California CCPA/CPRA: 101 – What You Need to Know

Scott Dooley
10 min read · Jan 1, 2026 · Last updated: January 8, 2026

California was the first US state to pass a consumer privacy law, and it remains the most significant. If your business has customers in California, you need to understand whether this law applies to you and what it requires.

What Is the CCPA/CPRA?

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and became operative on 1st January 2020. It gave California residents new rights over their personal information and placed obligations on businesses that collect that data.

In November 2020, California voters passed the California Privacy Rights Act (CPRA) through a ballot initiative. CPRA amended and strengthened the original CCPA, taking effect on 1st January 2023. The amendments added new consumer rights, raised some thresholds, and created a dedicated enforcement agency: the California Privacy Protection Agency (CPPA).

Today, the law is often referred to as CCPA/CPRA or simply “California privacy law.” The CPPA now handles most enforcement, alongside the California Attorney General.

What Changed from CCPA to CPRA?

The CPRA significantly strengthened California’s privacy framework. Here are the key changes:

  • Data volume threshold. CCPA (original): 50,000 consumers/devices. CPRA (amended): 100,000 consumers/households.
  • “Sharing” definition. CCPA (original): only “sale” of data covered. CPRA (amended): “sharing” for cross-context behavioural advertising also covered.
  • Sensitive personal information. CCPA (original): no special category. CPRA (amended): new SPI category with stricter protections (SSN, precise location, health, etc.).
  • Right to correct. CCPA (original): not included. CPRA (amended): consumers can request correction of inaccurate data.
  • Right to limit SPI use. CCPA (original): not included. CPRA (amended): consumers can limit use of sensitive personal information.
  • Cure period. CCPA (original): 30-day cure period before enforcement. CPRA (amended): no cure period; immediate enforcement possible.
  • Enforcement agency. CCPA (original): Attorney General only. CPRA (amended): new California Privacy Protection Agency (CPPA) plus AG.
  • Data minimisation. CCPA (original): not required. CPRA (amended): collection limited to what is “reasonably necessary”.
  • Risk assessments. CCPA (original): not required. CPRA (amended): required for high-risk processing activities.
  • Minors’ data. CCPA (original): opt-in required under 16. CPRA (amended): same, plus 12-month wait after opt-out refusal.

Does It Apply to Your Business?

The law applies to for-profit businesses that collect personal information from California residents and meet any one of three threshold tests. You do not need to be based in California—the law has extraterritorial reach.

The Three Threshold Tests

For 2025, the thresholds are:

Revenue threshold: Your business has annual gross revenue exceeding $26,625,000. This is worldwide revenue, not just revenue from California customers. A company with $30 million in total revenue but only $2 million from California still meets this test.

Data volume threshold: Your business annually buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices. This does not require 100,000 customers. The law counts unique identifiers such as cookies, device IDs, and IP addresses. If your website averages around 275 daily visitors from California and uses tracking tools like Google Analytics or Meta Pixel, you likely meet this threshold.

Data revenue threshold: Your business derives 50% or more of its annual revenue from selling or sharing personal information. Under CPRA, “sharing” includes behavioural advertising and cross-site tracking, which expands this category beyond traditional data brokers.

These monetary thresholds are adjusted for inflation every odd-numbered year. Some entities regulated by laws like HIPAA or GLBA have partial exemptions, though certain obligations may still apply.

Key Consumer Rights

California residents have several rights under the law:

  • Right to know: Consumers can request what personal information a business has collected about them, where it came from, why it was collected, and who it has been shared with.
  • Right to delete: Consumers can request deletion of their personal information, with some exceptions.
  • Right to opt-out: Consumers can direct businesses not to sell or share their personal information.
  • Right to correct: Added by CPRA, consumers can request correction of inaccurate personal information.
  • Right to limit sensitive data use: Added by CPRA, consumers can limit how businesses use sensitive personal information such as precise geolocation, race, health data, or financial information.
  • Right to non-discrimination: Businesses cannot discriminate against consumers for exercising their privacy rights.

Business Obligations

Businesses covered by the law must:

  • Provide clear privacy notices at or before the point of collection
  • Respond to consumer requests within 45 days (extendable by another 45 days with notice)
  • Include a “Do Not Sell or Share My Personal Information” link on their website
  • Honour opt-out preference signals such as Global Privacy Control
  • Implement reasonable security measures to protect personal information
  • Train staff who handle consumer privacy inquiries
  • Conduct risk assessments for certain types of data processing

Failing to honour opt-out signals has been a focus of enforcement. Several businesses have been fined for having opt-out links that did not actually stop data sharing.

Enforcement Cases: Real-World Examples

The CPPA and California Attorney General have pursued significant enforcement actions. These cases illustrate common compliance failures and their consequences:

Tractor Supply Company — $1.35 Million (2025)

The largest CPPA penalty to date. Tractor Supply failed to provide consumers with an effective mechanism to opt out of the sale or sharing of their personal information. The company also failed to notify California consumers—including job applicants—of their privacy rights in its privacy policy. This was the first enforcement action addressing CCPA compliance for employee and job applicant data.

Jam City — $1.4 Million (2024)

The mobile gaming company failed to provide methods for consumers to opt out of the sale of their personal information in its 21 mobile apps. Despite collecting and sharing consumer data almost exclusively through mobile games, Jam City did not offer CCPA-compliant opt-outs in any of its apps. The case also involved failures to protect children’s privacy.

Sephora — $1.2 Million (2022)

The first major CCPA enforcement action. Sephora failed to disclose that it was selling consumer personal information, failed to process opt-out requests via Global Privacy Control signals, and did not cure violations within 30 days. This case established that sharing data with third parties for analytics and advertising can constitute a “sale” under the law.

American Honda Motor Co. — $632,500 (2025)

Honda was required to change its business practices and pay over $600,000 for CCPA violations related to how it handled consumer data.

DoorDash — $375,000 (2024)

DoorDash sold customer personal information through “marketing cooperatives” without providing notice or the opportunity to opt out. Customer data was subsequently disclosed to non-participating businesses and to a data broker that resold the data multiple times.

Todd Snyder, Inc. — $345,178 (2025)

The clothing retailer required consumers to submit excessive personal information—including a photograph holding their identity document—for all privacy requests. This violated the CCPA by applying verification standards to opt-out requests (which don’t require verification) and collecting more information than necessary.

Key lessons from enforcement: Opt-out mechanisms must actually work. Global Privacy Control signals must be honoured. Privacy notices must be accurate. Verification requirements for opt-out requests must be minimal. Employee and job applicant data is covered.

Penalties

The CPPA and California Attorney General share enforcement responsibilities. The CPPA has reported hundreds of investigations and enforcement actions in progress.

Penalties for 2025 are:

  • Civil penalties range from $2,663 to $7,988 per violation
  • Violations involving minors under 16 can attract the maximum $7,988 per violation
  • Statutory damages for data breaches range from $107 to $799 per affected individual

Critically, each affected consumer can be counted as a separate violation. This means fines can escalate quickly for widespread non-compliance. The CPPA has stated it can investigate conduct dating back to the CCPA’s operative date of 1st January 2020.

CPRA vs GDPR: How Do They Compare?

If your organisation also operates in Europe, you may be wondering how California’s law compares to the EU’s General Data Protection Regulation. While both aim to protect consumer privacy, they differ in fundamental ways:

  • Consent model. CPRA (California): opt-out (collect data, let consumers say no later). GDPR (EU/UK): opt-in (get consent before collecting).
  • Who must comply. CPRA (California): for-profit businesses meeting revenue/data thresholds. GDPR (EU/UK): any organisation processing EU residents’ data.
  • Revenue threshold. CPRA (California): $26.6 million annual revenue. GDPR (EU/UK): no revenue threshold.
  • Maximum penalties. CPRA (California): $7,988 per violation (can stack per consumer). GDPR (EU/UK): €20 million or 4% of global turnover.
  • Private right of action. CPRA (California): yes, for data breaches. GDPR (EU/UK): limited; primarily regulatory enforcement.
  • Data minimisation. CPRA (California): required (added by CPRA). GDPR (EU/UK): required.
  • Right to be forgotten. CPRA (California): yes (right to delete). GDPR (EU/UK): yes (right to erasure).
  • Data portability. CPRA (California): yes. GDPR (EU/UK): yes.
  • DPO requirement. CPRA (California): no. GDPR (EU/UK): yes, for certain organisations.
  • Cross-border transfer rules. CPRA (California): no specific requirements. GDPR (EU/UK): strict adequacy/safeguard requirements.

If you’re already GDPR-compliant, you’ll have a head start with CPRA—but the consent models differ fundamentally. GDPR’s opt-in approach means you should already be minimising data collection. CPRA’s opt-out model means you need robust mechanisms for consumers to exercise their rights after the fact.

Key Dates

  • 28th June 2018: CCPA signed into law
  • 1st January 2020: CCPA became operative
  • 3rd November 2020: CPRA passed by California voters
  • 1st January 2023: CPRA amendments took effect; 30-day cure period eliminated
  • 1st July 2023: CPRA enforcement began
  • 1st January 2025: Updated penalty amounts and thresholds took effect

Frequently Asked Questions

Does the CCPA/CPRA apply to non-US businesses?

Yes. The law has extraterritorial reach. If your business collects personal information from California residents and meets any of the three thresholds, you must comply—regardless of where your business is located. A UK company with California customers could be subject to the law.

What is Global Privacy Control and do I need to honour it?

Global Privacy Control (GPC) is a browser setting that sends an automated opt-out signal to websites. Under CPRA, businesses must treat GPC signals as valid opt-out requests for the sale or sharing of personal information. Failing to honour GPC has been a focus of enforcement actions, including the Sephora case.
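As an added illustration (not code from this article or its author), the JavaScript below shows what honouring the signal looks like in practice, which is also the obligation listed under Business Obligations above: opt-out links and signals have to actually stop sale or sharing. Two facts are relied on: a GPC-enabled browser sends the request header Sec-GPC: 1, and page scripts can read navigator.globalPrivacyControl. The preference record shape, the tag catalogue and every function name are assumptions constructed for this example.

```javascript
// Added example, not from the article. Plain functions so they can be
// dropped into any Node.js request handler and unit-tested offline.
//
// Facts used: GPC browsers send "Sec-GPC: 1" and expose
// navigator.globalPrivacyControl === true to page scripts. The preference
// store, tag catalogue and function names below are constructed assumptions.

// HTTP header names are case-insensitive; normalise before lookup.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// Only the exact signal value "1" is an opt-out; "0", empty or absent is not.
function gpcOptOutRequested(headers) {
  const raw = headerValue(headers, 'sec-gpc');
  return typeof raw === 'string' && raw.trim() === '1';
}

// Client-side equivalent. Takes a navigator-like object so it runs in tests;
// in a real page call clientGpcSignal(navigator).
function clientGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Hypothetical stored preference: { optedOutOfSaleOrShare: boolean }.
// The consumer is opted out if EITHER they used the "Do Not Sell or Share"
// link earlier OR the current request carries the GPC signal.
function effectiveSaleShareState(headers, storedPreference) {
  const explicit = Boolean(storedPreference && storedPreference.optedOutOfSaleOrShare);
  const signalled = gpcOptOutRequested(headers);
  let source = 'none';
  if (explicit) source = 'explicit';
  else if (signalled) source = 'gpc';
  return { optedOut: explicit || signalled, source };
}

// Constructed tag catalogue. Tags flagged sellsOrShares send data to third
// parties for advertising or analytics and must not load once opted out.
const THIRD_PARTY_TAGS = [
  { id: 'first-party-analytics', sellsOrShares: false },
  { id: 'ad-network-pixel', sellsOrShares: true },
  { id: 'cross-site-retargeting', sellsOrShares: true },
];

// The gate that makes the opt-out "actually work": returns only the tag ids
// that may be rendered into the page for this request.
function tagsAllowed(headers, storedPreference, catalogue = THIRD_PARTY_TAGS) {
  const state = effectiveSaleShareState(headers, storedPreference);
  return catalogue
    .filter((tag) => !(state.optedOut && tag.sellsOrShares))
    .map((tag) => tag.id);
}

// For a known (logged-in) consumer, persist the signal as an opt-out record so
// the choice also applies to later requests that arrive without the header.
function recordOptOutFromSignal(headers, storedPreference) {
  const current = storedPreference || { optedOutOfSaleOrShare: false };
  if (!gpcOptOutRequested(headers)) return current;
  return { ...current, optedOutOfSaleOrShare: true, recordedFrom: 'gpc' };
}

// Constructed sample request, as a Node.js server would see it (header names
// already lower-cased by the runtime).
function demo() {
  const sampleHeaders = { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' };
  const stored = recordOptOutFromSignal(sampleHeaders, null);
  return { stored, allowed: tagsAllowed(sampleHeaders, stored) };
}
```

Two design points worth noting: the check accepts only the literal value 1, because a malformed or absent header is not a signal and must not silently opt a consumer back in either; and the gate decides which tags load rather than hiding the tags after the fact, since a pixel that fires before a consent banner is drawn has already shared the data.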

What counts as “selling” personal information?

The definition is broader than you might expect. Selling includes sharing data with third parties for monetary or other valuable consideration. This can include sharing customer data with analytics providers, advertising networks, or marketing cooperatives—even if no money changes hands directly. The DoorDash case demonstrated that participation in marketing cooperatives can constitute a sale.

Does the law apply to employee data?

Yes. The Tractor Supply enforcement action confirmed that employee and job applicant data is covered by the CCPA/CPRA. Businesses must provide privacy notices to California employees and job applicants explaining how their personal information is collected and used.

Is there still a cure period to fix violations?

No. The CPRA eliminated the 30-day cure period that existed under the original CCPA. Since 1st January 2023, enforcement can proceed immediately without giving businesses an opportunity to fix violations first. This makes proactive compliance essential.

How does CPRA compare to other US state privacy laws?

California’s law is the most comprehensive and has the most active enforcement. Other states have passed similar laws with varying thresholds and requirements. Virginia, Colorado, Connecticut, and Utah were early adopters. Texas, Oregon, Montana, and several other states have since followed. If you operate across multiple states, you may need to comply with multiple frameworks.

Getting Started

California privacy law is the most established consumer privacy framework in the United States. With enforcement increasing and fines that can stack up per consumer, businesses should take compliance seriously.

Start by assessing whether your business meets any of the three thresholds. If it does, review your privacy notices, ensure your opt-out mechanisms actually work, and implement support for Global Privacy Control signals. The CPPA’s FAQ section provides practical guidance for common compliance questions.

If your team handles personal data, consider whether they need data protection training. While California law doesn’t mandate specific training programmes, staff who handle privacy requests need to understand their obligations—and training helps demonstrate compliance if you’re ever investigated.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
