500 per violation | Up to 4% of global revenue |
| Enforcement | CPPA + AG | National DPAs |
| Private lawsuits | Data breaches only | Broader rights |
| Sensitive data | Separate "Limit Use" link | Explicit consent required |

If you're already GDPR compliant

Good news: GDPR compliance mostly covers CCPA requirements since GDPR is stricter. The main additions you need for CCPA:

  • A "Do Not Sell or Share" link (GDPR doesn't require this specific language)
  • GPC signal support
  • CCPA-specific privacy policy disclosures

Common CCPA Compliance Mistakes

Based on scanning hundreds of websites:

  1. Opt-out that doesn't actually work — The "Do Not Sell" link exists but clicking it doesn't suppress advertising cookies
  2. Missing GPC support — The browser sends an opt-out signal and the site ignores it
  3. Generic privacy policy — Doesn't list specific data categories, sources, or third parties
  4. No data request mechanism — No web form or clear email for consumer requests
  5. "Accept All" cookie banner with no decline option — While CCPA doesn't require a GDPR-style banner, if you have one, it should include an opt-out

How to Check Your CCPA Compliance

  1. Run a free website scan — checks pre-consent tracking, consent banner, and opt-out mechanisms
  2. Search your site for "Do Not Sell" — verify the link exists and works
  3. Test GPC — install the GPC browser extension, visit your site, and check if tracking stops
  4. Review your privacy policy — compare against the 8 requirements above
  5. Submit a test data request — verify your process works end-to-end

Frequently Asked Questions

What are the main CCPA compliance requirements?

The CCPA requires businesses to: disclose what personal information they collect, provide consumers the right to delete their data, offer an opt-out of data sale/sharing, maintain a CCPA-compliant privacy policy, honor Global Privacy Control signals, and not discriminate against consumers who exercise their rights.

Who needs to comply with the CCPA?

The CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least one threshold: annual gross revenue over $25 million, buy/sell/share data of 100,000+ consumers annually, or derive 50%+ of revenue from selling personal information.

What is the penalty for CCPA non-compliance?

The CPPA can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. There is no cap on total fines, so violations affecting many consumers can result in significant penalties. Consumers can also sue for data breaches involving their personal information.

What does CCPA compliance mean for my website?

For websites, CCPA compliance means having a 'Do Not Sell or Share' link, disclosing cookie and tracking data collection in your privacy policy, honoring browser opt-out signals like GPC, providing data access and deletion mechanisms, and ensuring your consent tools actually stop data sharing when users opt out.

How is the CCPA different from GDPR?

The biggest difference is the consent model: GDPR requires opt-in consent before data collection, while CCPA uses opt-out (collection is allowed by default, but consumers must be able to stop it). GDPR applies to all organizations processing EU residents' data regardless of size, while CCPA has revenue and data volume thresholds.
