CCPA (2018) · amended by the CPRA · enforced by the CPPA

The CCPA, explained.

California gave its residents the strongest consumer-privacy rights in the United States. Here's the whole shape in one read — who has to comply, what you can demand, the difference between "sell" and "share," and what changed for 2026.


The one idea to hold onto

Your information is being traded. This is the off-switch.

Behind the scenes, businesses collect, sell, and "share" data about you for advertising. The CCPA's core move is simple: it hands you a set of controls over that trade — and one big switch to stop it.

You can see what's collected, correct or delete it, and tell a business "do not sell or share" — and it can't punish you for asking. See · fix · stop: that's the whole consumer side.

"You don't have to accept being the product. You get an off-switch — and the right to use it without penalty."
1. See: Know & access your data
2. Fix: Correct or delete it
3. Stop: Opt out of the sale

Civil Code § 1798.140

Does the CCPA apply to a business?

It only covers for-profit businesses that do business in California and meet at least one of three thresholds. Meeting any single threshold pulls the business into scope.

Non-profits and government agencies generally aren't covered at all.

1. Total global revenue, not just California: trips at > $26.625M (2026, inflation-adjusted).
2. Personal info bought, sold, shared, or processed: trips at ≥ 100,000.
3. How much of the business is the data trade itself: trips at ≥ 50%.

What you can demand

Your CCPA rights.

The distinction that trips everyone up

"Sell" and "share" are not the same word.

The CPRA added "share" precisely because companies argued they weren't "selling" data when no money changed hands. Now both are covered by one opt-out.

Sell

For money or value

Disclosing personal information to another business or third party for monetary or other valuable consideration. The classic "we sold your data to a broker."

Share

For ad targeting

Disclosing personal information for cross-context behavioral advertising — targeting you across sites and apps — even when no money changes hands. This is the CPRA addition.

A single "Do Not Sell or Share My Personal Information" link must let you switch off both. Once you opt out, the business can't resume unless you later say yes — and the opt-out has to be at least as easy as opting in.

A category of its own

Sensitive personal information.

Some data is treated as higher-stakes. For these, you have an extra right: tell a business to limit its use to only what's needed to provide what you asked for — no profiling, no extras.

Social Security / ID numbers · Financial account + login · Precise geolocation · Race or ethnicity · Religious beliefs · Contents of messages · Genetic data · Biometric ID · Health information · Sex life / orientation

What it costs to get wrong

Penalties, per violation — and they add up.

The CPPA and the Attorney General enforce the law. Fines are charged per violation, so a single bad practice across many consumers multiplies fast. Amounts shown are inflation-adjusted (2025).

$2,663: Per unintentional violation (was $2,500 before the 2025 CPI adjustment).
$7,988: Per intentional violation, or any violation involving a consumer under 16 (was $7,500).
$107–$799: Per consumer, per incident — statutory damages in the private lawsuit consumers can bring after certain data breaches.

What changed for 2026

The next wave of rules.

In 2026 California finalized regulations on automated decision-making, risk assessments, and cybersecurity audits — phased in by company size over the following years.

Jan 1, 2026

New regulations take effect

Rules on automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits become operative. Request and consent flows must be symmetrical — the privacy-protective choice can't be made harder.

Jan 1, 2026 →

Risk assessments begin

Businesses must start conducting risk assessments for higher-risk processing activities.

Jan 1, 2027

ADMT rules bite for existing systems

Compliance obligations for automated decision-making technology already in use take effect.

Apr 2028 – 2030

Cybersecurity audits, phased by revenue

First audits due Apr 1, 2028 for businesses over $100M revenue; Apr 1, 2029 for $50M–$100M; Apr 1, 2030 for under $50M.
