California Consumer Privacy Act & Privacy Rights Act

CCPA / CPRA Compliance

California's privacy laws create enforceable consumer rights for any business serving California residents above revenue or data thresholds.

Overview

The California Consumer Privacy Act (CCPA, effective 2020) and its amendment the California Privacy Rights Act (CPRA, effective January 2023) are the most comprehensive US privacy laws to date. They apply to for-profit businesses that: earn over $25M in annual gross revenue, buy/sell/receive/share personal data on 100,000+ consumers/households per year, or derive 50%+ of revenue from selling personal information. CPRA created a dedicated enforcement agency — the California Privacy Protection Agency (CPPA) — and expanded consumer rights significantly.

Who This Applies To

  • Online retailers with California customers above revenue or data thresholds
  • Businesses running targeted advertising using consumer data
  • Companies using data brokers or lead generation platforms
  • Loyalty program operators collecting California member data
  • B2B SaaS platforms that process California employee or customer data

Your Obligations

"Do Not Sell or Share" Opt-Out

Businesses must prominently offer a 'Do Not Sell or Share My Personal Information' link on their homepage. Sharing data with ad networks (Meta, Google) for cross-context advertising counts as 'sharing.'

Privacy Notice at Collection

Before collecting personal information, disclose the categories being collected and the purpose. This includes checkout forms, newsletter signups, and tracking pixels.

Consumer Request Handling

Businesses have 45 days to respond to opt-out, deletion, and access requests. Automated request portals are strongly recommended for high-volume sites.

Sensitive Personal Information

CPRA adds a right to limit use of sensitive data (precise geolocation, racial origin, health data). Loyalty programs and personalization engines often process sensitive data without realizing it.

Data Minimization & Retention Limits

Under CPRA, you may only retain personal information for as long as reasonably necessary and must disclose retention periods in your privacy policy.

Real Enforcement Cases

These are not hypothetical risks. The following cases represent actual regulatory enforcement actions and civil litigation — each with documented penalties.

2022 · $1.2 Million

Sephora (California AG)

The first major CCPA enforcement action. California AG Rob Bonta cited Sephora for selling consumer data to third parties (via tracking pixels) without disclosure and failing to process opt-out requests. Sephora was given 30 days to cure — they didn't — and paid $1.2M plus remedial requirements.

2024 · $375,000

DoorDash

The California AG settled with DoorDash for selling customer data to a marketing co-op without adequate disclosure, despite CCPA's opt-out requirements. DoorDash also had to implement a comprehensive privacy program.

2024 · $632,000

Honda (American Honda Motor Co.)

Honda's privacy request portal required consumers to provide excessive information (including vehicle identification numbers) to exercise their CCPA rights — creating an unlawful barrier. The settlement required Honda to redesign its opt-out flow.

2024 · $500,000

Tilting Point Media

A mobile gaming company was fined for knowingly selling children's personal information to advertisers in violation of CCPA's children's data protections — signalling that children's privacy is a top enforcement priority under CPRA.

Free Consultation

Is your e-commerce store exposed?

Deskulpt engineers audit your current technology stack against CCPA / CPRA Compliance requirements, identify gaps, and produce a prioritised remediation roadmap. No retainer required to start.

Book Your Free CCPA/CPRA Compliance Audit