
CCPA and CPRA: California Privacy Compliance

CCPA and CPRA requirements for California websites. Privacy compliance, consumer rights, and accessibility intersection.


Overview

The California Consumer Privacy Act (CCPA) gives California residents rights over their data. The California Privacy Rights Act (CPRA) strengthened these rights. While privacy-focused, CCPA intersects with accessibility requirements.

Jurisdiction

California, United States (applies to all companies processing California resident data)

Who must comply

For-profit businesses with California resident data and annual revenue exceeding $25 million, OR that buy/sell personal information of 100,000+ Californians, OR that buy/sell data of 100,000+ households

Penalties

$2,500 per violation (intentional); $7,500 per violation (CCPA); $2,500-$7,500 (CPRA)

Up to $7,500 per intentional violation; class action damages; injunctions; significant legal fees

Key Requirements

Right to Know

Users can request what personal information is collected, its sources, and the purposes for collecting it. The request process must be accessible.

Right to Delete

Users can request deletion of personal data. The deletion mechanism must be accessible and functional.

Right to Opt-Out

Users can opt out of data sale/sharing. The opt-out mechanism must be clear, accessible, and functional (CPRA: 'Do Not Sell/Share My Personal Information' link required).

Right to Correct

Users can request correction of inaccurate personal information (CPRA addition). The correction interface must be accessible.

Compliance Checklist

Privacy policy explains data collection clearly

Data subject rights request form accessible

"Do Not Sell/Share My Personal Information" link prominent and functional

Request process works for users with disabilities

Response to data requests within 45 days

Opt-out preference center accessible

Cookie/tracking consent mechanism accessible

No discrimination against exercising CCPA rights

Penalties & Enforcement

Penalty range: $2,500 per violation (intentional); $7,500 per violation (CCPA); $2,500-$7,500 (CPRA) to up to $7,500 per intentional violation; class action damages; injunctions; significant legal fees

CCPA is enforced by the California Attorney General and private attorneys. Unlike GDPR, CCPA has a private right of action (individuals can sue for data breaches). Combined with ADA accessibility violations, this creates double liability.

Timeline

2018

CCPA signed into law (June); effective January 1, 2020

2020

CCPA enforcement begins; fines and settlements issued

2023

CPRA takes effect (January 1); adds right to correct, right to limit, more consumer rights

2026

CPRA fully enforced; California becomes privacy leader in US

Frequently Asked Questions

Does CCPA apply to my business?
If you have California resident data AND meet size thresholds (revenue >$25M, or handle data of 100k+ Californians), yes. Many online businesses meet the thresholds without realizing it.

Are privacy rights accessibility requirements?
Implicitly yes. If users can't access data request forms because of accessibility barriers, they can't exercise CCPA rights. This creates discrimination and potential exposure.

What's the difference between CCPA and GDPR?
GDPR is an EU law and requires opt-in consent. CCPA is a California law and allows opt-out. GDPR penalties are higher. CCPA has a private right of action (individuals can sue). Both require accessible mechanisms.
