GUIDE

Complete CCPA/CPRA Compliance Guide (2026)

Last updated: February 2026 · 15 min read

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive state privacy law in the United States. This guide covers everything you need to know about compliance.

What is CCPA/CPRA?

The CCPA was enacted in 2018 and took effect in January 2020. The CPRA, passed in November 2020, amended and expanded the CCPA significantly, with full enforcement beginning July 2023. Together, they give California consumers powerful rights over their personal information.

The law applies to for-profit businesses that collect California residents' personal information and meet any of these thresholds: annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ consumers or households, or derive 50%+ of revenue from selling/sharing personal information.

Consumer Rights Under CCPA/CPRA

  • Right to Know: Consumers can request what personal information a business collects, uses, shares, and sells.
  • Right to Delete: Consumers can request deletion of their personal information.
  • Right to Opt-Out: Consumers can opt out of the sale or sharing of their personal information.
  • Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their privacy rights.
  • Right to Correct (CPRA): Consumers can request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive PI (CPRA): Consumers can limit how businesses use their sensitive personal information.

Business Obligations

Businesses must:

  • • Provide a "Do Not Sell or Share My Personal Information" link on their website
  • • Provide a "Limit the Use of My Sensitive Personal Information" link (CPRA)
  • • Update privacy policies annually with required disclosures
  • • Respond to consumer requests within 45 days
  • • Implement reasonable security measures
  • • Conduct data protection assessments for high-risk processing (CPRA)
  • • Limit data collection to what is necessary (CPRA data minimization)
  • • Enter into contracts with service providers and contractors

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

What Counts as Personal Information?

CCPA defines personal information broadly. It includes identifiers (name, email, SSN), commercial information (purchase history), internet activity (browsing history), geolocation data, biometric information, professional information, education records, and inferences drawn from any of this data.

CPRA added the concept of "sensitive personal information" which includes SSN, driver's license, financial account info, precise geolocation, racial/ethnic origin, religious beliefs, union membership, mail/email/text content, genetic data, biometric data, health information, and sex life/sexual orientation.

CCPA/CPRA Penalties

  • Enforcement fines: Up to $2,500 per unintentional violation, $7,500 per intentional violation
  • Private right of action: Consumers can sue for data breaches ($100–$750 per consumer per incident)
  • CPPA enforcement: The California Privacy Protection Agency actively investigates and enforces violations

CCPA vs GDPR

While both laws protect personal data, they differ significantly:

  • Scope: GDPR applies to all data processors; CCPA applies to for-profit businesses meeting revenue/data thresholds
  • Consent Model: GDPR is opt-in (requires consent before collection); CCPA is opt-out (allows collection with right to opt-out of sale)
  • Definition: GDPR uses "personal data"; CCPA uses "personal information" which is broader (includes household data)
  • Enforcement: GDPR enforced by DPAs; CCPA enforced by CA Attorney General and CPPA

For a complete GDPR guide, see our GDPR Compliance Guide.

CCPA/CPRA Compliance Checklist

  • Determine if your business meets CCPA thresholds
  • Map all personal information collection and sharing
  • Update privacy policy with required CCPA disclosures
  • Add "Do Not Sell or Share" link to website
  • Add "Limit Use of Sensitive PI" link (CPRA)
  • Implement DSR response procedures
  • Review and update service provider contracts
  • Honor Global Privacy Control (GPC) signals
  • Conduct data protection assessments (CPRA)
  • Train employees on CCPA requirements
  • Implement data retention schedules

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

Related Guides

Complete GDPR Compliance Guide (2026)

The complete guide to GDPR compliance in 2026. Learn about lawful bases, data subject rights, DPIAs, breach notification, and how to build a compliance program.

Complete HIPAA Compliance Guide (2026)

The complete guide to HIPAA compliance in 2026. Learn about covered entities, PHI, the Privacy Rule, Security Rule, breach notification, and BAAs.

Guide to Automating Data Subject Requests (DSRs)

Learn how to automate data subject requests (DSRs) under GDPR, CCPA, and other privacy laws. Reduce response time, cut costs, and ensure compliance.

Developer's Guide to Privacy Compliance

A developer's guide to building privacy-compliant applications. Learn about privacy by design, data minimization, encryption, consent management, and API-first compliance.