CCPA / CPRA Compliance

California privacy law applies to your website

The California Consumer Privacy Act (CCPA) and its amendment (CPRA) give California residents control over their personal data. If your site has California visitors, these rules apply.

$7,500 per intentional violation
$2,500 per unintentional violation
$750 per consumer per data breach
40M California residents online

Who must comply?

CCPA applies to for-profit businesses that collect personal information from California residents AND meet any one of these thresholds:

A. Annual gross revenue exceeds $25 million
B. Buys, sells, or shares personal information of 100,000+ consumers, households, or devices annually
C. Derives 50% or more of annual revenue from selling or sharing consumers' personal information

Website compliance checklist

01 "Do Not Sell or Share My Personal Information" link. Must be clearly visible on your website. Required if you sell personal data or share it for cross-context behavioral advertising. CCPA §1798.135(a)
02 "Limit the Use of My Sensitive Personal Information" link. Required under CPRA if you collect sensitive data (SSN, financial info, precise geolocation, race, health data). CPRA §1798.121
03 Privacy policy updated within 12 months. Must disclose: categories of personal information collected, purposes, categories of third parties, consumer rights, and how to exercise them. CCPA §1798.130(a)(5)
04 Two methods for consumer requests. Provide at least two methods for consumers to submit data requests (e.g., toll-free number + web form or email). CCPA §1798.130(a)(1)
05 Respond to requests within 45 days. Acknowledge receipt and fulfill access, deletion, and opt-out requests within 45 calendar days. One 45-day extension allowed with notice. CCPA §1798.145(g)
06 Honor Global Privacy Control (GPC). CPRA requires businesses to treat GPC browser signals as valid opt-out requests. Your site must detect and honor the `Sec-GPC` header. CPRA §1798.135(e)
07 No retaliation for exercising rights. Cannot deny goods/services, charge different prices, or provide lesser quality to consumers who exercise their privacy rights. CCPA §1798.125
08 Service provider agreements. Contracts with third parties that receive personal data must restrict them from selling it or using it beyond the business purpose. CCPA §1798.140(ag)
09 Minors' data. Cannot sell personal information of consumers under 16 without affirmative opt-in. For children under 13, a parent or guardian must consent. CCPA §1798.120(c)-(d)
10 Data minimization (CPRA). Collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the disclosed purpose. CPRA §1798.100(c)
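Item 06 says the site must detect and honor the `Sec-GPC` header. As an added example (not code from this page or from the Gridwork project), here is server-side handling of that header: the signal is recognised only when its value is exactly "1", it is merged with any preference the consumer already set, and third-party sharing tags are withheld on opt-out. The Express-style `req`/`res`/`next` shape, the `ccpa_opt_out` cookie name, the tag inventory and all function names are assumptions.

```javascript
// Added example (not Gridwork's code): treating the Sec-GPC request header as
// a CCPA/CPRA opt-out of sale/sharing. All function names are hypothetical.
// Lower-case header names so lookups work for raw HTTP headers as well as
// Node-style header objects (which are already lower-cased).
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = Array.isArray(value) ? value[0] : value;
  }
  return out;
}

// A GPC signal is exactly the value "1". Anything else (absent, "0", "true",
// empty) is not a signal and must not be read as an opt-out.
function hasGpcSignal(headers) {
  const value = normalizeHeaders(headers)['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Decide whether sale/sharing is allowed for this request. storedOptOut is a
// preference the site already holds (e.g. from the "Do Not Sell or Share"
// link); either it or a GPC signal is sufficient to opt the consumer out.
function resolveSaleSharing(headers, storedOptOut) {
  if (storedOptOut) return { allowed: false, source: 'stored-preference' };
  if (hasGpcSignal(headers)) return { allowed: false, source: 'gpc-signal' };
  return { allowed: true, source: 'default' };
}

// Constructed sample tag inventory: tags that send data to third parties for
// cross-context advertising are "sharing" and are dropped on opt-out.
const SAMPLE_TAGS = [
  { id: 'first-party-analytics', sharesData: false },
  { id: 'ad-network-pixel', sharesData: true },
  { id: 'retargeting-tag', sharesData: true },
];

function selectTags(decision, tags = SAMPLE_TAGS) {
  return tags.filter((t) => decision.allowed || !t.sharesData).map((t) => t.id);
}

// Express-style middleware: attaches the decision to the request and, when the
// opt-out came from GPC, persists it so later requests without the header stay opted out.
function gpcMiddleware(req, res, next) {
  const stored = Boolean(req.cookies && req.cookies.ccpa_opt_out === '1');
  req.saleSharing = resolveSaleSharing(req.headers, stored);
  if (req.saleSharing.source === 'gpc-signal') {
    res.setHeader('Set-Cookie', 'ccpa_opt_out=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax');
  }
  next();
}
```

Browsers that send `Sec-GPC` also expose the same signal to page scripts as `navigator.globalPrivacyControl`, so client-side tag loaders can apply the same rule before any third-party script runs.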

Consumer rights under CCPA/CPRA

Right to know

Consumers can request what personal information you've collected, the sources, purposes, and third parties you've shared it with.

§1798.100, §1798.110

Right to delete

Consumers can request deletion of their personal information. You must also direct service providers to delete it.

§1798.105

Right to opt out

Consumers can opt out of the sale or sharing of their personal information at any time.

§1798.120

Right to correct

Consumers can request correction of inaccurate personal information. Added by CPRA.

§1798.106 (CPRA)

Right to limit use

Consumers can limit the use and disclosure of their sensitive personal information to what's necessary.

§1798.121 (CPRA)

Right to non-discrimination

Businesses cannot retaliate against consumers for exercising their privacy rights.

§1798.125

CCPA vs GDPR

| Feature | CCPA/CPRA | GDPR |
|---|---|---|
| Scope | California residents | EU/EEA residents |
| Consent model | Opt-out (can sell until told not to) | Opt-in (must consent first) |
| Right to delete | Yes | Yes (right to erasure) |
| Right to correct | Yes (CPRA) | Yes |
| Data portability | Yes | Yes |
| Private right of action | Data breaches only | Yes (any violation) |
| Max fine | $7,500 per violation | 4% global turnover / 20M EUR |
| GPC signal required | Yes (CPRA) | Not specified |

Check your CCPA compliance

Gridwork Privacy Scanner checks for "Do Not Sell" links, detects trackers that share data with third parties, and audits your privacy policy for required CCPA disclosures.

npx gridwork-privacy
