California Consumer Privacy Act / California Privacy Rights Act
Applies to for-profit businesses meeting any one of: $25M+ annual revenue, processing 100,000+ California consumers' data, or earning 50%+ of revenue from selling/sharing personal data.
Effective: 2020-01-01
Penalty max: $7,500
Cure period: None
Honor GPC: Required
Overview
California's CCPA (effective January 2020) and its amendment, the CPRA (operative January 2023), form the most comprehensive consumer privacy framework in the U.S. The law applies to any for-profit business that does business in California and meets at least one of three thresholds: $25M+ in annual revenue, processing the personal data of 100,000+ California consumers, or deriving 50%+ of revenue from selling or sharing personal information. Consumers have rights to know, delete, correct, and opt out of sale or sharing of their data. Critically, California requires businesses to honor Global Privacy Control (GPC) signals as a valid opt-out request, a regulatory position confirmed in the Sephora settlement. There is no general cure period after January 1, 2023; the AG and CPPA can bring actions immediately upon finding a violation.
Who it applies to
Businesses processing personal data of 100,000+ California residents annually.
For-profit businesses with $25M+ in annual revenue (CCPA/CPRA-style threshold).
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of sharing
Consumers can opt out of the sharing of their personal data for cross-context behavioral advertising.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to limit sensitive data use
Consumers can limit your use of sensitive personal information (precise geolocation, health, etc.).
Right to non-discrimination
You cannot deny service, charge different prices, or provide different quality to consumers who exercise their rights.
What this means for e-commerce
California is the most-enforced state privacy law in the country. The CPPA actively investigates e-commerce sites and has specifically targeted businesses that fail to honor GPC signals or that bury the 'Do Not Sell or Share My Personal Information' link. Penalties are per violation, per consumer — and intentional violations or violations involving minors carry the higher $7,500 cap. Sephora was fined $1.2M in 2022 for failing to disclose data sales and not honoring GPC; Tilting Point Media paid $500K in 2024 for violations involving children's data.
Penalties & enforcement
Enforced by the California Privacy Protection Agency (CPPA) and Attorney General. Penalties range from $2,500 to $7,500 per violation.
The cure period sunset on 2023-01-01 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Add 'Do Not Sell or Share My Personal Information' link in the site footer
Add 'Limit the Use of My Sensitive Personal Information' link if you process sensitive data
Configure your site to detect and honor Global Privacy Control (GPC) signals
Update your privacy policy to include CPRA-required disclosures (12-month lookback, sources, purposes, third parties)
Implement a process to respond to consumer requests within 45 days (with one 45-day extension if needed)
Conduct annual data protection assessments for high-risk processing
Update contracts with all service providers and contractors to include CPRA terms
Train staff handling consumer requests on verification and response procedures
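For the checklist item on detecting and honoring GPC, here is an added example (not code from this page or from BriefStack) of server-side handling of the `Sec-GPC` request header that GPC-enabled browsers send. The cookie name `privacy_optout`, the `sharesData` flag and the tag list are assumptions made for illustration.

```javascript
// Added example: server-side GPC handling. The cookie name "privacy_optout",
// the sharesData flag and the tag inventory are constructed for illustration.

// Case-insensitive header lookup; Node-style header maps may hold arrays.
function headerValues(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) return [].concat(value).map(String);
  }
  return [];
}

// The GPC spec defines a single valid Sec-GPC value, "1". Anything else
// ("0", "true", empty) is treated as no signal.
function gpcOptOut(headers) {
  return headerValues(headers, "Sec-GPC").some((v) => v.trim() === "1");
}

// Decide whether tags that sell or share personal data may be emitted.
// An opt-out from either source (GPC or the footer link) wins.
function privacyDecision(headers, cookies) {
  const viaGpc = gpcOptOut(headers);
  const viaLink = (cookies || {}).privacy_optout === "1";
  return {
    saleSharingAllowed: !(viaGpc || viaLink),
    reason: viaGpc ? "gpc" : viaLink ? "footer-link" : "none",
    // The page body differs by header, so shared caches must key on it;
    // otherwise a cached copy with ad tags can reach a GPC visitor.
    responseHeaders: { Vary: "Sec-GPC" },
  };
}

// Drop every tag flagged as sharing data when the visitor has opted out.
function tagsToRender(decision, tags) {
  return tags.filter((t) => decision.saleSharingAllowed || !t.sharesData);
}

// Constructed sample inventory of page tags.
const SAMPLE_TAGS = [
  { name: "cart-widget", sharesData: false },
  { name: "ad-retargeting-pixel", sharesData: true },
];

const demo = privacyDecision({ "sec-gpc": "1" }, {});
console.log(demo.reason, tagsToRender(demo, SAMPLE_TAGS).map((t) => t.name));
```

Client-side scripts can read the same signal from `navigator.globalPrivacyControl`, which is useful for tags injected after page load.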
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.