What is the CCPA?
The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. It was subsequently amended by the California Privacy Rights Act (CPRA) in 2023, which strengthened and expanded the original law. Together, these laws give California residents significant rights over their personal data and impose obligations on businesses that collect it.
Unlike GDPR — which applies broadly to almost any website — the CCPA applies only to businesses that meet specific size or revenue thresholds. But those thresholds are lower than many people assume, and the law applies based on where your users are, not where your business is based.
Who needs to comply with the CCPA?
Your business must comply with the CCPA if it is for-profit, does business in California (serving California residents counts), and meets at least one of the following thresholds:
- Annual gross revenues exceeding $25 million
- Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year
- Derives 50% or more of annual revenues from selling or sharing California consumers' personal information
Non-profit organisations and government agencies are generally exempt. Small businesses below all three thresholds are also technically exempt, but having a compliant Privacy Policy is still considered best practice — and if you ever grow, you'll need one anyway.
What rights does CCPA give California residents?
Consumers covered by the CCPA have a set of enforceable rights regarding their personal data:
- Right to Know: Consumers can ask what categories of personal information you collect about them, what purposes you use it for, and what third parties you share it with.
- Right to Delete: Consumers can request that you delete their personal information, with some exceptions (e.g. if you need it to complete a transaction or comply with a legal obligation).
- Right to Correct: Added by CPRA, consumers can ask you to correct inaccurate personal information you hold about them.
- Right to Opt Out of Sale/Sharing: If you sell or share consumer data for cross-context behavioural advertising, consumers can opt out. You must provide a "Do Not Sell or Share My Personal Information" link.
- Right to Limit Use of Sensitive Data: Consumers can restrict how you use sensitive personal information (health data, precise geolocation, financial data, etc.).
- Right to Non-Discrimination: You cannot discriminate against consumers who exercise their CCPA rights — for example, you cannot charge them more or provide a degraded service.
What must your Privacy Policy include?
Your Privacy Policy must be updated to reflect CCPA requirements. Specifically, it must disclose:
- The categories of personal information you collect (e.g. identifiers, commercial information, internet activity, geolocation data)
- The purposes for which you collect each category
- Whether you sell or share personal information, and if so, the categories of third parties you share it with
- How long you retain each category of personal information
- The rights California residents have and how to exercise them
- How consumers can submit requests (you must designate at least two methods: typically a form and a phone number or email)
- The date your Privacy Policy was last updated
Your Privacy Policy must be updated at least every 12 months, even if nothing has changed, to confirm it remains current.
Practical steps to become CCPA compliant
Here is a straightforward checklist of what you need to do if the CCPA applies to your business:
- Audit your data collection. Map out every category of personal data you collect — contact forms, analytics, cookies, payment data, user accounts — and document what you collect and why.
- Update your Privacy Policy. Include all required CCPA disclosures. Use plain language — the law requires your policy to be understandable to a general audience.
- Add a "Do Not Sell or Share" link. If you sell or share data (including via advertising platforms like Google Ads or Meta), add a clearly visible opt-out link in your footer or cookie banner.
- Create a request intake process. Set up a way for consumers to submit rights requests (know, delete, correct). You have 45 days to respond.
- Train your team. Anyone who handles consumer data or responds to inquiries should understand CCPA obligations.
- Review your vendor contracts. If you share data with third parties, update your contracts to include required data processing terms.
CCPA vs GDPR: key differences
Many businesses are familiar with GDPR — the EU's privacy regulation — and wonder how CCPA compares. Here are the key differences:
- Scope: GDPR applies to almost any website serving EU residents. CCPA only applies to for-profit businesses meeting specific thresholds.
- Legal basis: GDPR requires a specific legal basis (like consent or legitimate interest) for processing data. CCPA does not require a legal basis — it focuses on disclosure and opt-out rights.
- Opt-in vs opt-out: GDPR requires consent (opt-in) before processing in many cases. CCPA uses an opt-out model — you can process data unless a consumer objects.
- Sensitive data: Both laws have heightened protections for sensitive categories, but CCPA's list differs somewhat from GDPR's.
- Fines: GDPR can impose fines up to 4% of global annual turnover. CCPA fines are lower ($2,500 per unintentional violation, $7,500 per intentional violation) but the California Attorney General and affected consumers can enforce them.
Generate a CCPA-compliant Privacy Policy
Writing a CCPA-compliant Privacy Policy from scratch is time-consuming and easy to get wrong. LegalyJet generates a personalised Privacy Policy that includes all required CCPA disclosures — based on your actual business, your data collection practices, and your jurisdiction. It takes under 4 minutes and is completely free.
Personalized, professional, and free. No account required.