How to Comply with the CCPA

Updated for 2023

Key takeaways:

  • Determine if CCPA applies to your business by checking if you handle California consumer data and meet at least one threshold: annual revenue exceeding $25 million, processing data from 100,000 or more California residents or households annually, or deriving 50 percent or more of revenue from selling consumer data
  • Implement systems to honor four consumer rights by establishing at least two methods for data requests, displaying a clearly labeled “Do Not Sell My Information” link, maintaining updated privacy policies with required CCPA disclosures, and ensuring deletion requests are fulfilled across all your data processors
  • Recognize that non-compliance penalties escalate rapidly, with intentional violations carrying up to $7,500 per violation and unintentional ones up to $2,500 per violation, where each affected consumer counts as a separate violation potentially resulting in millions in penalties for data breaches
  • Stay current with regulatory changes and maintain vendor compliance, as the California Privacy Rights Act expanded CCPA requirements and employee or business-to-business exemptions expired December 31, 2022, making ongoing compliance monitoring essential

How confident are you about your current data privacy compliance? Most businesses think they’re covered with a basic privacy policy, but initial compliance costs were estimated at up to $55 billion collectively, which indicates the high price for those caught unprepared by a California Consumer Privacy Act (CCPA) violation. On top of potential fines, poor contract management practices can cause organizations to lose 11% of total contract value through contract value leakage, according to World Commerce & Contracting’s 2026 report Closing the Procurement Value Gap: How Smarter Contracting Can Prevent 11% Value Leakage.

What is the CCPA?

The CCPA is a comprehensive data privacy law that gives California residents control over their personal information. CCPA went into effect on January 1, 2020, and applies to businesses that collect, share, or sell California consumer data.

While CCPA shares some similarities with other privacy laws like the European Union’s General Data Protection Regulation (GDPR) and California’s newer Privacy Rights Act (CPRA), each has distinct requirements and compliance obligations. Understanding these differences is crucial because you can’t just copy-paste your GDPR compliance strategy and call it a day.

For businesses handling California consumer data, understanding CCPA compliance is essential. The stakes are high: non-compliance can result in penalties up to $7,500 for any intentional violation and $2,500 per violation for unintentional ones.

Who must comply with CCPA?

CCPA applies to for-profit businesses that collect, share, or sell California consumers’ personal information and meet at least one of these thresholds:

Revenue threshold: Annual revenues exceed $25 million

Data volume threshold: Buys, sells, or shares the personal information of 100,000 or more California residents or households annually

Revenue source threshold: Derives 50%+ of annual revenue from selling consumer personal information

Geographic scope: Your business location doesn’t matter. If you do business with California residents and meet these criteria, CCPA applies to you.

Corporate relationships: Subsidiary and parent companies are also subject to CCPA if they’re controlled by or control a business meeting these thresholds.

What are the requirements for CCPA?

What is the difference between GDPR and CCPA?

Think of it this way: GDPR and CCPA are related, but they’re not twins. The main thing to know is that GDPR, the European Union’s rule, is generally broader. It applies to any data from people in the EU, and it’s built on an “opt-in” model, meaning you need someone’s explicit permission before you can collect their data. CCPA, on the other hand, is California-specific and works on an “opt-out” model. It gives Californians the right to tell you, “Hey, don’t sell my data.” CCPA also has specific thresholds for businesses—based on revenue or the amount of data processed—so it doesn’t apply to every single company doing business in California.

What is the difference between CCPA and CPRA?

This one’s a common point of confusion. The easiest way to think about it is that the California Privacy Rights Act (CPRA) is an update to the CCPA—think of it as CCPA 2.0. It didn’t replace the CCPA, but it did build on it. CPRA added some new consumer rights, like the right to correct inaccurate personal information and the right to limit the use of “sensitive” personal information. It also established the California Privacy Protection Agency (CPPA) to handle enforcement, giving the rules more teeth. So, if you were compliant with CCPA, you had to take extra steps to become compliant with CPRA.

How can a CLM help with CCPA compliance?

Here’s where things get practical. A contract lifecycle management (CLM) platform is a huge help for CCPA compliance because it gives you a single source of truth for all your agreements that involve data. Your Data Processing Agreements (DPAs) with vendors, for example. When a customer asks what you’re doing with their data, you can’t just guess. A CLM lets you instantly pull up every contract with data-handling clauses to see exactly what you’ve agreed to and what your vendors are obligated to do. It helps you manage and track consent to your privacy policies and makes it much easier to respond to data subject requests because all the information is in one searchable place, not scattered across inboxes and shared drives.

Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.