CCPA

CCPA stands for the California Consumer Privacy Act, a state law that gives California residents control over how businesses collect, use, and sell their personal information. It took effect on January 1, 2020, and was expanded by the California Privacy Rights Act (CPRA) on January 1, 2023. CCPA is the most far-reaching consumer privacy law in the United States.
Why CCPA Matters
CCPA set the template for privacy law across the US. Since it passed, states including Virginia, Colorado, and Connecticut have adopted similar rules. Any business that markets to Americans now has to account for CCPA-style rights.
The law reaches beyond California’s borders. It applies to any qualifying business that handles the personal information of California residents, no matter where the company is based. A New York or London company with California customers must comply.
CCPA also treats data broadly. Personal information includes names, email addresses, IP addresses, browsing history, geolocation, and inferences drawn from that data. This wide definition pulls most digital marketing activity into scope.
Who Must Comply
CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds:
- Revenue. Annual gross revenue over 25 million dollars.
- Volume. Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year.
- Data sales. Earns 50% or more of annual revenue from selling or sharing personal information.
A business only needs to meet one threshold to fall under the law. Nonprofits and government agencies are generally exempt.
Consumer Rights Under CCPA
CCPA grants California residents six core rights over their personal information. Businesses must respond to verified requests within 45 days:
- Right to know. What data is collected, used, shared, or sold.
- Right to delete. Request removal of collected personal information.
- Right to opt out. Stop the sale or sharing of personal information.
- Right to correct. Fix inaccurate personal information (added by CPRA).
- Right to limit. Restrict use of sensitive personal information (added by CPRA).
- Right to non-discrimination. Receive equal service and pricing after exercising rights.
The opt-out right is the most visible. Covered sites must post a clear “Do Not Sell or Share My Personal Information” link.
CCPA vs GDPR
CCPA and the EU’s GDPR both protect personal data, but they work differently. The core distinction is consent: GDPR requires opt-in before tracking, while CCPA uses an opt-out model where tracking is allowed until the user declines.
| Feature | CCPA | GDPR |
|---|---|---|
| Region | California residents | EU and EEA residents |
| Consent model | Opt-out | Opt-in |
| Who it covers | Businesses meeting thresholds | Any org processing EU data |
| Signature control | “Do Not Sell or Share” link | Cookie consent banner |
| Max penalty | 7,500 dollars per violation | 20M euros or 4% of turnover |
Many companies comply with both by applying GDPR’s stricter opt-in standard everywhere. That approach covers the widest audience with one system.
CCPA for Marketing
CCPA reshaped how marketers use tracking and data in the US. Under CPRA, “sharing” data for cross-context behavioral advertising counts the same as selling it, so most ad retargeting now triggers opt-out rights.
Key implications for marketing teams:
- Honor opt-out signals. Businesses must respect the Global Privacy Control (GPC) browser signal as a valid opt-out request.
- Post the opt-out link. A “Do Not Sell or Share” link is required if you share data for ads.
- Track without personal data where possible. UTM parameters sit in the URL, not in a cookie, and do not identify individuals on their own. That makes them a privacy-friendly way to attribute campaigns even when users opt out of tracking.
CCPA Penalties
CCPA carries two enforcement paths. The California Privacy Protection Agency and the state Attorney General can impose civil penalties of up to 2,500 dollars per violation, rising to 7,500 dollars for each intentional violation or violation involving minors.
Consumers also have a private right of action for data breaches. They can sue for 100 to 750 dollars per consumer per incident, or actual damages if higher. This breach provision is unique to CCPA among US state privacy laws.
Frequently Asked Questions
What does CCPA stand for?
CCPA stands for the California Consumer Privacy Act. It is a state law, passed in 2018 and effective January 1, 2020, that gives California residents rights over their personal information. The California Privacy Rights Act (CPRA) later expanded it.
What is the difference between CCPA and GDPR?
The main difference is the consent model. GDPR requires opt-in consent before any tracking, while CCPA lets businesses track by default and requires an opt-out option. GDPR applies to EU residents; CCPA applies to California residents. GDPR fines can reach 4% of global revenue, far above CCPA’s per-violation penalties.
Who has to comply with CCPA?
Any for-profit business doing business in California that meets one of three thresholds: over 25 million dollars in annual revenue, handling data on 100,000 or more consumers, or earning half its revenue from selling data. Location does not matter if the business handles California residents’ data.
Does CCPA apply to cookies?
Yes. Cookies and tracking identifiers count as personal information under CCPA when they can be linked to a consumer or household. Sharing that data for targeted advertising triggers the right to opt out.
To keep campaign attribution accurate even when users opt out of tracking, tag your links with the free UTM builder at linkutm.