CCPA Compliance for U.S. Online Businesses

NoBossly Legal & Compliance Library · 5 min read · Updated June 2026

Quick answer: CCPA (amended by CPRA) applies to for-profit businesses meeting thresholds: $25M+ revenue, data on 100,000+ California consumers, or 50%+ revenue from selling data. Even if exempt today, its disclosure and opt-out patterns are becoming the US baseline.

California has a track record of enacting consumer protection laws that eventually become the de facto national standard. The California Consumer Privacy Act — CCPA — is following that trajectory. Originally passed in 2018, amended and strengthened by the California Privacy Rights Act (CPRA) in 2020, and with enforcement fully underway by the California Privacy Protection Agency (CPPA), CCPA is the most significant U.S. consumer privacy law in existence, and it reaches far beyond California's borders.

If your business operates online, has any California customers, and hits certain thresholds, you're likely subject to CCPA. Here's what that means in practice.

Does CCPA Apply to Your Business?

CCPA applies to for-profit businesses that do business in California (which includes selling online to California residents) and meet at least one of the following thresholds as of 2025:

1. Annual gross revenues exceeding $25 million
2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households
3. Derives 50% or more of annual revenues from selling or sharing consumers' personal information

If none of these apply to you, you're not technically required to comply with CCPA — though voluntary compliance is increasingly expected and builds consumer trust.

That said, if your business grows, or if you use advertising platforms (Google Ads, Meta) that aggregate data from your site and sell or share it, the second threshold may be closer than you think. Pixels and third-party tracking tools effectively make your website a data-sharing participant.

Key Consumer Rights Under CCPA/CPRA

CCPA grants California residents a set of rights over their personal information. Understanding these is the foundation of compliance.

Right to know. Consumers can request what personal information a business has collected about them, the categories of sources, the purposes for collection, the categories of third parties the information was shared with, and the specific pieces of personal information collected.

Right to delete. Consumers can request deletion of their personal information. There are exceptions — you can retain data you need to complete a transaction, detect security incidents, comply with legal obligations, or use for other specifically permitted purposes.

Right to correct. The CPRA added the right to correct inaccurate personal information.

Right to opt out of sale or sharing. Consumers can opt out of the sale or sharing of their personal information. "Sharing" under CPRA includes sharing for cross-context behavioral advertising — even if no money changes hands. This is a critical point: if your site uses Facebook Pixel or Google Ads tags, you may be "sharing" personal data for advertising purposes, which triggers the opt-out requirement.

Right to limit use of sensitive personal information. CPRA created a new category — sensitive personal information (which includes Social Security numbers, financial account information, health data, precise geolocation, racial or ethnic origin, and more) — and gives consumers the right to limit how businesses use it.

Right to non-discrimination. Businesses cannot discriminate against consumers for exercising their CCPA rights — denying service, charging higher prices, or providing degraded service quality.

What Compliance Looks Like in Practice

Update your privacy policy. Your privacy policy must disclose, at a minimum: categories of personal information collected in the past 12 months, purposes for collection, categories of third parties the data is shared with (and whether it's sold or shared for advertising), consumer rights under CCPA and how to exercise them, contact information for submitting requests, and a "Do Not Sell or Share My Personal Information" link if you sell or share data. The privacy policy must be updated at least once every 12 months.

Add a "Do Not Sell or Share My Personal Information" link. If your business sells or shares personal information (including through advertising pixels), this link must be conspicuous — in the footer of every page. Clicking it should allow users to opt out of all data sale and sharing, and that opt-out must actually work technically. That means your cookie management platform needs to suppress advertising tags for users who opt out.

Honor opt-out signals. This is significant: as of 2023, businesses must honor Global Privacy Control (GPC) signals — browser-level privacy settings that automatically send opt-out signals. If a user has GPC enabled in their browser, your site must recognize that signal and treat it as an opt-out from data sale/sharing, without requiring the user to manually click anything. This requires integration at the cookie/consent management level.
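The two mechanisms above (the footer opt-out link and the GPC signal) end up at the same decision point: should the advertising tags on this page load or not? The following is an added example, not code from the NoBossly article or from any consent platform. It assumes the two surfaces defined by the GPC specification, the `Sec-GPC: 1` request header and the browser's `navigator.globalPrivacyControl` flag, neither of which the article names; the tag catalogue, the stored-choice values and the consent record format are constructed for illustration. The key property it demonstrates is that a GPC signal suppresses sharing tags even when a previously stored choice says "allow", because the article requires GPC to be honored without any user click.

```javascript
// Added example (not from the NoBossly article): gating advertising/"sharing"
// tags on the visitor's opt-out status, combining the explicit footer-link
// choice with the Global Privacy Control signal.
// Assumed from the GPC spec: the `Sec-GPC: 1` request header (server side) and
// `navigator.globalPrivacyControl === true` (browser side).
// Tag ids, stored-choice values and the record format are constructed.

// Server side: read the GPC signal from incoming request headers.
// Header names are case-insensitive; only the exact value "1" means opted out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser side: read the signal from a navigator-like object. In a page, pass
// the real `navigator`; a plain object is used here so the code runs under Node.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Opt-out decision. Any one of: GPC header, GPC navigator flag, or a stored
// explicit "opt-out" choice means sharing is off. A stored "allow" does NOT
// override GPC: the signal must be honored without the user clicking anything.
function isOptedOut({ gpcHeader = false, gpcNavigator = false, storedChoice = null } = {}) {
  return gpcHeader || gpcNavigator || storedChoice === 'opt-out';
}

// Constructed tag catalogue. Tags marked `sharing: true` send data for
// cross-context behavioral advertising and must be suppressed on opt-out;
// first-party analytics that shares nothing may still load.
const TAG_CATALOG = [
  { id: 'analytics-first-party', sharing: false },
  { id: 'ad-pixel-a', sharing: true },
  { id: 'ad-pixel-b', sharing: true },
];

// Return the ids of tags that may load for this visitor.
function tagsToLoad(optedOut, catalog = TAG_CATALOG) {
  return catalog.filter(t => !(optedOut && t.sharing)).map(t => t.id);
}

// Build the consent record to persist when a visitor clicks the footer link or
// a GPC signal is recognised, so the decision survives page loads and the
// record shows why sharing was suppressed. Explicit link choice is recorded as
// the source when present; otherwise the GPC signal; otherwise none.
function consentRecord({ gpcHeader, gpcNavigator, storedChoice, now = new Date() }) {
  const optedOut = isOptedOut({ gpcHeader, gpcNavigator, storedChoice });
  let source = 'none';
  if (storedChoice === 'opt-out') source = 'link';
  else if (gpcHeader || gpcNavigator) source = 'gpc';
  return { optedOut, source, recordedAt: now.toISOString() };
}

// Stand-alone demonstration: a request carrying Sec-GPC from a visitor whose
// stored choice still says "allow" gets only the non-sharing tag.
const demoHeaders = { Host: 'shop.example', 'Sec-GPC': '1' }; // constructed
const demoOptedOut = isOptedOut({ gpcHeader: gpcFromHeaders(demoHeaders), storedChoice: 'allow' });
console.log('opted out:', demoOptedOut, 'tags:', tagsToLoad(demoOptedOut));
```

In a real deployment the server-side check runs before the page is rendered so that sharing tags are never emitted for GPC visitors, and the browser-side check covers cached pages and single-page navigations; both paths should write the same consent record so support staff can explain to a consumer why their data was or was not shared.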

Establish a consumer request process. Build a mechanism for consumers to submit requests — access, deletion, correction, and opt-out requests. Options include a dedicated email address, a web form, or a toll-free phone number (required for businesses that collect phone numbers from California residents). You must respond to verifiable requests within 45 days, with a possible extension to 90 days. Verification matters: you need to confirm the person making the request is who they say they are. For deletion and access requests, use a reasonable verification process — sending a confirmation email to the address on file is a standard approach.

Service provider agreements. CCPA uses the term "service provider" for companies that process data on your behalf (similar to GDPR's "data processor"). You need contracts with your service providers that include specific CCPA-required provisions: they may only use the data for the purposes outlined in the contract, they can't sell or share the data, and they must delete it when the relationship ends. Major platforms — your email service provider, payment processor, cloud host — typically have pre-drafted service provider terms available. Review and accept them.

CCPA vs. GDPR: The Key Differences

If you're also navigating GDPR, it helps to understand how these two frameworks differ:

| Aspect | CCPA/CPRA | GDPR |
|---|---|---|
| Scope | California residents; for-profit businesses meeting thresholds | Any business processing EU resident data |
| Legal basis required? | No — opt-out model | Yes — must have lawful basis |
| Default setting | Collection/sharing is allowed; consumers opt out | Consent or other basis required before processing |
| Right to object | Opt out of sale/sharing | Broader right to object to any processing |
| Sensitive data | Specific category, right to limit | Requires explicit consent or specific exceptions |

CCPA is generally an opt-out framework (users have to take action to stop data sharing), while GDPR is more opt-in (you need a lawful basis before you process). If you're complying with GDPR, much of the groundwork transfers.

Enforcement and Penalties

The California Privacy Protection Agency has enforcement authority and can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. Violations involving children's data are automatically treated as intentional. Additionally, CCPA includes a private right of action for data breaches — consumers can sue for $100–$750 per consumer per incident.

Enforcement has been growing. The CPPA has made clear that it views CCPA enforcement as a priority, and 2024–2025 has seen increased enforcement activity. Businesses that don't comply should treat enforcement as a matter of "when," not "if."

Practical Compliance Checklist for Small Businesses

1. Determine if you meet CCPA's applicability thresholds
2. Map all personal information you collect, process, and share
3. Update your privacy policy to include all required disclosures
4. Implement a "Do Not Sell or Share My Personal Information" link if applicable
5. Configure your cookie/consent platform to honor GPC signals
6. Create a consumer request process (email, form, or phone)
7. Review service provider contracts for CCPA-compliant terms
8. Train anyone who handles consumer data requests

Conclusion: Get Ahead of the Regulation Curve

CCPA is the tip of the spear. Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and a growing list of states have enacted their own comprehensive privacy laws with similar (though not identical) frameworks. Compliance with CCPA builds the foundation for a nationally consistent privacy program. The businesses that get ahead of this now will spend far less time — and money — catching up later.

Download NoBossly's CCPA compliance workbook and build your privacy program step by step.

Where to go from here

Most small sites are under CCPA thresholds but not GDPR's, which has none. Either way, your privacy policy must describe real practices, and cookie consent needs a deliberate answer rather than a copied banner.


This guide is general information, not legal or tax advice. Rules change and vary by state — confirm specifics with a qualified professional for your situation.