
What is CCPA? Complete California Privacy Law Guide for 2025

By Sarah Chen
January 20, 2025
10 min read

California Privacy Law Guide

TL;DR: Quick Takeaways

  • CCPA is California's comprehensive consumer privacy law protecting personal information
  • Applies to businesses with $25M+ revenue, 100K+ consumers, or 50%+ revenue from selling data
  • Grants 7 consumer rights including right to know, delete, and opt-out
  • Penalties range from $2,500 per violation to $7,500 for intentional violations

When the California Consumer Privacy Act (CCPA) went into effect in 2020, it marked a watershed moment for data privacy in the United States. For the first time, consumers gained comprehensive rights over their personal information, and businesses faced significant obligations—and penalties—for mishandling that data.

Whether you're a SaaS company, e-commerce platform, or any business collecting California resident data, understanding CCPA compliance is no longer optional. With the recent CPRA amendments expanding requirements and enforcement ramping up, getting this right is critical.

In this comprehensive guide, we'll break down everything you need to know about CCPA—from who needs to comply to practical steps for implementation.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. It gives California consumers unprecedented control over their personal information.

Think of CCPA as California's answer to Europe's GDPR—though there are important differences. The law applies to any for-profit business that collects California residents' personal information and meets certain thresholds.

Key Components of CCPA

  • Consumer Rights: seven fundamental rights over personal information
  • Business Obligations: transparency, security, and response requirements
  • Enforcement: California Attorney General, the California Privacy Protection Agency, and a limited private right of action
  • CPRA Updates: enhanced protections and the new California Privacy Protection Agency

CCPA Framework Diagram

Who Needs CCPA Compliance?

CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:

  • Revenue threshold: annual gross revenues exceed $25 million
  • Volume threshold: buy, sell, or share the personal information of 100,000 or more consumers or households per year
  • Revenue source: derive 50% or more of annual revenue from selling or sharing consumers' personal information

💡 Pro Tip:

Even if you don't meet these thresholds today, implementing CCPA-compliant practices early is smart business. Consumer privacy expectations are rising, and other states are following California's lead with similar laws.

The Seven Consumer Rights Under CCPA

CCPA grants California consumers seven fundamental rights over their personal information. Understanding these rights is essential for compliance:

1. Right to Know

Consumers can request details about what personal information you've collected, how you're using it, who you're sharing it with, and why.

2. Right to Delete

Consumers can request deletion of their personal information (with certain exceptions for legal obligations, security, etc.).

3. Right to Opt-Out

Consumers can opt out of the sale or sharing of their personal information. You must provide a clear, conspicuous link; since CPRA the expected wording is "Do Not Sell or Share My Personal Information". Opt-out requests, unlike requests to know or delete, must not be gated behind identity verification.

4. Right to Correct

Consumers can request correction of inaccurate personal information (added by CPRA).

5. Right to Limit Use

Consumers can limit the use and disclosure of sensitive personal information (added by CPRA).

6. Right to Non-Discrimination

You cannot discriminate against consumers for exercising their CCPA rights (e.g., denying service, charging different prices).

7. Right to Data Portability

Consumers can request their personal information in a portable, machine-readable format.


Business Obligations Under CCPA

Complying with CCPA requires implementing specific processes and documentation. Here are the key obligations:

📄 Transparency Requirements

  • Updated privacy policy with CCPA-specific disclosures
  • Notice at collection explaining data practices
  • Clear "Do Not Sell or Share My Personal Information" link
  • Privacy policy must be reviewed and updated at least once every 12 months

⚡ Request Response Process

  • Process to verify consumer identity before fulfilling requests to know, delete, or correct (not for opt-out requests)
  • 45-day response deadline, extendable once by up to 45 more days; the consumer must be told of the extension and the reason within the first 45 days
  • At least two request channels, including a toll-free number; a business that operates exclusively online and has a direct relationship with the consumer may offer an email address instead
  • Free responses (no charge to consumers)
  • Track and document every request and its outcome
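The response process above is easy to state and easy to get wrong in a ticketing system: the extension can only be used once and only inside the first 45 days, fulfilment of a know/delete/correct request must wait for identity verification, opt-out requests must not be verification-gated, and every request record has to survive at least 24 months. The following is an added example, not code from the original page or from any product it mentions, showing one way to encode those rules. The class, function and status names, and the sample requests, are assumptions for illustration; the `Sec-GPC` header check reflects the CPRA regulations' requirement to honor opt-out preference signals.

```python
"""CCPA consumer-request tracker (added example, not from the original page).

Encodes the response rules described in the text: verification before
fulfilment, 45-day deadline, one 45-day extension declared within the first
45 days, opt-out without verification, and 24-month record retention.
All names here are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 45        # initial response window under CCPA
EXTENSION_DAYS = 45       # a single extension of at most 45 further days
RETENTION_YEARS = 2       # request records must be kept at least 24 months


@dataclass
class ConsumerRequest:
    request_id: str
    consumer_id: str
    kind: str                     # "know", "delete", "correct", "portability"
    received: date
    verified: bool = False        # identity verified per the business's process
    extended_on: Optional[date] = None
    extension_reason: str = ""
    completed_on: Optional[date] = None
    log: list = field(default_factory=list)   # audit trail for record keeping

    def note(self, day: date, event: str) -> None:
        self.log.append((day.isoformat(), event))


def response_deadline(req: ConsumerRequest) -> date:
    """Deadline is receipt + 45 days, or + 90 days if an extension was taken."""
    days = RESPONSE_DAYS + (EXTENSION_DAYS if req.extended_on else 0)
    return req.received + timedelta(days=days)


def request_extension(req: ConsumerRequest, today: date, reason: str) -> date:
    """Take the one permitted extension; must happen inside the first 45 days
    and the consumer must be told why. Returns the new deadline."""
    if req.extended_on is not None:
        raise ValueError("only one 45-day extension is permitted")
    if today > req.received + timedelta(days=RESPONSE_DAYS):
        raise ValueError("extension must be declared within the first 45 days")
    if not reason.strip():
        raise ValueError("consumer must be told the reason for the extension")
    req.extended_on = today
    req.extension_reason = reason
    req.note(today, f"extension notice sent: {reason}")
    return response_deadline(req)


def fulfill(req: ConsumerRequest, today: date) -> None:
    """Requests to know/delete/correct are only acted on after verification,
    so an unverified deletion cannot wipe someone else's account."""
    if not req.verified:
        raise PermissionError(f"{req.request_id}: identity not verified")
    req.completed_on = today
    req.note(today, f"{req.kind} request fulfilled")


def is_overdue(req: ConsumerRequest, today: date) -> bool:
    return req.completed_on is None and today > response_deadline(req)


def retention_end(req: ConsumerRequest) -> date:
    """Earliest date the request record may be purged (24 months from receipt).
    A Feb 29 receipt date rolls to Feb 28 in the non-leap target year."""
    try:
        return req.received.replace(year=req.received.year + RETENTION_YEARS)
    except ValueError:
        return req.received.replace(year=req.received.year + RETENTION_YEARS, day=28)


def honor_opt_out(prefs: dict, consumer_id: str, headers: dict,
                  clicked_link: bool = False) -> bool:
    """Record an opt-out of sale/sharing. No identity verification is
    required for opt-out. Either the "Do Not Sell or Share" link or a
    Global Privacy Control signal (Sec-GPC: 1) counts as a valid request."""
    gpc = {k.lower(): v for k, v in headers.items()}.get("sec-gpc", "").strip()
    if clicked_link or gpc == "1":
        prefs[consumer_id] = True     # opt-out preference, persisted per consumer
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request for a stand-alone run.
    r = ConsumerRequest("req-1", "consumer-42", "delete", date(2025, 1, 6))
    print("deadline:", response_deadline(r))
    print("after extension:", request_extension(r, date(2025, 2, 1), "legacy system export"))
    r.verified = True
    fulfill(r, date(2025, 3, 10))
    print("record retained until:", retention_end(r), r.log)
```

In practice `prefs` would be a persistent store keyed by the identifiers you actually use for the consumer (account ID, cookie, device ID), and the `Sec-GPC` check belongs in the middleware that sets those identifiers so the signal is honored on the very first request, not only after a login.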

🔒 Data Security

  • Implement reasonable security procedures and practices appropriate to the nature of the information
  • Breach notification under California's separate breach-notification statute (Civ. Code § 1798.82)
  • Encryption or redaction of personal information: CCPA does not mandate it, but the private right of action covers only breaches of nonencrypted and nonredacted personal information, so encrypting data at rest and in transit removes the class-action exposure
  • Regular security assessments

🤝 Vendor Management

  • Service provider and contractor agreements with the CCPA-required clauses
  • Vendor security assessments
  • Contractual obligations for data protection
  • Regular vendor audits

📊 Record Keeping

  • Document data inventory and flows
  • Maintain records of consumer requests and how each was handled
  • Track opt-out preferences
  • Retain request records for at least 24 months

CCPA vs GDPR: Key Differences

Both CCPA and GDPR are comprehensive privacy laws, but they have important differences:

Aspect         CCPA                                      GDPR
Geography      California residents                      EU/EEA residents (data subjects)
Scope          For-profit businesses meeting thresholds  All organizations processing personal data
Consent        Opt-out model for sale/sharing            Opt-in / lawful-basis model (stricter)
Penalties      $2,500-$7,500 per violation               Up to €20M or 4% of global annual turnover, whichever is higher
DPO required   No                                        Sometimes (in defined cases)

Good News: If you're already GDPR compliant, much of the groundwork (data inventory, request handling, vendor contracts) carries over. The major gaps to close are the opt-out mechanism for sale and sharing, the "Do Not Sell or Share" link and opt-out preference signals, and CCPA's specific privacy-policy and notice-at-collection disclosures.

CCPA Penalties and Enforcement

Understanding the penalty structure helps prioritize compliance efforts:

Attorney General Enforcement

  • $2,500 per unintentional violation
  • $7,500 per intentional violation, and for violations involving minors under 16
  • Cure period: CCPA originally guaranteed 30 days to cure before fines; CPRA removed that guarantee as of January 1, 2023, so an opportunity to cure is now at the enforcer's discretion

Private Right of Action

  • $100-$750 per consumer per incident, or actual damages if greater
  • Data breaches only: applies when nonencrypted and nonredacted personal information is breached because of a failure to implement reasonable security, not to general CCPA violations
  • Class actions possible (most expensive risk)

Enforcement Timeline

Automate CCPA Compliance

LowerPlane helps you implement CCPA-compliant data handling, automated request workflows, and comprehensive privacy documentation.

  • Automated data mapping and inventory
  • Consumer request portal and tracking
  • CCPA-compliant privacy policy templates
  • Vendor assessment workflows

Key Takeaways

  1. CCPA applies to businesses with $25M+ revenue, 100K+ consumers or households, or 50%+ revenue from selling or sharing data—but implementing privacy-first practices benefits all businesses.

  2. The seven consumer rights under CCPA require robust processes for handling requests, typically within 45 days.

  3. Penalties range from $2,500 to $7,500 per violation, with the private right of action for data breaches of unencrypted data creating class action risk.

  4. CPRA amendments (effective January 2023) added new rights, sensitive data protections, and a dedicated California Privacy Protection Agency for enforcement.

  5. Automation is essential for scaling CCPA compliance—manual processes become unmanageable as request volume grows.

Frequently Asked Questions

Does CCPA apply to my business if I'm not in California?
Yes! CCPA applies to any for-profit business that collects personal information from California residents and meets the threshold requirements, regardless of where the business is located. If you have California customers, you likely need to comply.
What's the difference between CCPA and CPRA?
CPRA (California Privacy Rights Act) is an amendment to CCPA that took effect in January 2023. It adds new consumer rights (right to correct, right to limit sensitive data use), creates a dedicated enforcement agency, expands sensitive personal information protections, and introduces new requirements for automated decision-making.
How long do I have to respond to consumer requests?
You have 45 days to respond to consumer requests under CCPA. You can extend this by an additional 45 days if reasonably necessary, but you must inform the consumer of the extension and the reason within the first 45 days. Responses must be free of charge.
Can I charge for CCPA compliance?
No, you cannot charge consumers for exercising their CCPA rights. Additionally, you cannot discriminate against consumers for exercising their rights, including by charging different prices, providing different quality of service, or denying goods or services. However, you may offer financial incentives for data collection if properly disclosed and optional.
What counts as "selling" personal information under CCPA?
CCPA's definition of "sale" is broader than traditional sales. It covers selling, renting, releasing, disclosing, or otherwise transferring personal information to another business or third party for monetary or other valuable consideration, so the consideration need not be money. CPRA added a separate definition of "sharing": disclosing personal information to a third party for cross-context behavioral advertising, whether or not anything of value is exchanged. Together these can cover advertising cookies, data passed to marketing partners, and some analytics integrations.
