CCPA Compliance: The Complete Guide for Website Owners (2026)
The California Consumer Privacy Act (CCPA) and its expansion, the California Privacy Rights Act (CPRA), represent the strongest consumer privacy protections in the United States. If your website or business handles data from California residents, compliance isn't optional—it's legally required. This comprehensive guide explains everything you need to know about CCPA compliance in 2026.
What is the CCPA?
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, giving California residents unprecedented control over their personal information. The California Privacy Rights Act (CPRA), approved by voters in November 2020 and operative since January 1, 2023, expanded these protections, created new requirements, and established the California Privacy Protection Agency (CPPA) to enforce the law.
Often called "GDPR for California," the CCPA grants consumers specific rights over their personal data and requires businesses to be transparent about data collection and use. Like GDPR, it reaches beyond its own borders: CCPA applies if you do business in California and handle California residents' personal information, regardless of where your company is headquartered.
Does CCPA Apply to Your Business?
CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:
- Revenue: Annual gross revenues exceeding $25 million (a figure that is adjusted for inflation every two years, so check the current threshold)
- Data volume: Buys, sells, or shares personal information of 100,000 or more California residents or households
- Data revenue: Derives 50% or more of annual revenue from selling or sharing California residents' personal information
Common Misconceptions
Many small business owners assume CCPA doesn't apply to them, but the 100,000 threshold is easier to reach than it looks. It counts consumers or households whose personal information you buy, sell, or share, and under the CPRA "sharing" includes disclosing data for cross-context behavioral advertising. That means the count can include:
- Website visitors whose activity is passed to ad networks, not just paying customers
- Visitors tracked via advertising cookies and pixels, even if you never learn their names
- Email subscribers and mailing list members whose data you sell or share
- Social media followers who click through to a site running tracking pixels
A moderately popular website running common ad-tech tags can pass 100,000 California consumers in a year. Even if you fall below every threshold, implementing CCPA-compliant practices is widely considered best practice and demonstrates respect for user privacy.
Key Definitions Under CCPA
Understanding CCPA starts with understanding its key terms:
Personal Information
CCPA defines personal information broadly as any information that identifies, relates to, or could reasonably be linked with a particular California resident or household. This includes:
- Identifiers (name, email, IP address, device ID)
- Commercial information (purchase history, browsing behavior)
- Biometric information
- Internet activity (browsing history, search history, interactions with websites)
- Geolocation data
- Professional or employment information
- Education information
- Inferences drawn from any of the above to create a consumer profile
Selling Personal Information
Under CCPA, "selling" personal information has a broader definition than you might expect. It includes sharing or disclosing personal information to third parties for monetary or other valuable consideration. This means:
- Sharing data with advertising networks (Google Ads, Facebook Ads)
- Using analytics tools that share data with third parties
- Embedding social media pixels that track visitors
- Data brokers or list rental services
Many businesses unknowingly "sell" data under this definition simply by using common marketing tools.
Sharing Personal Information (CPRA Addition)
The CPRA introduced a new category: "sharing" personal information for cross-context behavioral advertising. This covers retargeting campaigns and personalized advertising based on user behavior across different websites.
Consumer Rights Under CCPA
California residents have seven key rights under CCPA/CPRA. Your business must facilitate these rights and respond to requests within specific timeframes.
1. Right to Know
Consumers can request detailed information about what personal information you collect, use, disclose, and sell or share. You must provide:
- Categories of personal information collected
- Specific pieces of personal information collected about them
- Categories of sources from which you collected their information
- Business or commercial purposes for collecting or selling their information
- Categories of third parties with whom you share personal information
- If sold or shared: categories sold/shared and to which categories of third parties
Response deadline: 45 days, with one possible 45-day extension if necessary
2. Right to Delete
Consumers can request deletion of their personal information, with certain exceptions (such as completing transactions, detecting fraud, complying with legal obligations, or exercising free speech).
Response deadline: 45 days, with one possible 45-day extension
3. Right to Correct
Consumers can request correction of inaccurate personal information you maintain about them. This CPRA addition recognizes that accurate data is essential.
Response deadline: 45 days, with one possible 45-day extension
4. Right to Opt Out of Sale or Sharing
If you sell or share personal information, consumers have the right to opt out. You must provide a clear "Do Not Sell or Share My Personal Information" link on your homepage.
Response requirement: Immediate—consumers should not have to create an account or complete multiple steps
5. Right to Limit Use of Sensitive Personal Information
CPRA created a new category of "sensitive personal information" (SSN, precise geolocation, health data, financial account details, etc.). Consumers can limit how you use this data to only what's necessary to perform services or provide goods.
6. Right to Non-Discrimination
You cannot discriminate against consumers who exercise their CCPA rights by:
- Denying goods or services
- Charging different prices or rates
- Providing a different level or quality of service
- Suggesting they'll receive a different price or level of service
You can offer financial incentives for data collection if reasonably related to the value of the data, but consumers must be able to opt in and opt out easily.
7. Right to Data Portability
When consumers request their personal information, you must provide it in a readily usable format that allows them to transmit it to another entity without hindrance.
Required Disclosures in Your Privacy Policy
CCPA mandates specific disclosures in your privacy policy. It's not enough to have a generic policy—you must include CCPA-specific information.
Notice at Collection
At or before the point of collection, you must inform consumers about:
- Categories of personal information to be collected
- Purposes for which personal information will be used
- Whether personal information is sold or shared
- How long you intend to retain each category of personal information
- Link to your full privacy policy
Privacy Policy Requirements
Your privacy policy must include:
- Categories of personal information collected in the last 12 months
- Categories of sources from which personal information is collected
- Business or commercial purposes for collecting or selling personal information
- Categories of third parties with whom you share personal information
- If applicable: categories of personal information sold or shared and to whom
- Consumers' CCPA rights and how to exercise them
- How to submit a verifiable consumer request
- Non-discrimination statement
- Date of last update
Implementing "Do Not Sell or Share My Personal Information"
If you sell or share personal information (which includes most sites using advertising or analytics tools), you must provide an opt-out mechanism.
Required Implementation
- Homepage link: Clear and conspicuous link titled "Do Not Sell or Share My Personal Information" (the regulations also allow a single "Your Privacy Choices" link, shown with the opt-out icon, that covers both this opt-out and the right to limit use of sensitive personal information)
- No account required: Consumers should not have to create an account or log in to opt out
- Simple process: Minimal steps; the path to opt out must not be longer or harder than the path to opt back in, and you may not require the consumer to justify the request
- Universal opt-out: Honor the Global Privacy Control (GPC) browser signal
- No sale/share after opt-out: Stop selling or sharing that consumer's information
- 12-month minimum: Don't ask consumers to re-authorize sale/sharing for at least 12 months
Global Privacy Control (GPC)
As of 2026, you must recognize and honor the Global Privacy Control, a browser-level setting that sends a user's opt-out preference with every request. The CPPA regulations require businesses to treat the signal as a valid request to opt out of sale and sharing. Firefox, Brave, and DuckDuckGo send the signal natively; Chrome, Edge, and Safari need a GPC-capable extension, so you cannot assume its absence means consent.
Technically, the signal arrives as the HTTP request header Sec-GPC: 1 and is exposed to page scripts as the navigator.globalPrivacyControl property (true when enabled). Only the exact value 1 is an opt-out; a missing header, 0, or any other value is no signal at all. A typical implementation checks the header (or property) before injecting advertising or retargeting tags, records the opt-out so it persists for that consumer on later visits, and continues to load service-provider scripts that do not sell or share data.
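The header and property checks described above, as an added example in JavaScript that is not code from the original article. It assumes a hypothetical opt-out cookie named ccpa_opt_out (value 1) that the site sets when a consumer opts out through the link, and a small site-maintained catalog that classifies each third-party tag as either a sale/share tag or a service-provider tag; the catalog and the sample requests are constructed for illustration.

```javascript
// Added example (not from the original article): resolve a consumer's opt-out
// state from the Sec-GPC header or a stored opt-out cookie, then gate which
// third-party tags may be injected. Cookie name, tag catalog and sample
// requests are hypothetical and constructed for this example.

// Tags that "sell or share" under CCPA/CPRA (cross-context behavioral
// advertising) versus tags run by service providers on the business's behalf.
const TAG_CATALOG = {
  "ads-pixel": { sellsOrShares: true },
  "retargeting": { sellsOrShares: true },
  "fraud-detection": { sellsOrShares: false },
  "first-party-analytics": { sellsOrShares: false },
};

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// HTTP header names are case-insensitive; normalise before lookup so that
// "sec-gpc" and "Sec-GPC" are treated alike.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// The GPC specification defines only the value "1" as an opt-out signal.
// "0", "true", or a missing header must NOT be treated as an opt-out.
function gpcSignalPresent(headers) {
  return getHeader(headers, "Sec-GPC") === "1";
}

// Resolve the opt-out state for one request. A GPC signal is a valid opt-out
// on its own and is honoured even when no cookie exists; the stored cookie
// keeps the opt-out sticky on visits where the signal is absent.
function resolveOptOut(req) {
  if (gpcSignalPresent(req.headers)) return { optedOut: true, source: "gpc" };
  const cookies = parseCookies(getHeader(req.headers, "Cookie"));
  if (cookies["ccpa_opt_out"] === "1") return { optedOut: true, source: "cookie" };
  return { optedOut: false, source: "none" };
}

// Return the tags that may be injected into the page for this opt-out state.
// Service-provider tags keep running; sale/share tags are dropped for
// opted-out consumers.
function allowedTags(optOut, catalog = TAG_CATALOG) {
  return Object.entries(catalog)
    .filter(([, meta]) => !(optOut.optedOut && meta.sellsOrShares))
    .map(([name]) => name)
    .sort();
}

// Client-side counterpart: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl, which is true when the user enabled GPC.
function gpcSignalFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  gpcUser: { headers: { "sec-gpc": "1", Cookie: "session=abc" } },
  cookieUser: { headers: { Cookie: "session=abc; ccpa_opt_out=1" } },
  plainUser: { headers: { "Sec-GPC": "0", Cookie: "session=abc" } },
};

for (const [label, req] of Object.entries(SAMPLE_REQUESTS)) {
  const state = resolveOptOut(req);
  console.log(label, state, allowedTags(state));
}
```

Two design points are worth noting. Only the exact value 1 counts as a GPC opt-out, so a truthiness check on the header would wrongly classify Sec-GPC: 0 as an opt-out. And the server-side check is the authoritative one: a page script can only react after the document has loaded, and any tag injected into the HTML before that point has already fired.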
Handling Consumer Requests
When consumers exercise their CCPA rights, you must have systems in place to handle their requests efficiently and securely.
Providing Request Methods
You must provide at least two methods for submitting requests. At a minimum:
- A toll-free telephone number, unless you operate exclusively online and have a direct relationship with the consumer, in which case an email address may be used instead
- If you maintain a website, an interactive web form or another method reachable from the site
Verifying Consumer Identity
You must verify the identity of consumers making requests, using a "reasonably reliable" method. The level of verification depends on the request type and risk:
- Requests to know categories of information: Match at least two data points you already hold
- Requests to know specific pieces of information: Match at least three data points, plus a signed declaration under penalty of perjury
- Deletion requests: Two or three data points depending on the sensitivity of the data and the harm a wrongful deletion would cause
- Account holders: Can verify through your existing login, ideally with re-authentication before the request is fulfilled
If you cannot verify identity, you must explain why and allow the consumer to provide additional information.
Response Requirements
- Acknowledge: Confirm receipt within 10 business days
- Respond: Provide substantive response within 45 days
- Extension: You can extend by 45 days if necessary—notify consumer of extension and reason
- Free of charge: First two requests per 12-month period must be free
- Denial: If you deny a request in whole or in part, explain the reason in writing, including any exception you rely on
Service Providers and Contractors
CCPA distinguishes between "service providers" (who process data on your behalf under contract) and "third parties" (who receive data for their own purposes).
Service Provider Requirements
To qualify as a service provider (which has different obligations than selling data), you must have a written contract that:
- Prohibits the service provider from selling or sharing the personal information
- Prohibits retaining, using, or disclosing the information for any purpose other than performing services
- Prohibits combining the information with information from other sources
- Grants the business the right to audit the service provider's compliance
Major SaaS providers (Shopify, Stripe, Mailchimp, etc.) typically have CCPA-compliant service provider agreements available. Review and document these agreements.
CCPA and Sensitive Data
CPRA introduced special protections for "sensitive personal information," which includes:
- Social Security, driver's license, passport, or state ID numbers
- Account log-in credentials with security questions/answers
- Precise geolocation
- Racial or ethnic origin, religious beliefs, union membership
- Mail, email, or text message contents (unless you're the intended recipient)
- Genetic data, biometric data
- Health data, sex life, or sexual orientation
If you collect sensitive personal information, consumers can limit its use to only what's necessary to perform services or provide goods (unless an exception applies). You must disclose this right and provide an opt-out mechanism similar to the "Do Not Sell" requirement.
Penalties for Non-Compliance
CCPA violations can result in significant penalties, enforced by the California Privacy Protection Agency (CPPA) and California Attorney General.
Regulatory Enforcement
- Unintentional violations: Up to $2,500 per violation
- Intentional violations, or violations involving the personal information of consumers under 16: Up to $7,500 per violation
- Cure period: The automatic 30-day cure period was eliminated by CPRA on January 1, 2023; whether to allow time to cure is now at the enforcer's discretion
- Penalties are assessed per violation and are adjusted for inflation every two years, so a single systemic failure affecting many consumers can multiply quickly
Private Right of Action
Unlike most privacy laws, CCPA allows consumers to sue directly for data breaches involving certain personal information. Consumers can recover:
- $100-$750 per consumer per incident, or
- Actual damages, whichever is greater
This has led to numerous class-action lawsuits against businesses with inadequate data security.
CCPA Compliance Checklist
Use this checklist to ensure your business meets CCPA requirements:
- ☐ Determine if CCPA applies to your business
- ☐ Create or update your privacy policy with CCPA-required disclosures
- ☐ Add "Notice at Collection" at data collection points
- ☐ Implement "Do Not Sell or Share My Personal Information" link (if applicable)
- ☐ Enable Global Privacy Control (GPC) support
- ☐ Create processes to handle consumer requests (know, delete, correct)
- ☐ Establish identity verification procedures
- ☐ Review and update service provider contracts
- ☐ Audit third-party data sharing and tracking tools
- ☐ Train staff on CCPA compliance and consumer request handling
- ☐ Document your data inventory and data flows
- ☐ Implement reasonable security measures to protect personal information
- ☐ Establish a process for annual privacy policy reviews
Creating a CCPA-Compliant Privacy Policy
Given the complexity of CCPA requirements, creating a compliant privacy policy requires careful attention to detail. Generic templates often miss critical CCPA-specific disclosures.
LegalForge generates CCPA-compliant privacy policies that include all required disclosures, consumer rights explanations, and "Do Not Sell" implementation guidance—customized for your specific business practices and data collection methods.
Beyond California: Other State Privacy Laws
California led the way, but other states have followed with their own privacy laws. As of 2026, comprehensive privacy laws are in effect in a growing list of states, including:
- Virginia (VCDPA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Utah (UCPA)
- Florida (FDBR)
- Texas (TDPSA)
- Oregon (OCPA)
- Montana (MCDPA)
While these laws have similarities to CCPA, each has unique requirements. If your business operates nationally, consider implementing privacy practices that comply with the strictest requirements across all states.
Final Thoughts
CCPA compliance isn't just about avoiding penalties—it's about respecting consumer privacy and building trust with your customers. California residents are increasingly aware of their privacy rights and more likely to do business with companies that transparently handle their data.
While CCPA compliance may seem daunting, the core principles are straightforward: be transparent about data collection, give consumers control over their information, and implement reasonable security measures. Start with a comprehensive privacy policy, implement necessary technical controls, and establish processes to handle consumer requests.
Need help creating a CCPA-compliant privacy policy? LegalForge generates customized legal pages that include all CCPA-required disclosures, consumer rights information, and implementation guidance—updated for 2026 requirements.