The California Consumer Privacy Act (CCPA) gives California residents significant rights over their personal data. If your website serves California users, understanding CCPA compliance is essential—even if you are based outside the United States.
This guide explains CCPA requirements in plain language and provides practical steps for website owners to ensure compliance.
Disclaimer: This article provides general information about CCPA compliance. It is not legal advice. Consult with a qualified attorney for advice specific to your situation.
What You Will Learn:
- What CCPA requires and who it applies to
- Consumer rights under CCPA
- Website compliance requirements
- How to implement "Do Not Sell" functionality
- Penalties for non-compliance
What Is CCPA?
The California Consumer Privacy Act, enacted in 2018 and effective January 2020, is one of the most comprehensive data privacy laws in the United States.
Key Provisions
- Gives California consumers rights over their personal information
- Requires businesses to disclose data collection practices
- Mandates "Do Not Sell" opt-out mechanisms
- Imposes penalties for violations
CCPA vs CPRA
The California Privacy Rights Act (CPRA), effective January 2023, expanded and amended CCPA. Together, they create California's comprehensive privacy framework. This guide covers current requirements under both laws.
Who Must Comply?
CCPA applies to for-profit businesses that meet any of these thresholds:
Revenue Threshold
Annual gross revenue over $25 million
Data Volume Threshold
Annually buys, sells, or shares personal information of 100,000 or more California consumers, households, or devices
Revenue from Data Sales
Derives 50% or more of annual revenue from selling or sharing California consumers' personal information
What About Small Publishers?
Many small websites do not meet these thresholds. However:
- Ad networks you work with may require compliance
- Preparing for compliance demonstrates professionalism
- Other states are adopting similar laws
- Being proactive builds user trust
Consumer Rights Under CCPA
CCPA grants California residents several rights:
Right to Know
Consumers can request:
- What personal information you collect
- Sources of that information
- Business purposes for collection
- Categories of third parties you share with
Right to Delete
Consumers can request deletion of their personal information, with some exceptions.
Right to Opt-Out
Consumers can opt out of the "sale" or "sharing" of their personal information.
Right to Non-Discrimination
You cannot discriminate against consumers who exercise their privacy rights.
Right to Correct
Consumers can request correction of inaccurate personal information.
Right to Limit Use
Consumers can limit use of sensitive personal information.
What Counts as Personal Information?
CCPA defines personal information broadly:
Examples Include:
- Names and email addresses
- IP addresses
- Browsing history
- Purchase history
- Device identifiers
- Geolocation data
- Inferences about preferences
What Is "Selling" Data?
Under CCPA, "selling" includes sharing data for valuable consideration—not just money. This can include:
- Sharing data with ad networks for targeted advertising
- Sharing email lists with partners
- Using third-party analytics that share data
Website Requirements
To comply with CCPA, your website needs:
Updated Privacy Policy
Your privacy policy must include:
- Categories of personal information collected
- Purposes for collection
- Categories of third parties you share with
- Consumer rights explanation
- How to submit requests
- Statement about selling/sharing data
"Do Not Sell" Link
If you sell or share personal information, you must provide a clear link titled "Do Not Sell or Share My Personal Information" on your homepage.
Request Handling Process
You need processes to:
- Receive consumer requests
- Verify consumer identity
- Respond within 45 days
- Maintain records of requests
Implementing "Do Not Sell" Functionality
Creating the Link
Add a footer link labeled "Do Not Sell or Share My Personal Information" that leads to an opt-out mechanism.
Opt-Out Methods
- Simple web form
- Cookie preference center
- Consent management platform
Honoring Global Privacy Control
California requires honoring the Global Privacy Control (GPC) browser signal. When a user's browser sends GPC, treat it as a valid opt-out request.
For AdSense Publishers
If using Google AdSense, review the AdSense Program Policies:
- Enable CCPA compliance options in AdSense settings
- Implement Google's Consent Management solutions
- Consider using Funding Choices for user consent
Practical Implementation Steps
Step 1: Audit Your Data Practices
- List all personal information you collect
- Identify all third parties you share data with
- Determine if you "sell" data under the CCPA definition
Step 2: Update Privacy Policy
- Add required CCPA disclosures
- Explain consumer rights clearly
- Provide contact methods for requests
Need help creating a compliant privacy policy? Our guide on privacy policy requirements for AdSense covers the essential elements you need to include.
Step 3: Add Required Links
- Add "Do Not Sell" link to footer
- Create opt-out page or form
- Consider a cookie preference center
A comprehensive cookie consent solution can help you manage both CCPA and GDPR requirements. Learn more in our complete cookie consent guide for AdSense publishers.
Step 4: Set Up Request Handling
- Create a dedicated email for privacy requests
- Document your verification process
- Establish response timelines
Step 5: Train Your Team
- Ensure your team understands CCPA requirements
- Create procedures for handling requests
- Document everything
Common Compliance Mistakes
Missing "Do Not Sell" Link
If you share data with advertising partners, you likely need this link. Many publishers overlook this requirement.
Inadequate Privacy Policy
Generic privacy policies often lack CCPA-specific disclosures. Review and update yours. You should also ensure your disclaimer page addresses data collection and third-party advertising practices.
Slow Response Times
You must respond to requests within 45 days. Have processes in place before requests arrive.
Ignoring GPC Signals
California requires honoring Global Privacy Control signals. Implement detection and response.
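One way to implement the GPC detection and response described here and under "Honoring Global Privacy Control", as an added example that is not code from the original article. It reads the `Sec-GPC` request header on the server; the cookie name `privacy_optout`, the one-year cookie lifetime and the returned field names are assumptions made for illustration.

```javascript
// Added example: server-side Global Privacy Control (GPC) handling.
// Cookie name "privacy_optout" and the returned field names are assumptions.

// Look up a header case-insensitively (Node lowercases names; other sources may not).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value.join(", ") : String(value);
    }
  }
  return undefined;
}

// Parse a Cookie header into a name -> value map.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Decide whether this request must be treated as opted out of sale/sharing.
function resolveOptOut(headers) {
  // The GPC specification defines exactly one valid header value: "1".
  const gpc = (getHeader(headers, "Sec-GPC") || "").trim() === "1";
  const stored = parseCookies(getHeader(headers, "Cookie")).privacy_optout === "1";
  const optedOut = gpc || stored;
  return {
    optedOut,
    source: gpc ? "gpc" : stored ? "cookie" : "none",
    // Assumption: remember the GPC opt-out in the same cookie the opt-out form sets.
    setCookie: gpc && !stored
      ? "privacy_optout=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax"
      : null,
    allowPersonalizedAds: !optedOut,
  };
}

// Constructed sample requests (not real traffic).
const samples = [
  { "sec-gpc": "1" },
  { Cookie: "theme=dark; privacy_optout=1" },
  { "Sec-GPC": "0", cookie: "theme=dark" },
];
for (const h of samples) console.log(resolveOptOut(h));
```

Use `allowPersonalizedAds` to gate any tag or API call that shares data with advertising partners, and log `source` with the request record so the opt-out can be evidenced later.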
Penalties for Non-Compliance
CCPA violations can result in:
California Attorney General Actions
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
- 30-day cure period for some violations
Private Right of Action
For data breaches involving certain personal information:
- $100-$750 per consumer per incident
- Or actual damages, whichever is greater
Beyond CCPA: Other State Laws
If you also serve European visitors, the General Data Protection Regulation (GDPR) applies. Within the United States, multiple states have enacted similar privacy laws:
- Virginia (VCDPA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Utah (UCPA)
- And more states following
If you comply with CCPA, you are well-positioned for other state laws, though specific requirements vary.
Frequently Asked Questions
Does CCPA apply if my business is outside California?
Yes, if you serve California consumers and meet the thresholds. CCPA applies to businesses that collect California residents' personal information, regardless of where the business is located.
Does displaying AdSense mean I "sell" data?
Potentially yes. If you use personalized ads, user data is shared with Google and advertisers, which may constitute "selling" under CCPA's broad definition.
What if I do not meet the thresholds?
You are not technically required to comply, but implementing basic privacy practices is still recommended. You may grow to meet thresholds in the future.
How do I verify consumer identity for requests?
Use reasonable verification methods like confirming email addresses, matching account information, or asking security questions. The level of verification should match the sensitivity of the request.
Can I charge fees for handling requests?
Generally no. Requests must be processed free of charge unless they are manifestly unfounded or excessive.