CCPA compliance: your guide for a compliant website

The California Consumer Privacy Act (CCPA) is a landmark piece of legislation that secures far-reaching data privacy rights for California residents. Since the CCPA came into effect on January 1, 2020, many businesses that collect personal information from California residents must comply with more stringent rules around data collection, sharing, and selling.

As one of the US’s most comprehensive data protection laws, it’s essential your organization understands it – and that your website is fully compliant.

ccpa compliance illustration

What is the California Consumer Privacy Act (CCPA)?  

The CCPA is so important because it protects individual privacy rights and provides an additional level of digital consumer protection. Under the CCPA, residents of California can exercise more control over how businesses collect, share, and sell their personal information. The CCPA specifically guarantees the following rights:

  • The right to know what personal information is collected, shared, used, or sold, both as to the categories and specific pieces of personal information.
  • The right to delete personal information held by businesses and by extension, a business’s service provider.
  • The right to opt-out of the sale of personal information.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.

Even if the CCPA doesn’t apply to your business, it’s important to note that other US states are taking steps to adopt similar legislation, not to mention the potential for a federal law covering similar ground in the future. It’s a smart idea to be proactive and begin aligning your data privacy processes and practices with the CCPA – even if you’re currently operating outside of the law’s scope.

Who enforces the CCPA?

The California Attorney General’s office is responsible for enforcing the CCPA. Enforcement of the law began on July 1, 2020.

Who must be CCPA compliant?  

Let’s start with the simplest part: The CCPA only applies to for-profit businesses. Charities, non-profit organizations, and government agencies are exempt.

Next, the law doesn’t just apply to businesses with physical operations in the Golden State. Any for-profit business that does business in California, collects the personal information of California residents, and meets any of the following requirements is subject to the CCPA:

  1. Exceeds gross annual revenues of $25 million, or
  2. Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices, or
  3. Derives 50% or more of annual revenues from selling California residents’ personal information.

It’s important to note that if your business shares common branding, such as a shared name, service mark, or trademark, with another business that is liable under the CCPA, you will also be subject to CCPA standards.

Certain health and financial sectors covered by existing federal data security law are also exempt. This includes health providers and insurers already under HIPAA, banks and financial companies under Gramm-Leach-Bliley, and credit reporting agencies under the Fair Credit Reporting Act. 

data privacy ccpa illustration

What data is covered by the California Consumer Privacy Act?  

The CCPA defines personal information as: “Information that identifies, relates to, describes, it capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.” 

So, if the data you sell, process, or transfer can be used to identify a consumer, either individually or as part of a household, it’s classed as personal data.

Examples of personal data that you might collect include:

  • Postal addresses
  • Names
  • Passport numbers
  • Records of products purchased
  • Biometric data, such as fingerprints, face, or video recordings
  • Email addresses
  • IP addresses
  • Cookies
  • Social security numbers
  • Geolocation data
  • Browsing and search history
  • Other personal information that could create a profile about your preferences and characteristics.

Anonymous and aggregate data is exempt from the CCPA, unless it is any way re-identifiable. Information that has lawfully been made publicly available from federal, state, or local government records, such as professional licenses, also falls outside of the CCPA’s scope. 

Cookies and CCPA compliance

Under the CCPA, cookies are classified as “unique identifiers”, as the data they collect can be considered identifiable personal information. This means that CCPA guidelines need to be considered when managing your website cookies, with the exception of cookies essential for its proper functioning.

The best way to stay CCPA-compliant is to include a disclosure of what personal information your cookies are collecting, how you will process and use that data, and clear information on how to opt-out of the sale of this personal information. This information should be present in your privacy policy, as well as at or before the point of cookie data collection. If you don’t provide this disclosure notice, you are not compliant with the CCPA. Using an automated cookie tracking solution can simplify this process by providing essential website cookie insights.

world map illustrationwolrd map illustration


The General Data Protection Regulation (GDPR) and the CCPA are both data protection laws that aim to safeguard consumer data and apply to organizations that process personal information. But the CCPA differs from the GDPR in several significant ways.

The key difference between the CCPA and the GDPR is that the GDPR operates on the principle of privacy by default. The GDPR requires prior consent before an organization can process a user’s personal information. The CCPA’s focus is on enabling users to opt out of data selling practices, rather than mandating prior consent (with the exception of minors), meaning that businesses do not need to obtain prior consent before collecting, storing, selling, or sharing a California resident’s personal information.

Additionally, the GDPR protects “data subjects”, not citizens or residents, unlike the CCPA which grants rights to “consumers” – a narrower definition. The GDPR safeguards the privacy rights of any individual located in the European Union (EU) at the time of data collection or processing. In comparison, the CCPA only protects individuals that fall under its definition of a consumer as being a California resident.

Finally, whereas the CCPA regulates the processing of data done by businesses, it excludes non-profit organizations, charities, and government agencies, the GDPR applies to all “data controllers” – defined as any entity that collects and processes data within the EU – a substantially wider scope.

When it comes to non-compliance, there are also large differences. The CCPA is enforced by the California Attorney General through relatively small fines of up to $7,500. While the GDPR is also enforceable through monetary penalties, they are issued by national data protection authorities present in the EU member states. Notably, these fines can reach truly eye-watering figures – 4% of an organization’s global annual turnover, or €20 million (whichever is highest).

Read our CCPA vs GDPR comparison guide for more information.

CPRA compliance vs CCPA compliance  

In November 2020, Californians voted to pass Proposition 24: The California Privacy Rights Act (CPRA) – otherwise known as CCPA 2.0.

When the CPRA comes into force it will go much further in safeguarding the privacy rights of California residents than its predecessor, including:

  • Consumers may opt-out of the sharing of their personal information – not just the sale of it
  • Limiting the use of “sensitive personal information,” including precise location, race, religion, sexual orientation, social security information, and specified health information
  • Prohibiting retention of personal information for longer than necessary
  • Upping penalties for violations involving minors under 16
  • Expanded right of access, with businesses having to provide access to more than 12 months of personal information unless doing so is impossible or involves disproportionate effort
  • Establishing a new state agency, the California Privacy Protection Agency, to supersede the Attorney General’s office as the statute’s enforcer
  • Expanding the private right of action for consumers
  • Creating new obligations around the use of opt-out links

The CPRA will also change the scope of which businesses will be exempt from the law, placing more small businesses outside of the CPRA’s scope. In particular, it will only apply to companies serving at least 100,000 California residents, higher than the CCPA’s 50,000 threshold.

The CPRA comes into effect on January 1, 2023, with enforcement action not kicking off until six months later on July 1, 2023. It’s advisable for businesses to use these two years to start familiarizing themselves with and preparing for the upcoming law.

H2: CCPA compliance checklist: How to have a CCPA compliant website in nine steps  
If your business meets any of the three CCPA thresholds, it’s important you implement the necessary changes to align your website with the law. Follow this nine-step CCPA checklist to help you understand, implement, and maintain CCPA compliance.

1. Identify the personal data you hold

You can’t be CCPA-compliant if you’re not keeping track of what consumer data you have, where it’s stored, or how it’s used. Step one is all about mapping that information. Questions you need to answer include: 

  • What personal data do you collect?
  • How do you collect it?
  • Where and how do you store this data?
  • Who do you share this data with?
  • Do you sell this data?
  • How is personal data retained and secured?
  • What data disposal practices do you use? 

For larger organizations, this personal data might be stored across multiple web domains, systems, applications, databases, and multimedia files. The best way to get a full overview is to create – and afterwards maintain – a comprehensive data inventory. Automated data privacy solutions, like Siteimprove Data Privacy, are a good way to speed up this task and reliably track data processing history.

2. Align your privacy policy with the law

Ensuring compliance with the CCPA starts with updating your privacy policy and placing it somewhere highly visible on your website – such as your header or footer. Your policy must clearly list the privacy rights for visitors to your website. A comprehensive, CCPA-compliant privacy policy will specify:

  • The categories of personal information you collect
  • Why you are collecting this personal information
  • Where you gather that personal information from
  • The purposes for which you will use the information
  • Any Third parties you share personal data with
  • That your website visitors can refuse access to their personal information – and how
  • How to make personal information-related requests

Update your privacy policy annually to stay in compliance with the CCPA. If your privacy policy changes in any significant way in regards to how you collect, store, or share personal information, you must clearly state that this, and communicate those changes with your consumers.

3. Give consumers the right information in the right places

Your website should inform consumers that you intend to collect their personal information at or before the point of data collection. This disclosure notice might take the form of a pop-up or banner when a visitor first land on your web page, or at a specific data-gathering point, such as the point of purchase or a sign-up form.

4. Allow your users to opt-out of the following:

  1. The selling of personal information to third-parties: The CCPA states that you must provide the option for consumers to opt-out of personal data selling. Therefore, your website should include a clear “Do Not Sell My Information” link. Your website visitors must be able to submit this request without having to create an account on your website. Place this link somewhere highly visible on your website, such as the footer of your home page.
  2. The storage of personal data: Consumers have the right to ask your business to delete any personal information you hold on them – this is known as the “Right to be Forgotten”. Ensure your privacy policy covers how they should go about doing this.
  3. Sharing personal data for marketing purposes: Make it clear if your business will use personal data for marketing purposes. Include a list of third parties you share a consumer’s personal data with in your privacy policy.

5. Develop a robust process for handling “Right to Access” consumer requests

Under the CCPA, consumers have the right to know what personal information you have collected, used, shared, or sold about them, as well as the purpose behind it. Therefore, your website needs to provide clear channels for visitors to make these requests, such as a “Contact Us” page.

Provide at least two ways for website visitors to submit their access requests, such as an email address, a toll-free phone number, a website form, or a postal copy.

You have 45 calendar days to respond to requests, and you can extend this deadline to a total of 90 days if you notify the requester. For verification purposes, you can also ask the requester for personal information.

In some cases, you can deny a disclosure or deletion request. Examples include:

  • If you could not verify the request
  • If the consumer has already submitted two previous requests in a single year
  • Information related to business security practices
  • Certain medical information, sensitive information and consumer credit reporting information

6. Ensure non-discrimination for opted-out consumers

As a business, you cannot deny goods or services, charge a different price, or provide a different quality of goods or services if a consumer opts out of personal data sharing or marketing. You can, however, offer special discounts and promotions to website visitors in exchange for their personal information, but only if the financial incentive offered is reasonable in relation to the value of their personal information. You can withdraw special offers from website visitors who request deletion of their personal data or that you stop selling their personal information.

7. Ensure you get prior cookie consent from minors

The CCPA doesn’t prevent businesses from selling consumer information, with the exception of minors resident in California. The law states that businesses must obtain prior cookie consent from minors before selling their personal information. For minors aged between 13-16, it’s your business’s responsibility to obtain it from them. For minors aged under 13, you must obtain prior consent from their parents or guardians.

8. Train key stakeholders about CCPA compliance

It’s important that your employees understand how the CCPA works so they always comply with it. Set up employee training sessions to educate them on what the CCPA entails and how your organization complies with it. Ensure new hires also receive this training as part of their onboarding process.

9. Invest in a data privacy management software

Data privacy breaches can be expensive and reputation-damaging. With the responsibility of initial and ongoing CCPA compliance in your business’s hands, it’s a good idea to invest in a specialist data privacy solution. With other states likely to follow California’s lead, it’s beneficial to start ramping up your data privacy processes now.

CCPA lawsuits illustration

What are the penalties for failing to comply with CCPA?  

Violations of the CCPA are subject to enforcement by the California Attorney General. Failure to comply with the CCPA can result in civil penalties for businesses of up to $7,500 per intentional violation. Non-intentional violations can lead to fines of up to $2,500.

Additionally, private plaintiffs can bring a civil action under the CCPA against a business in the event of a data security breach that results in unauthorized access and exfiltration, theft, or disclosure of the individual’s personal information, if the business failed to implement reasonable data security procedures. Statuary damages related to these breaches allow for the recovery of up to $750, per consumer, per incident, or actual damages – whichever figure is greater. More than 50 lawsuits have already invoked the CCPA since 2020, with the majority being class-action suits. Businesses sued include Hanna Andersson, Walmart, Minted, TikTok, Zoom, and Sunshine Behavioral Health Group.

There is no ceiling on the number of CCPA violations, meaning the cost of CCPA non-compliance could severely damage a business’s financial standing.

Remember; avoiding penalties is just one reason for complying with the CCPA. Data from Deloitte reveals that 80% of consumers are more likely to spend their money with businesses that safeguard their personal information. That’s why it’s so important to implement a robust process for securing customer data.

Siteimprove Data Privacy: an all-in-one solution for CCPA compliance

Need help getting started on your CCPA compliance journey? Siteimprove Data Privacy makes working towards CCPA compliance easier by helping you efficiently manage the personal information you hold on your website(s).

Regain control of personal information: Siteimprove’s IP & Domain Maps feature detects domains that may potentially belong to your organization. This means you’ll never lose track of personal information on any of the domain, page, or files your business is responsible for.

Respect consumer privacy requests: The CCPA obliges businesses to create robust procedures to respond to consumer requests to opt-out, know about, and delete personal information. Use Siteimprove’s Universal Search feature to instantly locate personal information across all your HTML pages, documents, and meta data. From there, it’s easy to flag information for removal within the law’s deadline.

Make your compliance visible: Under the CCPA, organizations must maintain records of consumer requests and how they responded for a period of 24 months. Establish a visible paper trail to demonstrate your compliance to management and the authorities with User Action Logs and Tracked Search Terms.

Increase data transparency: Consumers have a right to know what personal information is collected, used, shared, or sold about them. Siteimprove’s Cookie Tracker provides automated insights into what cookies are being placed where and who this information is being shared with.