California Data Privacy Laws: CCPA, CPRA & Consumer Rights (2026)

California has the most comprehensive data privacy framework in the United States. The state's consumer privacy protections go far beyond what federal law requires, giving residents powerful rights over how businesses collect, use, and share their personal information.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), serves as the foundation of the state's data privacy regime. Additional laws covering data breaches, online privacy policies, student data, and data brokers provide further layers of protection.
This guide covers every major California data privacy law currently in effect, including the latest 2026 updates to penalties, regulations, and enforcement mechanisms.
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The CCPA was signed into law in 2018 and took effect on January 1, 2020. California voters then approved Proposition 24 in November 2020, which created the CPRA. The CPRA did not replace the CCPA. Instead, it amended and expanded the existing law, adding new consumer rights and creating a dedicated enforcement agency.

The CPRA amendments took effect on January 1, 2023. Today, the combined law is still commonly referred to as the CCPA. It is codified at California Civil Code Sections 1798.100 through 1798.199.100.
Which Businesses Must Comply
The CCPA applies to for-profit businesses that do business in California and meet any one of the following three thresholds, as updated in January 2025 to account for inflation:
- Annual gross revenue of $26.625 million or more (adjusted from the original $25 million)
- Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
- Derive 50% or more of annual revenue from selling or sharing California residents' personal information
The law does not apply to nonprofit organizations or government agencies. Certain types of data are also exempt, including medical information covered by HIPAA, clinical trial data, consumer credit reporting data covered by the FCRA, and information collected under the Gramm-Leach-Bliley Act.
What Counts as Personal Information
The CCPA defines personal information broadly. According to Section 1798.140, personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household.
Examples include names, Social Security numbers, email addresses, purchase histories, browsing activity, geolocation data, fingerprints, and inferences drawn to create consumer profiles.
Sensitive Personal Information
The CPRA introduced a separate category called sensitive personal information, which receives stronger protections. Sensitive personal information includes:
- Social Security numbers, driver's license numbers, and state ID numbers
- Financial account numbers combined with access credentials
- Precise geolocation data
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information used for identification purposes
- Health information
- Information about sex life or sexual orientation
- Neural data (added by SB 1223, effective September 2024)
Consumers have the right to limit how businesses use and disclose their sensitive personal information.
Six Core Consumer Rights Under the CCPA
The CCPA grants California residents six fundamental privacy rights. Businesses must honor these rights regardless of whether the consumer is a customer.
Right to Know
Consumers can request that a business disclose what personal information it has collected about them. This includes the categories and specific pieces of personal information, the sources of collection, the business purposes for collecting or selling the data, and the categories of third parties with whom the information is shared.
Businesses must respond to a verifiable consumer request within 45 calendar days. The business may extend this period by an additional 45 days if it notifies the consumer. Consumers can make this request up to twice per year at no cost.
Right to Delete
Consumers can ask businesses to delete the personal information collected from them. The business must also direct its service providers and contractors to delete the data.
There are exceptions to the right to delete. A business may retain data that is needed to complete a transaction, detect security incidents, comply with a legal obligation, or exercise free speech rights, among other reasons listed in Section 1798.105.
Right to Correct
Added by the CPRA and effective since January 1, 2023, consumers can request that a business correct inaccurate personal information it maintains about them. The business must use commercially reasonable efforts to correct the information within 45 calendar days of receiving a verified request.
Right to Opt-Out of Sale or Sharing
Consumers have the right to direct a business to stop selling or sharing their personal information. Businesses that sell or share personal information must provide a clear and conspicuous link on their website titled "Do Not Sell or Share My Personal Information."
Businesses must also honor Global Privacy Control (GPC) signals sent by a consumer's browser or device. Once a consumer opts out, the business must wait at least 12 months before asking the consumer to opt back in.
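The two mechanics in this section, treating a Global Privacy Control signal as an opt-out and enforcing the 12-month wait before a re-opt-in prompt, are small enough to show in code. The following is an added example written for this guide; it is not code from any agency or from the statute. It assumes a server that sees the request headers and keeps a per-consumer preference record (the `ConsumerPrefs` fields and the `"gpc"`/`"link"` source labels are assumptions for the example); the header name `Sec-GPC` with the value `1` is the one the GPC specification defines.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class ConsumerPrefs:
    """Per-consumer opt-out state (constructed shape for this example)."""
    consumer_id: str
    opted_out_of_sale_sharing: bool = False
    opted_out_on: date | None = None
    opt_out_source: str | None = None  # "gpc" or "link" (assumed labels)


def gpc_signal_present(headers: dict[str, str]) -> bool:
    """True when the request carries a Global Privacy Control signal (Sec-GPC: 1).

    Header names are case-insensitive; the spec defines exactly the value "1",
    so any other value is treated as no signal rather than as consent.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out(prefs: ConsumerPrefs, source: str, today: date) -> ConsumerPrefs:
    """Record an opt-out once; a repeated signal must not reset the original date."""
    if not prefs.opted_out_of_sale_sharing:
        prefs.opted_out_of_sale_sharing = True
        prefs.opted_out_on = today
        prefs.opt_out_source = source
    return prefs


def handle_request(headers: dict[str, str], prefs: ConsumerPrefs, today: date) -> bool:
    """Apply a GPC signal as a valid opt-out and return whether selling/sharing is still allowed.

    The absence of the header is never treated as an opt-in: a consumer who opted
    out earlier stays opted out even when a later request carries no signal.
    """
    if gpc_signal_present(headers):
        apply_opt_out(prefs, "gpc", today)
    return not prefs.opted_out_of_sale_sharing


def may_prompt_to_opt_back_in(prefs: ConsumerPrefs, today: date) -> bool:
    """A business must wait at least 12 months after an opt-out before asking to opt back in."""
    if not prefs.opted_out_of_sale_sharing or prefs.opted_out_on is None:
        return True  # no opt-out on file, so nothing restricts a prompt
    start = prefs.opted_out_on
    try:
        earliest = start.replace(year=start.year + 1)
    except ValueError:
        # Feb 29 has no counterpart next year; use Feb 28 (assumed policy for the example)
        earliest = start.replace(year=start.year + 1, day=28)
    return today >= earliest


if __name__ == "__main__":
    # Constructed sample: a browser sending GPC on 2026-03-01
    prefs = ConsumerPrefs("consumer-123")
    allowed = handle_request({"Sec-GPC": "1"}, prefs, date(2026, 3, 1))
    print("selling/sharing allowed:", allowed)
    print("may prompt on 2027-02-28:", may_prompt_to_opt_back_in(prefs, date(2027, 2, 28)))
    print("may prompt on 2027-03-01:", may_prompt_to_opt_back_in(prefs, date(2027, 3, 1)))
```

The check is deliberately strict about the header value: the specification defines `1` as the only signal, so an unexpected value is ignored rather than read as consent to sale or sharing.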
Right to Limit Use of Sensitive Personal Information
Consumers can direct businesses to limit their use of sensitive personal information to what is necessary to perform the services or provide the goods the consumer requested. Businesses must provide a link titled "Limit the Use of My Sensitive Personal Information" or combine it with the opt-out link.
This right is particularly important for data categories like precise geolocation, financial account details, and biometric or genetic information.
Right to Non-Discrimination
Businesses cannot penalize consumers for exercising their CCPA rights. A business may not deny goods or services, charge different prices, provide a different level of quality, or suggest that exercising a privacy right will result in different treatment.
Business Obligations and Compliance Requirements
Businesses subject to the CCPA must meet several operational requirements beyond simply responding to consumer requests.
Privacy Notice Requirements
Businesses must provide a notice at collection that lists the categories of personal information being collected and the purposes for each category. The notice must be provided at or before the point of collection.
Businesses must also maintain a comprehensive privacy policy that includes all categories of personal information collected in the past 12 months, the sources of that information, the business or commercial purposes for collecting it, the categories of third parties to whom it is disclosed, and a description of each consumer right.
Request Handling Procedures
Businesses must provide at least two methods for consumers to submit requests, including at minimum a toll-free telephone number and a website address. They must acknowledge receipt of a request within 10 business days and respond substantively within 45 calendar days.
For opt-out requests, businesses must comply as soon as feasibly possible, up to a maximum of 15 business days.
Service Provider Contracts
Businesses that share personal information with service providers must have written contracts in place. These contracts must prohibit the service provider from selling or sharing the data, using it for purposes other than those specified in the contract, or retaining it after the business relationship ends.
Child Privacy Protections
The CCPA provides additional protections for minors. Businesses cannot sell or share the personal information of consumers they know to be under 16 years old unless they receive affirmative authorization.
For children under 13, a parent or guardian must provide opt-in consent. For consumers between 13 and 15 years old, the minor themselves must opt in. The California AG has actively enforced these child privacy provisions against mobile gaming and streaming companies.
2026 CCPA Regulation Updates
The California Privacy Protection Agency finalized a major package of new regulations that took effect on January 1, 2026. The Office of Administrative Law approved the regulations on September 22, 2025. These rules cover four major areas.
Automated Decisionmaking Technology (ADMT)
The new regulations give consumers the right to receive notice about, access information regarding, and opt out of businesses' use of automated decisionmaking technology. ADMT includes technology that processes personal information to make decisions that produce legal or similarly significant effects.
Compliance deadlines for ADMT requirements are phased in beginning in 2027 and 2028.
Cybersecurity Audits
Certain businesses whose processing of personal information presents significant risk to consumer privacy or security must complete annual cybersecurity audits. The regulations define which businesses are subject to this requirement based on the type and volume of data they process.
Risk Assessments
Businesses engaged in processing activities that present significant risk to consumer privacy must conduct and submit risk assessments. These assessments evaluate the benefits and risks of processing activities and identify safeguards to address those risks.
Insurance Company Requirements
The 2026 regulations clarify when and how insurance companies must comply with CCPA requirements, addressing a gap in the prior regulatory framework.
CCPA Penalties and Enforcement
The CCPA is enforced by two bodies: the California Privacy Protection Agency (CPPA) and the California Attorney General (AG). Consumers also have a limited private right of action for data breaches.
Administrative and Civil Penalties
As of January 2025, penalties have been adjusted for inflation. The current penalty structure is:
| Violation Type | Penalty Amount |
|---|---|
| Unintentional violation | Up to $2,663 per violation |
| Intentional violation | Up to $7,988 per violation |
| Violations involving minors under 16 | Up to $7,988 per violation |
These amounts are adjusted every odd-numbered year based on changes to the California Consumer Price Index.
Private Right of Action for Data Breaches
Consumers have the right to sue businesses directly, but only in data breach cases. Under Section 1798.150, a consumer may bring a civil action if their unencrypted and unredacted personal information is stolen due to a business's failure to maintain reasonable security measures.
Statutory damages range from $107 to $799 per consumer per incident, or actual damages, whichever is greater. Before filing suit, consumers must provide the business with 30 days' written notice and an opportunity to cure the violation.
California Privacy Protection Agency (CPPA)
The CPRA created the CPPA as the first dedicated data privacy enforcement agency in the United States. The CPPA has the authority to investigate potential violations, conduct audits, issue regulations, and bring administrative enforcement actions.
Consumers can file complaints with the CPPA for violations occurring on or after July 1, 2023.
Recent Enforcement Actions
Both the CPPA and the Attorney General have been actively enforcing the CCPA. Notable recent enforcement actions include:
- Tractor Supply Company (2025): The CPPA issued a $1,350,000 fine, its largest to date, for failing to maintain proper privacy notices, failing to inform job applicants of their privacy rights, lacking effective opt-out mechanisms including Global Privacy Control, and sharing data with third parties without contractual privacy protections.
- American Honda Motor Co. (2025): The CPPA fined Honda $632,500 for CCPA violations related to its privacy practices.
- Todd Snyder, Inc. (2025): The clothing retailer paid a $345,178 fine for failing to properly configure its opt-out mechanism, requesting excessive information from consumers, and requiring identity verification for opt-out requests.
- Disney (2026): The AG secured a $2,750,000 settlement for failing to honor opt-out requests across Disney+, Hulu, and ESPN+.
- Google LLC (2023): The AG obtained a $93,000,000 settlement for deceptive practices regarding location data collection and user profiling.
- Blackbaud, Inc. (2024): A $6,750,000 settlement for a data breach caused by failure to implement basic security measures like deleting old backups and using multi-factor authentication.
California Data Breach Notification Law
California's data breach notification law, codified at Civil Code Section 1798.82, was one of the first of its kind in the nation when enacted in 2003.
When Notification Is Required
A business or person that conducts business in California and owns or licenses computerized data containing personal information must notify affected California residents when their unencrypted personal information is acquired, or reasonably believed to have been acquired, by an unauthorized person.
If encrypted data is breached and the encryption key or security credential is also compromised, notification is still required.
What Personal Information Triggers Notification
A breach notification is required when the compromised data includes a person's first name or initial and last name combined with any of the following:
- Social Security number
- Driver's license number or California identification card number
- Financial account number or credit/debit card number combined with any required access code
- Medical information or health insurance information
- Biometric data collected for authentication purposes
- A unique biometric identifier generated from measurements of physical characteristics
- Genetic data
- Tax identification number, passport number, or military identification number
A breach of a username or email address combined with a password or security question and answer also triggers notification.
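During incident response, the first question after scoping a breach is whether the exposed data elements meet the statutory trigger. The following is an added example for this guide, not code from the statute or from the Attorney General; it encodes only the trigger rules summarised above (name plus a listed element, login identifier plus password or security answer, and the encryption exception) and uses constructed field names such as `ssn` and `access_code` as assumptions about how an inventory of compromised fields might be labelled.

```python
from __future__ import annotations

from dataclasses import dataclass

# Data elements that trigger notice when combined with a first name or initial
# and last name. Keys are assumed field names; values are the categories from the guide.
NAME_LINKED_ELEMENTS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license or California ID card number",
    "medical_info": "medical or health insurance information",
    "biometric_auth_data": "biometric data collected for authentication",
    "biometric_identifier": "unique biometric identifier",
    "genetic_data": "genetic data",
    "tax_id": "tax identification, passport, or military ID number",
}


@dataclass
class ExposedRecords:
    """Inventory of what an unauthorized party acquired (constructed shape for this example)."""
    fields: set[str]                 # compromised field names, e.g. {"first_name", "last_name", "ssn"}
    encrypted: bool = False          # was the data encrypted?
    key_compromised: bool = False    # was the key or security credential also acquired?
    affected_ca_residents: int = 0


def notification_triggers(exposed: ExposedRecords) -> list[str]:
    """Return the reasons notice is required; an empty list means no statutory trigger."""
    # Encrypted data that stays unreadable is outside the trigger; an acquired key brings it back in.
    if exposed.encrypted and not exposed.key_compromised:
        return []
    f = exposed.fields
    reasons: list[str] = []
    has_name = "last_name" in f and ("first_name" in f or "first_initial" in f)
    if has_name:
        for key, label in NAME_LINKED_ELEMENTS.items():
            if key in f:
                reasons.append(f"name + {label}")
        # Account or card numbers count only together with a required access code.
        if ("financial_account" in f or "card_number" in f) and "access_code" in f:
            reasons.append("name + financial or card account number with access code")
    # Online credentials trigger notice on their own, without a name.
    if ("username" in f or "email" in f) and ("password" in f or "security_qa" in f):
        reasons.append("login identifier + password or security question and answer")
    return reasons


def ag_sample_copy_required(exposed: ExposedRecords) -> bool:
    """True when more than 500 California residents are affected (sample notice to the AG)."""
    return exposed.affected_ca_residents > 500


if __name__ == "__main__":
    # Constructed sample: a plaintext export of names, card numbers and CVV/access codes
    sample = ExposedRecords({"first_name", "last_name", "card_number", "access_code"},
                            affected_ca_residents=1200)
    print(notification_triggers(sample))
    print("AG sample copy required:", ag_sample_copy_required(sample))
```

Note the two deliberate non-triggers that a hurried triage often gets wrong: a card number without its access code, and encrypted data whose key was not taken, both return an empty list.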
Notification Timeline and Requirements
Businesses must disclose the breach within 30 calendar days of discovery or notification. A reasonable delay is permitted for law enforcement purposes or to determine the scope of the breach.
The notification must be written in plain language with a font size of at least 10 points and must include five sections: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information."
When a breach affects more than 500 California residents, the business must submit a sample copy of the notification to the Attorney General within 15 days.
California's Delete Act and the DROP Platform
California's Delete Act, signed in 2023, created a groundbreaking mechanism for consumers to exercise control over their personal information held by data brokers.
The law established the Delete Request and Opt-Out Platform (DROP), a state-hosted website where California residents can submit a single deletion request that applies to every registered data broker in the state. The DROP launched in January 2026.
Data Broker Registration Requirements
Businesses that operated as data brokers in the prior year must register with the CPPA by January 31 each year and pay an annual fee of $6,000. As of January 1, 2024, the CPPA manages the data broker registry, which was transferred from the Attorney General.
How the DROP Works
Starting August 1, 2026, registered data brokers must access the DROP at least every 45 days to retrieve and process consumer deletion requests. If a consumer's information matches the data broker's records, the broker must delete all associated personal data, including inferences, unless a legal exemption applies. Data brokers must report the status of each deletion request within 45 days of retrieving it.
The CPPA has launched a data broker enforcement strike force and has already brought enforcement actions against unregistered data brokers, including a $45,000 fine against Rickenbacher Data LLC for selling personal information of millions of people with serious health conditions without registering.
Other California Privacy Laws
Beyond the CCPA, California has enacted several other privacy statutes that protect residents' data.
California Online Privacy Protection Act (CalOPPA)
CalOPPA, codified in the Business and Professions Code Sections 22575-22579, was enacted in 2003 and requires operators of commercial websites and online services that collect personal information from California residents to conspicuously post a privacy policy.
The privacy policy must identify the categories of personal information collected, the categories of third parties with whom the information may be shared, the process for a consumer to review and request changes to their information, and how the operator notifies consumers of material changes to the policy.
CalOPPA also requires the policy to disclose how the operator responds to "Do Not Track" browser signals.
Shine the Light Law
California's "Shine the Light" law, codified at Civil Code Sections 1798.83-1798.84, gives consumers the right to learn how companies share their personal information with third parties for direct marketing purposes.
Once per year, a consumer can request a list of the categories of personal information shared and the names and addresses of the third parties that received it. Businesses can comply by either providing this information upon request or offering consumers a choice to opt out of such sharing.
Student Online Personal Information Protection Act (SOPIPA)
Enacted as SB 1177 in 2014, SOPIPA protects K-12 students by imposing strict obligations on operators of educational technology services.
SOPIPA prohibits EdTech operators from:
- Using student information to build profiles for non-educational purposes
- Selling student information
- Engaging in targeted advertising based on student data
- Using collected information to create advertising profiles
EdTech operators must also implement and maintain reasonable security procedures to protect student information from unauthorized access.
Age-Appropriate Design Code Act
California enacted the Age-Appropriate Design Code Act (AB 2273) in 2022, which would require online businesses likely to be accessed by children to conduct data protection impact assessments and implement privacy protections by default. However, as of early 2026, enforcement remains blocked by a federal court injunction following a legal challenge. The California Attorney General has appealed the decision.
How California Compares to Other State Privacy Laws
California's privacy framework is the most expansive in the United States. Key differences from other state privacy laws include:
- Dedicated enforcement agency: California is the only state with a standalone privacy enforcement agency (the CPPA). Other states rely on their Attorney General.
- Private right of action: California allows consumers to sue directly for data breaches. Most other state privacy laws do not include any private right of action.
- Data broker registry: California is the only state requiring data brokers to register and providing a centralized deletion mechanism through the DROP platform.
- Revenue threshold: The $26.625 million revenue threshold is unique to California. Other states like Virginia, Colorado, and Connecticut do not have a revenue threshold.
- Sensitive data protections: California's treatment of sensitive personal information, including the 2024 addition of neural data, is among the broadest in the country.
Sources and References
- CCPA Full Text (Cal. Civ. Code 1798.100-1798.199.100) - California Legislative Information (leginfo.legislature.ca.gov)
- Section 1798.140 Definitions - California Legislative Information (leginfo.legislature.ca.gov)
- CCPA Overview - California Attorney General (oag.ca.gov)
- CCPA Statute Effective January 1, 2026 - California Privacy Protection Agency (cppa.ca.gov)
- CCPA FAQs - California Privacy Protection Agency (cppa.ca.gov)
- 2025 Penalty Adjustments - California Privacy Protection Agency (cppa.ca.gov)
- CCPA Updates: Cybersecurity Audits, Risk Assessments, ADMT, Insurance - California Privacy Protection Agency (cppa.ca.gov)
- Privacy Enforcement Actions - California Attorney General (oag.ca.gov)
- Data Breach Notification Law (Cal. Civ. Code 1798.82) - California Legislative Information (leginfo.legislature.ca.gov)
- Data Breach Reporting Requirements - California Attorney General (oag.ca.gov)
- Delete Request and Opt-Out Platform (DROP) - California Privacy Protection Agency (cppa.ca.gov)
- SB 1223: Neural Data as Sensitive Personal Information - California Legislature (leginfo.legislature.ca.gov)
- CalOPPA (Bus. & Prof. Code 22575-22579) - California Legislative Information (leginfo.legislature.ca.gov)
- Shine the Light Law (Civ. Code 1798.83) - California Legislative Information (leginfo.legislature.ca.gov)
- SOPIPA (SB 1177) - California Legislature (leginfo.legislature.ca.gov)
- Age-Appropriate Design Code Act (AB 2273) - California Legislature (leginfo.legislature.ca.gov)
- Age-Appropriate Design Code Act Appeal - California Attorney General (oag.ca.gov)
- Tractor Supply Company Enforcement - California Privacy Protection Agency (cppa.ca.gov)
- Todd Snyder Enforcement - California Privacy Protection Agency (cppa.ca.gov)
- Data Broker Enforcement Actions - California Privacy Protection Agency (cppa.ca.gov)
This article provides general legal information about California data privacy laws. It is not legal advice. Laws and regulations change frequently, and enforcement interpretations evolve over time. Consult an attorney for advice specific to your situation.