What Is CCPA? California Consumer Privacy Act Explained (2026)

The California Consumer Privacy Act (CCPA) is a landmark data privacy law that gives California residents significant control over how businesses collect, use, and sell their personal information. Codified at Cal. Civ. Code 1798.100-1798.199.100, the CCPA took effect on January 1, 2020, and has since been amended by the California Privacy Rights Act (CPRA) to expand consumer protections further.
As of 2026, the CCPA stands as one of the most comprehensive data privacy statutes in the United States, enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA).
How the CCPA Came to Be
The CCPA has an unusual origin story for major legislation. In 2017, San Francisco real estate developer Alastair Mactaggart began drafting a ballot initiative after a Google engineer reportedly told him at a dinner party that consumers would be "really worried" if they understood how much data companies collected about them.
Mactaggart and his organization, Californians for Consumer Privacy, gathered more than 629,000 signatures to qualify the initiative for the November 2018 ballot. The campaign raised over $3 million, with Mactaggart personally funding the vast majority.
Rather than let voters decide directly, the California Legislature struck a deal. On June 28, 2018, lawmakers passed Assembly Bill 375 in a matter of days. Governor Jerry Brown signed it the same day. In exchange, Mactaggart withdrew the ballot initiative.
The CCPA took effect on January 1, 2020, making California the first state in the nation to grant consumers broad rights over their personal data.

Who the CCPA Applies To
The CCPA covers for-profit businesses that collect personal information from California residents and meet at least one of three thresholds. The CPPA adjusts the revenue threshold biennially to account for inflation.
Business Applicability Thresholds (2025 Adjustment)
| Threshold | Requirement |
|---|---|
| Gross annual revenue | $26.625 million or more in the preceding calendar year |
| Data volume | Buys, sells, or shares personal information of 100,000 or more California residents or households |
| Revenue from data sales | Derives 50% or more of annual revenue from selling or sharing California residents' personal information |
A business only needs to meet one of these thresholds to fall under the CCPA.
The law applies regardless of where the business is physically located. A company based in New York or Texas that collects data from California residents and meets a threshold is subject to the CCPA.
Who Is NOT Covered
Nonprofit organizations and government agencies are generally exempt. Certain types of data are also carved out, including medical information governed by HIPAA or the Confidentiality of Medical Information Act (CMIA), data covered by the Gramm-Leach-Bliley Act (financial institutions), and information regulated under the Fair Credit Reporting Act.
What Counts as Personal Information
The CCPA defines "personal information" broadly. It includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household.
Categories of Personal Information
- Identifiers: Name, postal address, email address, Social Security number, driver's license number, passport number, IP address, account name
- Customer records: Financial information, insurance information, education history, employment history
- Protected classifications: Race, ethnicity, religion, sexual orientation, gender identity, disability, veteran status
- Commercial information: Purchase records, consuming histories, property records
- Biometric information: Fingerprints, faceprints, voiceprints, iris scans, keystroke patterns
- Internet activity: Browsing history, search history, interaction data with websites or apps
- Geolocation data: Precise physical location
- Sensory data: Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment information: Current or past job history, performance evaluations
- Education information: Records maintained by educational institutions
- Inferences: Profiles reflecting preferences, characteristics, behavior, attitudes, or predispositions
Sensitive Personal Information
The CPRA amendments created a special category called "sensitive personal information" with additional protections. This includes:
- Social Security, driver's license, state ID, or passport numbers
- Account login credentials combined with required security codes or passwords
- Precise geolocation
- Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data
- Biometric data used to uniquely identify a consumer
- Health information, sex life, or sexual orientation data
- Neural data (added by SB 1223, effective 2025)
Consumers have the right to limit how businesses use and disclose their sensitive personal information.

Consumer Rights Under the CCPA
The CCPA grants California residents several specific rights. Businesses must honor these rights without charging extra or providing a lower quality of service (the "right to non-discrimination").
Right to Know
Consumers can request that a business disclose:
- What categories of personal information it has collected
- The sources from which it collected the information
- The business or commercial purpose for collecting or selling the information
- The categories of third parties with whom the business shares or sells the information
- The specific pieces of personal information the business has collected about the consumer
Businesses must respond to verified requests within 45 calendar days, with the option to extend by another 45 days (90 total) if they notify the consumer.
Right to Delete
Consumers can request deletion of personal information a business has collected from them. The business must also direct its service providers and contractors to delete the information, subject to certain exceptions (such as completing a transaction, detecting security incidents, or complying with a legal obligation).
Right to Opt Out of Sale or Sharing
Consumers can direct businesses to stop selling or sharing their personal information. "Sharing" specifically refers to making personal information available to third parties for cross-context behavioral advertising, a distinction added by the CPRA in 2023.
Businesses that sell or share personal information must post a clear "Do Not Sell or Share My Personal Information" link on their homepage.
Right to Correct
Added by the CPRA effective January 1, 2023, consumers can request that a business correct inaccurate personal information it maintains about them.
Right to Limit Use of Sensitive Personal Information
Also added by the CPRA, consumers can direct businesses to limit their use of sensitive personal information to purposes that are necessary to provide the goods or services the consumer requested.
Right to Non-Discrimination
Businesses cannot deny goods or services, charge different prices, provide a different quality of service, or suggest they will do any of these things because a consumer exercised their CCPA rights.
Business Obligations
Businesses covered by the CCPA must take several steps to comply, as outlined by the California Attorney General and the CPPA.
Privacy Policy Requirements
Every covered business must maintain a privacy policy that discloses:
- Categories of personal information collected in the preceding 12 months
- Categories of sources from which the information was collected
- The business or commercial purpose for collecting, selling, or sharing the information
- Categories of third parties to whom the business discloses personal information
- A description of each consumer right and how to exercise them
"Do Not Sell or Share" Link
Businesses that sell or share personal information must include a clear, conspicuous "Do Not Sell or Share My Personal Information" link on their website homepage. Businesses must also honor opt-out preference signals such as Global Privacy Control (GPC).
Request Handling
Businesses must provide at least two methods for consumers to submit requests (for online-only businesses, email and a web form suffice). They must verify the identity of requesters and respond within 45 days.
Data Minimization
Businesses may only collect personal information that is reasonably necessary and proportionate for the purposes disclosed in the privacy policy.
Penalties and Enforcement
The CCPA provides for both administrative enforcement and a limited private right of action.
Administrative Penalties
The CPPA adjusts penalty amounts biennially for inflation. As of the 2025 adjustment:
| Violation Type | Penalty Per Violation |
|---|---|
| Unintentional violation | Up to $2,663 |
| Intentional violation | Up to $7,988 |
| Violations involving minors | Up to $7,988 |
Both the California Attorney General and the CPPA share enforcement authority. The AG has exercised this power through several high-profile enforcement actions.
Notable Enforcement Actions
- Sephora (2022): $1.2 million settlement for selling personal information without proper disclosure and failing to honor Global Privacy Control signals
- DoorDash (2023): $375,000 settlement for selling customer personal information without notice or opt-out options
- Disney (2024): $2.75 million settlement, the largest CCPA settlement in California history, for failing to allow consumers to fully opt out of data sale and sharing
- Tractor Supply Company (2025): $1.35 million fine from the CPPA for CCPA violations
- American Honda Motor Co. (2025): $632,500 settlement with the CPPA over privacy violations
Private Right of Action for Data Breaches
Under Cal. Civ. Code 1798.150, consumers whose nonencrypted or nonredacted personal information is exposed in a data breach caused by a business's failure to maintain reasonable security procedures may file a civil lawsuit. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
This private right of action is limited to data breaches. Other CCPA violations can only be enforced by the Attorney General or the CPPA.
The CPPA: California's Dedicated Privacy Enforcer
Proposition 24 (the CPRA) established the California Privacy Protection Agency as the first dedicated privacy enforcement agency in the United States. The CPPA began enforcement operations on July 1, 2023, sharing authority with the Attorney General.
The CPPA's responsibilities include:
- Implementing and enforcing the CCPA through administrative proceedings
- Adopting regulations to clarify and operationalize the law
- Educating the public about consumer privacy rights
- Operating the Delete Request and Opt-Out Platform (DROP), which launched January 1, 2026, allowing consumers to send deletion requests to all registered data brokers with a single submission
How the CCPA Differs from the CPRA
The CPRA is not a separate law. It amended the existing CCPA, effective January 1, 2023. The key additions include:
- New consumer rights: Right to correct inaccurate data and right to limit use of sensitive personal information
- Expanded opt-out: Sale opt-out expanded to include "sharing" for cross-context behavioral advertising
- Sensitive personal information: Created a new category with additional restrictions
- CPPA creation: Established a dedicated enforcement agency
- Contractor obligations: Extended requirements beyond service providers to include contractors
- Risk assessments and cybersecurity audits: Required for certain businesses (regulations finalized 2025, effective 2026)
- Automated decisionmaking: New transparency and opt-out requirements for businesses using automated decisionmaking technology (effective January 1, 2027)
For a detailed comparison, see our guide on CCPA vs CPRA: Key Differences Explained.
2026 Regulatory Updates
The CPPA finalized a major package of new regulations in September 2025, all effective January 1, 2026. These include:
- Cybersecurity audits: Certain businesses must conduct annual cybersecurity audits and submit attestations to the CPPA by April 1, 2028
- Risk assessments: Businesses must complete privacy risk assessments for processing activities that present significant risk to consumers
- Automated decisionmaking technology (ADMT): Consumers gain the right to access information about and opt out of significant decisions made using ADMT (compliance deadline: January 1, 2027)
- Insurance regulations: Clarification of when insurance companies must comply with the CCPA
- DROP platform: The Delete Request and Opt-Out Platform went live, letting consumers delete data from all registered data brokers in one step
Related California Privacy Topics
California's data privacy framework extends beyond the CCPA. Explore related topics:
- California Data Privacy Laws (parent hub covering all California privacy statutes)
- CCPA vs CPRA: Key Differences Explained
- CCPA Compliance Checklist
- CCPA Opt-Out Rights
- California Biometric Privacy Laws
- California Data Breach Notification Laws
This article provides general legal information, not legal advice. Privacy law is complex and fact-specific. Consult an attorney for advice specific to your situation.
Sources and References
- CCPA Full Text (Cal. Civ. Code 1798.100-1798.199.100), leginfo.legislature.ca.gov
- California Consumer Privacy Act (CCPA) Overview, oag.ca.gov
- CPPA Official Website and FAQ, cppa.ca.gov
- CCPA Statute Effective January 1, 2026, cppa.ca.gov
- Updated Monetary Thresholds (CPI Adjustment), cppa.ca.gov
- Cal. Civ. Code 1798.150 (Private Right of Action), leginfo.legislature.ca.gov
- CPPA Enforcement: 2025 Penalty Increases, cppa.ca.gov
- AG Settlement with Sephora ($1.2M), oag.ca.gov
- AG Settlement with Disney ($2.75M), oag.ca.gov
- AG Settlement with DoorDash ($375K), oag.ca.gov
- CPPA Settlement with Honda ($632,500), cppa.ca.gov
- CCPA Updates, Cybersecurity Audits, Risk Assessments, ADMT Regulations, cppa.ca.gov
- Delete Request and Opt-Out Platform (DROP), cppa.ca.gov
- Global Privacy Control (GPC), oag.ca.gov
- SB 1223 (Neural Data as Sensitive PI), leginfo.legislature.ca.gov