The California Consumer Privacy Act — CCPA — is the most important US privacy law for small businesses. Even if you've never heard of it, it may already apply to you. This guide explains everything you need to know in plain English.
What is the CCPA?
The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. It was then strengthened by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023. Together, they give California residents significant rights over their personal data and impose obligations on businesses that collect it.
Think of it as California's version of the EU's GDPR — but with some key differences in scope, rights, and enforcement.
Does CCPA apply to my business?
The CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:
- Annual gross revenue exceeding $25 million
- Buying, selling, or sharing the personal data of 100,000 or more California consumers or households annually
- Deriving 50% or more of annual revenue from selling or sharing California consumers' personal data
I'm a small business — does CCPA apply to me?
If your revenue is under $25 million and you process data for fewer than 100,000 California consumers, the CCPA technically doesn't apply to you. However, there are compelling reasons to comply anyway:
- Other state privacy laws (Virginia, Colorado, Texas) have lower thresholds
- Stripe, PayPal, and other payment processors require privacy policies
- App stores (Apple, Google) require privacy policies for all apps
- Privacy policies build customer trust — increasingly important for conversions
- Your business may grow into CCPA scope sooner than you expect
What rights does CCPA give consumers?
Under the CCPA and CPRA, California residents have the following rights:
Right to Know
Consumers can request to know what personal data you've collected about them, where it came from, what you use it for, and whether you sell or share it.
Right to Delete
Consumers can request that you delete their personal data. There are limited exceptions — for example, you can retain data needed to complete a transaction or comply with a legal obligation.
Right to Correct
Added by the CPRA — consumers can request correction of inaccurate personal data you hold about them.
Right to Opt-Out of Sale or Sharing
Consumers can opt out of the sale or sharing of their personal data for cross-context behavioural advertising. If you use Facebook Pixel or Google Ads remarketing, this applies to you.
Right to Limit Sensitive Data
Consumers can limit the use of sensitive personal information (social security numbers, financial data, health data, precise geolocation) to only what is necessary to provide the service.
Right to Non-Discrimination
You cannot discriminate against consumers who exercise their CCPA rights — for example, by charging them more or providing a lower quality of service.
Under the CPRA, consumers must be able to submit privacy requests easily — through a dedicated email address, a web form, or a toll-free number. You must respond within 45 days.
What does "selling" personal data mean?
This is one of the most misunderstood parts of CCPA. "Selling" under CCPA has a broader definition than you might expect. It includes sharing personal data with third parties for monetary or other valuable consideration.
This means that if you share customer data with advertising networks — even for free, in exchange for advertising services — that may count as a "sale" under CCPA.
⚠ If you use Google Ads, Facebook Pixel, or LinkedIn Insight Tag, you may be "selling" or "sharing" personal data under CCPA and must include a "Do Not Sell or Share My Personal Information" link on your website.
What must I include in my Privacy Policy for CCPA compliance?
A CCPA-compliant Privacy Policy must disclose:
- Categories of personal information collected in the past 12 months
- The purposes for which personal information is used
- Categories of third parties personal information is shared with
- Whether you sell or share personal information
- The rights of California residents and how to exercise them
- How long you retain personal information
- Contact details for submitting privacy requests
What are the penalties for non-compliance?
The California Privacy Protection Agency (CPPA) enforces the CCPA and CPRA. Penalties are:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per record for violations involving minors' data
Private individuals can also sue for data breaches involving unencrypted personal data, with statutory damages of $100–$750 per consumer per incident.
How to comply with CCPA as a small business
- Create a compliant Privacy Policy — disclosing all required information about your data practices
- Add a "Do Not Sell or Share My Personal Information" link — if you use advertising cookies or share data with ad networks
- Set up a process for privacy requests — a dedicated email address like privacy@yourcompany.com
- Audit your data practices — know what data you collect, where it goes, and how long you keep it
- Review your third-party vendors — ensure any processors handling California data have appropriate agreements
The bottom line
CCPA compliance doesn't need to be complicated or expensive for small businesses. The core requirement is having a clear, accurate Privacy Policy that discloses your data practices — and a process for handling privacy requests. DataShark generates a personalised, CCPA-compliant Privacy Policy specific to your business in under 3 minutes, from $19.