CCPA Compliance Guide for US Businesses | What You Must Do in 2025
A plain-English guide to California Consumer Privacy Act compliance. Covers who it applies to, what rights consumers have, and the privacy policy disclosures you must make.

What Is the CCPA and Who Does It Apply To?
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 and was significantly expanded by the California Privacy Rights Act (CPRA), whose amendments took effect on January 1, 2023. It is the most comprehensive US state-level data privacy law. It applies to for-profit businesses that do business in California, collect personal information of California residents, and meet at least one of the following thresholds: annual gross revenues above $25 million (a figure the California Privacy Protection Agency adjusts for inflation in every odd-numbered year, so check the current value); annually buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling or sharing consumers' personal information. Being based outside California does not take you out of scope: if you do business in California and handle California residents' personal information, the CCPA applies.
What Rights Does CCPA Give Consumers?
Under CCPA and CPRA, California residents have the right to know what personal information a business collects about them and to receive a copy of it, the right to delete their personal information (with exceptions), the right to opt out of the sale or sharing of their personal information, the right to correct inaccurate personal information, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising any of these rights. Businesses must respond to requests to know, delete, or correct within 45 days of receipt; this can be extended once by a further 45 days if you notify the consumer of the delay. Opt-out requests are handled faster: you must stop selling or sharing within 15 business days of receiving one.
CCPA Compliance Checklist
Update Your Privacy Policy
Your privacy policy must disclose the categories of personal information you collect, the categories of sources it comes from, the purposes for which you use it, whether you sell or share it, the categories of third parties with whom you share it, how long you retain each category (or the criteria used to decide), and a description of consumers' CCPA rights with instructions on how to exercise them. It must be reviewed and updated at least once every 12 months and reachable from a conspicuous link on your homepage.
Add a "Do Not Sell or Share My Personal Information" Link
If you sell or share personal information (including sending data to advertising platforms like Google or Meta for targeted advertising), you must display a clear and conspicuous "Do Not Sell or Share My Personal Information" link on your homepage. Clicking this link must take users to an opt-out mechanism that actually works: it must not require an account or identity verification, and once the user opts out, tags that transmit their data to advertising platforms must stop firing, not merely stop being visible. The CCPA regulations also require you to treat an opt-out preference signal sent by the browser, such as Global Privacy Control (the Sec-GPC request header), as a valid opt-out request, so the link alone is not enough.
Establish a Consumer Request Process
You must provide at least two methods for consumers to submit requests, typically a web form and a toll-free telephone number; a business that operates exclusively online and has a direct relationship with the consumer may offer an email address instead of the phone number. You must verify the requester's identity before fulfilling access, deletion, or correction requests, because an unverified deletion or access request is itself an attack vector against your users' data. Opt-out requests do not require verification. Maintain records of all requests received and your responses for at least 24 months.
Review Data Sharing with Third Parties
Audit all third-party data sharing relationships. Under CPRA, disclosing data for cross-context behavioural advertising counts as "sharing" even if you receive no payment, and the regulations do not allow a vendor to perform cross-context behavioural advertising on your behalf as a service provider, so contract terms cannot reclassify it. This means most businesses using Facebook Pixel, Google Ads remarketing, or similar tools share personal information under CCPA and must provide opt-out rights. Include tags injected through a tag manager in the audit; they are easy to overlook and just as much a disclosure.
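The opt-out link and the third-party tag audit above come together at one point: the code that decides, per request, whether sharing tags may load. The following is an added example, not code from this page or from ClauseKit, of a server-side gate that honours both the opt-out cookie set by your "Do Not Sell or Share" page and the Global Privacy Control signal, plus a check that no sharing tag leaks for an opted-out request. The cookie name, the tag identifiers, and the sample requests are assumptions made for the example; headers are assumed to be keyed in lowercase as Node's http module presents them.

```javascript
// Added example (not from the page or from ClauseKit): a server-side gate that
// decides, per request, whether tags that "share" personal information for
// cross-context behavioural advertising may be rendered. The cookie name, the
// tag identifiers and the sample requests are assumptions made for this example.

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed: set by the opt-out page
const OPT_OUT_MAX_AGE = 365 * 24 * 60 * 60; // keep the opt-out for at least 12 months

// Tags that send identifiers to ad platforms count as "sharing" under the CPRA.
const SHARING_TAGS = ['meta-pixel', 'google-ads-remarketing'];
// Tags that do not disclose personal information to third parties.
const ESSENTIAL_TAGS = ['first-party-analytics'];

// Parse a Cookie request header ("a=1; b=2") into an object. Malformed
// percent-encoding is kept verbatim instead of throwing on hostile input.
function parseCookies(header) {
  const cookies = {};
  if (typeof header !== 'string') return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch {
      cookies[name] = raw;
    }
  }
  return cookies;
}

// Opt-out preference signal: the Global Privacy Control header "Sec-GPC: 1".
// Only the exact value "1" is a signal; "0" or absence is not.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return value !== undefined && String(value).trim() === '1';
}

// Decide which tags a page may load for one request. `headers` is keyed in
// lowercase, as Node's http module presents request headers.
function decideTags(headers) {
  const cookies = parseCookies(headers.cookie);
  if (cookies[OPT_OUT_COOKIE] === '1') {
    return { optedOut: true, reason: 'opt-out cookie', tags: [...ESSENTIAL_TAGS] };
  }
  if (hasGpcSignal(headers)) {
    return { optedOut: true, reason: 'Sec-GPC signal', tags: [...ESSENTIAL_TAGS] };
  }
  return { optedOut: false, reason: 'no opt-out', tags: [...ESSENTIAL_TAGS, ...SHARING_TAGS] };
}

// Set-Cookie value the opt-out page emits when the consumer clicks the link.
// No login or verification is required for an opt-out request. The cookie is
// deliberately not HttpOnly so client-side tag code can also read it.
function optOutSetCookie() {
  return `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=${OPT_OUT_MAX_AGE}; Secure; SameSite=Lax`;
}

// The check that the mechanism "actually works": for an opted-out request,
// any sharing tag still scheduled to load is a leak.
function leakedSharingTags(decision) {
  if (!decision.optedOut) return [];
  return decision.tags.filter((tag) => SHARING_TAGS.includes(tag));
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { cookie: 'session=abc123; ccpa_opt_out=1' },
  { 'sec-gpc': '1', cookie: 'session=def456' },
  { 'sec-gpc': '0', cookie: 'session=ghi789' },
];

function runDemo() {
  return SAMPLE_REQUESTS.map((headers) => {
    const decision = decideTags(headers);
    return { ...decision, leaked: leakedSharingTags(decision) };
  });
}

for (const result of runDemo()) {
  console.log(`${result.reason}: optedOut=${result.optedOut} tags=${result.tags.join(',')} leaked=${result.leaked.length}`);
}
```

Wire `decideTags` into the template that renders your tag snippets and run `leakedSharingTags` in an integration test against every page template, because a tag added later through a tag manager is the usual way an opt-out silently stops working.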
CCPA Penalties
The California Privacy Protection Agency (CPPA) and the California Attorney General can impose administrative fines or civil penalties of up to $2,500 per violation and $7,500 per intentional violation or violation involving consumers under 16; like the revenue threshold, these amounts are adjusted for inflation. Separately, data breaches expose businesses to a private right of action, including class actions, when nonencrypted and nonredacted personal information is exposed as a result of the business's failure to implement reasonable security procedures. Statutory damages are $100 to $750 per consumer per incident or actual damages, whichever is greater, so a plaintiff does not need to prove actual harm. Two practical points follow: encrypting the data at rest and in transit keeps a breach of it outside the private right of action, and you should expect the 30-day written notice consumers must give before seeking statutory damages, since adding security controls after the breach does not count as curing it.
Generate Your CCPA-Compliant Privacy Policy Free
ClauseKit's privacy policy generator includes CCPA-specific disclosures covering consumer rights, opt-out mechanisms, and data sharing practices. Download in minutes, no account required.