Does Your Business Need to Comply with CCPA?
The California Consumer Privacy Act (amended by CPRA effective January 1, 2023) applies to for-profit businesses that collect California residents' personal information AND meet at least one of these thresholds:
- Revenue: $25 million+ in gross annual revenue
- Data volume: Buys, sells, receives, or shares personal information of 100,000+ consumers or households per year
- Revenue from data: Derives 50%+ of annual revenue from selling or sharing consumers' personal information
Threshold 2 is the most commonly overlooked. An e-commerce company with 100,000+ website visitors whose data is shared with ad platforms can qualify even with under $25M revenue. Source: Cal. Civ. Code §1798.100 et seq., as amended by AB 375 and Prop 24.
The CPRA Compliance Checklist
1. Privacy Notice (Required Before or At Collection)
- Disclose what categories of personal information you collect
- Disclose the purposes for which each category is used
- Disclose whether each category is sold or shared with third parties
- Disclose the retention period for each category (new under CPRA)
- Include a link to your full privacy policy from every page where data is collected
2. Consumer Rights You Must Honor
- Right to Know: Respond to requests for data disclosure within 45 days (15-day extension available)
- Right to Delete: Delete personal information upon verified request (with exceptions: security, legal obligations, completing a transaction)
- Right to Correct: Correct inaccurate personal information (new under CPRA)
- Right to Opt-Out: Honor opt-out requests from sale or sharing of personal information. Add a “Do Not Sell or Share My Personal Information” link to your homepage.
- Right to Limit Sensitive PI: Limit use of sensitive personal information (SSN, financial data, health data, biometrics) to what's necessary for the service (new under CPRA)
- Right to Non-Discrimination: Do not deny service or charge different prices to consumers who exercise their CCPA rights
3. Data Inventory (Foundational)
Document what personal information you collect, where it comes from, how it's used, who it's shared with, and how long it's retained. Without this, you cannot accurately respond to consumer requests or write an accurate privacy notice. A basic data inventory spreadsheet tracking 8–12 data categories is sufficient for most small businesses.
4. Vendor Contracts
Every third-party vendor that processes California consumers' personal information on your behalf must have a written contract that limits their use of the data to the specified service purpose. This includes your email platform, CRM, analytics provider, ad networks, and payment processor. Update contracts accordingly or ensure vendors have standard DPA (Data Processing Addendum) terms available.
5. Request Intake Process
Designate a method for consumers to submit data rights requests: a webform, a dedicated email address, or a toll-free number (required for businesses that operate primarily online). Establish a process for verifying the requester's identity before responding. Respond within 45 days, with one 45-day extension available upon notice to the consumer.
6. Annual Cybersecurity Audit (New Under CPRA)
Businesses that process personal information presenting “significant risk” must conduct annual cybersecurity audits and risk assessments and submit results to the California Privacy Protection Agency (CPPA). Rules for exactly which businesses qualify are still being finalized by CPPA rulemaking.
Penalties for Non-Compliance
- Unintentional violations: $2,500 per violation (enforced by California AG)
- Intentional violations: $7,500 per violation
- Data breach private right of action: $100–$750 per consumer per incident, or actual damages if higher
The CA AG's first CCPA enforcement action (Sephora, 2022) resulted in a $1.2M settlement and a mandatory compliance overhaul. The CPPA gained independent enforcement authority in 2023. Sources: Cal. Civ. Code §1798.150, CA AG CCPA enforcement guide, CPPA final regulations (2023).
When to Get Legal Help
If your business meets the thresholds, a one-time privacy attorney review of your privacy policy and data practices costs $1,500–$5,000 and can prevent seven-figure exposure. Annual compliance maintenance: $500–$2,000 via a privacy-specialized attorney or platform like OneTrust, TrustArc, or Osano.