The complete guide to California's CCPA/CPRA for e-commerce businesses in 2026

Why California matters most

California's privacy law is the most comprehensive in the United States and the one most likely to affect your e-commerce business. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), covers any business that collects personal information from California residents and meets certain thresholds.

In 2026, major new requirements took effect — including automated decision-making technology (ADMT) rules, cybersecurity audit requirements, and the DELETE Act DROP platform. If you sell to California customers, this guide covers everything you need to know.

Do you need to comply?

Your business is covered if it collects personal information from California residents AND meets any one of these thresholds:

  • Revenue: Annual gross revenue exceeding $26.6 million (adjusted for 2025-2026)
  • Data volume: Processes personal data of 100,000 or more California residents or households
  • Data sales revenue: Derives 50% or more of annual revenue from selling personal information

Even if you don't meet these thresholds today, growth in your California customer base could trigger coverage. It's worth understanding the requirements now.

Consumer rights you must support

Under CCPA/CPRA, California consumers have the right to:

  • Know what personal information you collect, use, share, or sell
  • Delete their personal information
  • Correct inaccurate personal information
  • Portability — receive their data in a portable, machine-readable format
  • Opt out of the sale or sharing of their personal information
  • Limit the use of sensitive personal information

For e-commerce businesses, this means you need clear processes for handling consumer requests. You must respond to verified requests within 45 days (extendable by another 45 days with notice).

Privacy notice requirements

Your privacy notice must be provided at or before the point of data collection. For an online store, this means a clearly linked privacy policy on your website. It must disclose:

  • Categories of personal information collected
  • Purposes for which information is used
  • Categories of third parties with whom information is shared
  • Consumer rights and how to exercise them
  • Whether you sell or share personal information

You must also display a conspicuous "Do Not Sell or Share My Personal Information" link if you sell or share data.

New in 2026: ADMT rules

Starting January 2026, businesses that use automated decision-making technology must:

  • Disclose the use of ADMT in decisions that produce legal or similarly significant effects
  • Provide opt-out rights for consumers subject to ADMT-based decisions
  • Offer access to information about the logic involved in automated decisions

For e-commerce, this could apply to fraud detection systems, dynamic pricing algorithms, personalized recommendations that affect pricing or availability, and credit decisions.

New in 2026: Cybersecurity audit requirements

Businesses processing significant volumes of personal information must now conduct annual cybersecurity audits. The audit must assess your security posture and identify vulnerabilities in how you protect consumer data.

If you're an e-commerce business processing payment data alongside personal information, this requirement likely applies to you. Consider engaging a qualified security firm if you don't have internal audit capabilities.

New in 2026: DELETE Act DROP platform

The California Delete Act established the Data Broker Registration and Opt-Out Platform (DROP), which launched January 1, 2026. Key points:

  • Data brokers must register and connect to the DROP platform
  • Consumers can submit a single deletion request that reaches all registered data brokers
  • Non-compliance carries $200/day compounding fines for unfulfilled deletion requests
  • This applies to entities that meet the data broker definition, which could include some e-commerce businesses that sell customer data to third parties

Penalties are steep

  • Intentional violations: Up to $7,988 per violation
  • Unintentional violations: Up to $2,663 per violation
  • The CPPA can investigate conduct back to January 1, 2020
  • DELETE Act violations: $200/day compounding fines

One enforcement action against a large e-commerce operation could result in millions in penalties. The CPPA has been actively pursuing cases since its formation.

Enforcement: CPPA and Attorney General

California is unique in having a dedicated privacy enforcement agency — the California Privacy Protection Agency (CPPA). Both the CPPA and the California Attorney General can enforce the law. There is no right to cure; enforcement can begin immediately upon discovering a violation.

Practical compliance steps for e-commerce

  1. Audit your data collection. Map every point where you collect personal information — checkout, account creation, cookies, analytics, marketing pixels.

  2. Update your privacy policy. Ensure it meets all CCPA/CPRA disclosure requirements. Review it quarterly.

  3. Implement consumer request workflows. Build or buy systems to handle access, deletion, correction, and opt-out requests within the 45-day timeline.

  4. Add the required links. "Do Not Sell or Share My Personal Information" must be conspicuous on your site.

  5. Review ADMT usage. If you use automated decision-making for pricing, fraud detection, or personalization, ensure you're meeting the new disclosure and opt-out requirements.

  6. Conduct a cybersecurity audit. Schedule your first annual audit and document the findings.

  7. Check data broker status. If you sell customer data to third parties, determine if you meet the data broker definition and need to register with DROP.

  8. Train your team. Everyone handling customer data or responding to privacy requests needs to understand their obligations.

  9. Review vendor agreements. Ensure your data processing agreements with service providers (Shopify apps, analytics tools, email platforms) include CCPA-compliant terms.

  10. Document everything. Maintain records of your compliance efforts, consumer requests, and data processing activities.

Stay on top of changes like these — BriefStack monitors all 20 state privacy laws and delivers what matters to your inbox daily.


This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.