CCPA (California Consumer Privacy Act)

TL;DR. The California Consumer Privacy Act (CCPA) is a state privacy law that gives California residents the right to know, delete, correct, and opt out...

What is CCPA (California Consumer Privacy Act)?

Also known as: CCPA, CPRA, California privacy law

What is the CCPA?

The California Consumer Privacy Act is a state law that gives California residents control over the personal information that businesses collect about them. It passed in June 2018 and took effect on 1 January 2020. The official text and FAQs sit at the California Attorney General CCPA page.

The CCPA was the first comprehensive consumer privacy law in the United States. It set the template that Virginia, Colorado, Connecticut, Texas, and a dozen other states have since copied. For advertisers, it is the most consequential US privacy law in force today.

CCPA vs CPRA: what changed in 2023?

The California Privacy Rights Act (CPRA) is an amendment to the CCPA, not a replacement. Voters approved Proposition 24 in November 2020. Substantive rules took effect on 1 January 2023. Enforcement began on 1 July 2023, per the California Privacy Protection Agency.

CPRA made four big changes:

  • New regulator. The CPPA was created as a dedicated privacy agency. Before CPRA, only the Attorney General could enforce.
  • Sharing for ad targeting. The opt-out right now covers sharing for cross-context behavioral advertising, not only outright sale.
  • Sensitive personal information. A new category was added for race, health, precise geolocation, biometrics, and similar data. Consumers can limit its use.
  • Contractual duties for vendors. Service providers, contractors, and third parties must sign written contracts with specific CPRA terms.

The CPRA shift from "sale" to "share" closed the loophole most ad-tech vendors had used since 2020. Many platforms argued data exchanges in real-time bidding were not "sales" because no money changed hands. CPRA settled the question. If the data leaves your domain to power targeting, the user can stop it.

Who does the CCPA apply to?

The CCPA applies to for-profit businesses that handle California resident personal information and meet at least one of three thresholds, set by Civil Code Section 1798.140:

  • Gross annual revenue above 25 million dollars, or
  • Buying, selling, or sharing personal information of 100,000 or more California consumers or households per year, or
  • Earning 50 percent or more of annual revenue from selling or sharing personal information.

The law covers a California resident anywhere in the world, not only in-state activity. A New York retailer that ships to Los Angeles is in scope. A Berlin publisher running display ads to California readers is in scope.

Nonprofits, government agencies, and certain regulated data (HIPAA, GLBA, FCRA) sit outside. Employee and B2B data is now fully covered after the CPRA exemption sunset on 1 January 2023.

What rights do California consumers have?

Consumers gained five core rights under CCPA, expanded by CPRA. The table below maps each right to what advertisers must build.

| Right | What the consumer can do | Operational requirement |
|---|---|---|
| Right to know | Request the categories and specific pieces of personal information collected | Self-serve portal or verified request workflow, 45-day response |
| Right to delete | Ask the business to delete personal information | Deletion across CRM, ad platforms, and processors, with confirmation |
| Right to correct (CPRA) | Fix inaccurate personal information | Editable profile or verified correction workflow |
| Right to opt out of sale or sharing | Stop sale and stop cross-context behavioral advertising | "Do Not Sell or Share My Personal Information" link, GPC signal honored |
| Right to limit use of sensitive PI (CPRA) | Restrict processing of sensitive categories to necessary uses | "Limit the Use of My Sensitive Personal Information" link |

Verification rules are strict. The business must confirm the requester is the consumer before releasing or deleting data. Two or three data points usually suffice for low-risk requests. Identity documents are required for higher-risk ones.

What must advertisers do under CCPA?

Five concrete obligations sit on every advertiser running California traffic.

Post the opt-out links

Both "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" must appear as clear and conspicuous links on the homepage, in the footer, or wherever the privacy notice lives. The CPPA regulations specify font, placement, and language requirements.

Honor Global Privacy Control

Browsers like Brave and Firefox, plus extensions like DuckDuckGo Privacy Essentials, send a GPC header on every request. California regulators have confirmed that GPC counts as a valid opt-out. The pixel layer must read the header and suppress sale or sharing automatically. A consent management platform (CMP) is the standard place to handle this.

Sign CPRA-compliant contracts with vendors

Every ad network, analytics tool, and data processor must sign a written agreement with specific CPRA terms. Service-provider clauses limit the vendor's use of data to the contracted purpose. The IAB Multi-State Privacy Agreement (MSPA) is the industry-standard template that programmatic buyers and sellers use today.

Update the privacy notice

The notice must list the categories of personal information collected, the categories of sources, the business purposes, the categories of third parties data is shared with, and retention periods. Update it annually at minimum.

Build a verified request workflow

Two intake methods are required, including a toll-free number for businesses that interact with consumers offline. Online-only businesses can offer email plus a web form. The response deadline is 45 days, extendable once by another 45 days with notice.

On the campaigns we have audited, the failure point is rarely the homepage link. It is the pixel firing before the CMP reads the GPC header. Tag managers default to loading on page-ready, which beats the privacy logic. The fix is the same as for GDPR. Gate every advertising tag behind the consent or opt-out signal, never the page lifecycle.
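Gating advertising tags on the opt-out signal rather than the page lifecycle, as an added example (not code from the original page or from any CMP vendor). The `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` are defined by the Global Privacy Control specification; the tag inventory and all function names are hypothetical.

```javascript
// Constructed tag inventory (hypothetical ids). Each tag declares whether it
// sells or shares personal information for cross-context advertising.
const TAGS = [
  { id: "site-analytics-1p", sharesPI: false },
  { id: "retargeting-pixel", sharesPI: true },
  { id: "rtb-header-bidder", sharesPI: true },
];

// Server side: GPC arrives as the request header "Sec-GPC: 1".
// Header names are case-insensitive; only the value "1" expresses the opt-out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: the same preference is exposed to scripts as a boolean.
// Pass the browser's `navigator` object; null means "not available".
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// The user is opted out if ANY source says so: the GPC header, the GPC
// script property, or a stored choice made through the
// "Do Not Sell or Share My Personal Information" link.
function isOptedOut({ headers = {}, nav = null, storedOptOut = false } = {}) {
  return storedOptOut || gpcFromHeaders(headers) || gpcFromNavigator(nav);
}

// Decide which tags may load BEFORE anything is injected. Calling this from
// a page-ready handler after tags have already fired defeats the purpose.
function tagsToLoad(tags, signals) {
  const optedOut = isOptedOut(signals);
  return tags.filter((t) => !(optedOut && t.sharesPI)).map((t) => t.id);
}

// Constructed request: a browser with GPC enabled.
console.log(tagsToLoad(TAGS, { headers: { "Sec-GPC": "1" } }));
```

Evaluating the signal on the server and omitting the tags from the rendered page removes the race with the tag manager entirely, because a suppressed pixel is never sent to the browser.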

How does the CCPA compare to the GDPR?

Both laws protect personal data. The mechanics differ in ways that matter for ad operations.

| Feature | CCPA / CPRA | GDPR |
|---|---|---|
| Default model | Opt-out (stop sale or sharing on request) | Opt-in (consent before processing) |
| Who is covered | California residents | People in the EU and EEA |
| Lawful bases | None required, "business purpose" framing | Six bases in Article 6 |
| Sensitive data | Limit-use right, not consent | Explicit consent or narrow exemption |
| Max fine | 7,500 dollars per intentional violation | 4 percent of global turnover or 20M euros |
| Private right of action | Yes, for data breaches only | No, regulators enforce |
| Regulator | CPPA and Attorney General | National DPAs coordinated by EDPB |

Most US advertisers running national traffic now build to a multi-state baseline. Ten US states had comprehensive privacy laws in force by early 2026, and another six are scheduled for 2026 to 2027.

Real-world example: a CCPA enforcement action

Sephora was the first major CCPA enforcement target. In August 2022, the California Attorney General announced a 1.2 million dollar settlement with the retailer.

The findings were specific. Sephora allowed third-party trackers to collect customer data for ad targeting. The company classified this as "not a sale," so it offered no opt-out link. Investigators also found that Sephora did not honor GPC signals from browsers.

The settlement required Sephora to:

  • Disclose the sale of personal information in its privacy policy
  • Add a Do Not Sell My Personal Information link to its homepage
  • Configure systems to recognize and honor GPC opt-out signals
  • Submit annual compliance reports for two years

In the four years since the Sephora action, the California Attorney General and CPPA have published roughly 30 enforcement settlements through early 2026, with cookie-and-pixel mishandling featuring in the majority of cases. Cumulative fines remain modest compared with GDPR, but injunctive relief, public press releases, and mandatory audits create the real cost.

What does the CCPA look like in 2026?

The CCPA itself has not changed since CPRA enforcement began. The ecosystem around it has shifted in three ways.

  • Active CPPA rulemaking. The agency has issued draft rules on automated decision-making, risk assessments, and cybersecurity audits. Final rules are expected through 2026 and add real obligations for adtech vendors.
  • More state laws to mirror. Texas, Oregon, Florida, and Montana laws now run alongside CCPA. The IAB MSPA exists precisely so a single contract covers all of them.
  • Federal pressure. Discussion of a federal privacy law (APRA, ADPPA) continues. None has passed. CCPA remains the de facto US standard for now.

The takeaway for marketers running California or US-wide traffic: treat CCPA as the floor, build the CMP and vendor contract layer once, and design audience targeting flows so that opt-outs propagate automatically across every platform a campaign touches. The cost of a Sephora-style settlement is no longer the headline fine. It is the public order to rebuild plumbing under regulator supervision.

Frequently asked questions

Is CCPA the same as CPRA?

No. The CCPA passed in 2018 and took effect on 1 January 2020. The California Privacy Rights Act (CPRA), approved by voters in 2020, amended the CCPA. CPRA enforcement began on 1 July 2023. Today the combined law is often called CCPA or CCPA/CPRA. Source: California Attorney General.

Who must comply with the CCPA?

For-profit businesses that handle California resident data and meet one of three thresholds: annual revenue over 25 million dollars; buying or selling personal information of 100,000 or more California residents per year; or earning at least 50 percent of revenue from selling or sharing personal information.

What is the difference between selling and sharing data under the CPRA?

Selling means exchanging personal information for money or other value. Sharing was added by CPRA in 2023 and covers cross-context behavioral advertising, even without payment. Both trigger the right to opt out. The Do Not Sell or Share My Personal Information link must appear on the homepage.

Does the CCPA recognize Global Privacy Control signals?

Yes. California regulators confirmed that browsers and extensions sending the Global Privacy Control (GPC) signal must be treated as a valid opt-out request. Ignoring GPC signals exposes the business to enforcement. Sephora paid 1.2 million dollars in 2022 partly for this reason.

What are the CCPA penalties?

Civil penalties of up to 2,500 dollars per violation, or 7,500 dollars per intentional violation or violation involving a minor. The California Privacy Protection Agency (CPPA) and the Attorney General both enforce. Private lawsuits are allowed for certain data breaches under Section 1798.150, with statutory damages of 100 to 750 dollars per consumer per incident.
