CCPA / CPRA
The California Consumer Privacy Act (CCPA, 2018) and its amendment the California Privacy Rights Act (CPRA, 2020) — the strongest US state privacy law, GDPR-adjacent in spirit, enforced by the California Privacy Protection Agency since 2023 and binding on any business worldwide that hits the thresholds while handling California residents' data.
The California Consumer Privacy Act (CCPA), signed in 2018 and effective 1 January 2020, was the first comprehensive US state privacy law. The California Privacy Rights Act (CPRA), passed by ballot in November 2020 and fully effective 1 January 2023, amended it substantially and created the California Privacy Protection Agency (CPPA) — the first US dedicated data-protection regulator. In 2026, when people say “CCPA” they almost always mean the post-CPRA, CPPA-enforced version. The full text lives at Cal. Civ. Code § 1798.100 ff. and the implementing regulations at cppa.ca.gov.
Who it covers (thresholds)
Any for-profit business that does business in California and meets at least one of:
- Gross annual revenue > $25M in the preceding calendar year, or
- Buys, sells, or shares personal information of 100,000+ California consumers or households annually, or
- Derives ≥ 50% of annual revenue from selling or sharing California consumers’ personal information.
Note: there is no California-establishment requirement. A SaaS hosted in Paris that lets California residents sign up and that crosses the 100,000-record threshold is in scope. The CCPA explicitly applies to “businesses doing business in California”, which the Attorney General reads broadly.
What California residents can do
- Right to know what personal information a business collects, where it came from, and to whom it is disclosed or sold (close to GDPR Article 15).
- Right to delete personal information, with exceptions (legal obligation, fraud prevention, free-speech contexts).
- Right to correct inaccurate personal information (added by CPRA).
- Right to opt out of sale or sharing for cross-context behavioural advertising — including via the Global Privacy Control signal, which businesses must honour.
- Right to limit use of sensitive personal information (geolocation, health data, biometric IDs, sexual orientation, etc.) — new under CPRA.
- Right to data portability (a copy in a machine-readable format).
- Right to non-discrimination for exercising these rights.
Businesses must respond to verifiable consumer requests within 45 days (extendable by another 45 with notice).
What businesses must do
- A “Notice at collection” at or before the point of collection, listing categories of personal information collected, purposes, and rights.
- A public privacy policy with the same content, refreshed at least annually.
- A “Do Not Sell or Share My Personal Information” link (or “Your Privacy Choices” link with the official icon) prominently on the homepage.
- Honour Global Privacy Control signals as a valid opt-out — failing to do so was the basis of the CPPA’s enforcement action against Sephora in 2022 ($1.2M settlement) and is the area most companies still get wrong.
- Data Protection Impact Assessments for processing that presents significant risk to consumers — modelled on GDPR DPIAs.
- Contracts with service providers and third parties that mirror CCPA obligations (sub-processor language similar to GDPR Article 28).
- Annual cybersecurity audits and risk assessments for high-risk processing, when the CPPA’s pending implementing regulations come into force.
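The Global Privacy Control requirement above is the one item in this list with a concrete technical shape, so here is an added example of how a web backend can honour it; this is illustrative code, not from the original page or from any regulator. The only real identifiers it relies on are the GPC signal itself: the `Sec-GPC: 1` request header and, in the browser, `navigator.globalPrivacyControl`. The function names, the consent-record field, the tag labels and the sample requests are constructed for illustration.

```javascript
// Added example: treating the Global Privacy Control (GPC) signal as a
// CCPA/CPRA opt-out of "sale or sharing" for cross-context behavioural ads.
// Real parts: the `Sec-GPC` header (value "1") and `navigator.globalPrivacyControl`.
// Assumed/constructed parts: function names, the `optedOutOfSaleOrSharing`
// consent-record field, the tag list and the sample requests below.

// Case-insensitive header lookup; Node lowercases header names, other
// frameworks may not, and some represent repeated headers as arrays.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// The GPC spec defines exactly one opt-out value: "1". Anything else
// (absent, "0", "true", garbage) is treated as "no signal", never as consent.
function gpcFromHeaders(headers) {
  const raw = headerValue(headers, 'sec-gpc');
  return raw !== undefined && String(raw).trim() === '1';
}

// Browser-side equivalent, guarded so it is safe to call outside a browser.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Decide whether this request may be used for sale/sharing. Assumed policy,
// matching the CPRA opt-out model:
//   1. a GPC signal on the request is an opt-out for this browser/device;
//   2. an opt-out already recorded against the account persists across devices;
//   3. otherwise sharing is permitted until the consumer objects (opt-out default).
function decideSaleOrSharing(request, consentRecord) {
  const gpc = gpcFromHeaders(request.headers);
  const recordedOptOut = consentRecord?.optedOutOfSaleOrSharing === true;
  const allow = !gpc && !recordedOptOut;
  return {
    allowSaleOrSharing: allow,
    reason: gpc ? 'gpc-signal' : recordedOptOut ? 'recorded-opt-out' : 'no-opt-out',
    // A GPC signal from a logged-in consumer should be stored as an opt-out so a
    // later request from a device without GPC does not silently re-enable sharing.
    persistOptOut: gpc && !recordedOptOut,
  };
}

// Third-party tags, each labelled with whether loading it amounts to a
// "sale or sharing" under the CPRA definition. Labels are constructed examples.
const THIRD_PARTY_TAGS = [
  { name: 'first-party-analytics', saleOrSharing: false },
  { name: 'cross-site-ads-pixel', saleOrSharing: true },
  { name: 'retargeting-sdk', saleOrSharing: true },
];

// Honouring the opt-out means the sharing tags are never emitted to the page.
function tagsToLoad(tags, decision) {
  return tags
    .filter((t) => !t.saleOrSharing || decision.allowSaleOrSharing)
    .map((t) => t.name);
}

// Constructed sample requests exercising each branch.
const SAMPLE_REQUESTS = [
  { id: 'gpc-on', headers: { 'Sec-GPC': '1', 'user-agent': 'constructed/1.0' }, consent: null },
  { id: 'gpc-off-but-recorded', headers: { 'sec-gpc': '0' }, consent: { optedOutOfSaleOrSharing: true } },
  { id: 'no-signal', headers: {}, consent: null },
];

for (const r of SAMPLE_REQUESTS) {
  const d = decideSaleOrSharing({ headers: r.headers }, r.consent);
  console.log(r.id, d, tagsToLoad(THIRD_PARTY_TAGS, d));
}
```

The design point is that the signal is evaluated per request and can only ever remove tags, never add them; a missing or malformed header leaves the consumer in the state they were already in, and a recorded opt-out is never overridden by a later request that happens to lack the header.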
CCPA vs GDPR — the practical difference
| Dimension | GDPR (EU) | CCPA / CPRA (California) |
|---|---|---|
| Default | Opt-in for non-essential processing | Opt-out for sale/sharing |
| Legal bases | Six legal bases (Art. 6) | No legal-basis framework; centred on notice + opt-out |
| Sensitive data | Special category (Art. 9), narrow processing conditions | “Sensitive PI”; right to limit use |
| Regulator | National DPAs + EDPB | California Privacy Protection Agency (CPPA), plus AG |
| Fines | Up to €20M or 4% of global turnover | $2,500 per violation, $7,500 per intentional violation or violation involving a minor's personal information; no global-turnover ceiling |
| Right to compensation | Yes (Art. 82) | Limited private right of action — only for certain breaches |
| Cross-border transfers | Heavily restricted (Schrems II framework) | No specific transfer regime |
The practical effect: a GDPR-compliant company is mostly CCPA-ready, but not entirely. The two big traps are (a) the public-facing “Do Not Sell or Share” link and Global Privacy Control honouring, which has no GDPR equivalent, and (b) the broader US service-provider contract language, which the CPPA has been progressively strengthening.
The other US state privacy laws
CCPA was the first. As of 2026, comprehensive state privacy laws are in force in: California, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Florida (FDBR), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), Tennessee (TIPA), New Hampshire, New Jersey, Indiana, and a growing list. Each has different thresholds, definitions, and timelines — but the architecture (notice + consumer rights + opt-out + assessments + contracts) is largely converging. A privacy program designed around GDPR + CCPA tends to cover the others without major additional work.
For SaaS startups serving US enterprise customers from anywhere in the world, the practical floor in 2026 is: GDPR-aligned privacy policy + a “Your Privacy Choices” link with Global Privacy Control support + a verifiable consumer-request process + service-provider contracts that mirror CCPA language. That covers ~95% of US state requirements for ~95% of buyers. The remaining 5% is jurisdiction-specific notice variations.
Related terms
- GDPR Article 32: The GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures — increasingly read to include behavioral controls.
- HIPAA: US federal law governing protected health information — the Security Rule explicitly mandates a security awareness and training program for the workforce.
- SOC 2: AICPA attestation framework based on five Trust Services Criteria — the de facto B2B SaaS sales gate for North American buyers.
- DPO (Data Protection Officer): The GDPR-mandated role responsible for monitoring an organization's compliance with EU data-protection law and acting as the contact point for the supervisory authority.