Last reviewed: 2026-05-04 · Reviewer: M.K., CIPP/E
CCPA / CPRA California Privacy Protection Agency

REGULATION · US STATE · IN FORCE SINCE 2020

California Consumer Privacy Act, as amended by California Privacy Rights Act

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.


Scope and territorial reach

Where it applies — 1 jurisdiction (California)

Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Notice at collection (§1798.100(b))

     Inform consumers at or before the point of collection about the categories of personal information collected, the purposes for which it is used, whether it is sold or shared, and the retention period for each category. Notice must be readily available, accessible, and provided in the languages in which the business ordinarily provides contracts.

  2. Disclosure obligations (§1798.110, §1798.115)

     On verifiable consumer request, a business must disclose the categories and specific pieces of personal information collected, sources, business or commercial purpose, categories of third parties to whom it was sold or shared, and categories disclosed for a business purpose, covering the 12 months preceding the request (or longer for requests made after 2023-01-01).

  3. Deletion rights (§1798.105)

     Honor verifiable consumer requests to delete personal information the business has collected, and direct service providers and contractors to delete it. Limited statutory exceptions exist (transactional, security, legal compliance, internal uses reasonably aligned with consumer expectations).

  4. Opt-out of sale and sharing (§1798.120)

     Provide consumers a clear and conspicuous right to opt out of the sale of personal information and (CPRA-added) the sharing of personal information for cross-context behavioral advertising. A 'Do Not Sell or Share My Personal Information' link or alternative opt-out mechanism is required, including recognition of opt-out preference signals such as Global Privacy Control.

  5. Limit use of sensitive personal information (§1798.121)

     CPRA-added obligation. Consumers may direct a business to limit its use and disclosure of sensitive personal information (precise geolocation, race, religion, health, sexual orientation, biometric, government IDs, contents of mail/email/texts, financial account credentials) to that necessary to perform the services or provide the goods reasonably expected by the consumer.

  6. Non-discrimination (§1798.125)

     A business shall not discriminate against a consumer for exercising any CCPA right — no denial of service, different prices, different quality, or threats. Financial incentives tied to data collection are permitted only if reasonably related to the value of the data and offered through opt-in consent.

  7. Reasonable security (§1798.150)

     Implement reasonable security procedures and practices appropriate to the nature of the personal information. Failure to do so creates a private right of action for consumers in the event of a breach involving non-encrypted, non-redacted personal information ($100–$750 statutory damages per consumer per incident).

  8. Children's data — opt-in for under-16 (§1798.120(c))

     Businesses must obtain affirmative opt-in consent before selling or sharing the personal information of consumers under 16. For consumers under 13, parental consent is required; for 13–15, the consumer may consent directly. Actual knowledge of minor status is the trigger; willful disregard is treated as actual knowledge.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

  1. Auditing related to interactions (§1798.140(e)(1))

     Auditing the current interaction with the consumer and concurrent transactions, including counting ad impressions, verifying positioning and quality, and auditing compliance.

     Common for: Ad delivery audits, frequency capping verification

  2. Detecting security incidents (§1798.140(e)(2))

     Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate.

     Common for: Fraud detection, account takeover prevention, abuse monitoring

  3. Debugging to identify and repair errors (§1798.140(e)(3))

     Identifying and repairing errors that impair existing intended functionality.

     Common for: Error logging, crash reporting, QA

  4. Short-term, transient use (§1798.140(e)(4))

     Performing services on behalf of the business or contextual customization that does not build a profile, alter the consumer's experience outside the interaction, or disclose data to a third party.

     Common for: Non-personalized contextual ads, single-session UI customization

  5. Performing services on behalf of the business (§1798.140(e)(5))

     Maintaining or servicing accounts, customer service, processing orders and transactions, verifying customer information, processing payments, financing, fulfillment, advertising or marketing services, analytics, or providing similar services.

     Common for: Order fulfillment, customer support, internal analytics by service providers

  6. Internal research for technological development (§1798.140(e)(6))

     Undertaking internal research for technological development and demonstration.

     Common for: Product R&D, performance benchmarking, ML model improvement

  7. Quality and safety maintenance (§1798.140(e)(7))

     Undertaking activities to verify or maintain the quality or safety of a service or device owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device.

     Common for: Device telemetry, software updates, safety recalls

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

| Right | Article | Response | Scope |
| --- | --- | --- | --- |
| Right to know | §1798.110, §1798.115 | 45 days | Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and recipients of sale/share/disclosure. Extendable once by 45 additional days with notice. |
| Right to delete | §1798.105 | 45 days | Request deletion of personal information collected from the consumer, subject to nine statutory exceptions (transaction completion, security, legal compliance, etc.). |
| Right to correct inaccurate personal information | §1798.106 | 45 days | CPRA-added (effective 2023-01-01). Request correction of inaccurate personal information held by the business; the business must use commercially reasonable efforts to correct it. |
| Right to opt-out of sale or sharing | §1798.120 | 15 days | Direct a business to stop selling or sharing personal information. Must be honored within 15 business days of receipt; opt-out preference signals (e.g., Global Privacy Control) must be treated as a valid request. |
| Right to limit use of sensitive personal information | §1798.121 | 15 days | CPRA-added. Direct a business to limit use of sensitive PI to purposes necessary to provide the goods or services reasonably expected. Honor within 15 business days. |
| Right to non-discrimination | §1798.125 | At collection | A business may not discriminate against a consumer for exercising any CCPA right (denial of service, different prices, lower quality). |
| Right to access for known minors (and parents) | §1798.120(c), §1798.130 | 45 days | Parents may exercise rights on behalf of children under 13; consumers aged 13–15 must be provided opt-in mechanisms before sale or sharing. |
| Right to data portability | §1798.100(d), §1798.130(a)(2) | 45 days | When responding to an access request, deliver specific pieces of personal information in a portable and, to the extent technically feasible, readily usable format that allows transmission to another entity without hindrance. |

Fines & enforcement

Maximum administrative penalty: €20.0M or 4% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

  1. 2025-07 · €1.4M · Healthline Media · Enforcer: AG · US-CA · §1798.100, §1798.120, §1798.121, §1798.135

     Largest CCPA settlement to date at time of announcement. Health-information website disclosed sensitive health-related browsing data to third-party advertisers via tracking pixels (Meta, Google) without honoring consumer opt-outs or treating health-related URLs as sensitive PI requiring enhanced controls.

  2. 2025-09 · €1.2M · Tractor Supply Company · Enforcer: CPPA · US-CA · §1798.100, §1798.105, §1798.130, §1798.135

     CPPA enforcement order. Failed to provide notice at collection, used an opt-out interface that did not function for known browsers, failed to recognize Global Privacy Control signals, and lacked service-provider contracts with multiple ad-tech vendors. Required to retain a privacy program assessor for three years.

  3. 2022-08 · €1.1M · Sephora · Enforcer: AG · US-CA · §1798.100, §1798.115, §1798.120, §1798.135

     First major CCPA settlement. Failure to disclose that PI was being sold, failure to honor opt-out signals (including Global Privacy Control), and failure to cure within the (then-applicable) 30-day window. Established that automatic cookie data flowing to ad-tech vendors constitutes a 'sale' under CCPA.

  4. 2025-03 · €580k · American Honda Motor Co. · Enforcer: CPPA · US-CA · §1798.105, §1798.120, §1798.121, §1798.130, §1798.135

     First major CPPA enforcement order. Honda required excessive verification for opt-out and limit-sensitive-PI requests, did not provide a symmetric easy opt-out, used a confusing cookie-management interface, and shared CA consumer data with ad-tech vendors without proper service-provider contracts.

  5. 2024-06 · €460k · Tilting Point Media · Enforcer: AG · US-CA · §1798.120(c), §1798.99.31 (CalOPPA)

     Mobile-game publisher collected and shared children's personal information through ad-SDK pixels (including TikTok, Meta) without obtaining opt-in consent for users under 16, violating CCPA's children's data provisions and COPPA-aligned CalOPPA requirements.

  6. 2024-02 · €345k · DoorDash · Enforcer: AG · US-CA · §1798.100, §1798.115, §1798.120, §1798.135

     Sold California consumers' personal information by participating in a marketing co-op without notice or opt-out mechanism, and without recognizing that the data exchange constituted a 'sale' under §1798.140(ad). Required to overhaul vendor contracts and notice-at-collection.

  7. 2025-11 · €320k · Todd Snyder Inc. · Enforcer: CPPA · US-CA · §1798.100, §1798.120, §1798.135

     Apparel retailer required consumers to provide more information to opt out of sale than to make a purchase, and dropped third-party trackers before consent. CPPA found violations of the symmetric-choice requirement (11 CCR §7004) and notice-at-collection.

  8. 2020-09 · €230k · Glow Inc. · Enforcer: AG · US-CA · Cal. B&P Code §22576 (CalOPPA), §17200

     Pre-CCPA-effective enforcement. Fertility-tracking app exposed sensitive health information through insecure password-change flows. Landmark for sensitive health data and forerunner to the Healthline approach. Settlement under CalOPPA + Unfair Competition Law.

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National add-ons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

| Country | National act | Stricter than GDPR baseline? | Note |
| --- | --- | --- | --- |
| 🇺🇸 California (US-CA) | CCPA + CPRA (Cal. Civ. Code §1798.100 et seq.) | Stricter | Primary regulation. CPPA + AG dual enforcement; 30-day cure period removed by CPRA effective 2023-01-01. |
| 🇺🇸 Virginia (US-VA) | Virginia Consumer Data Protection Act (VCDPA) | Aligned | Effective 2023-01-01. AG-only enforcement; 30-day cure period; no private right of action; opt-in for sensitive data. |
| 🇺🇸 Colorado (US-CO) | Colorado Privacy Act (CPA) | Aligned | Effective 2023-07-01. Universal opt-out mechanism (UOOM) recognition mandatory since 2024-07-01; AG + district attorneys enforce. |
| 🇺🇸 Connecticut (US-CT) | Connecticut Data Privacy Act (CTDPA) | Aligned | Effective 2023-07-01. Opt-in for sensitive data and minors 13–17; UOOM mandatory since 2025-01-01. |
| 🇺🇸 Utah (US-UT) | Utah Consumer Privacy Act (UCPA) | Aligned | Effective 2023-12-31. Most business-friendly: opt-out only for sensitive data, no rulemaking authority, AG enforcement. |
| 🇺🇸 Texas (US-TX) | Texas Data Privacy and Security Act (TDPSA) | Aligned | Effective 2024-07-01. No revenue threshold — applies to any business processing personal data of TX residents (small-business carve-out). |
| 🇺🇸 Florida (US-FL) | Florida Digital Bill of Rights (FDBR) | Aligned | Effective 2024-07-01. Narrow applicability ($1B+ revenue) but adds rights to opt out of voice/facial recognition collection. |
| 🇺🇸 Oregon (US-OR) | Oregon Consumer Privacy Act (OCPA) | Aligned | Effective 2024-07-01. Includes nonprofits in scope (unique among state laws); AG enforcement with 30-day cure (sunsets 2026-01-01). |
| 🇺🇸 Montana (US-MT) | Montana Consumer Data Privacy Act (MCDPA) | Aligned | Effective 2024-10-01. Lower applicability thresholds than most states (50K consumers or 25K + 25% revenue from sale). |
| 🇺🇸 Iowa (US-IA) | Iowa Consumer Data Protection Act | Aligned | Effective 2025-01-01. No right to correct; no UOOM requirement; opt-out for sensitive data only. |
| 🇺🇸 Delaware (US-DE) | Delaware Personal Data Privacy Act | Aligned | Effective 2025-01-01. Lowest thresholds (35K consumers); includes nonprofits. |
| 🇺🇸 New Hampshire (US-NH) | NH Privacy Act (SB 255) | Aligned | Effective 2025-01-01. Mirrors CT/CO; UOOM mandatory by 2025-01-01. |
| 🇺🇸 New Jersey (US-NJ) | New Jersey Data Privacy Act | Aligned | Effective 2025-01-15. Stricter on sensitive data (financial info, status as transgender/non-binary added); rulemaking authority. |
| 🇺🇸 Maryland (US-MD) | Maryland Online Data Privacy Act (MODPA) | Stricter | Effective 2025-10-01. Strictest US state law to date — bans sale of sensitive PI outright; data minimization required (not just disclosure). |
| 🇺🇸 Minnesota (US-MN) | Minnesota Consumer Data Privacy Act | Aligned | Effective 2025-07-31. Adds right to question profiling decisions and right to a list of third parties to whom data was disclosed. |
| 🇺🇸 Tennessee (US-TN) | Tennessee Information Protection Act (TIPA) | Aligned | Effective 2025-07-01. Unique NIST CSF 'safe harbor' affirmative defense to enforcement actions. |
| 🇺🇸 Indiana (US-IN) | Indiana Consumer Data Protection Act | Aligned | Effective 2026-01-01. Mirrors VCDPA; AG enforcement; 30-day cure period. |
| 🇺🇸 Kentucky (US-KY) | Kentucky Consumer Data Protection Act | Aligned | Effective 2026-01-01. Mirrors VCDPA; narrow applicability; 30-day cure. |
| 🇺🇸 Rhode Island (US-RI) | Rhode Island Data Transparency and Privacy Protection Act | Aligned | Effective 2026-01-01. Adds disclosure of all third parties (not just categories) — unique among state laws. |
| 🇺🇸 Nebraska (US-NE) | Nebraska Data Privacy Act | Aligned | Effective 2025-01-01. Mirrors TDPSA — no revenue threshold, applies to any business processing personal data of NE residents. |


Common questions

Does CCPA apply to my non-California business?
Yes if your business is for-profit, does business in California, collects California residents' personal information, and meets one of three thresholds (§1798.140(d)): (1) annual gross revenue over $25M; (2) buys, sells, or shares PI of 100,000+ California consumers/households per year; or (3) derives 50%+ of revenue from selling or sharing PI. Physical presence in California is not required; serving CA residents online suffices.
What's the difference between CCPA and CPRA?
CCPA (effective 2020-01-01) was the original law. CPRA (effective 2023-01-01) amended it: created the CPPA agency, added the right to correct (§1798.106) and right to limit sensitive PI (§1798.121), introduced the 'sharing' concept for cross-context behavioral advertising (§1798.140(ah)), removed the mandatory 30-day cure period, and expanded employee/B2B coverage. The combined statute is often called 'CCPA, as amended by CPRA' or simply 'the CCPA.'
Do I need a 'Do Not Sell or Share' link?
Yes if you sell personal information or share it for cross-context behavioral advertising (§1798.135(a)). Common tracking pixels (Meta, TikTok, Google Ads remarketing) typically constitute 'sharing' under §1798.140(ah). The link must be titled 'Do Not Sell or Share My Personal Information' and placed in a clear and conspicuous location on the homepage. If you also use sensitive PI beyond business-necessary purposes, add a separate 'Limit the Use of My Sensitive Personal Information' link.
What is sensitive personal information under CPRA?
§1798.140(ae) defines sensitive PI as: SSN, driver's license, state ID, passport; account log-in credentials with password; precise geolocation; race, ethnicity, religion, union membership; contents of mail, email, and text messages (unless you are the intended recipient); genetic data; biometric data for unique identification; health data; and sex life or sexual orientation. Consumers can direct businesses to limit use to purposes necessary to provide the service (§1798.121).
What's the maximum CCPA fine?
Civil penalties under §1798.155(a): $2,500 per unintentional violation and $7,500 per intentional violation or violation involving a minor under 16. Penalties are per-violation and per-consumer — Sephora's $1.2M (2022) and Healthline's $1.55M (2025) settlements aggregate per-consumer counts. Additionally, §1798.150 creates a private right of action for breaches involving non-encrypted PI: $100–$750 per consumer per incident, or actual damages, whichever is greater.
Who enforces CCPA — AG or CPPA?
Both. The California Attorney General has enforcement authority under §1798.155, and the California Privacy Protection Agency (created by CPRA, §1798.199) has parallel administrative enforcement, rulemaking, and audit authority. As of 2026 the CPPA is increasingly active — Honda (Mar 2025) was its first major order, followed by Tractor Supply (Sep 2025) and Todd Snyder (Nov 2025). Both can investigate the same conduct, but generally coordinate to avoid duplicative actions.
Do I need to honor Global Privacy Control?
Yes. 11 CCR §7025 requires businesses to treat opt-out preference signals such as Global Privacy Control (GPC) as valid opt-out requests under §1798.120. The Sephora 2022 settlement was specifically grounded in failure to recognize GPC. Detection should occur on every page load before any 'sale' or 'share' fires, and the signal must persist across the session for the originating browser/device.
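One way to implement the detection this answer describes (and the opt-out preference signal recognition called for under §1798.120 above), as an added example that is not code from this page or from any regulator: the check runs before any sale/share pixel fires, accepts the signal from either the browser's navigator.globalPrivacyControl property or the Sec-GPC request header (both defined by the GPC specification), and records the opt-out in a cookie so later page loads from the same browser honour it even when the header is absent. The cookie name ccpa_optout, its one-year lifetime, the function names and the sample requests are this example's own assumptions, not anything the statute or the regulations specify.

```javascript
// Added example, not code from the page or from any regulator: honour an
// opt-out preference signal (Global Privacy Control) before any 'sale' or
// 'share' fires, and persist the opt-out for the originating browser/device.
// Real signals used: navigator.globalPrivacyControl (boolean, GPC spec) and
// the Sec-GPC request header (value "1"). The cookie name, its lifetime and
// the helper names below are this example's own assumptions.

const OPT_OUT_COOKIE = "ccpa_optout";        // assumed name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // assumed lifetime

// Parse a Cookie request header (or document.cookie) into a name -> value map.
// Values may themselves contain '=', so only the first '=' splits name/value.
function parseCookies(cookieHeader) {
  const out = {};
  if (typeof cookieHeader !== "string" || cookieHeader.length === 0) return out;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Decide whether sale/share must be suppressed for this request. Any single
// source suffices: the browser API, the request header, or an opt-out this
// browser already persisted. Inputs are plain values rather than globals so
// the same logic runs server-side (Sec-GPC) and client-side (navigator).
function shouldSuppressSaleOrShare({ gpcNavigator, secGpcHeader, cookies } = {}) {
  const browserSignal = gpcNavigator === true;
  const headerSignal = typeof secGpcHeader === "string" && secGpcHeader.trim() === "1";
  const persisted = parseCookies(cookies)[OPT_OUT_COOKIE] === "1";
  return browserSignal || headerSignal || persisted;
}

// Set-Cookie value that records the opt-out so subsequent page loads honour it.
function optOutSetCookie() {
  return `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=${ONE_YEAR_SECONDS}; SameSite=Lax; Secure`;
}

// Gate the tag loader: the callback that would fire sale/share pixels runs only
// when no opt-out applies. The returned record is suitable for a compliance log.
function gateSaleOrShare(decisionInput, fireSaleOrSharePixels) {
  if (shouldSuppressSaleOrShare(decisionInput)) {
    return { fired: false, setCookie: optOutSetCookie(), reason: "opt-out signal honoured" };
  }
  fireSaleOrSharePixels();
  return { fired: true, setCookie: null, reason: "no opt-out signal present" };
}

// Browser entry point: reads the live navigator object and document.cookie.
function gateInBrowser(fireSaleOrSharePixels) {
  const nav = globalThis.navigator;
  return gateSaleOrShare(
    {
      gpcNavigator: nav ? nav.globalPrivacyControl : undefined,
      cookies: typeof document !== "undefined" ? document.cookie : "",
    },
    fireSaleOrSharePixels
  );
}

// Constructed sample requests (not real traffic) exercising each signal source.
const SAMPLE_REQUESTS = [
  { label: "Sec-GPC header set", input: { secGpcHeader: "1", cookies: "" } },
  { label: "navigator API set", input: { gpcNavigator: true, cookies: "session=abc" } },
  { label: "persisted opt-out", input: { secGpcHeader: "0", cookies: "session=abc; ccpa_optout=1" } },
  { label: "no signal", input: { secGpcHeader: "0", cookies: "session=abc" } },
];

// Run the gate over the samples and report whether pixels fired for each.
function runSamples() {
  return SAMPLE_REQUESTS.map(({ label, input }) => {
    let pixelCalls = 0;
    const result = gateSaleOrShare(input, () => { pixelCalls += 1; });
    return { label, fired: result.fired, pixelCalls };
  });
}
```

Two design points worth noting: the decision function is pure, so the same code can be unit-tested and reused in an edge or server handler that sees the Sec-GPC header before any HTML is served, and the persisted cookie means a later visit from the same browser is still treated as opted out if the header is missing, which is the cross-session persistence the answer above calls for. The gate must wrap the tag manager itself; placing it after the pixels have already loaded defeats the purpose.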
How do CCPA and GDPR differ on consent?
GDPR requires opt-in consent (Art 6(1)(a)) — affirmative action before any processing on a consent basis. CCPA is opt-out for adults: businesses can sell or share PI by default until the consumer opts out, except for consumers under 16 (§1798.120(c)) who require opt-in. CCPA has no general 'lawful basis' framework like GDPR Art 6 — it permits processing for the seven enumerated business purposes (§1798.140(e)) without consent, subject to notice, opt-out, and limit-sensitive-PI rights.
Is the CCPA cure period still 30 days?
No, the mandatory 30-day cure period was removed by CPRA effective 2023-01-01. Under amended §1798.155, the AG and CPPA have discretion to allow a cure but are not required to. Prior CCPA enforcement (2020–2022) commonly resolved without penalties when the business cured within 30 days; post-2023 enforcement increasingly bypasses cure offers, especially for repeat or willful violations (the 2025 CPPA orders against Honda and Todd Snyder did not include cure offers).
How does CCPA interact with other state privacy laws?
As of 2026, 19+ US states have comprehensive privacy laws. California remains the strictest on opt-out scope (sale + share), private right of action for breaches, and dual-agency enforcement. Most other states (VA, CO, CT, UT, etc.) require opt-in for sensitive data and offer no private right of action. Maryland (effective Oct 2025) is now arguably stricter on data minimization. A multi-state compliance program typically maps to California as the baseline and adds state-specific deltas (e.g., Colorado UOOM, Connecticut minor protections, Maryland minimization).