PolicyOwn - Automated Legal Policy & HR Compliance Generator

CCPA Compliance for Businesses in 2026: The Complete Practical Guide

Strategic Lead: PolicyOwn Team
Intelligence Deployed: April 23, 2026
Digest Duration: 5 min read

The California Consumer Privacy Act — and its successor, the California Privacy Rights Act — represents the most significant US data privacy legislation since the internet age began.

In 2026, CCPA/CPRA enforcement is accelerating. The California Privacy Protection Agency (CPPA) is issuing fines, investigating businesses across industries, and setting precedents that other states are following.

If your business touches California consumers in any meaningful way, this law almost certainly applies to you.

This guide provides a complete, practical overview of what CCPA compliance requires in 2026 — and how to build a system that holds up under scrutiny.


What Is CCPA?

The California Consumer Privacy Act (CCPA) was enacted in 2018 and came into effect on January 1, 2020. It gives California residents specific rights over their personal information and requires businesses to be transparent about their data practices.

In 2020, California voters passed Proposition 24 — the California Privacy Rights Act (CPRA) — which significantly expanded CCPA. CPRA's full provisions took effect on January 1, 2023, and its enforcement ramped up through 2024 and 2025.

CPRA introduced:

  • A new category of "sensitive personal information" with additional protections
  • A right to correct inaccurate personal information
  • The California Privacy Protection Agency (CPPA) as a dedicated enforcement body
  • Data minimisation requirements
  • Purpose limitation restrictions
  • Expanded opt-out rights (not just sale of data, but sharing for cross-context behavioural advertising)

Who Must Comply With CCPA?

CCPA applies to for-profit businesses that do business in California AND meet at least one of the following thresholds:

  • Annual gross revenues exceeding $25 million
  • Annually buys, sells, receives, or shares, for commercial purposes, the personal information of 100,000 or more California consumers or households
  • Derives 50% or more of annual revenues from selling consumers' personal information

Importantly, "doing business in California" does not require a physical presence. If you have California customers, visitors, or users, you are likely doing business in California.


What Personal Information Does CCPA Cover?

CCPA defines personal information broadly. It includes:

  • Identifiers: name, alias, postal address, IP address, email, account name, SSN, driver's licence, passport number
  • Commercial information: products purchased, purchasing history
  • Internet activity: browsing history, search history, interaction with website or application
  • Geolocation data
  • Employment and education information
  • Inferences drawn from the above to create consumer profiles

Sensitive Personal Information (CPRA)

CPRA created a new, more protected category of sensitive personal information, which includes:

  • Social Security numbers and financial account details
  • Precise geolocation
  • Racial or ethnic origin
  • Religious beliefs
  • Genetic and biometric data
  • Health information
  • Sexual orientation and gender identity
  • Private communications (emails, texts)

Consumer Rights Under CCPA/CPRA

California residents have the following rights under CCPA/CPRA:

Right to Know

Consumers can request disclosure of the categories and specific pieces of personal information you have collected about them, the sources, purposes, and third parties with whom you share it.

Right to Delete

Consumers can request deletion of their personal information, with some exceptions (legal obligations, security, internal uses).

Right to Correct

Introduced by CPRA — consumers can request correction of inaccurate personal information.

Right to Opt Out of Sale or Sharing

Consumers can opt out of the sale or sharing of their personal information for cross-context behavioural advertising. This must be facilitated by a visible "Do Not Sell or Share My Personal Information" link.

Right to Limit Use of Sensitive Personal Information

Consumers can direct businesses to limit the use and disclosure of sensitive personal information to what is necessary to provide the requested service.

Right to Non-Discrimination

Businesses cannot discriminate against consumers who exercise their CCPA rights — by denying goods or services, charging higher prices, or providing lower quality of service.

Right to Data Portability

Consumers can request their data in a portable, usable format.


Required CCPA Disclosures

Privacy Policy

Your privacy policy must include CCPA-specific disclosures, including:

  • Categories of personal information collected
  • Purposes for collection
  • Categories of third parties with whom you share data
  • Consumer rights and how to exercise them
  • Response timelines (45 days)
  • Whether you sell or share personal information

Notice at Collection

You must provide a notice at the point of data collection — before or at the time you collect personal information. This is separate from your full privacy policy and must be concise and specific to the data being collected at that interaction.

Do Not Sell or Share Link

If you sell or share personal information (including sharing for targeted advertising), you must provide a clearly visible opt-out link on your homepage, typically labelled "Do Not Sell or Share My Personal Information."

Limit Use of Sensitive Personal Information Link

If you use sensitive personal information for purposes beyond providing the core service, you must provide a separate opt-out link for consumers to limit this use.


CCPA for SaaS and Technology Businesses

SaaS companies face particular complexity under CCPA because they often:

  • Process California consumers' data on behalf of their business customers (acting as service providers)
  • Have California employees and job applicants (employee data has specific CCPA protections)
  • Use analytics and advertising tools that share data with third parties

As a service provider, you process data under contract with your customers, and the CCPA obligations primarily fall on the business that collected the data. However, you must have service provider agreements in place that restrict your use of customer data.


CCPA Enforcement — What You Need to Know

The California Attorney General enforced CCPA until July 2023, when the California Privacy Protection Agency took over. The CPPA has:

  • Broader enforcement authority
  • Rulemaking power to update CCPA regulations
  • The ability to levy fines of up to $2,500 per unintentional violation and $7,500 per intentional violation
  • No cure period for violations as of 2023 — businesses are no longer given 30 days to fix violations before fines are issued

CCPA Compliance Checklist for 2026

  • Determine whether CCPA applies to your business
  • Map all personal information you collect about California consumers
  • Update your privacy policy with CCPA-required disclosures
  • Implement a Notice at Collection for all data collection touchpoints
  • Set up a "Do Not Sell or Share" opt-out mechanism (if applicable)
  • Build a consumer rights request process (45-day response window)
  • Review and update contracts with service providers and third parties
  • Implement data minimisation — stop collecting data you do not need
  • Define data retention schedules and apply them
  • Train employees who handle personal information on CCPA requirements
  • Conduct a data mapping exercise to document all data flows
  • Review advertising and analytics tool configurations for CCPA compliance

How PolicyOwn Helps with CCPA Compliance

PolicyOwn's compliance engine generates CCPA-aware privacy policies that include all required disclosures in a clear, compliant format. Whether you are building your first privacy policy or updating an existing one to reflect CPRA changes, PolicyOwn creates documentation that:

  • Includes all CCPA/CPRA mandatory disclosures
  • Uses correct and current regulatory language
  • Is tailored to your specific data practices and business model
  • Can be updated easily when regulations or your practices change

Visit https://policyown.com/ to generate your CCPA-compliant documentation today.


Frequently Asked Questions

Does CCPA apply to B2B companies?

Yes. While CCPA was initially focused on consumer data, CPRA extended protections to data about employees, contractors, job applicants, and business contacts in California. B2B companies with California employees or business contacts must comply.

What if my business is outside California?

CCPA applies based on where your consumers are located — not where your business is. If you have California consumers, CCPA applies regardless of your company's location.

Is Google Analytics considered a "sale" of data under CCPA?

Sharing data with Google for analytics purposes that involve cross-context behavioural advertising may constitute "sharing" under CPRA. This requires careful review of your Google Analytics configuration and potentially implementing a "Do Not Sell or Share" opt-out.


Final Thoughts

CCPA/CPRA compliance is no longer optional for any business of meaningful scale that reaches California consumers.

The enforcement environment has hardened. The CPPA is active and motivated. And the penalties for non-compliance are material.

The businesses that act now — building proper data practices, transparent disclosures, and documented compliance systems — will be far better positioned than those who wait for an enforcement action to force change.

Build your CCPA-compliant documentation today at PolicyOwn — tailored, audit-ready, and ready in minutes.
