Businesses today must navigate a growing and complicated web of privacy laws. Compliance issues come up in every customer encounter, and IBM’s 2025 Cost of a Data Breach Report found Personally Identifiable Information (PII) to be the category of data targeted in most breaches (53%).
The figure isn’t that surprising, just another reminder of the importance of data privacy laws, especially with regulations quickly evolving in places like California.
California’s CCPA represents one of the most comprehensive regulations designed to protect consumer data and hold businesses accountable for the personal data they gather.
Many businesses will look at that and think they’re exempt because they’re B2B. That’d be a mistake. The CCPA also extends to business-to-business operations.
This article explains everything you need to know about California’s data privacy regulations, including how the CPRA amended and expanded upon the CCPA, recent updates to the CCPA and the implications for businesses and data processing services — including web analytics.
California’s main data privacy law is the California Consumer Privacy Act (CCPA), which went into effect in Jan. 2020. It sets up core data privacy rights for consumers, granting them control over their Personal Information (PI) and setting initial business compliance requirements.
State lawmakers strengthened the CCPA via the California Privacy Rights Act (CPRA), an amendment that has been in effect since Jan. 2023. It expanded consumer rights and created the California Privacy Protection Agency (CPPA) for enforcement.
Another data privacy law, the Delete Act, was passed by the state legislature in 2023. This law introduces new compliance standards for data brokers, as well as a platform that sends consumer requests for deletion to all applicable brokers.
The goal of this California data privacy law is to give consumers in the state greater PI protection. It accomplishes this by holding businesses to higher standards for data handling, requiring them to configure their systems to comply with the rules.

It’s important for businesses to know the difference between PI and a similar term used in data privacy: Personally Identifiable Information (PII). PII describes information that directly identifies an individual: name, social security number or driver’s licence number.
PI is much broader than PII.
As mentioned above, the CCPA’s definition includes not only information that directly identifies someone but also information that can be indirectly linked to them. The wider definition is important because it covers data points that might not identify an individual on their own (like an IP address or browsing history) but can be linked to them if combined with other information.
The CCPA grants Californian consumers six core rights:

The CCPA also imposes significant obligations on businesses operating in the state. These include:
On that last point, it’s important to understand that consent means far more than what’s generally understood as permission. It can’t be inferred from silence, pre-checked boxes or the closing of a consent manager. Affirmative consent must be:
Enforcement of the CCPA is handled by the California Attorney General (AG) and the CPPA.
Both are able to take consumer reports about potential CCPA violations and take action against non-compliant businesses. The difference is that the AG handles cases via the legal system, while the CPPA does so through its own internal administrative proceedings.
Since the CPPA operates within its own system, it can enforce the law faster. However, the AG has authority over the CPPA, and the AG can pause a case or take it over.
The AG can also enforce additional laws if violations are found, as they did in Feb. 2026 by fining Disney $2.75m USD for both CCPA and Unfair Competition Law violations.

The CPPA also has additional powers beyond enforcement that the AG doesn’t. It’s responsible for spreading awareness of consumer rights, updating the CCPA with new regulations and taking input from consumers and businesses about proposed updates.
The CPPA outlines the following penalty amounts as of a January 2025 update:
These amounts are set to be adjusted in January of every odd year, meaning they will be adjusted next in 2027.
Prior to the CPRA, businesses were allowed a 30-day window to fix violations, but this was removed in 2023.
A 2025 update to the CCPA mandates annual cybersecurity audits and audit reports from all businesses whose processing of PI presents a significant risk to consumers’ privacy or security.
Businesses must comply with security audits by these dates if they make the specified amount of revenue in the year provided:
Another new requirement (effective 1st Jan. 2026) is the risk assessment, which applies to businesses whose processing of PI presents a significant risk to a consumer’s privacy. This covers (but isn’t limited to) selling or sharing PI, processing SPI or using Automated Decisionmaking Technology (ADMT) for important decisions about the consumer.
Risk assessments must examine the concrete benefits the business, consumer and other parties will get from this specific processing use case, possible negative impacts, the safeguards the business will employ and more.
The last major update is a set of rules regarding the use of ADMT in making significant decisions about a consumer. This will go into effect on 1st Jan. 2027.
Businesses must inform consumers of their rights regarding ADMT, including but not limited to the fact that ADMT is being used, the consumer’s right to opt out of it and the consumer’s right to non-discrimination for opting out.
There are some stipulations where a business doesn’t need to provide an opt-out, like for certain hiring decisions.
While not technically part of the CCPA itself, the Delete Act is an amendment to a 2019 data broker law that similarly protects Californian consumer rights. It’s also enforced and managed by the CPPA.

As of 1st Jan. 2026, residents can use the Delete Request and Opt-Out Platform (DROP) to submit requests for brokers to delete their PI. From 1st Aug. 2026, data brokers must comply with DROP and act on requests within 45 days (or 90 days with an extension). They will then need to delete any newly collected information every 45 days.
Non-compliance will result in penalties and fines.
Organisations that need to follow the CCPA must look beyond just avoiding penalties. Here are some compliance areas that companies can get started with.
While the CCPA doesn’t demand data mapping by name, implementing it makes compliance simpler, as it helps you know which third parties have access to PI, what has happened to the data, etc. Most importantly, it helps companies quickly and efficiently respond to consumer requests.
The CCPA mandates that organisations must update their privacy policies at least once a year.
Privacy policies must inform consumers about their rights, like the right to know and the right to correction. The policy should also detail the categories of PI collected, the sources and the business purpose for collecting it.
The California data privacy law specifies that businesses must establish a clear process for consumers to submit requests to exercise their rights. Typical systems should involve at least two ways requests can be submitted, such as a toll-free number and a website form.
The formal term the CCPA uses is Data Subject Access Requests (DSARs), and the law gives organisations 45 days to respond to DSARs. Failure to do so, or to request a 45-day extension from the consumer, can result in significant fines.
Ignorance is no defence. The CCPA clearly states that employees who handle consumer inquiries or are responsible for compliance must be adequately trained.
Training must cover all the requirements of the law and consumer rights, as well as how to deal with DSARs. It should also emphasise the importance of data security and privacy.
The law also mandates protection against data breaches by requiring businesses to implement “reasonable” security measures to protect the personal data in their care.
This usually includes measures like encryption, access controls and regular security assessments.
And while the term “reasonable” isn’t strictly defined in legislation, it’s often benchmarked against industry standards like the Center for Internet Security (CIS) Controls.
Implicit in all of these strategies is the need for effective data management tools that’ll support efforts to achieve and maintain compliance. As a baseline, the tools that organisations deploy should help them with data anonymisation, pseudonymisation, consent management and the fulfilment of DSARs.
For a more hands-on walkthrough for privacy-focused web analytics, read our CCPA compliance guide.

Achieving and maintaining that compliance can seem daunting. But there are tools that make the job easier and are helpful in satisfying the technically challenging demands of data privacy. Matomo is one of these.
It gives businesses full ownership and control of their analytics data, which is never shared with third parties.
Matomo is a privacy-first web analytics platform that primarily uses first-party cookies. That’s something that ticks one of the boxes of almost all privacy regulations worldwide.
Matomo protects consumer rights with consent management features, support for Consent Mode v2 and integration with external Consent Management Platforms. Its design supports data minimisation and retention policies as well as anonymisation and pseudonymisation.
More importantly for compliance with the CCPA, Matomo assists with accountability by providing clear records of data processing.
And for businesses seeking maximum control, the platform is available as a self-hosted, on-premise option that keeps data entirely within your infrastructure.
California’s journey with the CCPA is a major step for data privacy in the US. The “California Effect” is already happening as other states follow suit by developing their own privacy legislation.
One thing is certain: privacy laws are increasingly becoming the norm, as evidenced by the CCPA and GDPR. Trying to exploit the gaps by following each country’s laws individually is an expensive exercise in futility. A more sensible approach is to use tools that are built with these laws in mind.
A privacy-centric web analytics tool like Matomo that can easily be configured for compliance is a great place to start. Download Matomo On-Premise completely free or start your 21-day free trial of Matomo Cloud (no credit card required).
In terms of ballot-level legislation, the newest data privacy law in California is CPRA, an amendment to the existing CCPA. However, the CPPA is continuously updating the CCPA and introduced three new articles in 2025 dealing with security audits, risk assessment and ADMT.
CCPA is the original California data privacy law. CPRA is an amendment that expanded consumer rights, enacted harsher penalties for non-compliance and introduced an enforcement agency.
The states with the strictest data privacy laws are California, with the CCPA, and Maryland, with the Maryland Online Data Privacy Act (MODPA):