
California Consumer Privacy Act of 2018

The CCPA is California's landmark consumer privacy law granting residents the right to know, delete, and opt out of the sale of their personal information. This guide covers applicability thresholds, consumer rights, and practical compliance steps.

Issuing Body: California State Legislature
First Published: 2018-06-28
Latest Version: 2018 (enforced January 1, 2020)
Typical Cost: $5,000–$100,000
Typical Timeline: 2–6 months
Audit Required: No
Audit Frequency: No mandatory audit. The California Attorney General may investigate and enforce at any time.
Geography: us-california

CCPA: The Complete Guide

The California Consumer Privacy Act was the first comprehensive consumer privacy law in the United States. Signed into law in 2018 and effective January 1, 2020, the CCPA grants California residents significant control over how businesses collect, use, and sell their personal information.

What the CCPA Covers

The CCPA defines personal information broadly, encompassing identifiers, commercial information, biometric data, internet activity, geolocation data, professional information, and inferences drawn from any of this data. It establishes four core consumer rights: the right to know, the right to delete, the right to opt out of the sale of personal information, and the right to non-discrimination.

Businesses must provide clear notice at or before the point of data collection and maintain an updated privacy policy that discloses categories of information collected, purposes, and third-party sharing practices.

Who Needs to Comply

The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households annually; or deriving 50% or more of annual revenue from selling consumers' personal information.

Service providers and contractors that process personal information on behalf of covered businesses must also comply with specific CCPA obligations through contractual provisions.

Enforcement and Penalties

The California Attorney General enforces the CCPA. Civil penalties reach $2,500 per unintentional violation and $7,500 per intentional violation. The law also provides a private right of action for data breaches resulting from a business's failure to maintain reasonable security, with statutory damages between $100 and $750 per consumer per incident.

Practical Compliance Steps

  1. Assess applicability — Determine whether your business meets CCPA thresholds
  2. Data inventory — Map personal information collection, use, and sharing practices
  3. Update privacy policy — Disclose required categories and consumer rights
  4. Implement opt-out — Provide a "Do Not Sell My Personal Information" link
  5. Consumer request processes — Build intake and verification procedures for rights requests
  6. Vendor contracts — Update agreements with service providers and contractors
  7. Employee training — Train consumer-facing staff on handling privacy requests

Note that the CPRA, effective January 1, 2023, significantly amends and expands the CCPA. Organizations should evaluate compliance against both the original CCPA and CPRA amendments.
