If you process personal information of California residents, CCPA likely applies to you. This page covers what CCPA requires, the 2026 regulatory changes, and how to build a compliant program.

Key takeaways

  • CCPA applies if you handle the personal information of California residents and meet the size or revenue thresholds.
  • The 2026 regulatory changes expand obligations, so a program built earlier likely needs a review.
  • CCPA and GDPR differ in scope and mechanics, so GDPR compliance does not automatically cover CCPA.
  • If several US state laws apply, CCPA can run as part of one combined multi-state program.

Does CCPA apply to you

CCPA applies to for-profit entities doing business in California that collect personal information of California residents and meet at least one of three thresholds: annual gross revenue over $26.6 million (the inflation-adjusted figure; the statute started at $25 million), annually buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenue from selling or sharing personal information.

If you have California users or customers and your company is above any of these thresholds, CCPA applies regardless of where your company is headquartered.

What CCPA requires

A compliant privacy notice. The notice must include specific CCPA-required content covering categories of personal information collected, purposes of collection, categories of sources, categories of third parties with whom information is shared, sale and sharing practices, retention periods, and consumer rights.

Consumer rights operational capability. Consumers have the right to know what personal information you have, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of sale or sharing, the right to limit use of sensitive personal information, and the right to data portability. You need operational processes to honor each.

Service provider contracts. Vendors processing California personal information on your behalf must be bound by service provider agreements meeting CCPA requirements.

Sale and sharing disclosures. If you sell or share personal information (including for targeted advertising in many cases), you need clear opt-out mechanisms including a “Do Not Sell or Share My Personal Information” link.

Universal opt-out signal recognition. California requires that opt-out preference signals such as Global Privacy Control (sent by supporting browsers as the Sec-GPC request header, and exposed to page scripts as navigator.globalPrivacyControl) be treated as a valid request to opt out of sale or sharing, without requiring the consumer to also click the “Do Not Sell or Share” link.
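The following is an added example of how a web backend can detect the Global Privacy Control signal and reconcile it with a consumer preference it already holds; it is illustrative code written for this page, not Engage Compliance tooling or any client's implementation. The request shape, the stored-preference values, and the tag list are assumptions; the `Sec-GPC: 1` header, `navigator.globalPrivacyControl`, and the `/.well-known/gpc.json` field names come from the GPC specification.

```javascript
// Added example: recognising a Global Privacy Control (GPC) opt-out signal
// server-side and reconciling it with a stored consumer preference.
// Hypothetical helper code for this page; request/preference shapes are assumptions.

// Case-insensitive header lookup (Node lower-cases names; other stacks may not).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : String(value);
    }
  }
  return undefined;
}

// Supporting browsers send exactly "Sec-GPC: 1". Any other value, including
// "true" or "0", is not a signal and must not be treated as one.
function gpcSignalFromHeaders(headers) {
  return headerValue(headers, "Sec-GPC") === "1";
}

// Client-side equivalent. Takes the navigator object as a parameter so it
// can be exercised outside a browser.
function gpcSignalFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// storedPreference is the business's own record for this consumer:
// "opted_out", "opted_in" (explicit consent given after an earlier opt-out), or null.
// The signal is itself a valid opt-out request, so it overrides a stored opt-in;
// the business may then ask the consumer whether they want to re-consent, but
// must stop selling/sharing in the meantime. A flag records that conflict so the
// caller can surface that prompt instead of silently keeping the old consent.
function resolveOptOut({ headers, storedPreference }) {
  if (gpcSignalFromHeaders(headers)) {
    return {
      optedOut: true,
      source: "gpc_signal",
      conflictWithStoredConsent: storedPreference === "opted_in",
    };
  }
  if (storedPreference === "opted_out") {
    return { optedOut: true, source: "stored_preference", conflictWithStoredConsent: false };
  }
  return { optedOut: false, source: "none", conflictWithStoredConsent: false };
}

// Apply the decision to a page's tag configuration: when the consumer is opted
// out, every tag that would sell or share personal information is dropped.
function filterTags(tags, decision) {
  if (!decision.optedOut) return tags;
  return tags.filter((tag) => !tag.sharesPersonalInfo);
}

// Body for /.well-known/gpc.json, which lets crawlers and auditors confirm the
// site honours GPC. Field names are those defined by the GPC specification.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { name: "GPC browser, no stored preference", headers: { "sec-gpc": "1", "user-agent": "x" }, storedPreference: null },
  { name: "GPC browser, consented earlier", headers: { "Sec-GPC": "1" }, storedPreference: "opted_in" },
  { name: "no signal, opted out earlier", headers: {}, storedPreference: "opted_out" },
  { name: "malformed signal value", headers: { "sec-gpc": "true" }, storedPreference: null },
];

const SAMPLE_TAGS = [
  { id: "analytics-first-party", sharesPersonalInfo: false },
  { id: "ad-network-pixel", sharesPersonalInfo: true },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((req) => {
    const decision = resolveOptOut(req);
    return { name: req.name, decision, tagsLoaded: filterTags(SAMPLE_TAGS, decision).map((t) => t.id) };
  });
}

for (const row of runSamples()) {
  console.log(row.name, "->", row.decision.source, "tags:", row.tagsLoaded.join(","));
}
```

The important behaviours are the strict `"1"` comparison (a malformed value is not a signal) and the conflict flag, which is what lets a consent-management layer pause sale/sharing immediately while still offering the consumer a chance to re-consent, rather than treating an old opt-in as overriding the browser signal.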

2026 regulatory changes

The California Privacy Protection Agency finalized regulations covering three major areas in 2025. They took effect on January 1, 2026, with the substantive compliance deadlines phased in after that date rather than all falling at once.

Automated Decision-Making Technology regulations. Businesses using ADMT to make decisions affecting consumers must conduct risk assessments, provide notices, and respect consumer rights to opt out and access information about the ADMT.

Cybersecurity audit requirements. Businesses meeting specific thresholds must conduct annual cybersecurity audits of processing activities posing significant risk to consumer privacy or security.

Risk assessment obligations. Businesses must conduct documented risk assessments before initiating processing that presents significant risk to consumer privacy.

These obligations apply on a staggered basis depending on company size. Larger businesses are subject earlier; smaller businesses have additional time but should plan now.

Enforcement landscape

The California Attorney General and the CPPA both enforce CCPA. The largest settlement to date was 1.55 million USD against an online health publisher in July 2025 for inadequate cookie consent and opt-out compliance.

Investigations have focused on cookie banner compliance, dark patterns in consent flows, inadequate response to consumer rights requests, and unclear “Do Not Sell” mechanisms.

A private right of action exists for data breaches but not for general CCPA violations. It applies where a breach of unencrypted personal information results from a failure to implement and maintain reasonable security, and carries statutory damages of 100 to 750 USD per consumer per incident (or actual damages, if greater).

How CCPA differs from GDPR

Most tech companies that comply with GDPR find CCPA relatively easy to add on top. The main additional requirements:

  • CCPA has the “Do Not Sell or Share” link requirement that GDPR does not.
  • CCPA includes household-level data, which is broader than GDPR’s “natural person” focus.
  • The CPPA’s 2026 regulations create operational obligations (annual cybersecurity audits, ADMT risk assessments and notices) that GDPR does not directly require.
  • CCPA’s private right of action for breaches carries statutory damages, creating class-action litigation risk with no direct GDPR equivalent.
  • GDPR has broader extra-territorial reach. CCPA only applies if you do business in California.

Combining CCPA with multi-state compliance

CCPA is one of 20 US state comprehensive privacy laws in effect as of 2026. The others (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Indiana CDPA, Kentucky CDPA, Rhode Island Data Transparency and Privacy Protection Act, plus 12 more) follow broadly similar frameworks.

Most companies build a single compliance program that meets the strictest applicable standard and then handles state-specific variations through notice content and operational processes.

How Engage Compliance helps

CCPA compliance is included in our DPO services for any client serving California residents. Specific work includes:

  • Privacy notice drafting with CCPA-specific sections.
  • Consumer rights process design including DSAR, deletion, correction, opt-out of sale/sharing, and limit use of sensitive personal information.
  • Service provider contract templates and review.
  • ADMT risk assessment and notices.
  • Cybersecurity audit coordination where required.
  • Multi-state harmonization across CCPA and the other 19 US state laws.

Get started

Book a consultation to discuss your CCPA needs.

  • Same-business-day response
  • Professional indemnity and cyber insurance
  • Named DPO notified to the supervisory authority

Frequently asked questions

Does CCPA apply to my company?

CCPA applies to for-profit entities doing business in California that collect personal information of California residents and meet at least one of three thresholds: annual gross revenue over 26.6 million USD, buying, selling, or sharing personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenue from selling or sharing personal information. If you meet any of these and have California users, CCPA applies regardless of where you are headquartered.

What changed under the 2026 regulations?

The California Privacy Protection Agency finalized regulations that became applicable in January 2026 covering Automated Decision-Making Technology, with risk assessments, notices, and opt-out rights, annual cybersecurity audits for businesses meeting specific thresholds, and documented risk assessments before high-risk processing. These obligations apply on a staggered basis, with larger businesses subject earlier.

We already comply with GDPR. Is CCPA much more work?

Usually it is incremental. The main additions are the Do Not Sell or Share My Personal Information link, household-level data, recognition of Global Privacy Control universal opt-out signals, and the 2026 ADMT and cybersecurity-audit obligations. GDPR has broader extra-territorial reach, while CCPA only applies if you do business in California.

What is the enforcement risk?

The California Attorney General and the CPPA both enforce CCPA. The largest settlement to date was 1.55 million USD against an online health publisher in July 2025 for inadequate cookie consent and opt-out compliance. A private right of action exists for data breaches resulting from a failure to maintain reasonable security, but not for general violations, with statutory damages of 100 to 750 USD per consumer per incident.

We have users in several US states, not just California.

CCPA is one of 20 US state comprehensive privacy laws in effect as of 2026. Most companies build a single program that meets the strictest applicable standard and then handle state-specific variations through notice content and operational processes, harmonizing CCPA with Virginia, Colorado, Texas, and the others.