
# CCPA

### Contents

* [1. What is CCPA?](#id-1.-what-is-ccpa)
* [2. Does CCPA apply to you?](#id-2.-does-ccpa-apply-to-you)
* [3. What counts as PI?](#id-3.-what-counts-as-pi)
* [4. CCPA data subject rights](#id-4.-ccpa-data-subject-rights)
* [5. What are the penalties for non-compliance?](#id-5.-what-are-the-penalties-for-non-compliance)
* [6. A basic CCPA compliance checklist](#id-6.-a-basic-ccpa-compliance-checklist)

### 1. What is CCPA?

The **California Consumer Privacy Act (CCPA)** is a state privacy law introduced on **1 January 2020**. The Act grants California residents rights over their personal information (PI). In order to do so, it imposes obligations on companies which collect and/or process individuals’ PI.

In comparison to GDPR, the Controller and Processor terminology is replaced by ‘Business’ and ‘Service Provider’. For example, if you collect PI in California to send a newsletter, you are the Business and an email sender is the Service Provider.

Users are also referred to as ‘Consumers’.

### 2. Does CCPA apply to you?

To determine if the CCPA applies to your company you must consider:

* Does your company collect the personal information (PI) of California residents OR do business in California?
* Is your company a for-profit business?

Note that ‘doing business’ should be interpreted broadly; it includes operating a website accessible to California residents or offering goods to Californians.

If the answer to both of the above questions is yes, your company may be subject to CCPA. You must then consider whether it meets one or more of the following thresholds:

* Annual gross revenue in excess of $25 million; or
* Processes the personal information of 100,000 or more California residents/households; or
* Derives 50% or more of annual revenue from selling or sharing personal information

If your business meets any of these criteria, it is subject to CCPA. You must ensure it remains compliant with the requirements of the CCPA in order to avoid severe penalties.

If, however, it is not possible to determine whether your business meets one of the criteria in Step 2, you should assume CCPA is applicable to your business.

### 3. What counts as PI?

The CCPA understands personal information (PI) to be any information that identifies or can be reasonably linked to a particular individual or household (unless a specific statutory exception applies). It is important to note that information can be PI even if it is not tied to a named individual, but rather to a specific family or residence, understood as a ‘household’.

However, unlike GDPR, information is not considered PI if it is publicly available.

### 4. CCPA data subject rights

Californian consumers have **six key data subject rights** under the CCPA.

These are:

<table><thead><tr><th width="180.42578125">Right</th><th>What it covers</th></tr></thead><tbody><tr><td>Right to <strong>know</strong></td><td><p>Consumers can request disclosure of:</p><ul><li>the PI collected about them, including specific PI</li><li>categories of data sources</li><li>purposes for collecting, processing or sharing PI</li><li>categories of third parties the business shares PI with</li><li>categories of PI disclosed to those third parties.</li></ul></td></tr><tr><td>Right to <strong>delete</strong></td><td>Consumers can request deletion of most PI collected about them, subject to certain exceptions such as legal obligations.</td></tr><tr><td>Right to <strong>opt out of sale or sharing</strong></td><td>Consumers can request that a business stop selling or sharing their PI.</td></tr><tr><td>Right to <strong>non-discrimination</strong></td><td>Consumers cannot be treated differently for choosing to exercise their rights under the CCPA.</td></tr><tr><td>Right to <strong>correct</strong></td><td>Consumers may request correction of inaccurate PI held about them.</td></tr><tr><td>Right to <strong>limit use and sharing of sensitive PI</strong></td><td>Consumers can require businesses to restrict the use and sharing of sensitive PI for limited purposes. Sensitive PI can include precise geolocation, genetic data, or financial account information.</td></tr></tbody></table>

### 5. What are the penalties for non-compliance?

Fines reach $2,500 for each unintentional violation and up to $7,500 for each intentional violation. However, each affected customer counts as a separate violation, so fines increase rapidly. In 2025, Healthline Media faced a fine of $1.55 million for failing to allow consumers to opt out of targeted advertising and for sharing sensitive health PI with third parties without the protections required under the CCPA.

Significant reputational damage can also occur through CCPA non-compliance; customers and investors may lose trust in your company. Furthermore, if your business chooses not to put in the measures necessary to be CCPA compliant, you risk the loss of business and profits resulting from the lack of access to the Californian market.

### 6. A basic CCPA compliance checklist

**Opt-out Procedures**

* [ ] Framework for informing data subjects before you collect data
  * [ ] Notices explaining privacy practices
  * [ ] Provide an accessible link where customers can opt out

**Consumer Transparency**

* [ ] Publish a comprehensive privacy policy in an accessible location such as on your business website
* [ ] Secure processes (portals/phone lines) where consumers can easily access, delete or correct PI, and where they can retroactively opt out of sale
  * [ ] Including maintenance of at least two methods for consumers to submit data subject access requests
* [ ] Respond to consumer requests within 45 days
  * [ ] Keep records of these consumer requests for 2 years

**Third Party PI Monitoring**

* [ ] Communicate your business incentives for sharing consumer PI with third parties
* [ ] Make sure that contracts with third parties require them to also comply with CCPA

**Appointing a** [**Privacy Partner**](/privacy-professionals-when-do-you-need-them/when-do-you-need-a-privacy-partner.md)

* [ ] Assists with all of the above and more.

