When California’s Consumer Privacy Act went into effect on January 1, 2020, it was the first law in US history to give residents of any state a comprehensive set of rights over their personal data. No equivalent existed at the federal level. Privacy advocates called it a landmark. Businesses called it expensive. Regulators called it a starting point.

They were all right.

Six years later, the CCPA has been significantly expanded by the California Privacy Rights Act (CPRA), which took full effect in 2023 and created a dedicated enforcement agency. As of 2026, the law has real fines, real enforcement actions, and new requirements around automated decision-making that are pulling California’s framework meaningfully closer to GDPR territory.

Here’s what businesses and consumers need to understand.


CCPA and CPRA: What’s the Relationship?

The California Consumer Privacy Act (CCPA) was passed in 2018 and became enforceable in 2020. The California Privacy Rights Act (CPRA) was passed by ballot initiative in 2020 and substantially amended and expanded the CCPA, effective January 1, 2023.

Think of CPRA not as a replacement but as a second version of the same law – CCPA 2.0. It kept the core structure while adding:

  • A new state agency dedicated to enforcement: the California Privacy Protection Agency (CPPA)
  • New consumer rights: the right to correct inaccurate data, and rights regarding automated decision-making
  • Stricter requirements for “sensitive personal information” (a new category)
  • New obligations on data minimization and purpose limitation (closer to GDPR’s approach)
  • Annual cybersecurity audits and risk assessments for certain businesses (effective January 1, 2026)

When people refer to “CCPA compliance” in 2026, they typically mean compliance with the CCPA as amended by CPRA. This guide covers the combined framework.


Who Does CCPA/CPRA Apply To?

CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following thresholds:

Threshold | 2026 value
Annual gross revenues | Over $26,625,000 (CPI-adjusted)
California consumers whose personal information the business buys, sells, or shares annually | 100,000 or more consumers or households
Share of annual revenue derived from selling or sharing personal information | 50% or more

Key points:

  • The law applies regardless of where the business is located. A company headquartered in London with California customers can be covered.
  • Nonprofits are generally exempt, but there are limited exceptions.
  • Control chains matter: A business that controls or is controlled by a business that meets the thresholds, and shares common branding (name, service mark, or trademark) with it, is also covered – even if it doesn’t independently meet the thresholds.
  • Service providers (the CCPA equivalent of GDPR’s “data processors”) are not directly covered by most consumer rights obligations, but must have contracts with covered businesses that restrict their use of personal information.

What Is “Personal Information” Under CCPA?

CCPA defines personal information broadly – more broadly than most US state laws, and arguably more broadly than GDPR in some respects.

Covered categories include:

  • Identifiers: Real name, alias, postal address, email address, IP address, account name, Social Security number, driver’s license number, passport number
  • Commercial information: Purchase history, products considered, other purchasing or consuming tendencies
  • Biometric data: Physiological, biological, or behavioral characteristics used for identification
  • Internet or network activity: Browsing history, search history, interaction with websites, applications, or advertisements
  • Geolocation data: Precise physical location
  • Employment and education history
  • Inferences: Profiles created from any of the above to make predictions about preferences, behavior, attitudes, intelligence, abilities, or aptitudes

The last category – inferences – is particularly significant. If a business has used your browsing history to infer that you’re likely to be interested in insurance, that inference itself is personal information, separate from the data it was derived from.

Sensitive Personal Information (added by CPRA): CPRA creates a sub-category of “sensitive personal information” with additional protections. This includes:

  • Social Security, driver’s license, state ID, and passport numbers
  • Account log-in, financial account, or payment card numbers in combination with any required security or access code or password
  • Precise geolocation
  • Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership
  • Genetic data, and biometric data processed to uniquely identify a consumer
  • Health information, sex life, or sexual orientation
  • Contents of mail, email, and text messages, unless the business is the intended recipient

Consumers have the right to direct businesses to limit the use of sensitive personal information to what is necessary to perform the service requested.


Consumer Rights Under CCPA/CPRA

California residents have the following rights under the combined law:

1. Right to Know (Access)

Consumers can request what personal information a business has collected about them, the categories and specific pieces of information, where it came from, why it’s being collected, and who it’s shared or sold to. Businesses must respond within 45 days (extendable by another 45 days in complex cases).

2. Right to Delete

Consumers can request deletion of their personal information. The business must also notify its service providers and contractors to delete the information, and notify third parties to whom it sold or shared the information unless doing so is impossible or involves disproportionate effort. That downstream obligation closes the loophole where a business deletes its own copy while vendors keep theirs.

Businesses can refuse deletion requests if they need the information to:

  • Complete a transaction the consumer requested
  • Detect security incidents
  • Comply with a legal obligation
  • Several other specific exceptions

3. Right to Correct

Added by CPRA. Consumers can request correction of inaccurate personal information, similar to GDPR’s right to rectification.

4. Right to Opt Out of Sale/Sharing

Consumers can tell businesses not to sell or share their personal information with third parties. The “Do Not Sell or Share My Personal Information” link – which CCPA requires on the websites of businesses that sell or share personal information – implements this right.

“Sharing” was added by CPRA to explicitly cover sharing for cross-context behavioral advertising, even without money changing hands. This closed the original CCPA’s loophole where data-for-advertising-services arrangements weren’t technically “sales.”

5. Right to Limit Use of Sensitive Personal Information

Consumers can direct businesses to use sensitive personal information only for the purpose of providing the requested service or good.

6. Right to Non-Discrimination

Businesses cannot discriminate against consumers who exercise their privacy rights – denying service, charging different prices, or providing a different quality of service.

7. Rights Regarding Automated Decision-Making Technology (regulations effective 2026)

The CPPA’s regulations on automated decision-making technology (ADMT) took effect on January 1, 2026. Businesses that already use ADMT to make significant decisions – decisions about financial or lending services, housing, education, employment or contracting opportunities, and healthcare services – have until January 1, 2027 to comply. Consumers gain the right to:

  • Receive a pre-use notice and opt out of the use of ADMT for a significant decision
  • Access information about how the ADMT was used for the decision, including the logic involved
  • In certain contexts, appeal the decision to a human reviewer, which a business may offer as an alternative to the opt-out

These rights move California meaningfully toward GDPR Article 22 territory and will require significant operational changes for businesses using algorithmic scoring, credit and lending assessment, hiring and tenant screening, and similar systems. Check the CPPA’s current regulation text for the exact scope and dates before relying on this summary.


What Is the “Sale” of Personal Information?

CCPA’s definition of “sale” is deliberately broad: any disclosure of personal information to a third party for monetary or other valuable consideration.

This goes well beyond the ordinary meaning of “selling.” It can include:

  • Providing data to an analytics platform in exchange for free use of their services
  • Sharing data with advertising networks as part of a publisher agreement
  • Exchanging data with business partners under a data-sharing arrangement

The “other valuable consideration” language is what makes this broad. It means the exchange doesn’t need to involve money.

The advertising implication: If your website uses standard Google Analytics or Meta Pixel implementations, there’s a reasonable argument that sharing user behavioral data with Google or Meta in exchange for their advertising services constitutes a “sale” under CCPA. The CPPA’s guidance on this has been expanding, and several enforcement actions have implicitly treated third-party advertising integrations as sales.
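As an added example (not code from the page, the CPPA, or any vendor), the following gate shows what “honoring” the opt-out means in practice for the advertising integrations just described: tags that send behavioural data to a third party must not load at all once the consumer has opted out. It treats two signals as an opt-out – a site-set cookie written when the consumer uses the “Do Not Sell or Share” link, and the browser’s opt-out preference signal (`navigator.globalPrivacyControl`, which the CCPA regulations require businesses to honor). The cookie name, the tag list, and the script URLs are illustrative assumptions.

```javascript
// Added example: gate third-party ad/analytics tags on the consumer's opt-out state.
// Not code from the page or any vendor; the cookie name, tag list and URLs are assumed.

// Assumed cookie written when the consumer clicks "Do Not Sell or Share My Personal Information".
const OPT_OUT_COOKIE = "ccpa_opt_out";

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Either signal alone is an opt-out; the decision records which one fired.
function optOutDecision(cookieString, gpcSignal) {
  const cookies = parseCookies(cookieString);
  const cookieOptOut = cookies[OPT_OUT_COOKIE] === "1";
  const signalOptOut = gpcSignal === true;
  return {
    optedOut: cookieOptOut || signalOptOut,
    reason: cookieOptOut ? "cookie" : signalOptOut ? "gpc" : "none",
  };
}

// Assumed tag inventory. sellsOrShares marks integrations that send behavioural
// data to a third party and therefore fall under the "sale or sharing" analysis;
// a first-party metrics script that stays on your own domain does not.
const TAGS = [
  { id: "ga4", url: "https://www.googletagmanager.com/gtag/js", sellsOrShares: true },
  { id: "meta-pixel", url: "https://connect.facebook.net/en_US/fbevents.js", sellsOrShares: true },
  { id: "first-party-metrics", url: "/static/metrics.js", sellsOrShares: false },
];

// Return only the tags permitted to load under the decision.
function allowedTags(decision, tags = TAGS) {
  return tags.filter((t) => !t.sellsOrShares || !decision.optedOut);
}

// Browser entry point: evaluate the signals and inject only the permitted scripts.
// Returns the ids it injected so the caller can log the decision.
function applyInBrowser() {
  if (typeof document === "undefined" || typeof navigator === "undefined") return [];
  const decision = optOutDecision(document.cookie, navigator.globalPrivacyControl === true);
  const tags = allowedTags(decision);
  for (const t of tags) {
    const s = document.createElement("script");
    s.async = true;
    s.src = t.url;
    document.head.appendChild(s);
  }
  return tags.map((t) => t.id);
}

// Constructed inputs so the logic can be exercised offline without a browser.
const sampleCookie = "session=abc123; " + OPT_OUT_COOKIE + "=1; theme=dark";
console.log(allowedTags(optOutDecision(sampleCookie, false)).map((t) => t.id));     // ["first-party-metrics"]
console.log(allowedTags(optOutDecision("session=abc123", true)).map((t) => t.id));  // ["first-party-metrics"]
console.log(allowedTags(optOutDecision("session=abc123", false)).map((t) => t.id)); // ["ga4","meta-pixel","first-party-metrics"]
```

The design point is that the opt-out state is evaluated before any third-party script tag is created, so a pixel that was already on the page cannot fire and then be “turned off” by a later flag. Record the reason field with the request so you can demonstrate, for each opt-out, that it was honored within the 15-business-day window.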


Enforcement: What’s Actually Happening in 2026

The California Privacy Protection Agency

CPRA created the CPPA, a new dedicated enforcement agency – the first of its kind in the US. The agency can investigate, issue fines, and create regulations without routing through the California Attorney General’s office. This significantly increases enforcement capacity.

Updated Fine Structure (2026)

Penalties are adjusted biennially for inflation under CCPA’s terms. Current 2026 figures:

Violation type | Maximum per violation
Violation (no intent shown) | $2,663
Intentional violation, or any violation involving the personal information of a consumer under 16 | $7,988
Statutory damages under the private right of action (data breaches only), per consumer per incident | $107 to $799

For businesses with millions of California users, even a $2,663-per-violation fine for systemic non-compliance can aggregate to very significant totals.

Recent Enforcement Actions

The enforcement record has been developing steadily:

  • Tractor Supply Company (CPPA, 2025): $1.35 million fine and mandatory business practice changes for CCPA violations related to data sharing and consent
  • Todd Snyder Inc. (CPPA, 2025): $345,178 fine against the clothing retailer for CCPA violations
  • American Honda Motor Co. (CPPA, 2025): $632,500 fine for violations including inadequate privacy disclosures
  • DoorDash (California AG, 2024): $375,000 settlement for selling personal information without adequate disclosure in violation of CCPA
  • Sephora (California AG, 2022): $1.2 million settlement – the first major CCPA enforcement action – for selling consumer data without disclosure

The pattern across enforcement actions: inadequate “Do Not Sell” mechanisms, failure to disclose data sharing with advertising partners, and insufficient privacy notices.

New Requirements Effective January 1, 2026

The CPPA adopted final regulations in 2025 requiring:

  1. Mandatory annual cybersecurity audits for businesses whose data processing poses “significant risk” to consumer privacy, with a certification of completion submitted to the CPPA each year (the first audits are phased in by business size, so check the CPPA’s current text for the deadline that applies)
  2. Risk assessments for automated decision-making before deploying ADMT for consequential decisions
  3. Expanded consumer rights for algorithmic processes as described above

These requirements bring CCPA meaningfully closer to GDPR’s accountability and documentation obligations.


CCPA vs. GDPR: Key Differences

Dimension | CCPA/CPRA | GDPR
Scope | For-profit businesses above size thresholds | All organizations processing personal data of people in the EU
Legal basis requirement | No equivalent – no need to identify a lawful basis | Explicit lawful basis required for each processing activity
Default | Opt-out model (data can be collected; consumers opt out) | Lawful basis required; consent (opt-in) for some processing
Consumer rights | Know, delete, correct, opt out, limit, non-discrimination | Access, erasure, rectification, restriction, portability, object, automated decisions
Data minimisation | Added by CPRA but less prescriptive | Core principle, strictly interpreted
Children’s data | Under 16: opt-in consent for sale/sharing; under 13: parental consent | Under 16 (member states may lower to 13): parental consent for online services relying on consent
Maximum fine | $7,988 per violation; statutory damages up to $799 per consumer per incident for data breaches | €20M or 4% of global turnover, whichever is higher
Enforcement | CPPA + California AG + private right of action (data breaches only) | Member-state supervisory authorities

The fundamental difference in philosophy: GDPR is a lawful basis model – you need a positive reason to process data. CCPA is an opt-out model – data can be processed by default; consumers have the right to stop it.

This makes GDPR more restrictive at the collection stage and CCPA more dependent on consumer awareness and opt-out mechanisms actually working.


Compliance Checklist for CCPA/CPRA in 2026

Notice and transparency:

  • Privacy policy updated to include all CCPA-required disclosures (categories of data, purposes, third parties)
  • “Do Not Sell or Share My Personal Information” link visible on the website homepage (required if the business sells or shares personal information)
  • Separate notice at collection (at the point data is collected, not buried in the privacy policy)
  • Privacy notice for job applicants and employees if applicable

Consumer rights:

  • Process for verifying and responding to consumer requests within 45 days
  • Mechanism for consumers to submit access, deletion, and correction requests (at minimum a toll-free number and a web form; a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address)
  • Opt-out mechanism for sale/sharing is functional and honored within 15 business days
  • Service providers instructed to delete data when consumer deletion requests are honored
  • Sensitive personal information limitation mechanism in place

Data practices:

  • Data inventory mapping all personal information collected, purposes, and third-party sharing
  • Contracts with service providers include required CCPA data processing provisions
  • Data retention policies established and enforced
  • Third-party advertising integrations reviewed for “sale” or “sharing” implications
  • Children’s data: opt-in consent mechanism for consumers under 16

New 2026 requirements:

  • Assess whether cybersecurity audit requirement applies
  • Conduct risk assessments for any automated decision-making systems used for consequential decisions
  • Consumer opt-out mechanism for automated decision-making operational

Final Note: The Federal Privacy Law Question

Every year since 2018, there have been renewed conversations in the US Congress about a federal privacy law that would create a unified national standard rather than a patchwork of state laws. As of 2026, no comprehensive federal privacy law has passed; several bills, most recently the American Privacy Rights Act (APRA), have been introduced without reaching a floor vote.

In the meantime, California remains the de facto standard for US businesses. A company that builds for CCPA/CPRA compliance – with proper data inventories, consumer rights processes, and transparency obligations – is also well-positioned for the state privacy laws that have passed in Virginia, Colorado, Connecticut, Texas, and more than a dozen other states, which share most of CCPA’s core rights and obligations even where their drafting follows a different model.

For businesses operating at scale, CCPA compliance is not a California problem. It’s a US data governance foundation.

