What is the CCPA?
The California Consumer Privacy Act (CCPA) is the most comprehensive personal data protection law in the United States. The CCPA creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
The CCPA applies to all businesses, regardless of location, that meet the following criteria:
- Has annual revenue of $25 million or more
- Controls or possesses the data of 100,000 or more California residents
- Derives 50% or more of its revenue from the sale of personal data
For organizations that meet the applicability criteria, here is a breakdown of what is required for CCPA compliance:
- Businesses must honor a consumer’s request for the categories and specific elements of their personal information the business has collected. Consumers also have the right to request their personal data be deleted (exemptions apply)
- Businesses must give consumers the ability to opt out of the sale of personal data
- Businesses are prohibited from discriminating against consumers that exercised any of their CCPA rights
- Organizations are required to provide four types of notices: 1. Privacy Policy, 2. Notice at Collection, 3. Notice of Financial Incentive, and 4. a “Just-in-Time” Notice
Personal Data Under the CCPA
Under the CCPA, personal information is any data that identifies, relates to, or could reasonably be linked to you or your household, including:
- Name or nickname
- Email address
- Purchase history
- Browsing history
- Location data
- Employment data
- IP address
- Profiles businesses create about you, including pseudonymous profiles
Sensitive Personal Information Under the CCPA
The CCPA gives consumers the right to limit a business’s use and disclosure of sensitive personal information, which includes:
- Social security or passport number, driver’s license, or state ID
- Financial account credentials
- A consumer’s precise geolocation
- Racial or ethnic origin, citizen or immigration status, religious or philosophical beliefs, or union membership
- Contents of messages (e.g., emails, texts, chats), unless it’s directed to the business
- Genetic data
- Biometrics, like facial recognition
- Information concerning your health, sex life, or sexual orientation
Vendor requirements
Businesses must determine whether vendors that process the personal information of California consumers on their behalf are considered a “service provider” or a “third party” as defined under the CCPA. Businesses that lack a contract with a vendor, or whose contract lacks the specific language the CCPA requires, may find that the relationship is treated as a sale of personal information and becomes subject to the sale requirements. The definitions are as follows:
Service provider: a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
Third party: a person or business entity who is NOT:
- The business that collects the PI from consumers; or
- The recipient of PI from a business for a business purpose pursuant to a written contract (contract must prohibit the sale of the PI or other use outside of the written contract).
Contracts must be updated or put in place and include specific requirements regarding personal information processing activities. Contractual provisions must outline that the service provider is prohibited from:
- Selling personal information;
- Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and
- Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
Contracts must also include a statement confirming that the service provider understands the restrictions outlined above.
Achieving CCPA Compliance
To achieve CCPA compliance, organizations need to have the appropriate privacy controls implemented to honor consumer rights, address disclosure requirements, and maintain records of processing. A data privacy assessment is typically the first step toward compliance. The assessment provides organizations with a roadmap by helping them understand their CCPA obligations, their risk exposure, and whether their current controls satisfy CCPA requirements.
The Risk of Noncompliance
The California Attorney General’s office can levy penalties of $2,500 for each violation or $7,500 for each intentional violation. Penalties levied for CCPA violations include:
- In August 2022, personal care and beauty product company Sephora had a $1.2 million settlement issued against it for CCPA violations. Sephora was fined for its failure to disclose information about the sale of personal data, the lack of a “Do Not Sell My Personal Information” button, and not honoring Global Privacy Control (GPC) signals. Sephora was given the 30-day right-to-cure notice but did not remedy the issues, which led to the fine.
- In February 2023, DoorDash was hit with a $375,000 fine. A California Department of Justice investigation found DoorDash violated the CCPA by selling customers’ personal information without notice or providing the opportunity to opt out of the sale. The company sold the data in a marketing cooperative, where businesses exchange customer data for the chance to market their products and services to each other’s customers. According to the Attorney General, in January 2020, DoorDash traded the names, addresses, and transaction histories of customers to a cooperative in a single transfer.
- In March 2025, Honda was fined $632,500. An investigation concluded the automaker violated Californians’ privacy rights in the following ways:
  - Requiring excessive personal information to exercise privacy rights
  - An opt-out process longer than the opt-in process
  - Creating barriers for consumers using Authorized Agents
  - Failure to produce contracts with advertising technology vendors
How we can Help
CompliancePoint provides a full suite of services that help organizations manage and respond effectively to privacy requirements, including CCPA, GDPR, and other state laws. We help organizations proactively identify their gaps, build out frameworks to meet compliance requirements, and can manage their privacy program on an ongoing basis to maintain compliance.
Frequently Asked Questions
What does CCPA stand for?
CCPA stands for the California Consumer Privacy Act.
What are the CCPA applicability thresholds?
The CCPA applicability thresholds for businesses are:
- Annual revenue of $25 million or more
- Control or possess the data of 100,000 or more California residents
- Derive at least 50% of revenue from the sale of personal data
What is the CPRA?
The CPRA is a series of amendments to the CCPA that added new privacy rights. The CPRA amendments went into effect in January 2023.