Table of Contents
- What is the CCPA?
- Who must comply with CCPA?
- What are the requirements for CCPA?
- How to comply with the CCPA
- Updates to the CCPA since inception
- What are the penalties for non-compliance with the CCPA?
- Examples of violations
- How Ironclad helps with CCPA compliance
- Frequently asked questions about CCPA
Key takeaways:
- Determine if CCPA applies to your business by checking if you handle California consumer data and meet at least one threshold: annual revenue exceeding $25 million, processing data from 100,000 or more California residents or households annually, or deriving 50 percent or more of revenue from selling consumer data
- Implement systems to honor four consumer rights by establishing at least two methods for data requests, displaying a clearly labeled “Do Not Sell My Information” link, maintaining updated privacy policies with required CCPA disclosures, and ensuring deletion requests are fulfilled across all your data processors
- Recognize that non-compliance penalties escalate rapidly, with intentional violations carrying up to $7,500 per violation and unintentional ones up to $2,500 per violation, where each affected consumer counts as a separate violation potentially resulting in millions in penalties for data breaches
- Stay current with regulatory changes and maintain vendor compliance, as the California Privacy Rights Act expanded CCPA requirements and employee or business-to-business exemptions expired December 31, 2022, making ongoing compliance monitoring essential
How confident are you about your current data privacy compliance? Most businesses think they’re covered with a basic privacy policy, but initial compliance costs were estimated at up to $55 billion collectively, which indicates the high price for those caught unprepared by a California Consumer Privacy Act (CCPA) violation. On top of potential fines, poor contract management practices can cause organizations to lose 11% of total contract value through contract value leakage, according to World Commerce & Contracting’s 2026 report Closing the Procurement Value Gap: How Smarter Contracting Can Prevent 11% Value Leakage.
What is the CCPA?
The CCPA is a comprehensive data privacy law that gives California residents control over their personal information. CCPA went into effect on January 1, 2020, and applies to businesses that collect, share, or sell California consumer data.
While CCPA shares some similarities with other privacy laws like the European Union’s General Data Protection Regulation (GDPR) and California’s newer Privacy Rights Act (CPRA), each has distinct requirements and compliance obligations. Understanding these differences is crucial because you can’t just copy-paste your GDPR compliance strategy and call it a day.
For businesses handling California consumer data, understanding CCPA compliance is essential. The stakes are high: non-compliance can result in penalties up to $7,500 for any intentional violation and $2,500 per violation for unintentional ones.
Who must comply with CCPA?
CCPA applies to for-profit businesses that collect, share, or sell California consumers’ personal information and meet at least one of these thresholds:
- Revenue threshold: Annual revenues exceed $25 million
- Data volume threshold: Buys, sells, or shares the personal information of 100,000 or more California residents or households annually
- Revenue source threshold: Derives 50%+ of annual revenue from selling consumer personal information
Geographic scope: Your business location doesn’t matter. If you do business with California residents and meet these criteria, CCPA applies to you.
Corporate relationships: Subsidiary and parent companies are also subject to CCPA if they’re controlled by or control a business meeting these thresholds.
What are the requirements for CCPA?
CCPA requires businesses to provide consumers with specific rights regarding their personal information. Here’s what you need to implement to honor these consumer rights:
The right to disclosure
Businesses must disclose when they collect and sell information about a user, to whom they sell it, the specific pieces of information they collect and sell, and the purposes for collection and sale. When consumers request this information, you have 45 days to provide specific details about what data you’ve collected in the past 12 months, and you can extend that deadline by another 45 days if you notify the consumer. You also need to provide consumers with at least two ways to request their information—like a website link, email address, or phone number.
The right to delete their data
Consumers have the right to request that their data be deleted, and you must comply. This also means requiring your counterparty data processors to delete the information and ensuring that they comply with deletion requests.
The right to opt-out
You must notify consumers that they can opt-out of having their data collected and sold—and then actually follow through when they do. Beyond a general opt-out mechanism, you need a link specifically titled “Do Not Sell My Information.”
The right to non-discrimination
Consumers who request data deletion or opt out of data collection can’t be penalized with different service levels or pricing. They get the same service at the same cost.
Businesses must also have a privacy policy
Like the GDPR, CCPA requires businesses to have a privacy policy in which they must include:
- Consumers’ rights
- Ways consumers can submit requests
- Categories of personal information collected within the last 12 months
How to comply with the CCPA
CCPA compliance means implementing systems and processes that honor consumer privacy rights while maintaining proper documentation and vendor management.
Essential compliance steps:
- Privacy policy updates: Maintain current privacy policies with all required CCPA disclosures and track policy versions with proof of user consent.
- Consumer request systems: Establish at least two methods for consumers to request their data, such as online forms, email addresses, or phone numbers.
- Opt-out mechanisms: Display a clearly labeled “Do Not Sell My Information” link on your website and honor opt-out requests.
- Vendor management: Update data processing agreements with counterparties and track their acceptance of CCPA-compliant terms. This oversight is resource-intensive, as Data Processing Agreements (DPAs) typically require 70% legal involvement and take an average of 20 days to execute, according to The 2025 Contracting Benchmark Report.
- Documentation systems: Maintain records of all privacy policy changes, consumer requests, and vendor compliance to demonstrate good-faith compliance efforts.
Updates to the CCPA since inception
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and since then, there have been several updates and amendments made to the law. Some of the recent updates to CCPA are:
- The California Privacy Rights Act (CPRA): This is a ballot initiative that was passed in November 2020 and amends the CCPA. The CPRA expands the scope of the CCPA, creates new consumer rights, establishes a new agency to enforce the law, and provides additional protections for sensitive personal information.
- Employee and Business-to-Business Exemptions: Previously, limited exemptions existed for personal information collected in employment or business-to-business contexts. However, it’s critical to note these exemptions expired on December 31, 2022, and this data is now subject to full CCPA/CPRA regulation.
- Deidentification and Aggregated Data: In October 2020, new regulations were adopted that provide guidance on how to comply with CCPA requirements related to deidentified or aggregated data. The regulations clarify the requirements for data to be considered deidentified or aggregated, and provide guidance on how to respond to consumer requests related to this type of data.
- Consumer Request Verification: In March 2021, new regulations were adopted that provide additional guidance on how to verify consumer requests for personal information. The regulations clarify the types of information that can be used to verify a consumer’s identity, and provide examples of methods that can be used to verify requests.
These updates have expanded the law’s scope and clarified compliance requirements, so if you’re subject to CCPA, staying current with these changes isn’t optional—it’s essential for avoiding violations.
What are the penalties for non-compliance with the CCPA?
The attorney general
CCPA violations carry significant financial penalties that can quickly escalate based on the number of affected consumers.
Attorney General enforcement penalties:
- Intentional violations: Up to $7,500 per violation (deliberately ignoring CCPA requirements)
- Unintentional violations: Up to $2,500 per violation (such as failing to properly secure data that gets breached)
Penalty calculation: Each affected consumer counts as a separate violation. A data breach affecting 10,000 consumers could result in penalties ranging from $25 million to $75 million, depending on whether violations are deemed intentional or unintentional.
Consumers’ private right of action
Beyond attorney general enforcement, consumers can bring private lawsuits for data breaches resulting from non-compliance. Consumers can sue for statutory damages if your company failed to implement reasonable security measures and that failure led to unauthorized disclosure of their personal information. Here’s how the process works: consumers must provide written notice of which CCPA sections were violated and allow 30 days for the business to fix the issues and confirm that no further violations will occur. If you fail to remedy the violations within that timeframe, you’re subject to statutory damages between $100-$750 per affected consumer.
For context on how quickly these penalties add up, consider a company like Anthem, which experienced a breach affecting roughly 13.5 million Californians. Under CCPA’s private right of action provisions, they would face potential statutory damages between $1.35 billion and over $10 billion—and that’s in addition to all the other costs associated with a data breach.
Examples of violations
Since CCPA went into effect, we’ve seen several high-profile enforcement actions that show how violations typically occur. Here are a few notable examples:
- In 2020, the California attorney general filed a lawsuit against Facebook for allegedly violating the CCPA by failing to provide consumers with clear and concise information about how their personal information is collected and used. The lawsuit is still pending.
- In 2021, a class-action lawsuit was filed against Google for allegedly violating the CCPA by collecting personal information from consumers without their consent. The lawsuit is still pending at this time.
- In 2021, a class-action lawsuit was filed against Uber for allegedly violating the CCPA by failing to provide consumers with access to their personal information. The lawsuit was settled in 2022, with Uber agreeing to pay $1.1 million to the class members and to make changes to its privacy practices.
What you can learn from these cases: most violations stem from either inadequate disclosures about data collection practices or failures in the consumer request process. The key is having clear policies and reliable systems to handle consumer rights requests.
How Ironclad helps with CCPA compliance
Managing CCPA compliance becomes significantly easier when you have the right contract management infrastructure in place. Ironclad can help businesses track consent to updated privacy policies, terms and conditions, and CCPA-mandated disclosures. Additionally, Ironclad can help businesses track opt-ins and opt-outs of data disclosures, quickly push updated privacy policies, terms of service agreements, and counterparty agreements for consumers or vendors to acknowledge or accept with a simple click of a button. Request a demo today to see how Ironclad can support your CCPA compliance efforts.
Frequently asked questions about CCPA
What is the difference between GDPR and CCPA?
Think of it this way: GDPR and CCPA are related, but they’re not twins. The main thing to know is that GDPR, the European Union’s rule, is generally broader. It applies to any data from people in the EU, and it’s built on an “opt-in” model, meaning you need someone’s explicit permission before you can collect their data. CCPA, on the other hand, is California-specific and works on an “opt-out” model. It gives Californians the right to tell you, “Hey, don’t sell my data.” CCPA also has specific thresholds for businesses—based on revenue or the amount of data processed—so it doesn’t apply to every single company doing business in California.
What is the difference between CCPA and CPRA?
This one’s a common point of confusion. The easiest way to think about it is that the California Privacy Rights Act (CPRA) is an update to the CCPA—think of it as CCPA 2.0. It didn’t replace the CCPA, but it did build on it. CPRA added some new consumer rights, like the right to correct inaccurate personal information and the right to limit the use of “sensitive” personal information. It also established the California Privacy Protection Agency (CPPA) to handle enforcement, giving the rules more teeth. So, if you were compliant with CCPA, you had to take extra steps to become compliant with CPRA.
How can a CLM help with CCPA compliance?
Here’s where things get practical. A contract lifecycle management (CLM) platform is a huge help for CCPA compliance because it gives you a single source of truth for all your agreements that involve data. Your Data Processing Agreements (DPAs) with vendors, for example. When a customer asks what you’re doing with their data, you can’t just guess. A CLM lets you instantly pull up every contract with data-handling clauses to see exactly what you’ve agreed to and what your vendors are obligated to do. It helps you manage and track consent to your privacy policies and makes it much easier to respond to data subject requests because all the information is in one searchable place, not scattered across inboxes and shared drives.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.