CCPA Compliance: A Complete Guide for Businesses (2026)


Picture this: you’ve been running your SaaS startup for two years. You’re growing, you’ve got users across the US, and a decent chunk of them are in California. Then someone mentions the CCPA and you realise you’ve never looked at it properly. Sound familiar?

The California Consumer Privacy Act (CCPA) is one of the most significant US privacy laws — and unlike GDPR, which many businesses outside the EU scrambled to understand in 2018, CCPA compliance still catches people off guard. The rules are real, the fines are real, and the requirements now go deeper than they did at launch.

This guide covers everything: who needs to comply, what your obligations actually are, what CCPA compliance means for your website and cookies specifically, and how the 2023–2025 CPRA amendments changed things. By the end, you’ll know exactly what your business needs to do.

What does CCPA compliance mean? CCPA compliance means a business has implemented the required practices to protect the personal data privacy rights of California residents — including providing opt-out mechanisms, responding to consumer rights requests within 45 days, and updating privacy policies to disclose data collection and sharing practices.


What Is CCPA Compliance?

The CCPA (California Consumer Privacy Act) is California’s landmark data privacy law, signed in 2018 and in force since January 2020. It gives California residents specific rights over their personal data and places obligations on businesses that collect it.

“Compliance” means meeting all of those obligations — not just ticking a legal box, but genuinely giving consumers visibility and control over how their data is used.

Who does the CCPA apply to?

Not every business needs to comply. The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these three thresholds:

  1. Annual gross revenue over $25 million
  2. Buy, receive, sell, or share the personal data of 100,000 or more California residents or households per year
  3. Derive 50% or more of annual revenue from selling or sharing California residents’ personal information

The threshold was revised by CPRA — the previous limit was 50,000 consumers. The current 100,000 threshold means some smaller businesses dropped out of scope. But if you’re running any kind of SaaS, e-commerce, media, or lead generation business with a US audience, there’s a reasonable chance you hit threshold #2 before you realise it.

What counts as personal information under CCPA?

The CCPA defines personal information broadly. It includes the obvious — name, email, phone number, address — but also:

  • IP addresses and device identifiers
  • Browsing history and search history
  • Geolocation data
  • Inferences drawn from data to build consumer profiles
  • Sensitive personal information (added by CPRA): Social Security numbers, financial account data, health data, precise geolocation, and biometric data

If your website uses analytics, ad tracking, or third-party cookies, you’re almost certainly collecting CCPA-covered personal information.


Consumer Rights Under the CCPA

The CCPA gives California residents a set of enforceable rights. Your business needs to be able to honour them.

Right to know

Consumers can ask what personal data you’ve collected about them, where it came from, why you’re collecting it, and whether you’ve sold or shared it with third parties. You have 45 days to respond — extendable by another 45 days in complex cases, as long as you notify the consumer.

Right to delete

Consumers can request that you delete their personal data. There are limited exceptions — legal obligations, completing a transaction, security purposes — but in most cases you need to comply and instruct any service providers who hold that data to delete it too.

Right to opt out of the sale of personal data

If you sell or share personal information with third parties, consumers have the right to opt out. This is where the “Do Not Sell My Personal Information” link requirement comes from. The CPRA expanded this to “sale or sharing” — which now explicitly includes sharing data for cross-context behavioural advertising, even when no money changes hands.

Right not to be discriminated against

You can’t penalise consumers for exercising their rights. You can’t deny service, charge different prices, or provide a lower quality experience because someone opted out or submitted a data request. There are narrow carve-outs for financial incentives (loyalty programmes, for example), but they need to be transparent and proportionate.


What Are the CCPA Compliance Requirements for Businesses?

If your business falls under the CCPA, here’s what you need to have in place:

Privacy policy disclosures

Your privacy policy must disclose — at minimum — the categories of personal information you collect, the purposes for which you collect it, how long you retain it, and whether you sell or share it. This must be updated annually, or within 12 months of any significant change in your data practices.

Consumer rights request process (45-day response window)

You must provide at least two methods for consumers to submit rights requests — typically a web form and a toll-free phone number (or email for online-only businesses). Requests must be verified and responded to within 45 days. You need to document your process internally and train staff to handle these requests.

Do Not Sell My Personal Information link

If you sell or share personal data, your website must include a clearly visible “Do Not Sell or Share My Personal Information” link — typically in the footer. Clicking it must take consumers to a mechanism to opt out, which must actually work.

Employee training requirements

Staff who handle consumer rights requests need to be trained on CCPA procedures and your company’s privacy policies. This is easy to overlook but is explicitly required by the law.


CCPA Cookie Consent: What Does It Mean for Your Website?

This is where most CCPA guides go quiet — and where WhatCookie.eu’s expertise is most relevant. The practical, website-level question is: what do you actually need to add to your site?

The CCPA doesn’t require opt-in consent for cookies (unlike GDPR). Instead, it requires the ability to opt out — but the reality is more nuanced than that.

Cookie banners and opt-out for AdTech

If your site uses third-party advertising cookies or shares browsing data with ad networks, that activity likely qualifies as “sharing” personal data under the CCPA, even if you’re not being paid directly for the data. This means you need:

  • A cookie banner or preference centre that lets California visitors opt out of these cookies
  • A “Do Not Sell or Share” mechanism that works — not just a link that goes nowhere
  • Third-party tracking to stop firing on opt-out (this is the part a consent management platform handles)

The key point: CCPA cookie compliance isn’t about getting consent before setting cookies. It’s about giving users a genuine opt-out that is technically enforced.

Global Privacy Control (GPC) signals

The CPRA requires businesses to respect Global Privacy Control (GPC) signals — a browser-level opt-out signal that users can enable once to automatically signal their opt-out preference to every website they visit. If a California resident has GPC enabled, you must treat it as a valid “Do Not Sell or Share” request. This must be handled automatically, not manually. Most CMPs now support GPC detection natively.
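The opt-out enforcement and GPC handling described in the two sections above, as an added example that is not code from WhatCookie.eu or from any CMP; the tag catalogue, the storedChoice values and the consent-record shape are assumptions made for illustration, while navigator.globalPrivacyControl and the Sec-GPC: 1 request header are what the GPC specification defines.

```javascript
// Added example: resolve a California visitor's "Do Not Sell or Share" state
// from the GPC signal plus any stored choice, then gate third-party tags.

// Constructed tag catalogue. saleOrShare marks tags that send browsing data to
// ad networks for cross-context behavioural advertising, which CCPA treats as
// "sharing" even when no money changes hands.
const TAGS = [
  { id: "session-auth",      category: "necessary",   saleOrShare: false },
  { id: "product-analytics", category: "analytics",   saleOrShare: false },
  { id: "ad-network-pixel",  category: "advertising", saleOrShare: true  },
  { id: "retargeting-tag",   category: "advertising", saleOrShare: true  },
];

// Client side: the GPC spec exposes the signal as navigator.globalPrivacyControl.
// Only a strict boolean true counts; absent or any other value means no signal.
function readGpcSignal(nav = globalThis.navigator) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same signal arrives as the request header "Sec-GPC: 1".
// The spec defines only the value "1"; anything else is not an opt-out.
function parseSecGpcHeader(value) {
  return typeof value === "string" && value.trim() === "1";
}

// Resolve the opt-out state. A GPC signal is a valid opt-out request and takes
// priority; a stored "opt-out" choice from the preference centre also opts out;
// with neither, the visitor is in the default (not opted out) state, because
// CCPA is an opt-out regime rather than opt-in.
function resolveOptOut({ gpc, storedChoice }) {
  if (gpc) return { optedOut: true, source: "gpc" };
  if (storedChoice === "opt-out") return { optedOut: true, source: "stored-choice" };
  return { optedOut: false, source: "default" };
}

// Technical enforcement: an opted-out visitor never gets a sale/share tag.
// Necessary and first-party analytics tags are unaffected by the opt-out.
function allowedTags(state, tags = TAGS) {
  return tags.filter((t) => !(state.optedOut && t.saleOrShare)).map((t) => t.id);
}

// Consent record for audit: what was decided, why, and when (assumed shape).
function consentRecord(state, tags = TAGS) {
  return {
    optedOut: state.optedOut,
    source: state.source,
    loaded: allowedTags(state, tags),
    suppressed: tags.filter((t) => state.optedOut && t.saleOrShare).map((t) => t.id),
    recordedAt: new Date().toISOString(),
  };
}

// Browser usage (under Node there is no GPC signal, so this falls to default).
const visitorState = resolveOptOut({ gpc: readGpcSignal(), storedChoice: null });
console.log(JSON.stringify(consentRecord(visitorState)));
```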

Which consent management platforms support CCPA?

A consent management platform (CMP) handles the technical enforcement of user preferences — stopping cookies from firing when a user opts out, detecting GPC signals, and logging consent records. For CCPA compliance, you need a CMP that specifically supports the opt-out model (not just opt-in).

Good options include:

  • Cookiebot — strong CCPA and CPRA support, GPC detection, suitable for small to mid-size sites
  • OneTrust — enterprise-grade, full CCPA/CPRA functionality (see our OneTrust review)
  • CookieYes — lightweight, affordable option with CCPA opt-out mode

For a full comparison, see our best consent management platforms guide.


CCPA Compliance Checklist

Use this checklist to assess where your business stands. Each item maps to a genuine CCPA requirement.

Legal foundations

  • Determined whether your business meets one of the three CCPA thresholds
  • Privacy policy updated with required CCPA disclosures (categories, purposes, retention, sale/sharing)
  • Privacy policy dated within the last 12 months

Consumer rights

  • At least two methods available for submitting consumer rights requests
  • Internal process documented for verifying and responding within 45 days
  • Deletion request process covers third-party service providers
  • Non-discrimination policy documented and applied

Website and cookies

  • “Do Not Sell or Share My Personal Information” link in website footer (if applicable)
  • Cookie banner or preference centre with opt-out mechanism
  • CMP configured to stop third-party cookies on opt-out
  • Global Privacy Control (GPC) signals detected and honoured
  • Third-party vendors reviewed — data sharing agreements in place

Governance

  • Employees who handle requests trained on CCPA procedures
  • Annual review of privacy policy and data practices scheduled
  • Data inventory or record of processing activities maintained

CCPA vs GDPR: Key Differences Explained

If you’re already familiar with GDPR, CCPA will feel broadly recognisable — but the differences matter, especially around consent and scope.

Comparison table: applicability, consent, scope, enforcement

                 | CCPA (as amended by CPRA)                                                                 | GDPR
Jurisdiction     | California residents (any business worldwide)                                             | EU/EEA residents (any business worldwide)
Consent model    | Opt-out (consumers must actively decline)                                                 | Opt-in (prior consent required for most processing)
Who must comply  | For-profit businesses meeting size/revenue thresholds                                     | Any entity processing EU resident data
Consumer rights  | Know, delete, opt-out, correct, limit sensitive data                                      | Access, deletion, portability, rectification, restriction, objection
Penalties        | Up to $2,500 per unintentional violation; $7,500 per intentional violation                | Up to €20M or 4% of global annual turnover
Enforcement body | California Privacy Protection Agency (CPPA) + private right of action for data breaches   | National Data Protection Authorities in each EU country
Cookie consent   | Opt-out for selling/sharing; no opt-in required                                           | Opt-in required for non-essential cookies

The biggest practical difference for website owners: GDPR requires a cookie consent banner that defaults to all non-essential cookies off. CCPA requires an opt-out mechanism but doesn’t require prior consent. If you’ve built your website for GDPR compliance, you’re likely doing more than CCPA requires — but you still need to check that your opt-out mechanism specifically addresses the “Do Not Sell or Share” requirement.

For a full breakdown of how GDPR works, see our GDPR guide.


CCPA and CPRA: What’s Changed Since 2023?

The CCPA was amended by the California Privacy Rights Act (CPRA), which became operative in January 2023. But the changes didn’t stop there — 2025 brought further amendments that most compliance guides haven’t caught up with.

New rights added by CPRA

CPRA introduced several significant additions to the original CCPA:

  • Right to correct — consumers can now request that inaccurate personal data be corrected (not just deleted)
  • Right to limit use of sensitive personal information — a new category of data (biometric, financial, health, precise geolocation, racial/ethnic origin) with stricter handling rules
  • Opt-out for sharing — the original “Do Not Sell” requirement expanded to “Do Not Sell or Share,” explicitly covering data sharing for targeted advertising
  • Data minimisation — businesses must limit collection and use to what’s reasonably necessary for disclosed purposes
  • Contracts with third parties — updated requirements for contracts with service providers and contractors

CPRA also created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, replacing the previous model where the Attorney General handled enforcement.

Neural data and AI systems (2025 amendments)

In January 2025, California’s legislature enacted further amendments to the CCPA/CPRA framework, adding:

  • Neural data as a new category of sensitive personal information — biometric identifiers derived from brain activity and neural signals are now explicitly protected
  • AI systems — businesses using automated decision-making tools must provide consumers with the right to opt out of decisions that significantly affect them, and to request a human review of automated decisions
  • Opt-out transfer requirements — when consumer data is sold or transferred to a third party, the opt-out obligation must transfer with it, meaning acquiring companies can’t simply ignore prior opt-out preferences

These 2025 amendments are live and enforceable. If you use any AI-powered personalisation, automated scoring, or profiling systems on your platform, you need to review whether your opt-out mechanisms cover them.


CCPA Penalties: What Happens If You Don’t Comply?

The CCPA has real teeth. Enforcement is split between the California Privacy Protection Agency and, for data breaches, a private right of action.

Civil penalties from the CPPA:

  • $2,500 per unintentional violation
  • $7,500 per intentional violation

Violations are counted per consumer, per incident — so a single data breach or systematic failure to honour opt-out requests can produce penalties in the hundreds of thousands or millions of dollars. In 2023 and 2024, enforcement actions targeted advertising data sharing, children’s data, and failures to respond to consumer requests within the 45-day window.

Private right of action for data breaches: Consumers can sue for $100–$750 per consumer per incident (or actual damages, if higher) when a data breach results from a business’s failure to implement reasonable security practices. This doesn’t require any individual harm — just the breach itself.

The California Privacy Protection Agency has made clear it is prioritising companies that systematically ignore opt-out requests, fail to honour GPC signals, and collect children’s data without appropriate safeguards.


FAQ

What is CCPA now called?

The CCPA was expanded by the California Privacy Rights Act (CPRA), which took effect in January 2023. Many people still use “CCPA” as shorthand, but technically the law now operates as the CCPA as amended by CPRA. The California Privacy Protection Agency (CPPA) now oversees enforcement.

Does CCPA only apply to California residents?

The CCPA protects the personal data of California residents. However, the law applies to any business anywhere in the world that meets the thresholds — not just California-based companies. If you have customers in California and cross the size/revenue thresholds, you need to comply regardless of where your business is located.

What is the difference between HIPAA and CCPA?

HIPAA (Health Insurance Portability and Accountability Act) applies specifically to healthcare entities and the handling of protected health information. CCPA is a general consumer privacy law that applies to a much broader range of businesses and data types. A healthcare company may need to comply with both, but they cover different ground.

Do I need to comply with CCPA if I’m outside the US?

Yes, potentially. The CCPA applies based on who your customers are, not where your business is located. If you collect personal data from California residents and meet one of the three compliance thresholds, you must comply — even if you’re based in Europe, Asia, or anywhere else. CCPA is one of many data protection laws that apply extraterritorially.


CCPA compliance isn’t as complicated as the legalese makes it sound. The core requirements are knowable, the checklist above covers the essentials, and the right tools make the website side manageable. If you’re not sure where your site stands on cookie consent and opt-out, our CMP comparison is the fastest way to find the right tool for your setup.
