Cal. Civ. Code §§ 1798.100–1798.199.100 · Operative 1 January 2020 · CPRA amendments operative 1 January 2023 · SB 1223 + AB 1008 + AB 1824 operative 1 January 2025
CCPA · The California Consumer Privacy Act

America's most consequential privacy law.

A consumer-rights framework that reshapes how companies collect, use, sell, and share personal information about Californians, and by extension shapes US privacy practice nationwide.

7 rights · Granted to every consumer
$26.6M/yr · Revenue threshold for coverage
$107–$799 per consumer, per incident · Statutory damages in a breach action
45 days · To respond to a verified request
§ 01 · The Bill of Rights

Seven rights, one law.

The CCPA does not regulate data; it creates rights over data. Each right binds covered businesses to act on a verified consumer request, on stated timelines, with no charge and no retaliation.

01 · Right to Know · §§ 1798.110 · 1798.115
02 · Right to Access · § 1798.110(a)(5) · specific pieces
03 · Right to Delete · § 1798.105
04 · Right to Correct · § 1798.106 · added by CPRA
05 · Right to Opt Out of Sale or Sharing · § 1798.120 · the "Do Not Sell or Share" link
06 · Right to Limit Use of Sensitive PI · § 1798.121 · added by CPRA
07 · Right to Non-Discrimination · § 1798.125
§ 02 · § 1798.140(d)

Are you a "business"?

Coverage is the threshold question. The CCPA only binds for-profit entities that do business in California, determine the purposes and means of processing California residents' personal information, and clear at least one of three doors. Hit any one and you are in.

A for-profit entity that does business in California and determines the purposes and means of processing consumers' personal information is a "business" if it satisfies any one of these three thresholds. The first is CPI-adjusted every odd-numbered year per § 1798.199.95(d). Current values are effective from 1 January 2025.

Door 01 · Revenue
$26.6M+
Annual gross revenue in the preceding calendar year.
Measured globally, not just California revenue. Tested each January against the prior year.
2025 adjusted · originally $25M
Door 02 · Volume
100,000+
Consumers or households whose personal information is bought, sold, or shared annually.
"Consumers" = California residents. Includes website visitors recognised by an IP or device identifier.
Easier to hit than most expect
Door 03 · Business Model
50%+
Of annual revenue derived from selling or sharing consumers' personal information.
Captures pure data brokers and ad-tech firms regardless of revenue or volume.
Catches data brokers, sub-threshold
Plus three derivative pathways
§ 1798.140(d)(2) · Affiliates
An entity that controls or is controlled by a covered business, shares common branding, and shares consumers' personal information with that business is itself a covered business.
§ 1798.140(d)(3) · Joint ventures
A joint venture or partnership where each partner holds at least 40%. Both the JV and each constituent business count separately.
§ 1798.140(d)(4) · Voluntary opt-in
A non-covered entity may certify voluntarily to the CPPA that it complies, gaining service-provider eligibility and a public listing.
§ 1798.145(g)–(o) · Carve-outs
Vehicle warranty data, household data, and commercial credit reporting data are partially exempt from specific rights, even when the entity is otherwise covered.
§ 03 · § 1798.140(v) + (ae)

The personal-information map.

"Personal information" is broader than most non-California regimes. It captures anything that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household, in eleven categories, plus a twelfth, sensitive personal information, with its own dedicated right.

A · Identifiers
B · Customer-record PI under § 1798.80(e)
C · Protected Class Characteristics
D · Commercial Information
E · Biometric Information
F · Internet & Network Activity
G · Geolocation Data
H · Sensory Information
I · Professional & Employment
J · Education Information
K · Inferences & Profiles
L · Sensitive Personal Information
§ 04 · § 1798.140(ae)

Sensitive personal information.

A heightened category that triggers the right to limit use and disclosure under § 1798.121. A business that uses or discloses sensitive PI for purposes beyond what is necessary to provide the goods or services an average consumer would reasonably expect must offer a "Limit the Use of My Sensitive Personal Information" link. SB 1223 added neural data, effective 2025.

§ 1798.140(ae)(1)(A)

Government identifiers

Social Security number, driver's license, state ID, or passport number.

Anti-fraud + identity-theft core
§ 1798.140(ae)(1)(B)

Financial credentials

Account log-in or financial-account, debit, or credit card number combined with any required security or access code, password, or credentials.

Account-takeover protection
§ 1798.140(ae)(1)(C)

Precise geolocation

Data derived from a device that locates a consumer within a geographic area no larger than a circle with a radius of 1,850 feet.

§ 1798.140(w) · the 1,850-foot rule
§ 1798.140(ae)(1)(D)

Protected characteristics

Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.

Anti-discrimination overlay
§ 1798.140(ae)(1)(E)

Communication contents

The contents of mail, email, or text messages, except where the business is the intended recipient of the communication.

Wiretap-act parallel
§ 1798.140(ae)(1)(F)

Genetic data

A consumer's genetic data, however obtained, including raw genetic testing results.

DNA & ancestry-test overlay
§ 1798.140(ae)(1)(G)

Neural data

Information generated by measuring activity of a consumer's central or peripheral nervous system, not inferred from non-neural data. Added by SB 1223.

First-in-nation BCI protection · 2025
§ 1798.140(ae)(2)(A)

Biometric ID processing

Processing of biometric information for the purpose of uniquely identifying a consumer: facial recognition, voiceprints, fingerprints, gait or keystroke matching.

Identification-grade biometrics only
§ 1798.140(ae)(2)(B)

Health information

Personal information collected and analysed concerning a consumer's health (when not already covered by HIPAA or CMIA).

Catches consumer health apps + wearables
§ 1798.140(ae)(2)(C)

Sex life & sexual orientation

Personal information collected and analysed concerning a consumer's sex life or sexual orientation.

Dignity + anti-outing protection
◇ The "inference" exemption · § 1798.140(ae)(1)(G)(ii) + 1798.121(d)
Sensitive PI collected without the purpose of inferring characteristics about a consumer is treated as ordinary personal information for purposes of the limit-use right. This is the carve-out for incidental processing, but the CPPA's regulations and the anti-avoidance rule in § 1798.190 prevent using it to evade the right to limit.
§ 05 · The Value Chain

Who plays what role.

The CCPA defines four roles. Liability and obligations turn on which one you occupy. The contracts between them are not optional: § 1798.100(d) requires specific terms in every business-to-service-provider, business-to-contractor, and business-to-third-party arrangement.

Business

For-profit entity that determines the purposes and means of processing California consumers' personal information and meets a § 1798.140(d) threshold.
  • Pre-collection notice (§ 1798.100(a))
  • Honour all seven consumer rights
  • Reasonable security (§ 1798.100(e))
  • Two intake methods · email if online-only
  • Privacy policy refresh every 12 months
  • Train all rights-handling staff
  • Contractual flow-down to vendors

Service Provider

Processes personal information on behalf of a business under a written contract that prohibits sale, sharing, and any out-of-scope use.
  • Process only for specified business purposes
  • No sale, no sharing, no combining datasets (with the narrow exceptions the regulations allow)
  • Assist business with rights requests
  • Flow restrictions to sub-processors
  • Cooperate with the business's compliance audits, which may run as often as once every 12 months
  • Notify business if it can no longer comply

Contractor

A person to whom the business makes consumer PI available for a business purpose under a written contract. The definition mirrors the service-provider definition; the distinction is that a contractor is given access to PI rather than engaged to process it on the business's behalf.
  • Same processing restrictions as a service provider
  • Written certification of compliance
  • Subject to business' monitoring rights
  • Flow obligations to its own engagements
  • Permits ongoing reviews + automated scans

Third Party

Any person other than the business, its service providers, or its contractors. The default category, and the trigger for "sale" and "share" definitions.
  • Cannot sell or share onward without notice + opt-out
  • Inherits restrictions if opt-out is communicated
  • Subject to anti-avoidance rule (§ 1798.190)
  • Same level of protection required by contract
⚡ Role-determination rule · § 1798.140 + § 1798.190
A receiving entity is a service provider or contractor only if the contract contains every required restriction in § 1798.140(ag) or (j). Without those terms, or if the entity violates them, the recipient is automatically a third party, the transfer is a sale or share, and the consumer's opt-out and notice rights apply. The anti-avoidance provision in § 1798.190 directs courts to disregard intermediate steps designed to evade these definitions.
§ 06 · § 1798.140(ad) + (ah)

Sale and share are not the same.

CPRA introduced "share" as a parallel concept to "sell" specifically to capture cross-context behavioural advertising, the trade in personal information for ad targeting that often involves no money. Both trigger the same opt-out, but the definitions diverge in subtle, consequential ways.

§ 1798.140(ad) · Sell
Sell.
Disclosing personal information to a third party for monetary or other valuable consideration.
Trigger
Money or any other valuable consideration changing hands.
Examples
Selling email lists to a marketing firm; licensing customer data to an analytics broker.
Opt-out
"Do Not Sell or Share My Personal Information" link or GPC signal.
Not a sale
Disclosure at consumer's direction; M&A asset transfer; opt-out signaling between businesses.
◇ Why this distinction matters
Many ad-tech arrangements involve no exchange of money; they trade access to audiences. Pre-CPRA, those arrangements escaped the "sale" definition. The "share" concept closes that gap, ensuring the opt-out reaches behavioural advertising regardless of the business model. The anti-avoidance rule in § 1798.190 specifically calls out contracts engineered to eliminate consideration in order to evade the definition of sell.
§ 07 · § 1798.130

The 45-day clock.

From the moment a verifiable consumer request lands in your intake channel, the response window is 45 days, extendable once by another 45 days where reasonably necessary. Statutory aggregate cap: 90 days. This is the operational backbone every covered business must build.

DAY 0
Request received
Through one of at least two designated methods (at minimum a toll-free number plus a web form; email alone suffices for a business that operates exclusively online and has a direct relationship with the consumer). Do not require account creation.
PROMPTLY
Verify the consumer
Use commercially reasonable verification proportionate to the data's sensitivity. Verification does not extend the 45-day clock.
DAY ≤ 45
Respond + deliver
Free of charge. Through the consumer's existing account, or by mail or electronically at the consumer's option. Cover the 12 months preceding the request; on request, reach further back for PI collected on or after 1 January 2022, unless doing so is impossible or would involve disproportionate effort.
EXTENSION
+ 45 days, once
When reasonably necessary, with notice to the consumer inside the first 45-day window. Aggregate cap of 90 days under § 1798.145(h).
FORWARD
Cascade to vendors
Notify service providers, contractors, and any third parties to whom you sold or shared the PI to delete or correct, unless impossible or disproportionate.
✓ Service-provider assist · § 1798.130(a)(3)(A)
A service provider or contractor must cooperate with the business by appropriate technical and organisational measures, including by handing over the PI in its possession that originated with the business, but it is not required to respond directly to a consumer request submitted to it. Direct requests get redirected to the controlling business.
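The clock described in this section is a small state machine: receipt starts it, verification does not pause it, one extension is allowed only if notice goes out inside the first 45 days, and the total can never exceed 90 days. The following is an added example, not code from the page or from any regulator, of a tracker that encodes those rules. It works in UTC calendar days (ISO "YYYY-MM-DD" input) so the arithmetic is exact across DST changes; the request IDs, vendor list and dates are constructed for illustration, and the `extraDays` parameter (letting a business take fewer than the full 45 extra days, clamped so the total never exceeds 90) is this example's design choice rather than statutory language.

```javascript
// Added example (not from the CCPA page or any regulator): a minimal tracker
// for the § 1798.130 response clock. Dates are UTC midnight so that "45 days"
// means exactly 45 calendar days regardless of local DST transitions.

const DAY_MS = 86400000;
const INITIAL_DAYS = 45;   // initial response window
const MAX_TOTAL_DAYS = 90; // aggregate cap after the single permitted extension

function parseDay(iso) {
  const d = new Date(`${iso}T00:00:00Z`);
  if (Number.isNaN(d.getTime())) throw new Error(`bad date: ${iso}`);
  return d;
}
function addDays(d, n) { return new Date(d.getTime() + n * DAY_MS); }
function daysBetween(a, b) { return Math.round((b.getTime() - a.getTime()) / DAY_MS); }
function isoDay(d) { return d.toISOString().slice(0, 10); }

// One verifiable consumer request. Verification is recorded but deliberately
// never touches dueAt: the clock starts at receipt, not at verification.
class ConsumerRequest {
  constructor(id, type, receivedOn) {
    this.id = id;
    this.type = type;                       // "know" | "access" | "delete" | "correct" | ...
    this.receivedAt = parseDay(receivedOn);
    this.dueAt = addDays(this.receivedAt, INITIAL_DAYS);
    this.extended = false;
    this.verifiedAt = null;
    this.completedAt = null;
  }
  markVerified(on) { this.verifiedAt = parseDay(on); return this; }

  // One extension only; the notice must be sent within the first 45 days; the
  // total window is clamped at 90 days. Returns the new due date as ISO text.
  extend(noticeOn, extraDays = 45) {
    const notice = parseDay(noticeOn);
    if (this.extended) throw new Error("only one extension is permitted");
    if (notice.getTime() > this.dueAt.getTime()) throw new Error("extension notice sent after day 45");
    if (extraDays < 1) throw new Error("extension must be at least one day");
    const total = Math.min(INITIAL_DAYS + extraDays, MAX_TOTAL_DAYS);
    this.dueAt = addDays(this.receivedAt, total);
    this.extended = true;
    return isoDay(this.dueAt);
  }
  complete(on) { this.completedAt = parseDay(on); return this; }

  // Days left as of `today`; negative means the request is already overdue.
  daysRemaining(today) { return daysBetween(parseDay(today), this.dueAt); }
  status(today) {
    if (this.completedAt) return this.completedAt <= this.dueAt ? "completed" : "completed_late";
    return this.daysRemaining(today) < 0 ? "overdue" : "open";
  }
}

// Constructed vendor register. The delete/correct cascade goes to every
// service provider, contractor, or third party that actually received the PI.
const VENDORS = [
  { name: "mail-provider",  role: "service_provider", receivedPi: true },
  { name: "ad-exchange",    role: "third_party",      receivedPi: true },
  { name: "payment-gw",     role: "service_provider", receivedPi: false },
  { name: "dev-contractor", role: "contractor",       receivedPi: true },
];
function cascadeTargets(request, vendors) {
  if (request.type !== "delete" && request.type !== "correct") return [];
  return vendors.filter((v) => v.receivedPi).map((v) => v.name);
}

// Earliest due date first, so the queue surfaces whatever is about to breach.
function triage(requests, today) {
  return requests.slice().sort((a, b) => a.dueAt - b.dueAt).map((r) => ({
    id: r.id, due: isoDay(r.dueAt), daysLeft: r.daysRemaining(today), status: r.status(today),
  }));
}

// Stand-alone demo with constructed requests.
function demo() {
  const del = new ConsumerRequest("R-1", "delete", "2025-03-01").markVerified("2025-03-10");
  del.extend("2025-04-10");                                  // due moves to 2025-05-30
  const know = new ConsumerRequest("R-2", "know", "2025-03-01"); // due 2025-04-15, no extension
  const board = triage([del, know], "2025-04-16");
  console.log(board, cascadeTargets(del, VENDORS));
  return board;
}
demo();
```

The check that matters operationally is the one in `extend`: an extension notice dated after the initial deadline is rejected rather than silently pushing the due date, which is how late tickets get hidden in real queues.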
§ 08 · CPPA Regulations · OAL approval 23 Sept 2025

What's new for 2026.

The CPPA's first major regulatory package became effective 1 January 2026. It does not amend the statute, but it operationalises three of its most contested provisions. Implementation is phased in through 2030 to give businesses runway.

ADMT obligations

Automated decision-making technology used for "significant decisions" about consumers triggers new pre-use notice, opt-out, and access duties under § 1798.185(a)(15).
  • Specific purpose disclosure (no generic phrasing)
  • Logic, parameters, and likely outcome
  • How the output factored into the decision
  • Right to opt-out of the ADMT itself

Risk assessments

Mandatory before processing that presents significant risk to consumer privacy or security, with structured weighing of benefits against harms (§ 1798.185(a)(14)(B)).
  • Filed periodically with the CPPA
  • Public summary of aggregate findings
  • Restrict or prohibit processing where risks outweigh benefits
  • Trade-secret protections preserved

Cybersecurity audits

Annual independent audits for businesses meeting size + processing thresholds, under § 1798.185(a)(14)(A). Phased in by revenue.
  • 1 Apr 2028 · > $100M revenue
  • 1 Apr 2029 · $50–100M revenue
  • 1 Apr 2030 · < $50M (if eligible)
  • Records retained ≥ 5 years
◇ The Tractor Supply benchmark · 2025
In 2025 the CPPA fined Tractor Supply Company $1.35M in part because its "Do Not Sell" form did not actually stop the sale or sharing of data, and its website failed to recognise Global Privacy Control signals until July 2024. The lesson: published policy is not enough. The technical infrastructure must do what the policy says it does.
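The Tractor Supply finding, like the opt-out mechanics in § 06, comes down to plumbing: a Global Privacy Control signal has to change what the server actually loads and discloses, not just what the privacy policy says. The following is an added example, not code from the page, the CPPA, or Tractor Supply. It assumes a Node-style request whose header names are lower-cased; the tag list, the account object, and the `lastUpdate` date are constructed for illustration. Where a signal conflicts with a stored preference that allowed sale or sharing, the example treats the signal as controlling, the conservative choice.

```javascript
// Added example (not from the CCPA page, the CPPA, or any business): honouring
// the Global Privacy Control signal as a "Do Not Sell or Share" opt-out.

// Per the GPC specification the request header is `Sec-GPC` and its only
// defined value is "1". Anything else is "no signal", never "consent".
function hasGpcSignal(headers) {
  const v = headers["sec-gpc"];
  return typeof v === "string" && v.trim() === "1";
}

// Browser-side equivalent: navigator.globalPrivacyControl is a boolean.
// The navigator object is passed in so this can run outside a browser.
function hasGpcSignalClient(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Effective opt-out state for one request. A signal is a valid opt-out on its
// own; if the visitor is logged in, it is also written to the account so the
// choice follows the consumer across sessions and devices. A signal overrides
// a stored "sale OK" preference (design choice: the signal always wins).
function resolveOptOut(headers, account) {
  const signal = hasGpcSignal(headers);
  if (account && signal && !account.optedOutOfSaleShare) {
    account.optedOutOfSaleShare = true;
    account.optOutSource = "gpc";
  }
  return signal || Boolean(account && account.optedOutOfSaleShare);
}

// Constructed tag inventory, classified by what the disclosure *is* under the
// CCPA. Only a sale or a share (cross-context behavioural advertising) is
// blocked by the opt-out; a contracted service provider's tag still runs.
const PAGE_TAGS = [
  { name: "first-party-analytics", role: "service_provider", purpose: "analytics" },
  { name: "retargeting-pixel",     role: "third_party",      purpose: "cross_context_ads" },
  { name: "data-broker-sync",      role: "third_party",      purpose: "sale" },
  { name: "fraud-detection",       role: "service_provider", purpose: "security" },
];

function tagsToLoad(tags, optedOut) {
  return tags.filter((t) => {
    if (t.role === "service_provider") return true; // never a sale or share
    const isSaleOrShare = t.purpose === "sale" || t.purpose === "cross_context_ads";
    return !(optedOut && isSaleOrShare);
  });
}

// Body of GET /.well-known/gpc.json, the published statement that the site
// honours GPC. lastUpdate is the date the statement last changed (constructed).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Stand-alone demo with constructed requests.
function demo() {
  const anon = { "sec-gpc": "1" };
  const loggedIn = { "sec-gpc": "1", cookie: "session=abc" };
  const account = { id: 42, optedOutOfSaleShare: false };
  const result = {
    anonOptOut: resolveOptOut(anon, null),
    anonTags: tagsToLoad(PAGE_TAGS, resolveOptOut(anon, null)).map((t) => t.name),
    accountOptOut: resolveOptOut(loggedIn, account),
    accountSource: account.optOutSource,
    noSignalTags: tagsToLoad(PAGE_TAGS, resolveOptOut({ "sec-gpc": "0" }, null)).map((t) => t.name),
    wellKnown: gpcWellKnown("2025-01-01"),
  };
  console.log(result);
  return result;
}
demo();
```

The separation in `tagsToLoad` is the point of § 06: the opt-out stops sale and sharing, not service-provider processing, so a first-party analytics or fraud tag under a compliant contract keeps running while the retargeting pixel and broker sync do not. A cookie banner that only flips a stored flag, without this gating on the request path, is exactly the gap the enforcement action described.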
§ 09 · §§ 1798.150 · 1798.155 · 1798.199.90

Three layers of exposure.

CCPA enforcement is unusual: it pairs a robust public-enforcement track (the CPPA and Attorney General) with a private right of action for security breaches. The 2025 CPI adjustment lifted every monetary cap by ~6.5%. Current values run through 2026 until the next biennial review.

Layer 01 · Private action · breach
$107–$799 per consumer, per incident · 2025 adjustment · was $100–$750
Data breach involving non-encrypted, non-redacted personal information (§ 1798.150)
Statutory damages or actual damages, whichever is greater. Available where the business failed to implement reasonable security under § 1798.81.5. 30-day notice + cure window applies before statutory-damages action.
Class-action exposure
Layer 02 · Intentional / minors
$7,988 per violation · 2025 adjustment · was $7,500
Intentional violation, or any violation involving consumers known to be under 16 (§§ 1798.155, 1798.199.90)
Brought administratively by the CPPA, or as a civil action by the Attorney General. Fines and proceeds deposited in the Consumer Privacy Fund. Per-violation, per-consumer compounding applies.
Per-violation cap
Layer 03 · Standard violation
$2,663 per violation · 2025 adjustment · was $2,500
Any violation of the title by a business, service provider, contractor, or other person
Per-violation, per-consumer, per-incident: meaning a single non-compliant practice affecting thousands of records can compound dramatically. Good-faith cooperation may reduce the assessed amount.
Per-violation cap
◇ No double recovery · § 1798.199.100
A business cannot be required to pay both an administrative fine and a civil penalty for the same violation. The Attorney General is also barred from filing a civil action after the CPPA has issued a decision on the same conduct. Good-faith cooperation must be considered as a mitigating factor in any assessment.
§ 10 · §§ 1798.145 · 1798.146

What the law leaves untouched.

CCPA exemptions are precise: not blanket carve-outs for whole industries, but targeted exclusions for data already governed by sector-specific federal regimes. Two notable temporary exemptions for employee and B2B data sunset on 1 January 2023; everything else remains active.

Active

HIPAA / CMIA medical information

§ 1798.145(c)(1)(A) · § 1798.146

Protected health information held by covered entities and business associates, plus medical information under California's CMIA. Health-app and wearable data outside HIPAA may still be in scope.

Active

FCRA consumer report data

§ 1798.145(d)

Data on creditworthiness, character, or reputation handled by consumer-reporting agencies, furnishers, and users under the federal Fair Credit Reporting Act. The § 1798.150 breach action still applies.

Active

GLBA + California Financial Privacy

§ 1798.145(e)

Financial information governed by Gramm-Leach-Bliley or California's Financial Information Privacy Act. The § 1798.150 breach right of action still applies independently.

Active

Driver's Privacy Protection Act

§ 1798.145(f)

Personal information processed under the federal Driver's Privacy Protection Act of 1994 (motor-vehicle records). Breach action under § 1798.150 still applies.

Active

Clinical-trial / Common Rule research

§ 1798.145(c)(1)(C) · § 1798.146(a)(5)

Personal information collected as part of a clinical trial or biomedical study conducted under the federal Common Rule, ICH GCP, or FDA human-subject protections.

Active

Vehicle warranty + recall data

§ 1798.145(g)

Vehicle and ownership information shared between dealers and manufacturers solely to effectuate a warranty repair or recall. Narrow purpose-bound carve-out, not a full exemption.

Active

Deidentified + aggregate data

§ 1798.140(b) + (m) · § 1798.145(a)(1)(F)

Information that meets the statutory deidentification standard or is aggregate consumer information. Reidentification flips it back into scope.

Active

Wholly out-of-state conduct

§ 1798.145(a)(1)(G)

Commercial conduct that takes place wholly outside California. Storing California-collected PI on a device that travels out of state does not strip protection.

Active

Household data carve-out

§ 1798.145(p)

Sections 1798.105, 1798.106, 1798.110, and 1798.115 do not apply to household data, but the opt-out and limit-use rights still do.

Active

Commercial credit reporting

§ 1798.145(o)

Sections 1798.105 and 1798.120 do not apply to commercial credit-reporting agencies' use of business-controller information about owners, directors, and officers.

Sunset 1 Jan 2023

Employee + applicant data

§ 1798.145(m) · inoperative

The temporary exemption for HR data ended on 1 January 2023. Personal information about applicants, employees, owners, directors, officers, medical staff, and contractors is now fully in scope, including the right to non-discrimination.

Sunset 1 Jan 2023

B2B communications

§ 1798.145(n) · inoperative

The temporary exemption for personal information reflecting communications between businesses also ended on 1 January 2023. Account contacts at customer companies now have full CCPA rights.

§ 11 · Self-Assessment

Where do you stand?

A guided walk through the Act's logic. Answer up to five questions to identify whether the CCPA covers your operation and what to do next. This is a heuristic, not legal advice. The wording of §§ 1798.140(d), 1798.145, and 1798.146 governs the actual classification.