Any for-profit business that collects California residents' personal data AND meets one of these thresholds: annual gross revenue over $25M, buys/sells personal data of 100,000+ consumers or households, or derives 50%+ of revenue from selling personal data. The CPRA (2023 amendment) expanded the law significantly. Relevant for most mid-size to large SaaS, e-commerce, and ad-tech companies with California users.
CCPA is a California state privacy law that gives residents control over how businesses collect, use, and sell their personal information. It took effect on January 1, 2020, and was significantly expanded by the California Privacy Rights Act (CPRA) in January 2023. Together, CCPA/CPRA represent the strongest consumer privacy protections in the United States.
The law is often compared to GDPR, and for good reason. It establishes consumer rights around data access, deletion, and opting out of data sales. But CCPA is narrower in some ways (it only covers California residents and only applies to businesses above certain size thresholds) and broader in others (its definition of "personal information" is extremely wide, and it explicitly regulates the sale and sharing of data for advertising).
Since California is the world's fifth-largest economy, most companies with any US consumer base end up subject to CCPA. And because building one privacy program for California and another for the rest of the US isn't practical, many businesses extend CCPA protections to all US customers.
CCPA applies to any for-profit business that collects personal information from California residents AND meets at least one of these thresholds:
Annual gross revenue over $25 million.
Buys or sells the personal data of 100,000 or more consumers or households.
Derives 50% or more of its revenue from selling personal data.
Important details:
California residents can exercise these rights against businesses covered by the law:
Right to know. Consumers can request what personal information you've collected, the sources, the purposes, and who you've shared it with. You must respond within 45 days.
Right to delete. Consumers can ask you to delete their personal information, with some exceptions (completing transactions, legal obligations, security purposes).
Right to opt out of sale/sharing. If you sell personal information or share it for cross-context behavioral advertising, consumers can tell you to stop. You must display a "Do Not Sell or Share My Personal Information" link on your website.
Right to correct. Added by CPRA. Consumers can request corrections to inaccurate personal information.
Right to limit use of sensitive personal information. Added by CPRA. Consumers can restrict how you use sensitive data like Social Security numbers, financial information, precise geolocation, race, health data, and sexual orientation.
Right to non-discrimination. You can't penalize consumers for exercising their privacy rights (no worse service, no higher prices).
CCPA defines personal information very broadly: any information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. This includes:
The CPRA added a category of "sensitive personal information" with stricter rules: SSNs, driver's license numbers, financial account details, precise geolocation, racial/ethnic origin, religious beliefs, health data, sex life/orientation, biometric data, and contents of communications.
Privacy policy updates. Your privacy policy must disclose the categories of personal information collected, the purposes, consumer rights, and how to exercise them. It must be updated at least annually.
"Do Not Sell or Share" link. If you sell or share personal information (and "share" now includes sharing data with ad networks for targeted advertising), you need this link prominently on your website and a mechanism to honor the request.
Consumer request handling. You need at least two methods for consumers to submit requests (typically a web form and a toll-free number). Requests must be verified and fulfilled within 45 days, with a possible 45-day extension if needed.
Data inventory. You need to know what personal information you collect, where it goes, who you share it with, and how long you keep it. This is the foundation of everything else.
Service provider agreements. If you share personal information with service providers, you need contracts that restrict how they use the data. Similar in concept to GDPR's DPAs.
Employee and job applicant notices. CCPA covers employee and applicant data too. You need separate privacy notices for these groups.
Data minimization and retention. CPRA added requirements to collect only what's necessary for the stated purpose and to define retention periods. No more indefinite data hoarding.
CCPA enforcement comes from two directions:
California Attorney General and CPPA. Can bring enforcement actions with penalties up to $2,500 per unintentional violation and $7,500 per intentional violation. Those per-violation amounts add up fast when you're dealing with thousands or millions of consumer records.
Private right of action. Consumers can sue directly, but only for data breaches resulting from a business's failure to maintain reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if higher. Class action lawsuits under this provision have resulted in multi-million dollar settlements.
Sephora paid $1.2 million in 2022 for failing to honor opt-out requests and not disclosing data sales. DoorDash settled for $375,000 for sharing customer data with a marketing co-op without proper notices. The CPPA has been ramping up enforcement steadily since it became operational in 2024.
People often lump CCPA and GDPR together, but they differ in important ways:
Companies compliant with GDPR aren't automatically CCPA-compliant. The opt-out mechanism, sensitive data handling, and service provider agreement requirements are different enough that CCPA demands its own compliance workstream.
The biggest cost for most companies is the internal work: mapping data flows, updating vendor contracts, building request-handling processes, and training staff. The compliance tools and legal fees are secondary.
Compliance automation platforms assist with CCPA by tracking data collection practices, managing consumer request workflows (access, deletion, opt-out), maintaining consent records, and monitoring data sharing with third parties. They can also help with the data inventory that underpins everything else.
CCPA compliance overlaps significantly with GDPR. Companies already using a compliance platform for GDPR can usually extend it to cover CCPA with moderate additional configuration. Of the 17 tools in our database, 15 support CCPA.
Ignoring the "sharing" expansion. The CPRA expanded "sale" to include "sharing" data for cross-context behavioral advertising. Using Google Analytics, Meta Pixel, or similar ad-tech tools may qualify as "sharing" under CCPA. Many companies that don't think they sell data are actually sharing it.
Broken opt-out mechanisms. A "Do Not Sell" link that doesn't actually propagate the opt-out to all downstream systems and partners is a common failure. Regulators test these mechanisms.
Not verifying consumer requests. You need to verify that the person making a request is actually the consumer whose data it concerns. But verification can't be so burdensome that it discourages people from exercising their rights. Finding that balance requires a clear, documented process.
Overlooking employee data. CCPA covers employee personal information too. Companies that build a consumer-facing privacy program but forget about HR data have a gap.
Treating it as separate from other privacy work. If you're also subject to GDPR, building isolated compliance programs is wasteful. Use the same data inventory, the same consent management platform, and the same request-handling workflows where possible.
| Platform | Starting Price | Best For | G2 Rating |
|---|---|---|---|
| Vanta | ~$10,000/yr | Compliance automation | 4.6 |
| Drata | ~$7,500/yr | Compliance automation | 4.8 |
| Secureframe | ~$7,500/yr | Compliance automation | 4.7 |
| Sprinto | ~$6,000/yr | Compliance automation | 4.8 |
| Thoropass | ~$8,700/yr | Compliance automation | 4.7 |
| Hyperproof | ~$12,000/yr | GRC platform | 4.5 |
| AuditBoard (Optro) | ~$30,000/yr | Audit management | 4.6 |
| Strike Graph | ~$9,000/yr | Compliance automation | 4.7 |
| Anecdotes | ~$20,000/yr | GRC platform | 4.8 |
| Tugboat Logic (OneTrust) | Contact sales | Compliance automation | 4.5 |
| Scytale | ~$7,500/yr | Compliance automation | 4.8 |
| Comp AI | ~$2,388/yr | Compliance automation | 4.7 |
| Scrut Automation | ~$15,000/yr | GRC platform | 4.9 |
| Apptega | ~$9,950/yr | GRC platform | 4.8 |
| Ostendio | ~$2,994/yr | GRC platform | 4.8 |