What Is CCPA? The California Consumer Privacy Act Explained for Tech Companies
The CCPA — California Consumer Privacy Act — is a state privacy law that grants California residents specific rights over their personal information and imposes obligations on businesses that collect, sell, or share that data. Effective since January 1, 2020, the CCPA was significantly amended by the California Privacy Rights Act (CPRA) in 2023, which expanded consumer rights, created the California Privacy Protection Agency (CPPA), and introduced new concepts like sensitive personal information. For technology companies — particularly SaaS platforms, data-driven startups, and any company with California users — the CCPA/CPRA is the most consequential US state privacy law, with civil penalties of up to $7,500 per intentional violation and a private right of action for data breaches.
TL;DR — Key Takeaways
- The CCPA applies to for-profit businesses that collect personal information of California residents and meet specific revenue, data volume, or revenue-from-data thresholds
- California residents have five core rights under CCPA/CPRA: the right to know, the right to delete, the right to opt out of sale/sharing, the right to correct, and the right to limit use of sensitive personal information
- Personal information under CCPA is broadly defined — it includes names, IP addresses, browsing history, geolocation, inferences drawn from other data, and much more
- The CPRA amendment (effective 2023) added the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, replacing sole reliance on the Attorney General
- Penalties reach $2,500 per unintentional violation and $7,500 per intentional violation — and consumers have a private right of action for data breaches involving unencrypted or unredacted personal information
- Companies already pursuing SOC 2, ISO 27001, or HIPAA have significant control overlap with CCPA requirements — building a unified compliance program saves time and reduces gaps
Who Does CCPA Apply To?
The CCPA applies to for-profit businesses that collect or process the personal information of California residents and meet any one of the following thresholds:
| Threshold | Criteria |
|---|---|
| Annual gross revenue | Exceeds $25 million |
| Data volume | Buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices annually |
| Revenue from data | Derives 50% or more of annual revenue from selling or sharing California consumers' personal information |
Key points for tech companies:
- You do not need to be headquartered in California. If you do business in California and meet a threshold, the CCPA applies.
- The 100,000 consumer/household/device threshold is lower than it sounds. A SaaS platform that logs device identifiers, IP addresses, or cookie data can reach this threshold quickly.
- The CCPA does not apply to nonprofits or government agencies. It also exempts data already governed by HIPAA or the Gramm-Leach-Bliley Act.
- The CCPA distinguishes between businesses, service providers (processing on your behalf under contract), and third parties — this distinction matters for vendor agreements.
What Is Personal Information Under CCPA?
The CCPA defines personal information as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This definition is intentionally broad:
| Data Category | Examples |
|---|---|
| Identifiers | Name, alias, postal address, email, IP address, SSN, passport number |
| Commercial information | Purchase records, purchasing histories |
| Internet/electronic activity | Browsing history, search history, interaction with websites or apps |
| Geolocation data | Precise location from mobile devices or IP-based location |
| Biometric information | Fingerprints, face geometry, voiceprints |
| Professional or employment info | Job title, employer, work history |
| Inferences | Consumer profiles drawn from the above — preferences, behavior, attitudes |
| Sensitive personal information (CPRA) | SSN, financial credentials, precise geolocation, racial/ethnic origin, religious beliefs, genetic data, biometric data, health data, sexual orientation data |
The inferences category is critical for tech companies. If your product uses analytics, recommendation engines, or behavioral targeting, the profiles you build from user data are themselves personal information under CCPA.
Sensitive personal information — added by the CPRA — triggers additional consumer rights, including the right to limit a business's use and disclosure of that data to what is strictly necessary for the service.
The Five Core Consumer Rights Under CCPA/CPRA
| Right | What It Requires | Response Deadline |
|---|---|---|
| Right to know | Consumers can request that you disclose what personal information you have collected, the sources, the business purposes, the categories of third parties you share it with, and the specific pieces of data collected | 45 days (extendable by 45 more) |
| Right to delete | Consumers can request deletion of their personal information; you must also direct service providers and contractors to delete it | 45 days (extendable by 45 more) |
| Right to opt out of sale/sharing | Consumers can direct you to stop selling or sharing their personal information with third parties; you must provide a "Do Not Sell or Share My Personal Information" link | Must be honored promptly; no specific day count |
| Right to correct | Consumers can request correction of inaccurate personal information (added by CPRA) | 45 days (extendable by 45 more) |
| Right to limit use of sensitive personal information | Consumers can direct you to use sensitive personal information only for purposes necessary to provide the service (added by CPRA) | Must be honored promptly |
All consumers also have a right to non-discrimination — you cannot deny services, charge different prices, or provide a different quality of service because a consumer exercised their CCPA rights.
Businesses must provide at least two methods for consumers to submit requests. You must verify identity, respond within 45 days, and provide information free of charge for the first two requests per 12-month period.
Business Obligations Under CCPA/CPRA
Privacy Notice
You must provide a privacy notice at or before the point of data collection that discloses:
- The categories of personal information collected
- The purposes for collection and use
- Whether information is sold or shared, and the categories of third parties involved
- How long each category of data is retained (CPRA addition)
- The consumer rights available and how to exercise them
Do Not Sell or Share Link
If you sell or share personal information (including for cross-context behavioral advertising), your website must display a clear "Do Not Sell or Share My Personal Information" link. You must also honor the Global Privacy Control (GPC) browser signal as a valid opt-out request.
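The following is an added example of how a web backend can treat the GPC signal as a valid opt-out request. It is not code from the original page or from QuickTrust. The header name `Sec-GPC`, its defined value `1`, and the `/.well-known/gpc.json` document come from the GPC specification; the `ConsumerRecord` structure, the request IDs, the host name and the `lastUpdate` date are constructed for illustration.

```python
"""Honoring the Global Privacy Control (GPC) browser signal as a CCPA opt-out.

Added example, not code from the original page or from QuickTrust. The
header name "Sec-GPC", its value "1" and the /.well-known/gpc.json file
follow the GPC specification; ConsumerRecord, the request IDs and the
sample headers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Mapping, Optional
import json

GPC_HEADER = "sec-gpc"  # header names are compared case-insensitively


@dataclass
class ConsumerRecord:
    """Minimal per-consumer opt-out state (constructed for this example)."""
    consumer_id: str
    opted_out_of_sale_or_sharing: bool = False
    opt_out_source: Optional[str] = None      # "gpc" or "link"
    audit: List[str] = field(default_factory=list)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only for a well-formed GPC opt-out signal.

    The only value the spec defines is "1". Anything else ("0", "true", "")
    is not a signal: it must not be read as an opt-out, and equally must not
    be read as consent to sell or share.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_request(record: ConsumerRecord, headers: Mapping[str, str],
                  request_id: str) -> ConsumerRecord:
    """Update opt-out state from one HTTP request.

    A GPC signal is honored as a "Do Not Sell or Share" request. A request
    without the signal changes nothing: an earlier opt-out (via GPC or via
    the link) is never silently reversed because the consumer later browsed
    from a client that does not send the header.
    """
    if gpc_signal_present(headers):
        if not record.opted_out_of_sale_or_sharing:
            record.opted_out_of_sale_or_sharing = True
            record.opt_out_source = "gpc"
            record.audit.append(f"{request_id}: opt-out set via GPC signal")
    return record


def record_link_opt_out(record: ConsumerRecord, request_id: str) -> ConsumerRecord:
    """Opt-out submitted through the "Do Not Sell or Share" link."""
    record.opted_out_of_sale_or_sharing = True
    if record.opt_out_source is None:
        record.opt_out_source = "link"
    record.audit.append(f"{request_id}: opt-out set via link")
    return record


def may_sell_or_share(record: ConsumerRecord) -> bool:
    """Gate that advertising and analytics integrations consult before any disclosure."""
    return not record.opted_out_of_sale_or_sharing


def gpc_well_known(last_update: str = "2024-01-01") -> dict:
    """Body served at /.well-known/gpc.json to advertise that GPC is honored.

    The default date is a constructed placeholder; set it to the date your
    GPC handling last changed.
    """
    return {"gpc": True, "lastUpdate": last_update}


def demo() -> ConsumerRecord:
    """Run a constructed sequence of requests through the handler."""
    rec = ConsumerRecord("consumer-0001")
    rec = apply_request(rec, {"Host": "app.example", "Accept": "*/*"}, "req-1")  # no signal
    rec = apply_request(rec, {"Sec-GPC": "1"}, "req-2")                          # honored
    rec = apply_request(rec, {"Sec-GPC": "0"}, "req-3")                          # not a signal
    rec = apply_request(rec, {}, "req-4")                                        # stays opted out
    return rec


if __name__ == "__main__":
    r = demo()
    print(json.dumps(gpc_well_known()))
    print("may sell/share:", may_sell_or_share(r))
    print("\n".join(r.audit))
```

The design point is that the signal only ever moves a consumer toward "opted out": a missing or malformed header is treated as no information, not as permission, and every state change is written to an audit trail so the business can later show when and how a request was honored.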
Data Minimization and Purpose Limitation (CPRA Addition)
The CPRA added requirements that businesses must:
- Collect personal information only to the extent reasonably necessary and proportionate to the disclosed purpose
- Not use personal information for purposes materially different from what was disclosed at collection without providing new notice
Contracts With Service Providers
Written contracts with service providers must specify the business purpose of the processing, prohibit the service provider from selling or sharing the data, require CCPA compliance, and grant the business rights to monitor compliance.
Employee and B2B Data
As of January 1, 2023, the CPRA removed prior exemptions for employee and B2B data. Personal information of California-based employees, job applicants, and business contacts is now fully within CCPA scope.
CCPA Enforcement and Penalties
The CCPA is enforced by the California Privacy Protection Agency (CPPA) — a dedicated enforcement body created by the CPRA with rulemaking and administrative fine authority — and the California Attorney General, who retains the power to bring civil actions.
Penalty Structure
| Violation Type | Maximum Fine |
|---|---|
| Unintentional violation | $2,500 per violation |
| Intentional violation | $7,500 per violation |
| Violations involving minors (under 16) | $7,500 per violation |
"Per violation" means per consumer, per incident — which can compound rapidly at scale. A single data practice affecting 10,000 California consumers could theoretically result in $25 million to $75 million in penalties.
Private Right of Action (Data Breaches)
Consumers have a private right of action — meaning they can sue directly, without waiting for the AG or CPPA — when a data breach occurs due to a business's failure to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. For breaches affecting large user populations, this creates substantial class action exposure.
This private right of action is one of the most significant differences between CCPA and other US state privacy laws.
CCPA vs. GDPR: Key Differences
| Aspect | CCPA/CPRA | GDPR |
|---|---|---|
| Geographic scope | California residents | EU/EEA residents |
| Who it applies to | For-profit businesses meeting revenue or data volume thresholds | Any organization processing EU personal data |
| Consent model | Opt-out (collect unless consumer opts out of sale/sharing) | Opt-in (must identify a lawful basis before processing) |
| Private right of action | Yes — for data breaches | Limited — varies by member state |
| Fines | Up to $7,500 per intentional violation | Up to 4% of global annual revenue or EUR 20 million |
| DPO required? | No | Required in certain circumstances |
| Data transfer rules | Not a primary focus | Strict international transfer requirements |
For companies operating in both jurisdictions: GDPR compliance does not automatically satisfy CCPA, and vice versa. The opt-in vs. opt-out distinction creates materially different operational requirements. However, the underlying infrastructure — data mapping, access controls, deletion capabilities, privacy notices — overlaps substantially.
How QuickTrust Helps With CCPA Compliance
CCPA compliance is not just a legal checklist — it requires technical implementation across your data infrastructure: data mapping, deletion pipelines, opt-out signal processing, access controls, and breach detection. QuickTrust's security engineers implement these technical controls alongside the compliance documentation your legal team needs:
What QuickTrust delivers for CCPA:
- Data inventory and mapping — Identify all personal information flows across your systems, third-party integrations, and cloud infrastructure; classify data categories including sensitive personal information
- Consumer request workflow — Build the technical processes to receive, verify, and fulfill right-to-know, deletion, correction, and opt-out requests within 45-day deadlines
- Opt-out mechanism implementation — Deploy "Do Not Sell or Share" functionality and integrate Global Privacy Control (GPC) signal handling
- Privacy notice development — Draft CCPA-compliant privacy notices covering all required disclosures, including retention periods and sensitive personal information categories
- Service provider contract review — Audit vendor agreements for CCPA-required contract provisions; identify gaps in service provider agreements
- Technical safeguards — Engineers configure encryption, access controls, audit logging, and security monitoring to reduce breach risk and private right of action exposure
- Multi-framework alignment — Map CCPA controls to SOC 2 Trust Service Criteria, ISO 27001 Annex A, and HIPAA Security Rule requirements to eliminate redundant work
Result: Technical and operational CCPA compliance. Unified with your SOC 2, ISO 27001, or HIPAA program. 90% reduction in engineering time. 100% audit pass rate on related certifications.
CCPA FAQ
Does CCPA apply to companies outside California?
Yes. The CCPA applies to any for-profit business that collects the personal information of California residents and meets the applicable thresholds — regardless of where the business is headquartered.
What is the difference between CCPA and CPRA?
The CPRA (California Privacy Rights Act), effective January 1, 2023, is an amendment to the CCPA — not a separate law. It added new consumer rights (right to correct, right to limit sensitive personal information use), created the CPPA, introduced data minimization requirements, and removed the employee and B2B data exemptions. When people refer to "CCPA" today, they generally mean the CCPA as amended by the CPRA.
Does CCPA apply if we do not sell personal information?
Yes. If you meet the applicability thresholds, you must still provide privacy notices, honor right-to-know and deletion requests, and implement reasonable security measures. The CPRA also expanded "sharing" to include making data available for cross-context behavioral advertising — which many companies do through advertising SDKs and analytics integrations without realizing it qualifies.
How does CCPA interact with HIPAA?
Data covered by HIPAA is exempt from the CCPA. However, health-related data outside HIPAA's scope — such as data from consumer wellness apps or fitness trackers — is covered by the CCPA. Companies in health technology should carefully map which data falls under each law.
What security measures does CCPA require?
The CCPA does not prescribe specific security controls. However, the private right of action applies when a business fails to implement "reasonable security procedures and practices." Courts look to industry standards — CIS Controls, NIST CSF, SOC 2 criteria — to evaluate reasonableness. Companies with SOC 2 Type II or ISO 27001 certification are in a stronger position to defend against CCPA breach claims.
Can we handle CCPA alongside our SOC 2 or ISO 27001 program?
Yes. SOC 2's Privacy Trust Service Criterion, ISO 27001's Annex A privacy controls, and CCPA's requirements share substantial overlap in data inventory, access controls, encryption, incident response, and vendor management. Building a unified program avoids duplicate effort. QuickTrust's multi-framework approach is specifically designed for this.
Get CCPA-Ready Alongside Your SOC 2 or HIPAA Program
Your California customers expect CCPA compliance at the same time your enterprise buyers require SOC 2 and your healthcare customers demand HIPAA. QuickTrust builds a unified compliance program that covers all of them — with engineers who implement the technical controls, not just write the policies.
Get CCPA-ready alongside your SOC 2 or HIPAA program — talk to our team at trust.quickintell.com
Engineering-included. Multi-framework. 100% audit pass rate.