What is CCPA compliance?
California's privacy law, strengthened by the CPRA, sets rules for handling consumer data. This guide explains what it requires.
The California Consumer Privacy Act (CCPA), amended and strengthened by the California Privacy Rights Act (CPRA), is the most influential US state privacy law. It gives California consumers rights over their personal information and places obligations on the businesses that collect it.
Because California is such a large market, CCPA effectively sets a baseline many companies adopt nationwide. This guide covers who it applies to, the rights it grants, and how to comply.
- Applies to for-profit businesses that meet revenue or data-volume thresholds and handle Californians' data.
- Consumers can know, delete, correct, and opt out of the sale or sharing of their data.
- The CPRA added new rights and created a dedicated regulator, the CPPA.
- It overlaps heavily with GDPR and the DPDP Act, so one privacy programme can cover several.
Who must comply
CCPA applies to for-profit businesses that handle California residents' personal information and meet at least one threshold: annual gross revenue above a set amount, buying or selling the personal information of a large number of consumers, or deriving a significant share of revenue from selling or sharing personal information. If you serve California consumers at scale, assume it applies.
Consumer rights
CCPA and CPRA give consumers the right to:
- Know what personal information is collected and how it is used.
- Delete their personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of their personal information.
- Limit the use of sensitive personal information.
How to comply
Map the personal information you hold and how it flows, update your privacy notice and consumer-request handling, honour opt-outs, and secure the data, since a failure to protect it can trigger liability. Because the requirements resemble GDPR and the DPDP Act, building one strong data-protection programme lets you meet several laws at once.
Frequently asked questions
One programme, many privacy laws
CCPA, GDPR, and DPDP overlap. See where personal data is exposed with a free check.
Run a free check