Chykalophia Docs

CCPA & CPRA basics for businesses serving California

What California's privacy laws mean for your website, who they apply to, and the practical steps we take to help you align with them.


California has two overlapping privacy laws that affect how businesses handle personal data. The California Consumer Privacy Act (CCPA) gave California residents new rights over their data in 2020. The California Privacy Rights Act (CPRA) expanded those rights and took full effect in 2023.

If you do business with California residents — or if California residents visit and use your website — these laws may apply to you.

This is not legal advice

Chykalophia is a design and web agency, not a law firm. This article describes CCPA and CPRA concepts and best practices we follow in our work. It is not legal advice. Laws change, and your specific situation may have requirements beyond what we cover here. Please consult a qualified attorney for binding compliance decisions.

Quick summary

The CCPA and CPRA give California residents rights over their personal data, including the right to know what data is collected, the right to opt out of its sale, and the right to delete it. These laws apply to for-profit businesses above certain size thresholds. Key steps include: publishing a clear privacy policy, adding a "Do Not Sell or Share My Personal Information" link, and honoring opt-out and deletion requests. We help implement the technical pieces when we build your site.

The two laws, briefly explained

CCPA (California Consumer Privacy Act) — Signed into law in 2018, effective 2020. Gave California residents the right to know about, access, and delete the personal information businesses collect about them. Also created the right to opt out of the "sale" of personal data.

CPRA (California Privacy Rights Act) — A 2020 ballot measure that significantly expanded the CCPA. It added new rights (like the right to correct inaccurate data), created the California Privacy Protection Agency (CPPA) to enforce the law, and introduced tighter rules around "sensitive personal information."

In practice, you can think of CPRA as the updated, stronger version of CCPA. Compliance with CPRA means you cover both.

Does this apply to my business?

The CCPA/CPRA applies to for-profit businesses that meet at least one of these thresholds:

Threshold           Details
Revenue             Annual gross revenue over $25 million
Data volume         Buy, sell, or receive the personal information of 100,000+ California consumers or households per year
Revenue from data   Derive 50% or more of annual revenue from selling or sharing personal information

Thresholds can be misleading

Even if your business does not meet these thresholds today, California's law is worth understanding. Thresholds can change. And building privacy-respecting practices early is always easier than retrofitting them later.

If you are a healthcare provider subject to HIPAA, a financial institution subject to GLBA, or a non-profit, different rules or exemptions may apply. Talk to a lawyer about your specific situation.

What California residents have the right to do

Under CCPA/CPRA, California residents can:

  • Know what personal information you collect, use, share, or sell
  • Access a copy of the personal information you hold about them
  • Delete their personal information (with some exceptions)
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of their personal information
  • Limit the use of their sensitive personal information
  • Not be discriminated against for exercising any of these rights

You must respond to verified requests within 45 days (with a possible 45-day extension if you notify the person).

What "selling" data means under CCPA

Under CCPA, "selling" data has a broader meaning than the everyday use of the word.

It includes sharing personal information with third parties in exchange for money or other valuable consideration. This can include:

  • Providing data to advertising networks in exchange for targeted ad access
  • Sharing behavioral data with data brokers
  • Certain data exchanges with business partners

It does not include sharing data with service providers who process it on your behalf (like your email platform or CRM), as long as they are contractually bound to use the data only for the services they provide.

Practical requirements for your website

Privacy policy updates

Your privacy policy must disclose:

  • The categories of personal information you collect
  • The purposes for collecting it
  • The categories of third parties you share it with
  • Whether you sell or share personal data, and to whom
  • The rights California residents have and how to exercise them
  • A dedicated privacy rights request contact (email or web form)

If your business sells or shares personal information as defined under CCPA, your website must include a clearly visible link — typically in the footer — that says "Do Not Sell or Share My Personal Information." Clicking it must allow users to opt out.

Many advertising and analytics tools effectively "share" data under CCPA's definition. A properly configured cookie consent tool — one that lets visitors opt out of tracking — is the standard technical approach.

See our guide on cookie consent law for how this works.
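As an added illustration (not Chykalophia's code, and not any consent vendor's), this is the gating logic a consent tool needs behind the footer link: the link records an opt-out, and afterwards only tags that do not sell or share data are injected. It also models the GDPR opt-in default, so one decision function serves both regimes; the tag names, script URLs, cookie name and category labels are constructed for the example.

```javascript
// Added example (not Chykalophia's code): a minimal opt-out gate behind a
// "Do Not Sell or Share My Personal Information" link. Tag names, script
// URLs, the cookie name and the category labels are all constructed.
const COOKIE_NAME = 'privacy_optout';       // constructed cookie name
const COOKIE_MAX_AGE = 60 * 60 * 24 * 365;  // remember the choice for a year
// Third-party tags with their CCPA-relevant category: "advertising" and
// "analytics" send data to third parties and are gated; "necessary" is not.
const TAGS = [
  { id: 'ad-network',  category: 'advertising', src: 'https://ads.example/tag.js' },
  { id: 'analytics',   category: 'analytics',   src: 'https://analytics.example/a.js' },
  { id: 'fraud-check', category: 'necessary',   src: 'https://fraud.example/f.js' },
];
// CCPA/CPRA: allowed by default, the visitor opts OUT. GDPR: blocked by
// default, the visitor opts IN. One function covers both regimes.
function allowed(category, prefs, regime = 'ccpa') {
  if (category === 'necessary') return true;
  if (regime === 'gdpr') return prefs.consented === true;
  return prefs.optedOut !== true;
}
function tagsToLoad(tags, prefs, regime = 'ccpa') {
  return tags.filter(t => allowed(t.category, prefs, regime)).map(t => t.id);
}
// The choice lives in a cookie so server-side code can honour it as well.
function buildOptOutCookie(prefs) {
  const v = prefs.optedOut ? '1' : '0';
  return `${COOKIE_NAME}=${v}; Max-Age=${COOKIE_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}
function readPrefs(cookieHeader) {
  const m = new RegExp('(?:^|;\\s*)' + COOKIE_NAME + '=(\\d)').exec(cookieHeader || '');
  return { optedOut: m !== null && m[1] === '1' };
}
// Browser wiring: honour the stored choice on load, record a new one on click.
if (typeof document !== 'undefined') {
  const wanted = new Set(tagsToLoad(TAGS, readPrefs(document.cookie)));
  for (const tag of TAGS.filter(t => wanted.has(t.id))) {
    const s = document.createElement('script');
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
  }
  document.getElementById('do-not-sell-link')?.addEventListener('click', e => {
    e.preventDefault();
    document.cookie = buildOptOutCookie({ optedOut: true });
    location.reload();  // reload so the gated tags are not injected again
  });
}
```

The same `allowed` check is what a server-side tag manager should run against the cookie before forwarding events, otherwise the opt-out only covers scripts loaded in the browser.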

Data request process

You need a way for California residents to submit requests (to access, delete, or correct their data) and a process to handle them within the required timeframes.

What we do to help

When we build or maintain your website, we:

  • Implement a cookie consent tool that supports opt-out preferences
  • Add the required footer links if they apply to your business
  • Ensure your site is served over HTTPS (TLS, still commonly called SSL) to protect data in transit
  • Help you keep tracking tool documentation current for your privacy policy

The legal side is yours

Determining whether CCPA/CPRA applies to your business, drafting compliant privacy policy language, and establishing your internal data request process are legal tasks. We handle the technical implementation — the law firm handles the legal obligations.

Common pitfalls

  • Thinking it only applies to California businesses. The law is about California residents, not where your business is. If someone in California visits your site, the law can apply.
  • Not updating your privacy policy. Adding a new analytics tool or ad platform without updating your privacy policy can create a compliance gap.
  • Ignoring the "sharing" definition. Many businesses assume they don't "sell" data because they don't receive direct payment. But sharing data with advertising networks for targeted ad access can count as "sharing" under CPRA.
  • No process for requests. You must be able to respond to data rights requests. A generic contact form is a starting point; a dedicated privacy request form is better.
  • Treating CCPA as separate from GDPR. If you need to comply with both, a properly configured consent tool can often handle both at once.

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
