
CALIFORNIA PRIVACY COMPLIANCE GUIDE

Complete CCPA/CPRA Compliance Guide 2026

The definitive guide to California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance. Learn about consumer rights, data collection disclosures, opt-out requirements, and building a comprehensive privacy program.

Last updated: February 2026

Table of Contents

1. What is CCPA/CPRA?
2. Who Must Comply?
3. Personal Information Categories
4. Consumer Rights
5. Disclosure Requirements
6. Opt-Out Requirements
7. Penalties & Enforcement
8. Compliance Checklist

What is CCPA/CPRA?

The California Consumer Privacy Act (CCPA), which took effect in 2020, was significantly expanded by the California Privacy Rights Act (CPRA) in 2023. Together, they create comprehensive privacy rights for California residents and obligations for businesses that collect their personal information.

CCPA (2020)

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt out of data sales
  • Right to non-discrimination

CPRA Enhancements (2023)

  • Right to correct inaccurate information
  • Right to limit use of sensitive data
  • Expanded definition of "sharing"
  • California Privacy Protection Agency

Significant Penalties

CCPA violations can result in fines up to $7,500 per intentional violation. The CPRA increases penalties to $7,500 per violation for businesses and up to $2,500 per consumer record for unintentional violations involving minors' data.

Who Must Comply with CCPA/CPRA?

CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:

  • Annual Revenue ($25M): Gross annual revenues exceeding $25 million in the preceding calendar year
  • Consumer Records (100K): Buy, sell, or share personal information of 100,000 or more consumers or households annually
  • Revenue from Data (50%): Derive 50% or more of annual revenues from selling or sharing consumers' personal information

Categories of Personal Information

CCPA defines personal information broadly as any information that identifies, relates to, or could reasonably be linked with a California consumer or household. This includes:

Identifiers

Name, Address, Email, Phone, SSN, Driver's License, IP Address, Device IDs

Protected Classifications

Race, Religion, Sexual orientation, Gender identity, Disability status, Citizenship

Commercial Information

Purchase history, Purchasing tendencies, Product interests, Consumer profiles

Biometric Information

Fingerprints, Voiceprints, Facial recognition data, Keystroke patterns

Internet Activity

Browsing history, Search history, Website interactions, App usage

Geolocation Data

Precise location, General location, Movement patterns, Location history

Sensory Information

Audio recordings, Visual recordings, Thermal data, Olfactory data

Employment Information

Employment history, Performance evaluations, Salary information, Benefits data

Education Information

Student records, Transcripts, Educational history, Test scores

Inferences

Preferences, Characteristics, Predispositions, Behavior predictions

Consumer Rights Under CCPA/CPRA

CCPA/CPRA grants California consumers six fundamental rights regarding their personal information:

Right to Know

Request information about data collection and use

Right to Delete

Request deletion of personal information

Right to Opt-Out

Opt out of sale or sharing of personal information

Right to Non-Discrimination

No discrimination for exercising rights

Right to Correct

Request correction of inaccurate information (CPRA)

Right to Limit Use

Limit use of sensitive personal information (CPRA)

Response Timeline

Businesses must respond to consumer requests within 45 days (with a possible 45-day extension for complex requests). Requests must be fulfilled free of charge, with verification of the consumer's identity.

Privacy Policy Disclosure Requirements

Your privacy policy must include specific CCPA/CPRA disclosures:

Categories of personal information collected
Categories of sources of personal information
Business or commercial purposes for collection
Categories of third parties with whom information is shared
Categories of personal information sold or shared (if any)
Consumer rights and how to exercise them
Contact information for privacy inquiries
Date the privacy policy was last updated

Opt-Out Requirements

If you sell or share personal information, you must provide clear opt-out mechanisms:

"Do Not Sell" Link

Prominently display a "Do Not Sell My Personal Information" link on your homepage and wherever personal information is collected.

Global Privacy Control

Under CPRA, you must honor Global Privacy Control (GPC) signals as valid opt-out requests.

GPC Signal Detection Required

Penalties & Enforcement

CCPA/CPRA enforcement includes both regulatory penalties and private rights of action:

Regulatory Enforcement

  • Up to $2,500 per violation (unintentional)
  • Up to $7,500 per violation (intentional)
  • Additional penalties for violations involving minors
  • California Privacy Protection Agency oversight

Private Right of Action

  • $100-$750 per consumer per incident
  • Only for data breaches involving personal information
  • 30-day cure period for first violations
  • Class action lawsuit potential

CCPA/CPRA Compliance Checklist

1. Determine CCPA/CPRA Applicability

Assess whether your business meets the annual revenue, consumer records, or revenue-from-data threshold

2. Conduct Data Mapping

Identify all personal information collection, use, and sharing practices

3. Update Privacy Policy

Include required CCPA disclosures and consumer rights information

4. Implement Consumer Request Process

Create systems to verify identity and respond to requests within 45 days

5. Add "Do Not Sell" Links

Provide clear opt-out mechanisms on your website

6. Review Third-Party Contracts

Ensure service providers and contractors comply with CCPA requirements

7. Train Your Team

Educate employees on CCPA requirements and consumer request procedures

8. Establish Ongoing Monitoring

Run regular audits and assessments to maintain compliance

Automate Your CCPA/CPRA Compliance

Managing CCPA/CPRA compliance manually is complex and risky. PrivaBase automates consumer request processing, data mapping, privacy policy management, and ongoing monitoring to keep you compliant with California's evolving privacy laws.


© 2026 Spoon Seller LLC. All rights reserved.