What Is CCPA?
CCPA stands for California Consumers Protection Act 2018. It is the most comprehensive data protection regulation in California and the United States.
[ Learn about CCPA Requirements 2026 → ]
It has been passed as a response to the GDPR (CCPA vs GDPR) and other data protection laws. It is not as comprehensive as the EU law, yet it grants consumers with more rights about their data privacy than ever.
The California government was the first ever US state to pass a data privacy law. It has been updated multiple times.
CCPA vs. CalOPPA
Yes, you have to comply with any data protection law that is currently in force in California, and that includes CalOPPA and other laws as well.
The CCPA is not a replacement for any existing California data protection law. All of them are in effect after 1 January 2020; therefore, you’ll have to comply with every data protection regulation adopted in the state.
CCPA was meant to complement the current personal data protection, not to replace it. CalOPPA and other personal data protection laws will keep to exist, which means the requirements for your business remain. Introducing the CCPA doesn’t change anything regarding your duties to comply with other California privacy laws, such as the CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act, as well as federal laws such as HIPAA.
What Is CCPA Compliance?
CCPA compliance means that you meet all the compliance requirements as set out in the CCPA. Read our ultimate compliance checklist about CCPA privacy policy right here.
Check out Secure Privacy's GDPR and CCPA Compliance features for Publishers.
What are CCPA compliance requirements?
If the CCPA applies to your business, then you have to be CCPA compliant. Read all about CCPA privacy policy and how to become CCPA compliant here.
Who does CCPA apply to?
The California Consumer Privacy Act (CCPA) applies only to businesses that meet the requirements for applicability.
It applies to every company in the world if:
- They collect personal data of California residents, and
- They (or their parent company or a subsidiary) exceed at least one of the following three thresholds:
- Annual gross revenue of at least $25 million,
- Obtains personal information of at least 50,000 California residents, households, and/or devices per year, or
- At least 50% of their annual revenue is generated from selling California residents’ personal data.
A California resident is defined by California’s Privacy law as any person who:
- Is in California for other than a temporary or transitory purpose, or
- Is domiciled in California, but is outside the state for temporary or transitory purposes.
Does CCPA Apply To SME Businesses?
CCPA may apply to any business. It may apply even to small and medium businesses if they meet the applicability standards. It doesn’t matter how big the business is. California’s new privacy law is not focused on the size of your business, but on whether it meets certain criteria as mentioned above.
What Are The Fines For Non-Compliance With The CCPA?
Failure to comply with CCPA puts you at risk of huge fines. You can expect the Attorney General to initiate a process against you if you do not meet CCPA requirements after 30 days upon being notified about it.
This brings a risk of being fined up to $7500 per violation in case of a data breach. It means that if you violate the CCPA-guaranteed rights of 1000 users, you might receive a fine of up to $7.500.000 in total ($7500×1000 users).
Recently The California Privacy Protection Agency (CPPA) issued draft regulations on risk assessment and cybersecurity audits under the CCPA (California Consumer Privacy Act). Learn about CCPA Risk Assessments.
Is CCPA The California Version Of GDPR?
No, it is not. The government of California may have used the momentum created by the introduction of the EU’s General Data Protection Regulation (GDPR) to augment the ePrivacy Directive, but the CCPA requirements are not as extensive as the GDPR cookie consent obligations.
How Do You Do CCPA Vs GDPR Comparison?
When comparing GDPR vs CCPA, several differences are obvious.
CCPA is not as comprehensive as the GDPR. The California law does not require consent for the use of cookies, does not provide as many data subject, i.e. consumer rights, does not establish a dedicated government body for enforcement, does not contain data breach rules, etc.
In general, GDPR requires the user to opt-in for collection and processing of their data. CCPA does not require that. It only provides an opportunity to opt-out.
We Are Compliant With The GDPR. Does It Mean That We Are CCPA Compliant?
No, if you comply with GDPR, it doesn’t guarantee CCPA compliance by default. Chances are you already meet some of the CCPA requirements simply by being GDPR compliant, but you still have some work to do.
Unlike the EU ePrivacy Directive and the General Data Protection Regulation (GDPR), you’ll have to make adjustments to your privacy policy to meet CCPA requirements in 2026. You need to include a “Do Not Sell My Personal Information” link on your home page, establish methods for requests for access, change, and erasure of users’ data, establish a method for verification of the identity of the person making a data-related request, and establish a method for obtaining prior CCPA cookie consent from minors similar to GDPR consent before selling their personal data.
Simply put, you need to address the differences between the GDPR and the CCPA.
Learn about Secure Privacy's CCPA Certification.
What Is A CCPA Service Provider?
A CCPA service provider is what a data processor is according to the GDPR - the entity processing data on someone else’s behalf based on their instructions.
For example, your email marketing provider helps you collect email addresses and process them. They are your CCPA service provider.
Although CCPA contains a number of service provider exceptions, it prescribes some duties that service providers must abide by.
What Is Personal Information Under The CCPA?
Personal information under the CCPA is any information that could identify, describe, or be linked, directly or indirectly, with a particular consumer or household. Read all about what personal information under the CCPA is right here.
Can We Sell Our Users’ Personal Information Freely?
The CCPA doesn’t prevent you from selling your users’ data, but it obliges you to allow them to opt-out of their personal information being used for a business purpose. Read all about personal information under the CCPA here.
What is Opt-Out Under the CCPA?
Opt-out under the CCPA means the right of California residents to request that a business that sells or shares their personal information stop doing so. If the consumer requests an opt-out, the business has no choice but to stop selling or sharing their personal information.
Businesses have two obligations under the opt-out requirement:
- To provide a clear and conspicuous link on their homepage titled "Do Not Sell or Share My Personal Information" that allows consumers to opt out of the sale of their personal information, and
- To provide consumers with notice of their right to opt out and a description of how to exercise that right.
In addition, businesses must conform to opt-out preferences signals received by consumers’ browsers. These are also valid opt-out requests.
Updated CCPA 2026 opt-out requirements now include Global Privacy Control signals.
What is Privacy Notice Under the CCPA?
A privacy notice is a disclosure that businesses subject to the CCPA must provide to consumers regarding their data collection and sharing practices.
CCPA requires four types of privacy notices:
- Notice on collection
- Notice on the right to opt-out
- Notice the right to limit
- Notice on financial incentives.
Most businesses need to provide consumers with a "notice at collection" that explains what personal information the business collects, the business purposes for which it collects the information, and the categories of third parties with whom the business shares the information.
Many also need to provide them with a notice on the right to opt-out from the sales or sharing of their data with third parties.
What Is Global Privacy Control and What Does the CCPA Require About GPC?
Global Privacy Control (GPC) is a privacy standard that allows internet users to signal their privacy preferences to websites and online services.
The CCPA considers the GPC a valid opt-out request. Therefore, businesses that collect personal information from California residents must honor GPC signals if they receive them. Businesses are also prohibited from discriminating against users who choose to exercise their GPC rights.
What Should A CCPA-Compliant Privacy Policy Contain?
A Privacy policy is explicitly required by the CalOPPA and indirectly by the CCPA. If CCPA applies to your business, then certainly CalOPPA applies as well.
When you combine the requirements from both laws, you’ll understand that your privacy policy should be written in plain language and contain at least the following:
- What kind of information you collect and process
- Why do you collect and process information
- How do you collect and process information
- How users can request access, change, move, or deletion of their personal data
- The method for verifying the identity of the person who submits a request
- Sales of users’ personal data and how they can opt-out of the selling of their data
- Information on financial incentives where providing personal information is involved.
Do I Need To Obtain The User's Consent Before Using Cookies To Collect And Process Their Personal Data For CCPA Compliance?
No, you don’t need to obtain their consent. Unlike many other laws worldwide, obtaining user’s consent for the use of cookies and other tracking technologies is not required for CCPA compliance.
What Is CCPA 2.0?
Officially known as the California Privacy Rights Act (CPRA), CCPA 2.0 builds upon and amends the California Consumer Protection Act (CCPA), and in the process, expanding the privacy rights of California residents. Read more about how the CPRA it differs from CCPA.
When Does CCPA Come Into Effect?
Although some of the changes to the current CCPA will be enforced immediately, most will not take effect until Jan 1, 2023, and apply only to personal information collected after January 1, 2022.
It is hugely important to start your CCPA 2.0 compliance efforts in advance to avoid penalties for violations.
Who Needs To Comply With The CCPA 2.0?
The businesses that need to comply with the CCPA need to comply with the CCPA 2.0 as well. The only difference in the applicability requirements is that one of the thresholds has been updated - the threshold of 50.000 California residents or households from whom the business collects data has been moved up to 100.000 residents or households.
What Changes Does The CCPA 2.0 Bring?
The CPRA will introduce several changes to the current CCPA setup in the form of minor revisions, new concepts, and expansion of California consumers’ rights.
CCPA 2.0 changes include;
- New regulations for a category of personal information known as “sensitive data’’
- A new definition of consent that introduces GDPR-like requirements
- A new definition for ‘sharing’ personal information
- Clarifications on the definition of a business under the CCPA
- Changes to CCPA service provider requirements
- New disclosure requirements
- An update to users’ right of action under CCPA
- The California Privacy Protection Agency
- Removal of the 30-day cure period
- Extension of CCPA’s employee data and business-to-business data exemptions
What Is Sensitive Data Under The CCPA?
CCPA 2.0 introduces a new subcategory of personal data referred to as “Sensitive Personal Information".
It consists of a user’s:
- Racial or ethnic background
- Religious beliefs
- Union membership
- Contents of email or text messages
- Genetic information
- Sexual orientation
- Account login, financial account, debit or credit card, alongside any other necessary security or access code, password, or credentials that facilitate access to an account
- Specific geolocation
