What is CCPA? A Complete Guide for Startups
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is one of the most comprehensive privacy laws in the United States. For organizations handling personal information of California residents, understanding CCPA is essential for avoiding significant penalties and building customer trust.
Key Takeaways
| Point | Summary |
|---|---|
| What it is | California's landmark privacy law granting consumers rights over their personal information |
| Effective date | Original CCPA: January 1, 2020; CPRA amendments: January 1, 2023 |
| Who it applies to | For-profit businesses meeting revenue, data volume, or data sales thresholds |
| Revenue threshold | $26.625 million or more in annual gross revenue (as of January 2025) |
| Maximum penalty | $7,988 per intentional violation (or violation involving a consumer under 16), $2,663 per other violation; statutory damages of $107-$799 per consumer per incident in data breach lawsuits |
Quick Answer: CCPA is California's consumer privacy law that gives residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. It applies to for-profit businesses with $26.625M+ annual gross revenue, that buy, sell, or share the personal information of 100,000+ consumers or households, or that derive 50%+ of annual revenue from selling or sharing personal information.
CCPA Overview
The CCPA was signed into law in 2018 and became effective on January 1, 2020. California voters approved the CPRA in November 2020, which significantly amended the CCPA with additional protections that took effect on January 1, 2023.
| Aspect | Details |
|---|---|
| Original Effective Date | January 1, 2020 |
| CPRA Amendments Effective | January 1, 2023 |
| Jurisdiction | California residents |
| Enforcement Bodies | California Attorney General, California Privacy Protection Agency (CPPA) |
| Maximum Penalty per Violation | $7,988 (intentional, or involving a consumer the business knows is under 16) / $2,663 (all other violations) |
The CPRA did not create a separate law. Instead, it amended the existing CCPA, which is why the combined law is typically referred to as "CCPA" or "CCPA, as amended."
Why CCPA Matters for Growing Companies
CCPA applies to businesses regardless of their physical location. If you have California customers or users, you may need to comply. For growing businesses, CCPA compliance tends to become relevant at several key inflection points.
Common reasons organizations prioritize CCPA compliance:
- California market access. California represents the world's fifth-largest economy, and CCPA compliance is essential for serving this market.
- Enterprise sales. B2B customers increasingly require CCPA compliance from their vendors, alongside frameworks like SOC 2 or ISO 27001.
- Data breach liability. The private right of action for data breaches creates significant financial exposure for non-compliant businesses.
- Regulatory scrutiny. The California Attorney General and CPPA actively enforce CCPA, with settlements reaching millions of dollars.
- Privacy-first positioning. Consumers increasingly favor organizations that demonstrate responsible data handling practices.
Who Must Comply with CCPA?
The CCPA applies to for-profit businesses that collect California consumers' personal information, do business in California, and meet any of the following thresholds. For a detailed breakdown, see our CCPA applicability guide.
| Threshold | Details |
|---|---|
| Revenue | $26.625 million or more in annual gross revenue (adjusted January 2025) |
| Data Volume | Buy, sell, or share personal information of 100,000+ California consumers or households |
| Data Revenue | Derive 50% or more of annual revenue from selling or sharing California consumers' personal information |
Important clarifications:
- The revenue threshold is based on worldwide gross revenue, not just California revenue.
- Non-profit organizations and government agencies are generally exempt.
- The law applies regardless of your business location if you have California customers.
What is Personal Information Under CCPA?
The CCPA defines personal information broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household.
| Category | Examples |
|---|---|
| Identifiers | Name, email, phone number, Social Security number, IP address |
| Commercial Information | Purchase history, products considered, consuming histories |
| Internet Activity | Browsing history, search history, interaction data |
| Geolocation Data | Physical location, GPS coordinates |
| Employment Information | Current or past job history, performance evaluations |
| Education Information | Non-public education records, as defined in FERPA |
| Inferences | Consumer profiles, preferences, characteristics |
Sensitive Personal Information
The CPRA introduced a special category called sensitive personal information with heightened protections:
| SPI Category | Examples |
|---|---|
| Government IDs | Social Security number, driver's license, passport number |
| Financial Access | Account numbers with passwords or security codes |
| Precise Geolocation | GPS-level location data |
| Protected Characteristics | Race, ethnicity, religion, union membership |
| Private Communications | Contents of mail, email, or text messages |
| Biometric Data | Fingerprints, facial recognition, voice prints |
| Health Information | Medical history, conditions, treatments |
| Sexual Orientation/Life | Sexual orientation, sex life information |
| Genetic Data | DNA, genetic test results |
| Immigration Status | Citizenship and immigration status (added 2024) |
Key CCPA Terminology
| Term | Definition |
|---|---|
| Consumer | A California resident (not limited to customers) |
| Business | For-profit entity meeting CCPA thresholds |
| Service Provider | Entity processing data on behalf of a business under contract |
| Contractor | Person to whom a business makes personal information available for a business purpose under a written contract |
| Third Party | Entity that is not a business, service provider, or contractor |
| Sale | Transferring personal information to a third party for monetary or other valuable consideration |
| Sharing | Transferring personal information for cross-context behavioral advertising |
| Processing | Any operation performed on personal information |
CCPA vs. Other Privacy Laws
| Aspect | CCPA | GDPR | VCDPA (Virginia) |
|---|---|---|---|
| Jurisdiction | California | EU/EEA | Virginia |
| Scope | For-profit businesses meeting thresholds | Any organization processing EU data | Businesses meeting thresholds |
| Consent Model | Opt-out for sales/sharing; opt-in to limit use of sensitive data via "Limit" right | Lawful basis required; consent, where relied on, must be opt-in | Opt-out for sales/targeted advertising; opt-in consent for sensitive data |
| Right to Delete | Yes | Yes | Yes |
| Right to Correct | Yes (CPRA) | Yes | Yes |
| Private Right of Action | Yes (limited to data breaches) | Yes (Art. 82 right to compensation) | No |
| Maximum Fine | $7,988 per violation | €20M or 4% global revenue | $7,500 per violation |
Common Misconceptions
"We're too small for CCPA"
CCPA has specific revenue and data thresholds, but many growing companies meet the 100,000+ consumer threshold faster than expected, especially those with online products.
"We're not in California, so CCPA doesn't apply"
CCPA applies to any business meeting the thresholds that collects California residents' data, regardless of where the business is located.
"We just need a privacy policy"
CCPA requires operational capabilities including consumer request handling, opt-out mechanisms, data inventory, and vendor contracts, not just documentation.
"CCPA only matters if we sell data"
The CPRA expanded the law to cover "sharing" for advertising purposes. Many businesses that don't "sell" data still share it for cross-context behavioral advertising.
"CCPA compliance is a one-time project"
Compliance requires ongoing maintenance, including responding to consumer requests within deadlines, updating disclosures, and training staff.
The Business Case for CCPA Compliance
| Benefit | Impact |
|---|---|
| Risk Mitigation | Avoid penalties up to $7,988 per violation and data breach lawsuits with statutory damages of $107-$799 per consumer per incident (or actual damages, whichever is greater) |
| Market Access | Serve California's 39+ million residents and the fifth-largest economy globally |
| Customer Trust | Demonstrate commitment to privacy, increasingly important to consumers |
| Competitive Positioning | Meet vendor requirements for enterprise customers |
| Operational Clarity | Data inventory and mapping improves overall data governance |
| Breach Preparedness | Security requirements reduce breach likelihood and impact |
How Bastion Helps
CCPA compliance involves navigating complex requirements across legal, technical, and operational domains. Working with experienced partners can help organizations achieve compliance more efficiently.
| Challenge | How We Help |
|---|---|
| Understanding applicability | Assessment of thresholds and scope specific to your business |
| Privacy policy updates | Compliant notice templates and review processes |
| Consumer request handling | Workflows and systems for request verification and fulfillment |
| Vendor management | Service provider contract templates and tracking |
| Ongoing compliance | Monitoring, training, and evidence collection |
| Security requirements | Guidance on reasonable security measures and breach response |
Ready to explore your CCPA compliance options? Talk to our team →
Sources
- California Consumer Privacy Act (CCPA) - California Attorney General official CCPA page
- California Privacy Protection Agency - Official CPPA website and regulations
- CCPA Text - California Civil Code 1798.100-1798.199.100
- CPRA Full Text - California Privacy Rights Act of 2020
- CPPA FAQs - Frequently Asked Questions from the enforcement agency
