The Foundation of California Privacy Law
The California Consumer Privacy Act (CCPA) protects the privacy rights of California residents by giving them control over how businesses collect and use their personal data. While it first took effect in 2020, it has since been significantly expanded by the California Privacy Rights Act (CPRA), which introduced stricter requirements and established a dedicated enforcement agency. As of January 1, 2026, new amendments have further tightened the rules, particularly regarding cybersecurity audits and automated decision-making.
Unlike some regulations that focus solely on the location of the business, the CCPA follows the consumer. If your website collects data from people living in California, you may be subject to these rules regardless of where your company is based. Understanding the CCPA is no longer optional for any business with a national or international digital presence.
Which Businesses Must Comply?
Not every small website or personal blog falls under the scope of the CCPA. The law targets for-profit entities that do business in California and meet specific financial or data-volume thresholds. Following the 2025 inflation adjustments and 2026 amendments, a business is covered if it meets any one of these three criteria:
- Annual Revenue: Your business had gross annual revenue exceeding $26,625,000 in the preceding calendar year.
- Data Volume: You annually buy, sell, or share the personal information of 100,000 or more California residents or households.
- Revenue from Sales: You derive 50% or more of your annual revenue from selling or sharing California residents' personal information.
It is a common misconception that only "data brokers" are affected. If you run a high-traffic e-commerce site or a media platform that uses marketing cookies to track 100,000 visitors from California per year, you meet the data volume threshold even if your revenue is below the $26 million mark.
What Counts as Personal Information?
The CCPA uses a broad definition for personal information. It includes any data that identifies, relates to, or could reasonably be linked to a particular consumer or household. This goes far beyond names and email addresses.
| Category | Examples of Data Collected |
|---|---|
| Identifiers | Real name, alias, postal address, unique personal identifier, IP address, email, account name. |
| Commercial Information | Records of personal property, products or services purchased, obtained, or considered. |
| Internet Activity | Browsing history, search history, and information regarding a consumer's interaction with a website or advertisement. |
| Geolocation Data | Precise physical location tracking, often via mobile apps or browser APIs. |
| Sensitive PI | Social security numbers, driver's licence, precise geolocation, racial or ethnic origin, or genetic data. |
Since January 1, 2026, the definition of sensitive personal information has expanded to include data from consumers known to be under 16 years of age. This change reflects a broader shift toward protecting younger users from aggressive data profiling. When you define your cookie categories, you must account for these varied data types.
CCPA vs CPRA: The Main Differences
Many people use these terms interchangeably, but the CPRA was technically a ballot initiative that amended and expanded the original CCPA. The CPRA added the "sharing" of personal information to the regulatory scope, which specifically targets cross-context behavioural advertising. It also created the California Privacy Protection Agency (CPPA), the first state agency in the US dedicated solely to privacy enforcement.
The CPRA also introduced the Right to Correct inaccurate personal information and the Right to Limit the Use of Sensitive Personal Information. These rights require website owners to provide clear mechanisms, such as a "Limit the Use of My Sensitive Personal Information" link, if they process sensitive data for purposes beyond what is strictly necessary to provide requested services.
The 2026 Cybersecurity Audit Rule
New regulations approved by the CPPA Board in late 2025 have introduced mandatory cybersecurity audits for certain businesses. Starting in 2026, if your business's data processing activities present a significant risk to consumer security, you must perform an annual independent audit. This applies to businesses with revenue over approximately $26.6 million that also process the data of more than 250,000 consumers or 50,000 sensitive records.
These audits are not just internal checklists. They must be submitted to the CPPA to demonstrate that the business maintains reasonable security practices. Failure to comply can lead to significant penalties, as seen in recent enforcement trends where the agency has moved away from warning periods and toward direct fines.
Enforcement and Fines
The CPPA has intensified its activity. In 2025, the agency issued a $345,178 fine against a national retailer for multiple violations, including the use of dark patterns that made it difficult for consumers to opt out of data sharing. Enforcement advisories have also focused on data minimisation, reminding businesses they should only collect the data they actually need for a specific purpose.
Civil penalties can reach $2,500 per violation or $7,500 for each intentional violation or violation involving minors. Because these fines apply per consumer, a single data breach or non-compliant cookie banner on a high-traffic site can quickly lead to multi-million dollar liabilities.
How Website Owners Can Comply
Compliance begins with transparency and user choice. You must provide a clear Privacy Policy that lists the categories of information you collect and the purposes for which you use them. Furthermore, if you use third-party marketing or functional tracking, you must provide a "Do Not Sell or Share My Personal Information" link.
Global Privacy Control (GPC) is another critical requirement. California law requires businesses to honour opt-out preference signals sent by browser settings. If a user has GPC enabled, your website must automatically treat that as a request to opt out of the sale or sharing of their data. Running a cookie scan can help you identify which third-party scripts are active on your site and ensure they respect these signals.
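The opt-out logic described above, as an added example that is not part of the original article: a server-side decision routine (Node-style, lowercase header keys) that treats the GPC header `Sec-GPC: 1` as an opt-out, also honours a constructed `ccpa_optout` cookie set by the "Do Not Sell or Share" link, and switches to the opt-in model for users the site knows to be under 16. The cookie names, the `category` tags on scripts, and the sample script list are assumptions made for the example.

```javascript
// Added example: gating "sale or sharing" (marketing/ad scripts) under the CCPA.
// Assumes `headers` is a lowercase-keyed object like Node's req.headers.
// Cookie names (ccpa_optout, ccpa_minor_optin) are constructed for this example.

// Minimal Cookie header parser (constructed helper, not a library call).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide whether the site may sell/share data for this request.
// Returns { allowed, reason } so every decision can be logged for audit evidence.
function sharingDecision({ headers = {}, knownUnder16 = false }) {
  // GPC spec: browsers send "Sec-GPC: 1" when the user has enabled the signal.
  const gpc = String(headers["sec-gpc"] ?? "").trim() === "1";
  const cookies = parseCookies(headers["cookie"]);

  if (gpc) return { allowed: false, reason: "gpc-signal" };          // browser opt-out
  if (cookies.ccpa_optout === "1") return { allowed: false, reason: "opt-out-link" };

  if (knownUnder16) {
    // Minors: opt-in model. Only an affirmative consent cookie permits sharing.
    return cookies.ccpa_minor_optin === "1"
      ? { allowed: true, reason: "minor-opt-in" }
      : { allowed: false, reason: "minor-no-opt-in" };
  }
  return { allowed: true, reason: "adult-no-opt-out" };              // default opt-out model
}

// Constructed script inventory, as a cookie scan might classify it.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
  { src: "https://analytics.example/tag.js", category: "marketing" },
];

// Only "necessary" scripts load when sharing is not allowed.
function scriptsToLoad(decision, scripts) {
  return scripts
    .filter((s) => s.category === "necessary" || decision.allowed)
    .map((s) => s.src);
}
```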
While the CCPA shares some similarities with Europe's GDPR or Brazil's LGPD, it is a unique legal framework. The CCPA is primarily an "opt-out" system for most adults, whereas the GDPR is a "prior consent" system. However, for minors in California, the CCPA functions as an opt-in system, requiring affirmative consent before any data sale or sharing occurs.
Frequently Asked Questions
Does the CCPA apply to businesses outside California?
Yes. If your business is for-profit, does business in California, and meets the revenue or data volume thresholds, you must comply regardless of where your headquarters are located.
What is the difference between "selling" and "sharing" data?
Selling involves the exchange of personal information for money or other valuable consideration. Sharing refers specifically to disclosing data to a third party for cross-context behavioural advertising, even if no money changes hands.
Do I need a cookie banner for CCPA?
While the CCPA does not strictly require a GDPR-style banner for all visitors, you must provide a "Notice at Collection" and a clear way for users to opt out of data sales and sharing, which is most effectively handled via a consent tool.
What are dark patterns in the context of CCPA?
Dark patterns are user interface designs that trick or manipulate users into making choices they didn't intend to make, such as making the "Opt-Out" button nearly invisible compared to the "Accept All" button.
Can I be fined if I don't have a California office?
Yes. The California Attorney General and the CPPA have the authority to pursue enforcement actions against any covered business that processes the data of California residents.
Take Control of Your Privacy Compliance
If you are unsure whether your website meets the latest California requirements, start with a comprehensive check of your data practices. Kukie.io provides tools to identify tracking technologies and manage consumer opt-outs efficiently, helping you maintain transparency with your visitors.