
CCPA Compliance Checklist (2026)

Authority: California Privacy Protection Agency (CPPA) & California AG
Updated: 2026-01
Disclaimer: This checklist is for informational purposes only and does not constitute legal advice. Compliance requirements vary by jurisdiction, business type, and circumstances. Always consult a qualified attorney or compliance professional before making compliance decisions.

Know What Data You Collect

Cal. Civ. Code §1798.100
Cal. Civ. Code §1798.110(c)
Cal. Civ. Code §1798.115(c)
Cal. Civ. Code §1798.130(a)(5)(B)

Privacy Policy

Cal. Civ. Code §1798.110(c)
Cal. Civ. Code §1798.115(c)
Cal. Civ. Code §1798.130(a)(5)
Cal. Civ. Code §1798.130(a)(5)(B)
Cal. Civ. Code §1798.135
Cal. Civ. Code §1798.135(a)(1)

Consumer Rights (45-day response required)

Cal. Civ. Code §1798.105
Cal. Civ. Code §1798.106
Cal. Civ. Code §1798.110
Cal. Civ. Code §1798.121
Cal. Civ. Code §1798.125
Cal. Civ. Code §1798.130(a)(3)
Cal. Civ. Code §1798.135

Sensitive Personal Information

Cal. Civ. Code §1798.121
Cal. Civ. Code §1798.140(ae)

Minors' Data

Cal. Civ. Code §1798.120(c)

Service Providers

Cal. Civ. Code §1798.140(ag)

Data Retention

Cal. Civ. Code §1798.100(a)(3)

Security

Cal. Civ. Code §1798.81.5

What is CCPA/CPRA and who does it apply to?

The California Consumer Privacy Act (CCPA), effective January 1, 2020, and significantly amended by the California Privacy Rights Act (CPRA), effective January 1, 2023, is the United States' most comprehensive state privacy law. It is enforced by the California Attorney General and, for CPRA violations, the California Privacy Protection Agency (CPPA).

CCPA/CPRA applies to for-profit businesses that collect personal information of California consumers and meet any one of these thresholds: annual gross revenues over $25 million; buy, sell, or share for commercial purposes the personal information of 100,000 or more consumers or households (lowered from 50,000 by CPRA); or derive 50% or more of annual revenues from selling or sharing consumers' personal information (Cal. Civ. Code §1798.140(d)). Non-profit organisations and businesses that do not meet these thresholds are generally not covered, though they may voluntarily adopt the standards.

Key CPRA changes from 2023

CPRA significantly expanded CCPA. New rights include: the right to correct inaccurate personal information (Cal. Civ. Code §1798.106), and the right to limit the use and disclosure of sensitive personal information (§1798.121). CPRA also created a new category of sensitive personal information — including Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, and health data — which receives heightened protections. The opt-out requirement now explicitly covers "sharing" (cross-context behavioural advertising) in addition to "selling," closing a loophole that many businesses had exploited.

Penalties under Cal. Civ. Code §1798.155 are up to $2,500 per unintentional violation and $7,500 per intentional violation. For data breaches involving consumers' sensitive information, a private right of action under §1798.150 allows statutory damages of $100–$750 per consumer per incident. With millions of California residents potentially affected, class action exposure can be substantial.

How to use this CCPA/CPRA compliance checklist

Start with your data inventory — you cannot honour consumer rights or write an accurate privacy notice without knowing what personal information you collect, why, and with whom you share it. The most critical immediate steps are: update your privacy policy (§1798.100), establish a process to handle consumer rights requests within 45 days (§1798.105), and determine whether you "sell" or "share" personal information, which triggers the "Do Not Sell or Share My Personal Information" link requirement (§1798.120).

If your business also serves EU residents, review our GDPR checklist — CCPA and GDPR share many concepts (lawful basis, data subject rights, breach notification) but have important differences. If you handle health data, the HIPAA checklist likely applies as well. Download the PDF to document your compliance status for legal counsel or internal review.

Frequently Asked Questions

What is the maximum penalty for CCPA/CPRA violations?

The California AG and CPPA can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation (Cal. Civ. Code §1798.155). With no per-action cap, a single incident affecting thousands of consumers can result in millions in fines. CCPA also provides consumers a private right of action for data breaches with statutory damages of $100–$750 per consumer per incident.

Who does CCPA apply to?

CCPA applies to for-profit businesses doing business in California that meet at least ONE of: (1) annual gross revenue over $25 million, (2) buy/sell/share personal information of 100,000+ California consumers or households per year, or (3) derive 50% or more of annual revenue from selling California consumers' personal information. Non-profits and government entities are exempt.

What is the difference between CCPA and CPRA?

The California Privacy Rights Act (CPRA) significantly amended CCPA, effective January 1, 2023. CPRA added new consumer rights (right to correct, right to limit use of sensitive PI), created a new category of sensitive PI, established the California Privacy Protection Agency (CPPA), strengthened data minimisation requirements, and added retention period disclosure obligations.

What counts as 'selling' personal information under CCPA?

'Selling' under CCPA is broader than the everyday meaning. It includes selling, renting, releasing, disclosing, or making available personal information to a third party for monetary or other valuable consideration. This can include sharing data with advertising networks, even if no money changes hands directly — 'other valuable consideration' covers non-monetary exchanges.

Do I need a 'Do Not Sell or Share My Personal Information' link?

Only if you sell or share personal information as defined under CCPA. If you use advertising trackers or share data with analytics platforms that monetise that data, you likely qualify. The link must appear on your homepage and link to a functional opt-out mechanism. Many businesses add it as a precaution even if applicability is uncertain.

What are the penalties for CCPA violations?

The California AG and CPPA can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. There is no cap per enforcement action, meaning a single data incident affecting thousands of consumers could result in millions in fines. CCPA also provides a private right of action for data breaches: $100–$750 per consumer per incident.