United States · updated 2026-06-15
California (USA)
California flips the GDPR model: processing is allowed by default and users opt out rather than in — but 'sale/share' is defined so broadly that running ad pixels triggers it. The 'Do Not Sell' link is your first obligation.
- Law:
- CCPA as amended by CPRA (Civil Code §1798.100 et seq.)
Cookie consent
No banner mandate
Breach deadline
Without unreasonable delay
DPA with vendors
Required
Max fine
$2,500 per violation, $7,500 per intentional violation or violation involving minors — per consumer, uncapped in aggregate
What California (USA) requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Applicability check
§1798.140(d)CCPA applies if you do business in California and cross one threshold: $25M+ annual revenue, data on 100k+ California consumers/households, or 50%+ revenue from selling/sharing personal information.
How to implement Many startups are exempt until they scale — but check the 100k-consumer threshold against your traffic, not your customer list; free users count.
Conditional -
Privacy policy with California section
§1798.130Policy must list categories of data collected, sold, and shared in the past 12 months, consumer rights, and how to exercise them. Must be updated at least annually.
How to implement Add a 'California Privacy Rights' section with the categories table the regulations prescribe. The annual-update requirement means a dated 'last updated' stamp matters legally.
Required -
'Do Not Sell or Share' link + GPC support
§1798.135If you sell or share personal information (ad pixels and cross-context behavioral advertising count), a conspicuous opt-out link and automatic honoring of the Global Privacy Control signal are mandatory.
How to implement Add the footer link and configure your CMP or tag manager to respect GPC. Sephora's $1.2M settlement was specifically about ignoring GPC — it's the AG's favorite test.
Conditional -
Service-provider contracts
§1798.100(d)Vendor contracts need CCPA-specific clauses restricting use of personal information to the contracted purpose.
How to implement Most major SaaS vendors offer a CCPA addendum alongside their GDPR DPA — sign both. Without the clauses, disclosure to that vendor may count as a 'sale'.
Required -
Notice at collection
§1798.100(a)At or before collection, tell consumers what categories you collect and why — typically a link near forms and in the footer.
How to implement Link 'Notice at Collection' anchoring to the relevant policy section from signup forms and your homepage footer.
Required -
Risk assessments & cybersecurity audits
CPPA regulations (2025)The CPPA's 2025 rulemaking requires annual cybersecurity audits and risk assessments for higher-risk processing, phasing in by revenue tier.
How to implement If you profile, sell data, or process sensitive categories at scale, calendar the assessment. Requirements phase in between 2028 and 2030 by company size.
Conditional
The details
- Cookie consent
- No opt-in banner required. Instead, if you 'sell' or 'share' personal information (which includes routine ad-tech data flows), you must offer opt-outs: a 'Do Not Sell or Share My Personal Information' link and honor the GPC (Global Privacy Control) browser signal.
- Data Protection Officer
- No DPO requirement. CPRA instead requires annual cybersecurity audits and risk assessments for high-risk processing under CPPA regulations.
- Processing agreements
- Contracts with 'service providers' and 'contractors' must contain specific CCPA clauses (purpose limitation, no re-selling, assistance duties) — functionally similar to a GDPR DPA, with different required language.
- Breach notification
- California's breach statute (Civil Code §1798.82) requires notifying affected residents without unreasonable delay, and the AG when 500+ Californians are affected. No fixed 72-hour clock, but breaches carry a private right of action with statutory damages.
- Enforcement in practice
- Sephora paid $1.2M in 2022 for ignoring GPC signals; the CPPA fined Honda $632k in 2025 over dark-pattern opt-out flows; DoorDash settled over sale of data without notice.
Data subject rights
What users can demand from you in California (USA), and the engineering that satisfies each right.
Right to know / access
§1798.100, .110, .115Consumers can request the specific pieces and categories of personal information collected, sold, or shared, twice a year for free.
Respond within 45 days (one 45-day extension allowed). Verification of identity is required and regulated — don't just email data to any requester.
Right to delete
§1798.105Deletion of collected personal information, with exceptions (transactions, security, legal obligations).
You must also instruct service providers to delete. Two-step confirmation of deletion requests is explicitly allowed.
Right to opt out of sale/sharing
§1798.120Opt out of sale and of sharing for cross-context behavioral advertising, including via the GPC browser signal.
Honor GPC automatically without requiring login. Opt-out must take effect within 15 business days and propagate to downstream recipients.
Right to correct
§1798.106Correction of inaccurate personal information (added by CPRA).
Self-service profile editing plus a documented correction workflow satisfies this.
Right to limit sensitive data use
§1798.121Consumers can limit use of sensitive personal information (geolocation, health, biometrics, contents of messages) to core service purposes.
If you use sensitive data beyond delivering the service, add a 'Limit the Use of My Sensitive Personal Information' link.
Non-discrimination & minors' opt-in
§1798.125, .120(c)No penalizing users for exercising rights; selling data of under-16s requires opt-in (parental consent under 13).
Price and service must stay equivalent for opt-out users (loyalty programs have carve-outs). If minors use your service, default them out of sale/sharing.
Tools that cover California (USA)
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
compliance suite
OneTrust
Market leader for CCPA request workflows, GPC handling, and the prescribed categories disclosures.
Visit OneTrust → -
privacy policy
Termly
Generates combined GDPR+CCPA policies with the California categories table and required links.
Visit Termly → -
cookie consent
Osano
Consent platform with US opt-out mode: GPC support and 'Do Not Sell or Share' link management.
Visit Osano →
Frequently asked questions
Do I need a cookie banner in California?
Not an EU-style opt-in one. But if you run advertising pixels, that's likely 'sharing' — requiring the 'Do Not Sell or Share' link and GPC support. Many companies use one banner configured as opt-in for EU visitors and opt-out for California.
What is GPC and why does it keep appearing in settlements?
Global Privacy Control is a browser signal that says 'opt me out'. California regulations make honoring it mandatory, and it's trivially easy for regulators to test — Sephora ($1.2M) and Honda ($632k) both stem from GPC/opt-out failures. Configure your tag manager to treat GPC as an opt-out.
Can individuals sue me under CCPA?
Only for data breaches caused by inadequate security — with statutory damages of $100–$750 per consumer per incident, which fuels class actions. All other violations are enforced by the CPPA and AG. Encrypting data at rest removes most of the private-right-of-action exposure.
I'm GDPR-compliant. What extra work does California add?
Four things: the 'Do Not Sell or Share' footer link, GPC signal handling, the California categories disclosure in your policy, and CCPA clauses in vendor contracts. Your GDPR rights workflows (access, deletion, correction) mostly carry over with a 45-day timer instead of 30.
Similar jurisdictions
Free download
Get GDPR updates for California (USA)
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.