California's privacy law runs on a single statute. The CCPA created it in 2018 and the CPRA amended it in 2020, so the live rules today are the CCPA as amended by the CPRA, enforced by the California Privacy Protection Agency. If your for-profit business handles California consumers' personal information and clears one of three thresholds (over 25 million dollars in revenue, the data of 100,000 or more consumers or households, or half your revenue from selling or sharing personal information), the law applies. It gives consumers the right to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information. Most of the trouble starts when a team treats it like the GDPR, because the two laws are built differently.
Most teams meet California privacy law twice. The first time is a vendor questionnaire or a customer's data-processing addendum that asks whether you honor opt-out signals. The second time is when someone realizes the answer was guessed at. California built the first comprehensive consumer privacy regime in the United States, gave it its own enforcement agency, and wired in rights that touch nearly every customer-facing system a company runs.
This guide is a practitioner's walk through the live framework: who the law covers, the rights it grants, the sale-versus-share distinction that confuses everyone, how service providers differ from contractors and third parties, what the notice at collection has to say, who enforces it, and where California diverges from the GDPR. Privacy law moves, and the regulations get amended. Treat this as the working map and verify the current statutory and regulatory text against the source before you rely on a specific figure.
One law, two names
The naming trips people up, so start here. The California Consumer Privacy Act (CCPA) took effect in 2020. In 2020 voters passed Proposition 24, the California Privacy Rights Act (CPRA), which did not replace the CCPA. It amended and expanded it, with most provisions operative from January 2023. When a practitioner says CCPA today, they almost always mean the CCPA as amended by the CPRA. The CPRA is the upgrade that added the right to correct, the sensitive-personal-information category, the share concept for cross-context advertising, and a dedicated regulator.
Who has to comply
The law reaches a business: a for-profit entity that does business in California, determines the purposes and means of processing consumers' personal information, and meets at least one of three thresholds. Nonprofits and government agencies generally fall outside the definition. Clearing any one threshold is enough.
| Threshold | What it means |
|---|---|
| Revenue | Annual gross revenue over 25 million dollars in the prior calendar year. The statute directs the Agency to adjust this figure for inflation, so check the current number. Size alone can pull a business in, regardless of how much data it handles. |
| Volume | Buys, sells, or shares the personal information of 100,000 or more California consumers or households in a year. Note that the threshold counts consumers and households, not just paying customers. |
| Data revenue | Derives 50 percent or more of annual revenue from selling or sharing consumers' personal information. A data-driven business can fall under the law well below the revenue and volume marks. |
A consumer is a natural person who is a California resident. The law also reaches the employees and job applicants of covered businesses and the personnel of business-to-business contacts: the original CCPA exempted that data, the CPRA extended the exemption only through the end of 2022, and it lapsed on January 1, 2023. If your customer base is national, assume some of them are Californians and that the law applies to that slice.
The consumer rights
The rights are the part customers see and the part a regulator will test against your actual systems. There are six.
| Right | What the consumer can do |
|---|---|
| Know | Request the categories and specific pieces of personal information a business has collected, the sources, the purposes, and the categories of parties it was disclosed to. |
| Delete | Request deletion of personal information the business collected from them, subject to statutory exceptions such as completing a transaction or complying with a legal obligation. |
| Correct | Request correction of inaccurate personal information. Added by the CPRA. |
| Opt out of sale or sharing | Direct a business to stop selling or sharing their personal information. This is the right behind the Do Not Sell or Share My Personal Information link. |
| Limit use of sensitive personal information | Direct a business to limit its use and disclosure of sensitive personal information to what is necessary to provide the requested service. Added by the CPRA. |
| No retaliation | The right not to face discrimination or be denied service, charged a different price, or given a lower quality of service for exercising any privacy right. |
The deadlines matter as much as the rights. A business generally has to confirm receipt of a request within 10 business days and respond within 45 calendar days of receipt, with one 45-day extension available when reasonably necessary, for a maximum of 90 days. Requests to know, delete, and correct require verifying the consumer's identity. The opt-out of sale or sharing and the limit-sensitive-information requests do not require verification, because the law does not want a verification step to become a barrier to opting out; the regulations instead require the business to act on an opt-out within 15 business days.
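A request queue needs these clocks computed consistently, and the business-day clock is the one teams get wrong. The following is an added example, not code from the original page, that derives the acknowledgment, response, and opt-out deadlines from the date a request was received. It assumes the day of receipt is day zero, that business days exclude Saturdays and Sundays, and that any observed holidays are passed in as a caller-supplied list (the holiday dates used below are constructed for illustration, not a statutory calendar).

```javascript
// Added example (not from the original page): CCPA request deadline
// calculator. Dates are handled as "YYYY-MM-DD" strings in UTC so that
// day arithmetic is not disturbed by local DST transitions.

function parseISODate(iso) {
  const [y, m, d] = iso.split('-').map(Number);
  return new Date(Date.UTC(y, m - 1, d));
}

function toISODate(date) {
  return date.toISOString().slice(0, 10);
}

// 45- and 90-day clocks run on calendar days from receipt.
function addCalendarDays(iso, n) {
  const d = parseISODate(iso);
  d.setUTCDate(d.getUTCDate() + n);
  return toISODate(d);
}

// 10- and 15-day clocks run on business days. Assumption: weekends are
// skipped and any date in `holidays` is skipped as well; the day of receipt
// itself is not counted.
function addBusinessDays(iso, n, holidays = []) {
  const skip = new Set(holidays);
  const d = parseISODate(iso);
  let remaining = n;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow === 0 || dow === 6 || skip.has(toISODate(d))) continue;
    remaining -= 1;
  }
  return toISODate(d);
}

// type: 'know' | 'delete' | 'correct' | 'opt-out' | 'limit'
// extended: whether the one permitted 45-day extension has been invoked
function requestDeadlines(receivedISO, type, { extended = false, holidays = [] } = {}) {
  if (type === 'opt-out' || type === 'limit') {
    // No identity verification; the regulations give 15 business days to act.
    return {
      type,
      verificationRequired: false,
      actBy: addBusinessDays(receivedISO, 15, holidays),
    };
  }
  return {
    type,
    verificationRequired: true,
    acknowledgeBy: addBusinessDays(receivedISO, 10, holidays),
    respondBy: addCalendarDays(receivedISO, extended ? 90 : 45),
    extended,
  };
}

// Constructed sample: a deletion request received on Monday 2026-03-02,
// with a hypothetical company holiday on 2026-03-16.
console.log(requestDeadlines('2026-03-02', 'delete', { holidays: ['2026-03-16'] }));
console.log(requestDeadlines('2026-03-02', 'opt-out'));
```

The extension is modelled as a flag rather than a second call so that the 90-day ceiling cannot be exceeded by extending twice; the caller's record of the request should note when the extension was invoked and why it was reasonably necessary.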
Sale versus share
This is the distinction that produces the most wrong answers. The CCPA defined a sale broadly: disclosing personal information to a third party for monetary or other valuable consideration. The word valuable does a lot of work. A disclosure can be a sale even when no money moves, if the business gets something of value in return. The CPRA then added share: disclosing personal information to a third party for cross-context behavioral advertising, whether or not consideration changes hands.
Share exists because of advertising technology. A business that drops a third-party advertising pixel and lets a partner use the data to target ads across other sites may not be selling in the old monetary sense, but it is sharing. Both sale and share trigger the consumer's opt-out right, which is why the required link reads Do Not Sell or Share My Personal Information. A business that handles either has to provide that link, honor opt-out requests, and recognize the Global Privacy Control, an opt-out preference signal a browser sends on the consumer's behalf.
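Honoring the Global Privacy Control is a request-handling problem, not a policy problem. Under the GPC specification a browser with the setting enabled sends the request header Sec-GPC with the value 1 and exposes navigator.globalPrivacyControl to page scripts; the regulations treat the signal as a valid opt-out for that browser or device, and for the consumer if the business can link the two. The following is an added example, not code from the original page, showing server-side detection of the header, how it combines with a stored preference, and how it gates third-party tags. The tag catalogue, the stored-preference values, and the request headers are constructed for illustration.

```javascript
// Added example (not from the original page): honoring the Global Privacy
// Control signal on the server. The GPC spec defines "Sec-GPC: 1"; any
// other value, or no header, means the signal is not set.

// Constructed tag catalogue standing in for a real tag manager. The roles
// mirror the CCPA roles: a service-provider tag is a contracted processor,
// a third-party tag is a cross-context advertising partner.
const TAG_CATALOG = [
  { id: 'first-party-analytics', role: 'service-provider' },
  { id: 'payment-processor', role: 'service-provider' },
  { id: 'ad-network-pixel', role: 'third-party' },
  { id: 'social-retargeting-pixel', role: 'third-party' },
];

// True only when the request carries Sec-GPC with the exact value "1".
// Header names are case-insensitive, so normalise before comparing.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const raw = Array.isArray(value) ? value[0] : value;
    return String(raw).trim() === '1';
  }
  return false;
}

// Merge the browser signal with a stored preference for this consumer or
// device. storedPreference is a hypothetical value: 'opt-out' or 'none'.
// The signal is an opt-out in its own right, so it overrides a stored
// 'none'; `persist` tells the caller to record the opt-out for a known
// consumer so it survives sessions that do not carry the header.
function resolveOptOut(headers, storedPreference = 'none') {
  const signal = gpcSignalPresent(headers);
  const optedOut = signal || storedPreference === 'opt-out';
  return {
    optedOut,
    source: signal ? 'gpc' : optedOut ? 'stored' : 'none',
    persist: signal && storedPreference !== 'opt-out',
  };
}

// Decide which tags the page may load. Service-provider tags are not a
// sale or share and keep loading; third-party tags are suppressed when the
// consumer is opted out, so no cross-context advertising disclosure occurs.
function tagsToLoad(optedOut, catalog = TAG_CATALOG) {
  return catalog
    .filter((tag) => !(optedOut && tag.role === 'third-party'))
    .map((tag) => tag.id);
}

// Constructed request: a browser with GPC enabled and no stored preference.
const decision = resolveOptOut({ 'sec-gpc': '1', 'user-agent': 'example' });
console.log(decision, tagsToLoad(decision.optedOut));
```

The same gate belongs in the page as well: a script that checks navigator.globalPrivacyControl before injecting third-party tags covers the case where a cached or CDN-served page never reaches the origin that inspects the header.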
Service providers, contractors, and third parties
How you label the parties you hand data to decides whether a disclosure counts as a sale or a share. The law draws three roles, and the contract terms are what separate them.
| Role | What it is | Why it matters |
|---|---|---|
| Service provider | A party that processes personal information on the business's behalf under a written contract that restricts use to the specified business purpose. | A transfer to a properly contracted service provider is generally not a sale or a share. |
| Contractor | A party the business makes personal information available to for a business purpose, also bound by the required contract terms and certifications. | Functionally close to a service provider for compliance purposes. The contract carries the same restrictions. |
| Third party | A party that is neither the business nor a service provider or contractor bound by the required terms. | Disclosure to a third party for value or for cross-context advertising is a sale or a share, with all the opt-out obligations that follow. |
The contract is the control here. The same vendor can be a service provider or a third party depending entirely on the terms you signed. A disclosure you assumed was a routine processing handoff becomes a regulated sale the moment the contract does not contain the required restrictions on the vendor's use of the data. Read the data terms before you assume a vendor is safely a service provider.
Notice at collection
The law requires transparency at the moment of collection, not buried in a policy a consumer never opens. At or before the point a business collects personal information, it has to give a notice at collection that states the categories of personal information collected, the purposes for which they will be used, whether the information is sold or shared, and how long each category is retained. If the business collects sensitive personal information, the notice covers that category and its purposes too.
The notice at collection works alongside a fuller privacy policy that describes the consumer rights and how to exercise them. A business that sells or shares personal information, or collects sensitive personal information for non-exempt uses, also has to post the opt-out and limit links so a consumer can act without hunting for them.
The CPPA and enforcement
The CPRA created the California Privacy Protection Agency (CPPA), the first standalone privacy regulator in the United States. It holds rulemaking authority over California privacy regulations and the power to investigate and bring administrative enforcement actions. The California Attorney General keeps concurrent enforcement authority, so a business answers to two enforcers, not one.
The CPRA also changed the stakes by removing the automatic 30-day right to cure that the original CCPA gave businesses before an enforcement action. A business can no longer assume it will get a grace period to fix a violation once it is found. The law carries civil penalties per violation, with a higher tier for intentional violations and for violations involving the personal information of minors. Separately, the CCPA gives consumers a private right of action for certain data breaches that result from a failure to maintain reasonable security, which is a distinct exposure from the regulators' general enforcement authority.
Automated decision-making, risk assessments, and cybersecurity audits
In 2025 the CPPA finalized a package of regulations the CCPA's earlier text had authorized. The Agency's board adopted them on July 24, 2025; the Office of Administrative Law approved them and filed them with the Secretary of State on September 22, 2025; they took effect on January 1, 2026. The package covers automated decision-making technology (ADMT), risk assessments, and annual cybersecurity audits.
The obligations phase in rather than landing at once. A business that uses ADMT to make a significant decision about a consumer has to meet the ADMT requirements by January 1, 2027: a pre-use notice, a right to opt out, and a right to access information about how the decision was made. Risk assessments conducted in 2026 and 2027 are due to the Agency by April 1, 2028, and the annual cybersecurity audit certifications phase in by business size, with the largest businesses certifying first on April 1, 2028. The final ADMT scope is narrower than the early drafts: it reaches technology that replaces or substantially replaces human decision-making, and it dropped the broad references to artificial intelligence the proposed version carried.
If your CCPA program treats automated decisioning as out of scope, that is the gap to close while the compliance date is still ahead of you.
How California differs from the GDPR
Teams that built a GDPR program often assume they can map it onto California one to one. The instinct is reasonable, and it breaks down on the mechanics. The two regimes share a goal and run on different machinery.
| Dimension | CCPA / CPRA (California) | GDPR (EU) |
|---|---|---|
| Who it covers | For-profit businesses meeting one of three thresholds. | Any controller or processor handling the data of individuals in the EU, with no revenue or volume threshold. |
| Default posture | Opt-out. A business can process and sell or share until the consumer says stop. | Often opt-in. Many activities need a lawful basis, and consent must be affirmative. |
| Lawful basis | No general lawful-basis requirement to process. Transparency and the opt-out carry the load. | Processing requires one of six lawful bases under Article 6. |
| Sensitive data | Consumer can direct a business to limit use of sensitive personal information. | Special-category data is generally prohibited unless a specific Article 9 condition applies. |
| Data portability | Delivered through the right to know in a portable format. | A standalone right to receive data in a structured, machine-readable form. |
| Regulator | The CPPA plus the California Attorney General. | National supervisory authorities, coordinated under the EDPB. |
The cleanest way to hold the difference: the GDPR asks why you are allowed to process at all and makes you justify it up front. California assumes you can process and gives the consumer levers to stop sale, stop sharing, limit sensitive use, and demand, delete, or correct what you hold. A GDPR program gives you a strong foundation here, but it still leaves real California-specific work to finish.
A readiness checklist
Run this before you tell a customer or a regulator that you are compliant.
- You have confirmed whether the law applies by testing the business against all three thresholds.
- You maintain a data inventory that maps what personal information you collect, the sources, the purposes, retention, and who it goes to.
- You have classified sensitive personal information separately and documented why each use is necessary.
- A notice at collection appears at or before the point of collection, with categories, purposes, retention, and sale or share status.
- Your privacy policy describes all six rights and how to exercise them.
- If you sell or share, the Do Not Sell or Share My Personal Information link is posted and the Global Privacy Control signal is honored.
- You have a verifiable consumer request workflow that meets the 10-day acknowledgment and 45-day response timing.
- Opt-out and limit requests are processed without an identity-verification barrier and acted on within 15 business days.
- Every vendor that touches personal information is bound by the service provider or contractor terms the law requires, so the handoff is not an accidental sale.
- Records of requests and responses are retained as evidence the program operates, not just exists.
California privacy law is its own regime, with its own enforcer, its own thresholds, and a sale-and-share concept that reaches activity a company never thought of as selling data. The businesses that get it wrong tend to be the ones that assumed it would feel familiar from their GDPR work. The ones that get it right start by mapping what they hold and reading the contracts that move it. For the working definitions behind every term here, see the CCPA / CPRA glossary.