Five things every business should know.
Threshold-based applicability
$25M+ annual revenue OR 100K+ CA consumer records OR 50%+ revenue from selling CA data. If any → CCPA applies.
5 consumer rights
Right to Know, Delete, Correct (CPRA), Opt-out of Sale/Share, Non-Discrimination. Each with its own response workflow.
Fines up to $7,500
Per intentional violation. CPRA created California Privacy Protection Agency (CPPA) for enforcement.
"Do Not Sell" link
Required prominent homepage link letting users opt out. Global Privacy Control (GPC) signal must be honored.
Vendor contracts
CCPA-required terms with any vendor processing CA consumer data: limit use, allow audit, return/delete on termination.
Private right of action
Limited (data breaches only) but real. $100-$750 per consumer per incident statutory damages.
One-time, or part of your BOS.
- Threshold checker
- Plain-language result
- Implementation roadmap
- Free resources library
- No credit card
- Privacy attorney review
- Custom privacy notice
- Vendor agreement updates
- Consumer request workflow
- Staff training
- 60 days post-launch support
Common questions.
Where does CCPA apply?
Based on whose data, not where you're located. Process California-resident data + hit thresholds → CCPA applies regardless of business location.
What's the difference between CCPA and CPRA?
CPRA (2023) amended CCPA. Added: right to correct, opt-out of sharing + sensitive data + automated decisions, expanded "sale" definition, created CPPA enforcement agency.
Do small businesses qualify for exemption?
Below the thresholds (revenue + data volume + revenue from CA data), CCPA does NOT apply. But B2B contracts often require CCPA-compliant practices regardless.
How fast must I respond to consumer requests?
45 days from receipt. Extendable to 90 days with notice. Failure to respond is a violation.
Need full implementation help?
Yes → see our CCPA + CPRA Compliance page for full counsel-reviewed implementation program.