惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
MyScale Blog
MyScale Blog
Microsoft Security Blog
Microsoft Security Blog
量子位
B
Blog
aimingoo的专栏
aimingoo的专栏
Apple Machine Learning Research
Apple Machine Learning Research
阮一峰的网络日志
阮一峰的网络日志
The GitHub Blog
The GitHub Blog
T
The Exploit Database - CXSecurity.com
N
News | PayPal Newsroom
Cloudbric
Cloudbric
A
About on SuperTechFans
AI
AI
Hacker News: Ask HN
Hacker News: Ask HN
S
Schneier on Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 最新话题
T
The Blog of Author Tim Ferriss
Simon Willison's Weblog
Simon Willison's Weblog
有赞技术团队
有赞技术团队
H
Heimdal Security Blog
J
Java Code Geeks
大猫的无限游戏
大猫的无限游戏
D
Docker
Security Archives - TechRepublic
Security Archives - TechRepublic
N
News and Events Feed by Topic
IT之家
IT之家
Know Your Adversary
Know Your Adversary
N
Netflix TechBlog - Medium
T
Tailwind CSS Blog
B
Blog RSS Feed
C
Cybersecurity and Infrastructure Security Agency CISA
C
Cisco Blogs
博客园 - 叶小钗
美团技术团队
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LangChain Blog
The Hacker News
The Hacker News
Y
Y Combinator Blog
I
Intezer
The Register - Security
The Register - Security
F
Full Disclosure
V
V2EX
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Last Week in AI
Last Week in AI
Martin Fowler
Martin Fowler

Compliance Solutions for Websites, Apps and Organizations | iubenda

AI can build your website. It can't manage your consent. | iubenda Browser signals and machine-readable consent: what they are and what the EU’s Digital Omnibus could change How to increase your cookie banner opt-in rates: 5 mistakes to fix today | iubenda DPO Newsletter: Global Data Protection & Privacy News (issue #153) Why your consent management setup is a marketing performance question Everything you need to know about GDPR The redesigned cookie banner and configurator What nobody tells you about handing over the company you built European marketers are betting on retention. Privacy could be the edge they’re not using yet. The 5 best alternatives to Didomi in 2026: Pros, cons, pricing, and comparison Looking back on 15 years: what iubenda's founder would tell his 2011 self | iubenda The best cookie policy generator in 2026 DPO Newsletter: Global Data Protection & Privacy News (issue #152) | iubenda What publishers should expect from the EU’s Digital Omnibus proposal Uncertainty is the biggest blocker to AI adoption in marketing | iubenda Everything AI app builders need to know about vibecoding and privacy compliance | iubenda Introducing 1-Click Embedding for Google Tag Manager The Essential Small Business Terms and Conditions Template: What You Need to Know Terms of Use Template | iubenda IAB Europe Raises Concerns Over GDPR Procedural Regulation Draft Report | iubenda Learn from HelloFresh's Costly Mistake: Ensure Compliance with iubenda | iubenda Understanding the Spanish DPA Guide on Audience Measurement Cookies | iubenda The Austrian Data Protection Authority's FAQs on Cookies and Privacy | iubenda DPO Newsletter: Global Data Protection & Privacy News (issue #127) | iubenda Microsoft Ensuring European Data Stays Within the EU Cloud Boundary | iubenda Businesses Beware: ICO’s Record £14.3m in Fines for Data Misuse in 2023 Understanding the Risks and Responsibilities of Model-as-a-Service Companies in AI Development Facebook's New “Link History” Feature: A Blend of Convenience and Surveillance? | iubenda OpenAI’s Strategic Move in the EU: Aligning with Data Privacy Regulations TikTok Faces Lawsuit Over Tracking Non-Users What’s the Digital Markets Act (DMA) and how will it affect you? | iubenda Simplifying Cookie Consent: The European Commission's Approach | iubenda Google Settles Landmark Privacy Lawsuit for $5 Billion | iubenda Navigate GDPR Compliance with Confidence: Lessons from Recent Fines in Italy Simplifying the Commission's New Reporting Template for Digital Market Gatekeepers | iubenda Understanding the GDPR Complaint Against X (Twitter) for Illegal MicroTargeting | iubenda Spanish Media Giants Take On Meta in a Groundbreaking $600 Million Lawsuit | iubenda DPO Newsletter: Data Protection & Privacy News (issue #126) | iubenda Belgian DPA Mandates Cookie Banner Changes for Major Media Websites | iubenda UK's Top Websites Warned by ICO to Revise Cookie Practices | iubenda Understanding the European Union's Data Act | iubenda Google Announces Consent Mode v2 – here’s what it means for your business and advertising Noyb Challenges EU Commission Over Controversial Ad Campaign | iubenda OECD Updates AI Definition: A Step Forward in Shaping EU’s AI Law Firefox To Introduce Simplified Global Privacy Control Berlin Court Cracks Down on LinkedIn’s Privacy Violations The YouTube Ad Blocker Controversy: A Test of the ePrivacy Directive? | iubenda DPO Newsletter: Data Protection & Privacy News (issue #125) Facebook and Instagram Subscription: Meta adds a paywall | iubenda GDPR Violation: Lack of Transparency in Data Processing via Google Fonts Amazon Introduces AWS European Sovereign Cloud to Address EU Regulations | iubenda Texas New Data Privacy Law TDPSA: Everything you need to know How to Make Money with a Website Without Selling Anything Oregon Consumer Privacy Act: Overview | iubenda Google’s Move to Disable Third-Party Cookies: What Advertisers Need to Know IMY Fines H&M for GDPR Violations: A Closer Look EU Commission Requests Information from X Under Digital Services Act: What You Need to Know | iubenda Understanding California’s “Delete Act” and Data Broker Regulations TCF v 2.2 Initial Layer (Banner) Requirements | iubenda Grindr Faces €5.8 Million Fine: A Reminder on the Importance of GDPR Compliance | iubenda Newly Enacted Iowa Consumer Data Protection Act (ICDPA) | iubenda The Witch’s Brew of Privacy: A Halloween Tale of Compliance and Consequences IAB TCF 2.2 – What you need to do DPO Newsletter: Data Protection & Privacy News (issue #124) Blog Ideas That Make Money: How To Make Money From Your Blog + Examples | iubenda Maximize your Growth with Online Presence Management | iubenda Meta's New Pivot in Europe: To Pay or Not to Pay for an Ad-Free Experience? | iubenda Consumer Reports Launches Free ‘Permission Slip’ App to Protect Your Data | iubenda DAZN’s Access Request Saga Personal Brand Logo: How to Stand Out in a Crowded Marketplace UK-US Data Bridge: A New Era for Secure Data Transfers 7 Ways How to Promote Affiliate Links Effectively (And Boost Commissions) | iubenda Mastering LinkedIn Personal Branding: A Guide to More Opportunities Meta's New Approach: Pay for Your Privacy? | iubenda No Return, No Refund Policy Template & Guide GDPR in the US: a GDPR Checklist for US Companies Crafting a Niche with Branding and Identity Design | iubenda The Online Safety Bill: A Leap Towards a Safer Digital United Kingdom Understanding Google's $93m Settlement over Consumer Location Data Accusations | iubenda CCPA vs CPRA: Key Differences You Need to Know | iubenda How To Use Ecommerce Retargeting to Grow Your Business | iubenda PECR: Everything you need to know | iubenda How Mobile Apps Illegally Share Your Personal Data: A Deep Dive | iubenda Legal Spotlight: Privacy Concerns Surrounding OpenAI’s ChatGPT and Microsoft’s Involvement Legal Scrutiny Looms Over Transatlantic Data Deal: French MEP Takes Action Understanding the Digital Markets Act: A Comprehensive Guide Block AI Crawlers: Here’s How To Stop Your Site From Being Used for AI Training (OpenAI and Google Bard Irish Regulator Slaps $368M Fine on TikTok DPO Newsletter: Data Protection & Privacy News (issue #123) | iubenda The Privacy Pitfalls of Vehicle Data Collection: What You Need to Know | iubenda Twitter customer’s data on the menu for xAI models Update: Revised Swiss Privacy Law Takes Effect Fitbit and the GDPR Hurdle: What You Need to Know About Your Data Privacy | iubenda Terms of Service Template for your site | iubenda Senators Urge FTC to Investigate YouTube and Google for Violating Children's Privacy: What You Need to Google AdSense Requirements: Here's What You Need to Know | iubenda Users can’t opt out from marketing emails: FTC fines Experian $650,000 | iubenda DPO Newsletter: Data Protection & Privacy News (issue #122) | iubenda 7 Ways Business Process Automation Can Increase Your Profits Google Faces Setback in Privacy Lawsuit Over Incognito Mode
California Consumer Privacy Act (CCPA): Complete Guide
Sabreen Swan · 2026-03-30 · via Compliance Solutions for Websites, Apps and Organizations | iubenda

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) is a privacy law that gives California residents more control over how businesses collect and use their personal information. Today, the CCPA law is one of the most important privacy frameworks in the United States.

At its core, the law is about transparency and choice, and gives people the right to ask businesses:

  • What personal data they collect
  • Why they collect it
  • Who they share it with
  • Whether it can be deleted

The law was signed in 2018 and came into effect in 2020. It applies to many businesses that collect data from people in California, even if those businesses are based somewhere else.

It was one of the first major privacy laws of its kind in the United States, often referred to as the California CCPA, and helped change how businesses think about consumer data.

In 2020, California voters approved an update to the law, the California Privacy Rights Act (CPRA). This strengthened the original law and introduced additional privacy protections.

Together, the CCPA and CPRA now form California’s main privacy framework. You might also see this referred to more broadly as the California Privacy Act.

In this in-depth guide, we’ll walk through what these laws cover, who they apply to, and what they mean in practice. For a shorter overview, take a look at our CCPA explainer post.

How the CPRA expanded the CCPA

The California Privacy Rights Act builds on the original California Consumer Privacy Act and strengthens it in a few crucial ways.

It introduced new consumer rights, added stronger protections for sensitive personal information, and created a dedicated privacy regulator.

Because of these changes, many businesses now refer to the framework as CCPA/CPRA. Here’s a quick look at how the two compare.

Key differences between CCPA and CPRA

AreaCCPACPRA
Effective timeline2020Expanded rules starting in 2023
EnforcementCalifornia Attorney GeneralCalifornia Privacy Protection Agency and Attorney General
Consumer rightsAccess, deletion, opt outAdds correction and limits on sensitive data
Sensitive personal informationNot clearly definedNew category with stronger protections

Note: the CPRA did not replace the original law. It expanded it and added more protections for consumers. For a detailed breakdown of how the two laws differ in practice, this guide to CCPA vs CPRA is a good place to start.

What counts as personal information under the California Consumer Privacy Act?

Under the California Consumer Privacy Act, personal information includes any data that identifies, relates to, or could reasonably be linked to a person or household.

Examples include:

CategoryExample
IdentifiersName, email address, phone number
Online identifiersIP address, device ID
Internet activityBrowsing history, search history
Location dataGPS or location tracking
Commercial dataPurchase history

The CPRA also introduced a new category called sensitive personal information. Consumers have additional rights when it comes to this type of data, including:

  • Social security numbers
  • Financial account details
  • Precise location data
  • Health information
  • Racial or ethnic origin

Note: If it can’t reasonably be linked back to an individual, it’s generally not considered personal information.

Consumer rights under the California Consumer Privacy Act and CPRA

The CCPA gives California residents several rights over their personal data.

These rights are designed to give people more visibility and more control over how their information is used.

Right to know

Consumers can ask what personal information a business has collected about them, how it is used, and who it is shared with.

Right to delete

Consumers can ask businesses to delete personal information collected about them, although some exceptions apply.

Right to opt out of data sales or sharing

Consumers can tell a business to stop selling or sharing their personal information with third parties.

Right to correct inaccurate information

The CPRA introduced the right to request corrections if a business holds inaccurate personal data.

Right to limit the use of sensitive personal information

Consumers can also limit how businesses use sensitive personal information.

Right to non-discrimination

Businesses cannot penalize consumers for exercising their privacy rights.

How consumers exercise these rights

Consumers usually exercise these rights by submitting a request directly to the business.

Businesses typically provide ways to do this through:

  • Online request forms
  • Support email addresses
  • Toll-free phone numbers

They also need to verify who is making the request and respond within the timeframes set by law.

Does the CCPA apply to your business?

The CCPA applies ot your business if it operates in California and meets at least one of the following conditions:

  • Earns more than 25 million dollars in annual revenue
  • Processes personal data from 100,000 or more California residents or households per year
  • Generates 50% or more of its revenue from selling personal data

Even if a company is based outside the state, it may still need to comply if it collects personal data from California residents.

The California Privacy Protection Agency

The California Privacy Protection Agency (CPPA) was created by the CPRA to oversee and enforce the state’s privacy laws.

The agency can:

  • Investigate privacy violations
  • Issue regulations and guidance
  • Conduct audits
  • Enforce penalties

In practice, that means privacy enforcement in California now has a dedicated regulator.

CCPA compliance checklist for businesses

If your business falls under the CCPA, compliance usually involves a few practical steps. If you want a more detailed walkthrough, this CCPA compliance guide breaks the process down step by step.

Map the personal data you collect

Start by identifying what personal information your business collects, where it comes from, and how it is used.

Update your privacy policy

Your privacy policy should clearly explain what data you collect, why you collect it, and how consumers can exercise their rights. If you’re updating your notice for Californian users, this guide to creating a CCPA privacy policy can help.

Provide consumer request mechanisms

Consumers need a clear way to submit requests to access, delete, or opt out of data sharing.

Review vendor relationships

If third parties process personal data on your behalf, your contracts should reflect the relevant privacy obligations.

Train employees

Teams that handle customer data or respond to privacy requests should understand the law and know how to respond.

Monitor compliance regularly

Privacy rules change often, so it is worth reviewing your setup regularly.

Frequently asked questions about penalties and enforcement

Who enforces the CCPA and CPRA?

The CCPA and CPRA can be enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA).

The Attorney General handled enforcement when the CCPA first came into effect.

The CPRA later introduced the CPPA, which now plays a central role in enforcing California privacy law and investigating potential violations.

What happens if a business does not comply?

If a business fails to meet its obligations under the law, it can face regulatory action, financial penalties, and, in some cases, legal claims from consumers.

Civil penalties can reach:

  • $2,500 per violation
  • $7,500 per intentional violation

That can add up quickly, especially when large volumes of user data are involved.

Can consumers sue businesses under the CCPA?

In some cases, yes.

The CCPA includes a private right of action for certain data breaches. This means consumers may be able to take legal action if their personal information is exposed because a business failed to implement reasonable security measures.

Has the law already been enforced in practice?

Yes. California regulators have already taken action against businesses that failed to meet privacy requirements.

Enforcement has focused on issues such as:

  • Missing or incomplete privacy disclosures
  • Failure to provide clear opt-out options
  • Poor handling of consumer rights requests
  • Non-compliant cookie and tracking practices

What are the real risks beyond fines?

For many businesses, the bigger risk is losing trust.

If customers feel their personal data is being collected without transparency or handled carelessly, that can affect brand reputation, customer loyalty, conversion rates, and long-term growth.

Employee and B2B data: special considerations

Privacy compliance doesn’t stop with customers and website visitors.

The CCPA and CPRA can also affect how businesses handle data related to employees, job applicants, contractors, and business contacts.

Does CCPA/CPRA apply to employee data?

In many cases, yes.

When the CCPA first took effect, some employee and HR-related data were temporarily exempt from certain parts of the law. Over time, that has changed.

Under the CPRA, many of those exemptions have expired, meaning employee-related personal data is now more clearly within scope.

This can include information collected during:

  • Hiring and recruitment
  • Onboarding
  • Payroll and HR processes
  • Performance management
  • Internal communications

If your business collects personal information from employees or job applicants in California, that data may now fall under the same broader privacy framework.

What about B2B data?

Business-to-business data was also treated differently under the original CCPA for a period of time, but those exemptions didn’t last forever.

Today, many businesses need to think more carefully about how they collect and manage data from suppliers, partners, contractors, business contacts, leads, and sales prospects.

If your business handles contact details or personal information in a professional context, that doesn’t automatically place it outside the law.

What does this mean for HR and internal teams?

It means privacy compliance needs to go beyond the marketing team or website setup. HR and people operations teams should consider what employee data is being collected, where it is stored, who has access to it, how long it is kept, and how employees can exercise their rights where applicable

This is especially important for businesses using multiple internal tools or third-party HR systems.

CCPA/CPRA vs GDPR: how California compares to Europe

If your business operates internationally, there’s a good chance you’ve also come across the General Data Protection Regulation (GDPR), but where and how do the CCPA and GDPR differ?

The GDPR is the European Union’s main privacy law, and while it shares some goals with the CCPA and CPRA, the two frameworks are not the same.

Both are designed to give people more control over their personal data, but they take different approaches to rights, consent, and business obligations.

CCPA/CPRA vs GDPR

AreaCCPA/CPRAGDPR
Geographic scopeApplies to certain businesses handling data from California residentsApplies to organizations handling data from people in the EU
Main approachFocuses on transparency and consumer controlFocuses on lawful processing and consent
Consumer rightsAccess, deletion, opt-out, correction, limit sensitive data useAccess, deletion, correction, portability, restriction, objection
Consent requirementsOften based on opt-out, especially around sale or sharingOften requires prior consent before processing
Sensitive dataSpecial protections under CPRASpecial category data has stricter rules
EnforcementCPPA and California Attorney GeneralNational data protection authorities across the EU
Potential finesLower than GDPR, but still significantCan be much higher depending on the violation
Data Protection OfficerNot generally requiredMay be required in some cases

Which law is stricter?

In general, the GDPR is broader and more demanding when it comes to legal basis, consent, and documentation.

The CCPA and CPRA, on the other hand, focus more heavily on transparency, user rights, and control over the sale or sharing of personal data.

While the GDPR is often seen as stricter overall, California’s privacy framework still imposes significant obligations on businesses.

What does this mean for international businesses?

If your business serves users in both California and Europe, you may need to comply with both frameworks.

That usually means putting processes in place to support clear privacy notices, valid consent where needed, rights request handling, vendor oversight, and ongoing legal updates

For many businesses, the challenge is in building a privacy setup that works across different rules without becoming difficult to manage internally. This is where having the right digital tools in place can make a real difference.

This is where iubenda can help. Instead of managing privacy requirements manually across different tools, businesses use iubenda to generate and maintain privacy documents, manage consent, and support user rights requests in one place.

Final thoughts on the CCPA and CPRA

The California Consumer Privacy Act and the California Privacy Rights Act have raised the bar for how businesses handle personal data.

For businesses, the takeaway is clear: privacy can no longer be treated as a one-off legal task. It needs to be built into how data is collected, managed, and communicated over time.

The good news is that compliance becomes much more manageable once the basics are in place, from clear privacy disclosures to simple processes for handling user rights and keeping documents up to date. iubenda can help by bringing those moving parts together in one place, automated and with room to grow. Create a new project to get a free website compliance report.

Privacy laws will continue to evolve, but the underlying expectation is unlikely to change: businesses should be transparent, responsible, and clear about how they use personal data.