CCPA (California Consumer Privacy Act)

What is CCPA?

The California Consumer Privacy Act (CCPA) is California's comprehensive privacy law granting residents control over personal information collection, use, and sale by businesses. Enacted in January 2020 and strengthened by the California Privacy Rights Act (CPRA) in 2023, CCPA establishes consumer rights, business obligations, and enforcement mechanisms that significantly impact B2B marketing, sales operations, and customer data management practices for organizations doing business with California residents.

CCPA applies to for-profit businesses meeting at least one threshold: annual gross revenues exceeding $25 million, buying/selling personal information of 100,000+ California residents/households annually, or deriving 50%+ revenue from selling consumer personal information. Unlike GDPR's extraterritorial reach to all EU data subjects, CCPA focuses specifically on California residents but affects any business serving California markets regardless of headquarters location.

The regulation balances consumer privacy rights with business interests through transparency requirements, opt-out mechanisms, and anti-discrimination provisions. Organizations achieving privacy compliance benefit from regulatory alignment, customer trust, and scalable data practices applicable across expanding state-level privacy frameworks emerging throughout the United States.

Key Takeaways

  • California-Focused Privacy Law: Grants residents rights over personal information with specific business applicability thresholds ($25M+ revenue, 100K+ residents, or 50%+ data sales revenue)

  • Five Consumer Rights: Know what's collected, delete personal information, opt-out of sales, data portability, non-discrimination protection

  • Opt-Out Model: Unlike GDPR's opt-in requirement, CCPA requires prominent "Do Not Sell My Personal Information" opt-out mechanisms

  • B2B Employee Data Exemption: Certain B2B and employee data exemptions reduce compliance burden for pure B2B organizations

  • National Privacy Trend: California's framework influences expanding state-level regulations across the US, making compliance scalable

Core CCPA Consumer Rights

CCPA grants California residents five fundamental rights regarding their personal information:

Right to Know

Consumers can request disclosure of personal information collected, including:

Categories and Sources: What types of personal information businesses collected and from which sources (directly from consumers, third-party data providers, public records, social media)

Business Purposes: Specific purposes for collection and use (marketing, analytics, fraud prevention, product improvement)

Third-Party Sharing: Categories of recipients with whom personal information was shared or sold, including advertising networks, marketing automation platforms, and analytics providers

Specific Pieces: Actual personal information collected about the requesting consumer (contact details, transaction history, behavioral data)

Businesses must respond within 45 days (extendable once for 45 additional days if reasonably necessary), providing information covering the 12-month period preceding the request. Initial requests must be fulfilled free of charge; excessive, repetitive, or manifestly unfounded requests may incur reasonable fees.

Right to Delete

Consumers can request deletion of personal information collected, subject to exceptions:

Mandatory Deletion Scenarios:
- Information no longer necessary for disclosed purpose
- Consumer withdraws consent (when consent is legal basis)
- Consumer objects and no overriding legitimate grounds exist
- Information collected/processed unlawfully

Deletion Exceptions (businesses may retain):
- Complete transaction or provide requested service
- Detect security incidents, protect against fraud
- Debug to identify and repair functionality errors
- Exercise free speech, ensure another consumer's right to free speech
- Comply with legal obligations
- Internal uses reasonably aligned with consumer expectations
- Research in public interest (with consumer consent)

Businesses must also direct service providers and contractors to delete the consumer's data from their own records, so that deletion propagates through the data supply chain.

Right to Opt-Out of Sale

CCPA's broadest-reaching provision requires businesses to honor opt-out requests preventing personal information "sale" to third parties. CCPA defines "sale" expansively as:

Sale Definition: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration.

This broad definition captures many common B2B practices:
- Sharing email lists with advertising platforms for retargeting
- Providing hashed identifiers to data brokers for enrichment
- Allowing analytics providers access to behavioral data
- Syncing Customer Data Platform audiences to advertising networks

Opt-Out Requirements:
- Prominent "Do Not Sell My Personal Information" link on homepage
- Clear disclosure of data sale practices in privacy policy
- Opt-out mechanism requiring no account creation
- Respect for opt-outs across all business units and systems
- Annual notification reminding consumers of opt-out rights

Businesses cannot require consumers to create accounts solely to opt out. Once opted out, businesses must wait 12 months before requesting opt-in (cannot repeatedly ask consumers to change their minds).

Right to Non-Discrimination

CCPA prohibits discriminating against consumers exercising privacy rights through:

Prohibited Discrimination:
- Denying goods or services
- Charging different prices or rates
- Providing different service levels or quality
- Suggesting consumers will receive different pricing or quality

Permitted Financial Incentives: Businesses may offer financial incentives (discounts, loyalty programs) for data collection or not opting out, provided:
- Incentive is reasonably related to value of consumer data
- Business provides notice explaining material terms
- Consumers can opt-in (not automatic enrollment)
- Consumers can revoke consent at any time

B2B organizations must carefully structure loyalty programs, volume discounts, and tiered pricing to avoid CCPA discrimination violations while maintaining legitimate commercial differentiation.

Right to Limit Use of Sensitive Personal Information

Added by CPRA (effective 2023), consumers can limit businesses' use of sensitive personal information to purposes necessary for providing requested services. Sensitive categories include:

  • Social Security, driver's license, passport numbers

  • Financial account credentials

  • Precise geolocation data

  • Racial/ethnic origin, religious beliefs, union membership

  • Genetic data, biometric information (for identification)

  • Health information, sex life or sexual orientation

  • Email, text messages, mail (unless business is intended recipient)

For B2B contexts, financial credentials, precise geolocation (mobile app tracking), and email content (for sales/marketing platforms processing customer communications) most commonly trigger sensitive data obligations.

CCPA vs. GDPR Comparison

While both regulations establish privacy frameworks, important distinctions exist:

| Dimension | CCPA | GDPR |
| --- | --- | --- |
| Geographic Scope | California residents only | All EU residents regardless of processing location |
| Applicability | For-profit businesses meeting thresholds | Any organization processing EU personal data |
| Consent Model | Opt-out for most purposes, opt-in for minors under 16 | Opt-in consent required for most processing |
| Data Sale Definition | Broad definition capturing many sharing practices | No "sale" concept; focuses on "processing" |
| Rights Mechanism | Consumer-initiated requests with response timelines | Proactive compliance plus data subject requests |
| Penalties | $2,500 per violation ($7,500 intentional), private right of action for breaches | Up to €20M or 4% global revenue |
| Business Purpose | Permits broad processing for disclosed business purposes | Requires specific legal basis for each purpose |
| Service Providers | Contractual relationships permitted without consent | Data Processing Agreements required |

Organizations with both California and European customers typically implement GDPR standards globally, as GDPR requirements generally exceed CCPA obligations (opt-in consent stricter than opt-out; explicit legal basis more rigorous than disclosed business purpose).

B2B GTM Compliance Strategy

Data Inventory and Mapping

Document all personal information collection, use, and sharing:

Collection Points:
- Website forms capturing contact information
- Marketing automation tracking behavioral signals
- CRM systems storing interaction history
- Product analytics recording usage patterns
- Sales engagement platforms logging communications
- Event registration systems capturing attendee data

Data Categories Collected:
- Identifiers: Names, emails, phone numbers, IP addresses, device IDs
- Commercial information: Purchase history, contract values, product interests
- Internet activity: Behavioral signals, page views, email engagement
- Professional information: Job titles, company affiliations, firmographic data
- Inferences: Lead scoring, propensity models, segment classifications

Third-Party Recipients:
- Advertising platforms (LinkedIn, Google, Facebook)
- Third-party data enrichment providers
- Analytics services
- Email service providers
- Cloud infrastructure providers
- Data warehouse and business intelligence tools

Privacy Policy Updates

CCPA requires specific disclosures in privacy policies updated at least annually:

Required Disclosures:
- Categories of personal information collected (last 12 months)
- Sources from which information collected
- Business/commercial purposes for collection
- Categories of third parties with whom information shared
- Categories of personal information sold or shared (if applicable)
- Consumer rights under CCPA and how to exercise
- Contact information for privacy inquiries

"Do Not Sell" Link: Homepage must prominently display link enabling consumers to opt out of personal information sales. B2B websites often place this link in footer navigation alongside privacy policy and terms of service.

Consumer Request Portal

Build infrastructure handling CCPA consumer requests:

Request Intake:
- Web form for submitting requests (right to know, delete, opt-out)
- Toll-free phone number (for businesses serving California consumers)
- Email address monitored for privacy requests
- Clear instructions for submitting requests

Identity Verification:
- Match requester-provided information to existing records
- Two-factor authentication for account holders
- Reasonable verification steps without requiring excessive information
- Balance fraud prevention with accessibility

Response Workflow:
- Automated acknowledgment within 10 business days
- Data aggregation from CRM, marketing automation, product databases, data warehouses
- Legal review for exception applicability (transaction completion, fraud prevention)
- Formatted response delivered within 45 days (90 days if extended)
- Service provider notification for deletion requests

Data Sale Assessment

Evaluate data sharing practices against CCPA "sale" definition:

Common B2B "Sale" Scenarios:

| Practice | CCPA Classification | Compliance Requirement |
| --- | --- | --- |
| Retargeting pixels | Likely "sale" (sharing for ad targeting) | Opt-out mechanism required |
| Hashed email matching | Likely "sale" (ad platform audience building) | Opt-out mechanism required |
| Analytics with advertising features | Potentially "sale" if used for ad personalization | Review data sharing settings |
| Data enrichment | Not sale if service provider contract exists | Ensure proper contractual terms |
| CRM to marketing automation sync | Not sale (internal business systems) | No opt-out needed |
| Lead list purchases | Sale by vendor; buyer must honor opt-outs | Verify vendor CCPA compliance |

Implement opt-out enforcement: when consumers opt out, suppress from advertising audiences, disable retargeting pixels for that user, and update consent management platform to block data sharing.
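The opt-out enforcement just described (suppressing opted-out contacts from advertising audiences and waiting 12 months before asking them to opt back in) and the Response Workflow deadlines from the Consumer Request Portal section, as an added example that is not from the original page. The registry class, function names, and sample contacts and dates are assumptions constructed for illustration.

```python
# Added example, not from the original page: a minimal CCPA opt-out registry
# and request-deadline tracker. Sample contacts and dates are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

RESOLICIT_WAIT = timedelta(days=365)  # 12 months before asking to opt back in
RESPONSE_DAYS, EXTENSION_DAYS = 45, 45  # initial window, one optional extension
ACK_BUSINESS_DAYS = 10                  # acknowledgment of receipt


@dataclass
class OptOutRegistry:
    """Maps a normalised email address to the date its opt-out was recorded."""
    opted_out: dict = field(default_factory=dict)

    def record_opt_out(self, email: str, when: date) -> None:
        self.opted_out[email.strip().lower()] = when

    def may_share(self, email: str) -> bool:
        """False for any contact with an opt-out on file, however old."""
        return email.strip().lower() not in self.opted_out

    def may_request_opt_in(self, email: str, today: date) -> bool:
        """True if the contact never opted out or 12 months have elapsed."""
        since = self.opted_out.get(email.strip().lower())
        return since is None or today - since >= RESOLICIT_WAIT

    def suppress_audience(self, emails: list) -> list:
        """Subset of an audience that may still be synced to an ad platform."""
        return [e for e in emails if self.may_share(e)]


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays; weekends are skipped, holidays are not modelled."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start


def request_deadlines(received: date, extended: bool = False) -> dict:
    """Key dates for a right-to-know or deletion request received on a date."""
    window = RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0)
    return {
        "acknowledge_by": add_business_days(received, ACK_BUSINESS_DAYS),
        "respond_by": received + timedelta(days=window),
        "lookback_start": received - timedelta(days=365),  # 12-month disclosure period
    }


def demo() -> dict:
    """Constructed sample run; returns the results so they can be checked."""
    reg = OptOutRegistry()
    reg.record_opt_out("Alice@Example.com", date(2025, 1, 10))  # constructed contact
    d = request_deadlines(date(2025, 3, 3), extended=True)
    return {
        "audience": reg.suppress_audience(["alice@example.com", "bob@example.com"]),
        "resolicit_jun_2025": reg.may_request_opt_in("alice@example.com", date(2025, 6, 1)),
        "resolicit_jan_2026": reg.may_request_opt_in("alice@example.com", date(2026, 1, 12)),
        "acknowledge_by": d["acknowledge_by"].isoformat(),
        "respond_by": d["respond_by"].isoformat(),
    }
```

Every outbound audience sync and re-solicitation campaign should call these checks against the same registry, so that an opt-out recorded in one business unit is honored across all systems.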

Service Provider Contracts

CCPA distinguishes "service providers" (process on behalf of business) from "third parties" (process for own purposes). Service provider relationships offer compliance advantages but require specific contractual terms:

Required Contract Provisions:
- Prohibit service provider from retaining, using, or disclosing personal information except for specific business purpose
- Prohibit service provider from selling personal information
- Certify service provider understands and will comply with restrictions
- Grant business right to take reasonable steps ensuring compliance
- Require notification of inability to meet obligations

B2B organizations should execute CCPA-compliant service provider agreements with:
- Marketing automation platforms
- Customer Data Platforms
- Email service providers
- Analytics platforms
- Data warehouses and cloud infrastructure
- Sales engagement tools

Employee and B2B Data Exemptions

CCPA initially exempted business contact information and employee data, but CPRA narrowed these exemptions:

Current B2B Exemption (through 2023): Limited exemption for business-to-business communications where personal information reflects person acting on behalf of business. Applies to business contact details (firmographic data with contact names) but not broader behavioral tracking.

Practical Implication: B2B companies cannot ignore CCPA entirely. While business contact databases receive some exemption, behavioral tracking (behavioral signals, intent data, website analytics) of business contacts still falls under CCPA when identifiable to individuals.

Conservative compliance approach: honor CCPA rights for all California consumer data, including B2B contacts, recognizing exemptions may further narrow or disappear as regulations evolve.

Enforcement and Penalties

California Privacy Protection Agency (CPPA)

CPRA established dedicated enforcement agency (CPPA) with rulemaking and investigative authority. Prior enforcement by California Attorney General transitions to CPPA for comprehensive oversight.

Enforcement Priorities:
- Failure to honor opt-out requests
- Non-responsive or incomplete data subject requests
- Inadequate privacy policy disclosures
- Data sales without compliant opt-out mechanisms
- Service provider contract violations

Penalty Structure

Administrative Penalties: $2,500 per violation (unintentional) or $7,500 per intentional violation. Violations assessed per affected consumer—widespread non-compliance creates substantial exposure.

Private Right of Action: Unlike most privacy laws, CCPA grants consumers private litigation rights for data breaches involving unencrypted/unredacted personal information. Statutory damages $100-$750 per consumer per incident or actual damages (whichever greater), creating class action risk.

Cure Period: Businesses receive 30-day cure period after notice of violation before penalties attach (administrative enforcement only; private right of action has no cure provision for breaches).

Use Cases

B2B SaaS California Compliance

A marketing analytics platform serves 5,000 customers nationwide including 800 California-based businesses. CCPA compliance implementation:

Threshold Assessment: Annual revenue $40M (exceeds $25M threshold), CCPA applies despite B2B focus

Privacy Policy Updates: Added CCPA-specific disclosures, explained behavioral signals collection, documented third-party data sharing with advertising platforms

Opt-Out Mechanism: Implemented "Do Not Sell" link, built suppression workflow preventing opted-out users from syncing to LinkedIn/Google advertising audiences, disabled retargeting pixels for opted-out visitors

Request Portal: Built web form handling right-to-know, delete, and opt-out requests; aggregated data from Salesforce, Segment, Snowflake, and Intercom for responses

Service Provider Contracts: Executed CCPA addenda with 12 vendors, ensured proper contractual restrictions

Results: Processed 23 CCPA requests in Year 1 (18 opt-outs, 5 data access requests), maintained compliance without regulatory inquiries, established replicable framework for additional state laws.

Data Sharing Assessment and Remediation

A B2B data platform historically sold prospect lists to other businesses. CCPA sale definition analysis revealed compliance gaps:

Pre-CCPA Practices:
- Sold contact lists ($500-$5,000 per list)
- Shared hashed emails with advertising platforms
- Enabled retargeting pixels on website
- No opt-out mechanism for California residents

CCPA Assessment:
- List sales clearly constitute "sale" under CCPA
- Advertising audience sync qualifies as "sale"
- Retargeting pixel sharing falls under "sale" definition

Remediation:
- Added prominent "Do Not Sell" link to homepage
- Built California resident identification workflow (geo-IP detection, user declaration)
- Suppressed opted-out California residents from list sales
- Disabled advertising audience sync for opted-out users
- Updated contracts clarifying buyer responsibility for CCPA compliance
- Implemented 12-month tracking of opt-outs (prevent re-solicitation)

Business Impact: 8% of California prospects opted out, marginal revenue impact ($34K annually) offset by regulatory compliance and trust differentiation in privacy-conscious market segments.

Frequently Asked Questions

Does CCPA apply to B2B companies or only B2C?

CCPA applies to any for-profit business meeting applicability thresholds ($25M+ revenue, 100K+ consumers/households, or 50%+ revenue from sales) that collects California resident personal information—regardless of B2B vs. B2C business model. While B2B contact information received limited exemptions initially, CPRA narrowed these exemptions, and behavioral tracking of business contacts still falls under CCPA. Conservative approach: implement CCPA compliance for all California data, recognizing B2B exemptions continue narrowing and may disappear entirely in future amendments.

What's the difference between CCPA "sale" and normal data sharing?

CCPA defines "sale" broadly as disclosing personal information to third parties for "monetary or other valuable consideration"—capturing practices beyond literal sales. Sharing hashed emails with advertising platforms for audience targeting qualifies as "sale" (valuable consideration = ad targeting capability). Syncing customer lists to LinkedIn for retargeting = "sale". Service provider relationships (vendors processing data on your behalf per contract) don't constitute sales if proper agreements exist. Key distinction: does third party process data for your purposes (service provider) or their own purposes (sale)?

How do we verify someone is actually a California resident before responding to CCPA requests?

CCPA requires "reasonable" verification methods without creating excessive barriers. Common approaches: match request details to existing records (email address, account credentials, order numbers), implement two-factor authentication for account holders, collect minimal additional information necessary for verification (last four SSN digits, transaction details), and use geo-IP detection for probability assessment. Balance fraud prevention (ensuring requesters actually control the identity they claim) against accessibility (not requiring excessive proof). Document verification procedures and apply consistently across all requests.

Can we charge for CCPA request responses or deny requests we consider excessive?

First two consumer requests in 12-month period must be fulfilled free of charge. Beyond that, businesses may charge "reasonable fee" covering administrative costs for manifestly unfounded or excessive requests. "Excessive" typically means repetitive requests seeking identical information without substantial change in circumstances, or requests requiring disproportionate effort (extremely broad information requests from non-customers). Denying requests requires careful justification and documentation—inability to verify identity, no responsive records exist, or exception applies (fraud prevention, legal compliance). Most businesses honor all reasonable requests to avoid regulatory scrutiny over denial justifications.

How does CCPA interact with other state privacy laws emerging across the US?

Virginia CDPA, Colorado CPA, Connecticut CTDPA, and additional state laws create patchwork US privacy landscape with varying requirements. CCPA remains strictest in several dimensions (broad "sale" definition, private right of action for breaches, lower thresholds for small businesses in some aspects). Practical approach: implement CCPA standards as baseline, then layer additional requirements from other states (Virginia's universal opt-out mechanism, Colorado's profiling disclosures). Many organizations pursue harmonized compliance meeting most stringent requirements across jurisdictions rather than building state-specific programs—similar to GDPR's effect of establishing global privacy standards exceeding most individual jurisdictions.

Last Updated: January 16, 2026