California Privacy Law

California Consumer Privacy Act / California Privacy Rights Act

Effective: January 1, 2020 (Active)

Overview

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive state privacy law in the United States. The CCPA was originally enacted in 2018 and took effect January 1, 2020; the CPRA amendments took effect on January 1, 2023, significantly expanding consumer rights and business obligations. California's law serves as the benchmark against which all other state privacy laws are measured.

The CCPA/CPRA grants California residents extensive rights over their personal information, including the right to know, delete, correct, and port their data, as well as the right to opt out of the sale or sharing of personal information. The law also created the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement agency in the nation. Businesses must honor Global Privacy Control (GPC) signals as valid opt-out requests.

The law applies to for-profit businesses that collect California residents' personal information and meet one of three thresholds: annual gross revenue exceeding $25 million, buying/selling/sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. Penalties can reach $7,500 per intentional violation, and consumers have a private right of action for data breaches involving certain categories of unencrypted personal information.

Applicability Thresholds

Conditions are joined by OR: meeting ANY one triggers applicability.

  • $25M+: Annual gross revenue
  • 100,000+: California consumers' data processed

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action

Key Changes in 2025-2026

  • Delete Act DROP platform launched January 1, 2026 — consumers can now submit one-stop deletion requests to all registered data brokers
  • Data brokers must begin processing DROP deletion requests by August 1, 2026 (check every 45 days)
  • CPPA launched Data Broker Enforcement Strike Force in January 2026, actively fining non-compliant brokers
  • California AG secured record $2.75M CCPA settlement with Disney (February 2026) for opt-out violations
  • Potential CPPA rulemaking on automated decision-making technology (ADMT) and risk assessments
  • Expanded enforcement actions as CPPA fully staffs and exercises its regulatory authority

Enforcement Details

  • Enforced By: California Privacy Protection Agency (CPPA) and California Attorney General
  • Penalty Per Violation: $7,500
  • Cure Period: None — immediate enforcement
  • Private Right of Action: Yes — consumers can sue directly

Sensitive Data Categories

Consent model: opt-in

  • Social Security number and government identifiers
  • Financial account information with credentials
  • Precise geolocation data
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Biometric information for identification

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Businesses must honor Global Privacy Control (GPC) and other opt-out preference signals as valid opt-out requests under the CPRA. The CPPA has issued regulations clarifying technical requirements for recognizing these signals.

Effective: March 29, 2024

Minor / Child Protections

Businesses must obtain opt-in consent before selling or sharing personal information of consumers under 16. For children under 13, a parent or guardian must provide consent. The CPRA tripled penalties for violations involving minors to $7,500 per violation.

Compliance Checklist

  1. Conduct a comprehensive data inventory and mapping exercise to identify all personal information collected, used, and shared
  2. Update privacy notices to include all CPRA-required disclosures, including retention periods and sensitive data categories
  3. Implement mechanisms to honor Global Privacy Control (GPC) signals and other universal opt-out preferences
  4. Establish processes for responding to consumer rights requests within the 45-day statutory deadline
  5. Conduct data protection assessments for high-risk processing activities such as profiling and selling personal information
  6. Review and update service provider and contractor agreements to include CPRA-mandated provisions
  7. Train employees handling consumer inquiries on CCPA/CPRA requirements and response procedures

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.