What Is CCPA? Guide to the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is the most significant state-level privacy law in the United States. Since it took effect on January 1, 2020 – and was substantially strengthened by the California Privacy Rights Act (CPRA) in 2023 – it has set the standard for US consumer data protection.

If your website has visitors from California, CCPA likely applies to you. With California’s population of nearly 40 million and its outsized share of US internet traffic, most publishers with a US audience need to understand this law. This guide explains what CCPA is, what it requires, how the CPRA changed it, and what publishers need to do to comply.

What Is CCPA?

CCPA stands for the California Consumer Privacy Act. It was signed into law in June 2018 and became enforceable on January 1, 2020. It was the first comprehensive consumer privacy law in the United States, giving California residents specific rights over their personal information and imposing obligations on businesses that collect it.

The law was a direct response to growing concerns about how companies – particularly large tech platforms – collect, sell, and share personal data. It was partly inspired by the European Union’s General Data Protection Regulation (GDPR), though it takes a distinctly American approach by focusing on the right to opt out rather than requiring prior consent.

CCPA is enforced by the California Attorney General and, since the CPRA amendments, by the California Privacy Protection Agency (CPPA) – the first dedicated state privacy enforcement body in the US.

Who Does CCPA Apply To?

CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following thresholds:

  • Annual gross revenue exceeds $25 million.
  • Data volume – the business buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices per year.
  • Revenue from data – the business earns 50% or more of its annual revenue from selling or sharing consumers’ personal information.

For publishers, the revenue threshold is the most common trigger. If your website generates over $25 million in annual revenue and serves California visitors, CCPA applies. Smaller publishers may also be covered if they serve enough California traffic to meet the data volume threshold, or if data sharing through programmatic advertising constitutes a significant portion of revenue.

It is worth noting that CCPA does not require a business to be based in California – or even in the United States. Any for-profit entity doing business in California and meeting the thresholds is subject to the law.

What Is Personal Information Under CCPA?

CCPA defines personal information broadly as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

For publishers, the most relevant categories include:

  • Identifiers – names, email addresses, IP addresses, account names
  • Internet activity – browsing history, search history, interactions with a website or advertisement
  • Geolocation data – approximate location derived from IP addresses
  • Device identifiers – cookies, advertising IDs, device fingerprints
  • Inferences – profiles created from collected data reflecting preferences, behavior, or interests

This broad definition means that much of the data collected through standard ad tech operations – cookie-based tracking, audience segmentation, real-time bidding signals – falls under CCPA.

CCPA Consumer Rights

CCPA grants California consumers a set of rights over their personal information. These rights were expanded by the CPRA amendments, making the current framework more comprehensive than the original 2020 version.

Right to Know

Consumers can request that a business disclose what personal information it has collected about them, the sources it came from, the business purpose for collecting it, the categories of third parties it was shared with, and the specific pieces of data collected.

Right to Delete

Consumers can request that a business delete the personal information it has collected about them. Businesses must also direct their service providers to delete the data, with limited exceptions (such as completing a transaction, detecting security incidents, or complying with a legal obligation).

Right to Opt Out of Sale or Sharing

This is CCPA’s signature provision. Consumers have the right to tell a business to stop selling or sharing their personal information. Under the CPRA amendments, “sharing” was added alongside “selling” to explicitly cover the transfer of personal data for cross-context behavioral advertising – which is directly relevant to programmatic advertising.

Businesses that sell or share personal information must provide a clear “Do Not Sell or Share My Personal Information” link on their website.

Right to Correct

Added by the CPRA, consumers can request that a business correct inaccurate personal information it holds about them.

Right to Limit Use of Sensitive Personal Information

Also added by the CPRA, consumers can direct businesses to limit the use and disclosure of sensitive personal information – such as precise geolocation, race, health data, or financial information – to what is strictly necessary for providing the requested service.

Right to Non-Discrimination

Businesses cannot discriminate against consumers who exercise their CCPA rights – for example, by charging higher prices, providing inferior service, or denying services entirely.

What Is CPRA? How It Changed CCPA

The California Privacy Rights Act (CPRA) was approved by California voters in November 2020 as Proposition 24. It took effect on January 1, 2023, and amended and expanded the original CCPA rather than replacing it. The combined law is often referred to as “CCPA as amended by the CPRA” or simply “CCPA/CPRA.”

Key changes the CPRA introduced:

  • New category: “sharing” – CPRA added “sharing” of personal information as a regulated activity alongside “selling.” Sharing means transferring data for cross-context behavioral advertising, regardless of whether money changes hands. This directly covers the data flows in programmatic advertising.
  • Sensitive personal information – CPRA created a new category of sensitive data (Social Security numbers, precise geolocation, racial or ethnic origin, health data) with additional consumer rights to limit its use.
  • Right to correct – Consumers gained the right to request corrections to inaccurate personal information.
  • Data minimization – Businesses must limit data collection and retention to what is “reasonably necessary and proportionate” for the stated purpose.
  • California Privacy Protection Agency (CPPA) – CPRA established a dedicated enforcement agency with rule-making authority, supplementing the California Attorney General’s enforcement powers.
  • Expanded contractual requirements – Stricter rules for contracts with service providers, contractors, and third parties that process personal information.
  • Risk assessments – Businesses must conduct regular cybersecurity audits and risk assessments for high-risk processing activities.

CCPA vs GDPR: Key Differences

CCPA and GDPR are both comprehensive privacy laws, but they take fundamentally different approaches. Understanding the differences is essential for publishers who serve audiences in both California and Europe.

Aspect | CCPA/CPRA | GDPR
Consent model | Opt-out (consumers must actively choose to stop data sales/sharing) | Opt-in (businesses must obtain consent before processing)
Scope | For-profit businesses meeting revenue/data thresholds | All organizations processing EU/EEA personal data
Who is protected | California residents (“consumers”) | Anyone in the EU/EEA (“data subjects”)
Definition of personal data | Includes household-level data | Limited to identified or identifiable natural persons
Legal basis for processing | Not required – businesses can process data unless consumer opts out | One of six lawful bases required (consent, contract, legitimate interest, etc.)
Sensitive data | Right to limit use (CPRA) | Processing generally prohibited without explicit consent
Enforcement | California AG + CPPA; private right of action for data breaches | National data protection authorities; fines up to 4% of global revenue
Penalties | Up to $2,500 per violation; $7,500 per intentional violation | Up to 20 million EUR or 4% of global annual revenue

The most important difference for publishers is the consent model. Under GDPR, you must obtain affirmative consent before setting advertising cookies or sharing data with ad tech vendors. Under CCPA, you can process data by default but must provide a way for consumers to opt out of the sale or sharing of their information.

In practice, publishers serving both audiences need to support both models – opt-in for European visitors and opt-out for Californians. A consent management platform (CMP) that handles both frameworks simplifies this significantly.

CCPA Compliance for Publishers

Meeting CCPA requirements involves several practical steps. Here is what publishers need to have in place.

1. Determine Whether CCPA Applies to You

Review the applicability thresholds: $25 million in annual revenue, 100,000+ California consumers’ data processed, or 50%+ of revenue from selling/sharing personal information. If you meet any one of these, you must comply.

Even if you are below the thresholds, keep in mind that other US state privacy laws (such as those in Virginia, Colorado, Connecticut, and others) may still apply, and many follow a similar opt-out model.

2. Provide the Required Opt-Out Links

If you sell or share personal information – and programmatic advertising generally qualifies as “sharing” under the CPRA definition – you must display a “Do Not Sell or Share My Personal Information” link on your website. This link must be clearly visible and functional.

You must also honor the Global Privacy Control (GPC) signal. GPC is a browser-level setting that automatically communicates a consumer’s opt-out preference. Under CCPA regulations, businesses must treat a GPC signal as a valid opt-out request.
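As an added example (not code from this article or from Clickio), here is how a publisher's server can treat the GPC signal as a valid opt-out alongside an explicit "Do Not Sell or Share" choice, and gate cross-context ad tags accordingly. The `Sec-GPC` header and its value `1` come from the GPC specification; the cookie name `usp_optout` and the lowercased header map (as Node.js provides) are assumptions of this example.

```javascript
// Added example (not from the article or Clickio): deciding the CCPA
// "Do Not Sell or Share" state for an incoming request from two inputs:
// an explicit consumer choice stored in a cookie, and the browser's
// Global Privacy Control (GPC) signal. The GPC request header name
// (Sec-GPC) and its only defined value ("1") come from the GPC spec.
// Assumptions: header names are lowercased as Node.js does, and the
// cookie name "usp_optout" is invented for this example.

const GPC_HEADER = "sec-gpc";
const OPT_OUT_COOKIE = "usp_optout";

// Parse a Cookie request header into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Only the exact value "1" is an opt-out signal; an absent header,
// "0", or any other value is treated as no signal.
function gpcSignalled(headers) {
  const value = headers[GPC_HEADER];
  return typeof value === "string" && value.trim() === "1";
}

// Returns { optedOut, reason }. An explicit choice is checked first;
// otherwise a GPC signal alone is a valid opt-out request under CCPA.
function resolveOptOut(headers) {
  const cookies = parseCookies(headers["cookie"]);
  if (cookies[OPT_OUT_COOKIE] === "1") return { optedOut: true, reason: "explicit" };
  if (gpcSignalled(headers)) return { optedOut: true, reason: "gpc" };
  return { optedOut: false, reason: "none" };
}

// Gate ad-tech tags: tags that transfer data for cross-context behavioral
// advertising are "sharing" under CPRA and are dropped when opted out;
// contextual (non-personalized) tags are unaffected.
function allowedTags(headers, tags) {
  const { optedOut } = resolveOptOut(headers);
  return tags.filter((t) => !(optedOut && t.crossContext));
}

// Constructed sample request: GPC-enabled browser, no explicit choice.
const sampleHeaders = { "sec-gpc": "1", cookie: "theme=dark" };
console.log(resolveOptOut(sampleHeaders)); // { optedOut: true, reason: 'gpc' }
```

The same decision should also drive the client-side CMP so that the "Do Not Sell or Share" link, the stored choice, and the GPC signal never disagree about which vendors may receive data.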

3. Update Your Privacy Policy

CCPA requires specific disclosures in your privacy policy, including:

  • The categories of personal information collected in the past 12 months
  • The purposes for which each category is collected and used
  • The categories of third parties with whom personal information is shared
  • Whether personal information is sold or shared, and the categories involved
  • The consumer rights available under CCPA and how to exercise them
  • The retention period for each category of personal information (added by CPRA)

The privacy policy must be updated at least once every 12 months.

4. Handle Consumer Requests

You must provide at least two methods for consumers to submit requests (for example, a toll-free phone number and a web form). Requests must be responded to within 45 days, with the option to extend by another 45 days for complex cases.

You also need a process to verify the identity of consumers making requests, to prevent unauthorized access to personal information.

5. Implement a Consent Management Platform

For publishers running programmatic advertising, a consent management platform is essential for CCPA compliance. A CMP handles the opt-out mechanism, processes GPC signals, manages the “Do Not Sell or Share” functionality, and ensures that your ad tech vendors respect consumer choices.

Clickio Consent supports US privacy laws through the IAB’s Global Privacy Platform (GPP) National framework. It provides built-in support for targeted advertising opt-outs, GPC signal recognition, sensitive data processing opt-outs, and children’s data protections. You can configure it to cover only states that legally require opt-out mechanisms, or to apply nationwide for broader compliance.

6. Review Service Provider and Contractor Agreements

CCPA/CPRA requires specific contractual provisions with any service providers, contractors, or third parties that process personal information on your behalf. These contracts must restrict how the recipient can use the data and require them to comply with CCPA obligations.

CCPA Penalties and Enforcement

CCPA enforcement is handled by two bodies: the California Attorney General and the California Privacy Protection Agency (CPPA).

Penalties for non-compliance include:

  • Up to $2,500 per unintentional violation
  • Up to $7,500 per intentional violation
  • Up to $7,500 per violation involving minors’ data (under CPRA, no cure period for these violations)

These penalties are assessed per violation, per consumer – meaning that a systematic failure affecting thousands of California consumers can result in substantial fines. The CPRA also removed the 30-day cure period that the original CCPA provided, though the CPPA may still grant one at its discretion.

Additionally, CCPA includes a private right of action for data breaches. If a business fails to implement reasonable security measures and a data breach exposes consumers’ personal information, affected consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages – whichever is greater.

CCPA and the Broader US Privacy Landscape

CCPA was the first comprehensive state privacy law in the US, but it is no longer the only one. Since 2021, a growing number of states have enacted their own consumer privacy laws, many of which follow a similar opt-out model.

States with comprehensive privacy laws now in effect include Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others. While the details vary, most share common elements with CCPA: consumer rights to access, delete, and opt out of data sales or targeted advertising.

For publishers, this patchwork of state laws reinforces the importance of having a consent management solution that supports multiple jurisdictions. Rather than building separate compliance mechanisms for each state, a CMP that covers the full range of US state privacy laws provides a practical, scalable approach.

Frequently Asked Questions About CCPA

Does CCPA apply to non-profit organizations?

No. CCPA applies only to for-profit businesses that meet the applicability thresholds. Non-profit organizations and government agencies are generally exempt, though for-profit subsidiaries of non-profits are covered.

Does programmatic advertising count as “selling” or “sharing” data?

Under the CPRA definition, transferring personal information for cross-context behavioral advertising qualifies as “sharing” – even if no money changes hands. This means that real-time bidding and most forms of programmatic advertising involve “sharing” under CCPA/CPRA, triggering the opt-out requirements.

What is the Global Privacy Control (GPC) and do I need to support it?

The Global Privacy Control is a browser-based signal that communicates a user’s opt-out preference. Under CCPA regulations, businesses must treat a GPC signal as a legally binding opt-out request. Supporting GPC is not optional for businesses covered by CCPA.

How is CCPA different from CPRA?

CPRA is not a separate law – it is an amendment to CCPA that took effect on January 1, 2023. CPRA expanded CCPA by adding new consumer rights (correction, limiting sensitive data use), creating the CPPA enforcement agency, introducing data minimization requirements, and broadening the definition of regulated data activities to include “sharing.” When people refer to “CCPA,” they generally mean the law as amended by CPRA.

Can I comply with both CCPA and GDPR at the same time?

Yes, but you need to apply different mechanisms based on the visitor’s location. European visitors require opt-in consent (GDPR), while California visitors need an opt-out mechanism (CCPA). A consent management platform that supports both the GDPR consent framework and US state privacy laws can handle this automatically, showing the appropriate interface based on the visitor’s jurisdiction.

Conclusion

The California Consumer Privacy Act – as strengthened by the CPRA – has established the benchmark for consumer privacy in the United States. For publishers, the key requirements are clear: provide opt-out mechanisms for the sale and sharing of personal data, honor GPC signals, maintain transparent privacy policies, and handle consumer requests promptly.

With more states following California’s lead, investing in a robust privacy compliance setup now will pay off as the regulatory landscape continues to expand. A consent management platform that supports both GDPR and US state privacy laws lets you handle compliance across jurisdictions from a single solution – saving time and reducing the risk of violations.

Clickio Consent provides comprehensive US privacy law support through the IAB GPP framework, including CCPA opt-out management, GPC signal processing, and coverage for 20+ state privacy laws – alongside full GDPR and TCF v2.3 compliance for your European audience.
