CCPA and CPRA: A Practical Compliance Guide for Small Businesses

California has the most comprehensive and heavily enforced consumer privacy framework in the United States. The California Consumer Privacy Act, which took effect in January 2020, was already a landmark piece of legislation when California voters approved Proposition 24 in November 2020 and enacted the California Privacy Rights Act. The CPRA amended and significantly expanded the CCPA, and its major substantive provisions have been in effect since January 2023. Together, the CCPA and CPRA create a framework that gives California consumers extensive rights over their personal information and imposes meaningful obligations on the businesses that collect and use it. For small and medium-sized businesses that serve California customers, understanding this framework is not optional.

Does California’s Privacy Law Apply to Your Business?

Not every business is subject to the CCPA and CPRA. The law applies to for-profit businesses that do business in California and meet at least one of the following thresholds: the business has annual gross revenues in excess of $25 million; the business buys, sells, or shares the personal information of 100,000 or more California consumers or households per year; or the business derives 50% or more of its annual revenues from selling California consumers’ personal information.

Two aspects of these thresholds deserve attention. First, the revenue threshold applies regardless of whether the business is physically located in California. Any business that sells products or services to California customers and meets the revenue threshold is covered, even if it operates entirely out of another state. Second, the 100,000-consumer threshold can be reached more quickly than businesses expect. A business that collects email addresses, tracks website visitors through cookies, or processes online orders from California consumers may cross this threshold without realizing it. The threshold applies to consumers and households, not just paying customers — which means that website visitors whose data is collected through analytics or advertising tools count toward the total.

What Is Personal Information Under California Law?

California defines personal information very broadly. It includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular California consumer or household. This covers obvious categories like name, address, email, and Social Security number, but it extends much further. It includes commercial information such as purchase records and customer histories, internet or other electronic network activity including browsing history and search history, geolocation data, professional and employment-related information, education information, and inferences drawn from any of this information to create a profile about a consumer.

The law distinguishes between personal information generally and a subset called sensitive personal information. Sensitive personal information includes Social Security numbers and other government-issued ID numbers, financial account information with access credentials, precise geolocation, contents of personal communications, genetic data, biometric data processed to uniquely identify a person, health information, and data about a person’s racial or ethnic origin, religious beliefs, union membership, sexual orientation, and immigration status. Consumers have stronger rights over sensitive personal information, and businesses face heightened obligations when they collect it.

Consumer Rights Under the CCPA and CPRA

The CCPA and CPRA give California consumers a comprehensive set of rights over their personal information. Businesses must have systems in place to honor these rights within the timeframe specified by law, which is generally 45 days with the possibility of a single 45-day extension.

The right to know gives consumers the right to request that a business disclose what personal information it has collected about them, the categories and specific pieces of information, the sources from which it was collected, the purposes for which it was collected, and the categories of third parties with whom it has been shared. The right to delete gives consumers the right to request that a business delete the personal information it has collected from them, subject to exceptions for completing transactions, legal compliance, security, and a handful of other purposes. The right to correct gives consumers the right to request correction of inaccurate personal information.

The right to opt out of the sale or sharing of personal information is one of the most operationally significant rights. Under the CPRA, businesses must provide California consumers with the ability to opt out of both the sale of their personal information to third parties and the sharing of their personal information with third parties for cross-context behavioral advertising — which means targeted advertising based on a consumer’s activity across different websites and apps. This right applies even when no money changes hands for the sharing.

The right to limit the use of sensitive personal information gives consumers the right to direct a business to limit its use of their sensitive personal information to certain specified purposes. The right of non-discrimination prohibits businesses from discriminating against consumers who exercise their privacy rights by denying goods or services, charging different prices, or providing a lower quality of service.

Privacy Notice Requirements

California’s privacy law requires businesses to provide consumers with a comprehensive privacy notice at or before the point of collection of their personal information. The notice must identify all categories of personal information the business collects, the purposes for which each category is collected, whether each category is sold or shared, and how long the business retains each category. The notice must also explain consumers’ rights and provide clear instructions for how to exercise them.

For businesses that operate websites, this means a privacy policy that is actually accurate and complete — not a generic template that does not reflect the business’s real data practices. The law requires the privacy policy to be updated at least every twelve months and to include a list of the categories of personal information sold or disclosed in the prior twelve months, broken down by category and by the type of third party recipient.

Businesses that sell or share personal information must also provide a clearly visible ‘Do Not Sell or Share My Personal Information’ link on their website homepage. Businesses that use sensitive personal information beyond the permitted default purposes must provide a ‘Limit the Use of My Sensitive Personal Information’ link. California has also adopted a universal opt-out mechanism standard, which means that browsers and devices can send a signal indicating that the consumer does not want their data sold or shared, and businesses must honor that signal.

Service Provider and Contractor Agreements

Under California law, if you share personal information with a vendor that processes it on your behalf, that vendor is either a service provider or a contractor depending on how the relationship is structured. In either case, you must have a written contract in place that limits the vendor’s use of the personal information to the specific purposes of providing services to your business and prohibits the vendor from using the data for its own commercial purposes, selling it, or retaining it beyond what is needed to fulfill the contract.

This requirement has significant practical implications. Many standard vendor agreements do not include these provisions, and many common business tools — marketing platforms, analytics services, advertising networks — may be using your customers’ data in ways that California’s law considers a sale or sharing of personal information. Auditing your vendor relationships and updating your contracts is a necessary step in building a compliant California privacy program.

Enforcement and Penalties

The California Privacy Protection Agency is the dedicated enforcement authority for California’s privacy law. The agency has authority to investigate complaints, conduct audits, issue regulations, and impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. The agency has been actively engaged in rulemaking and enforcement since its establishment and has made clear that it will pursue violations across businesses of all sizes.

In addition to agency enforcement, the CCPA creates a private right of action for consumers whose non-encrypted or non-redacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security. Statutory damages in these private actions range from $100 to $750 per consumer per incident or actual damages, whichever is greater. Class actions based on data breaches have become a significant source of litigation risk for businesses that do not maintain adequate security over customer information.

Getting Compliant: A Practical Roadmap

For a business starting its California privacy compliance journey, the first step is a data inventory: understanding what personal information you collect, where it comes from, why you collect it, how long you keep it, who you share it with, and whether any of it qualifies as sensitive personal information. This inventory is the foundation on which everything else is built.

From there, you need to update your privacy policy to accurately reflect your data practices and include all required disclosures. You need to implement a process for receiving, verifying, and responding to consumer rights requests. You need to add opt-out mechanisms for the sale or sharing of personal information if applicable. You need to review and update your vendor contracts. And you need to assess your data security practices to ensure they are reasonable for the type and volume of personal information you handle.

California’s privacy regulations are detailed and continue to be updated by the California Privacy Protection Agency. Businesses that operate in California and collect significant amounts of consumer data should work with a privacy attorney to ensure their compliance program is complete, current, and defensible in the event of a regulatory inquiry or enforcement action.
