Does the CCPA apply to your business?
Only if you meet a threshold. The CCPA applies to a for-profit entity that does business in California, determines the purposes and means of processing consumers' personal information, and satisfies at least one statutory threshold — the most common being annual gross revenue over $25,000,000, a figure the CPPA adjusts for inflation (currently $26,625,000).
The revenue test is not the only trigger — the statute also reaches businesses that buy, sell, or share the personal information of 100,000 or more consumers or households, or that derive 50 percent or more of their annual revenue from selling or sharing personal information. Meeting any one threshold brings the whole CCPA to bear.
Sources for this answer
Primary law
A.1 Cal. Civ. Code § 1798.140
A for-profit entity is a covered 'business' only if it does business in California and meets a threshold — including annual gross revenue over $25,000,000, as adjusted for inflation.
had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to subdivision (d) of Section 1798.199.95.
See Cal. Civ. Code § 1798.140(d)(1)(A).
What must your California privacy policy contain?
A covered business must disclose its privacy practices in an online privacy policy and refresh that policy at least once every 12 months. The statute requires the policy to describe the consumer rights the CCPA grants and to give consumers two or more designated methods for submitting requests. Separately, at or before the point of collection, the business must give a notice at collection identifying the categories of personal information collected and the purposes for which they are used.
For a template privacy policy, that means the document is not a static disclaimer — it is a dated, annually-updated instrument that must, at minimum: (1) describe each consumer right under sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125; (2) list the categories of personal information collected, the sources, the business or commercial purposes, and the categories of third parties to whom information is disclosed or sold; and (3) state at least two methods for exercising rights. The notice at collection is a distinct, just-in-time disclosure given at the point of collection, not a substitute for the policy.
The CPPA's implementing regulation spells out the same obligation in granular form: it enumerates exactly what the privacy policy must include, beginning with a comprehensive description of the business's information practices. A template that maps each regulatory line item to a section of the policy is the most reliable way to demonstrate compliance.
Treat the requirement to update the policy at least once every 12 months as a hard maintenance obligation, not a courtesy. A privacy policy whose last-reviewed date has gone stale is itself a compliance gap, independent of whether the underlying practices changed — the statute makes the annual refresh a standalone duty.
Sources for this answer
Primary law
B.1 Cal. Civ. Code § 1798.130
A business must disclose CCPA-required information in its online privacy policy, including a description of consumer rights and request methods, and update it at least every 12 months.
Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:
See Cal. Civ. Code § 1798.130(a)(5).
Primary law
B.2 Cal. Civ. Code § 1798.100
At or before the point of collection, a business must inform consumers of the categories of personal information collected and the purposes for which they are used.
A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following:
See Cal. Civ. Code § 1798.100(a).
Regulation
B.3 Cal. Code Regs. tit. 11, § 7011
The CPPA regulation enumerates the content a privacy policy must include, starting with a comprehensive description of the business's online and offline information practices.
The privacy policy shall include the following information:
See Cal. Code Regs. tit. 11, § 7011(e).
What must your contracts with vendors and service providers say?
Whenever a business sells personal information to a third party, shares it, or discloses it to a service provider or contractor for a business purpose, the CCPA requires a written agreement with specific terms — most importantly that the information is disclosed only for limited and specified purposes and that the recipient is contractually bound to comply with the CCPA.
This is the provision that makes a data processing agreement a statutory requirement rather than a best practice. A recipient that lacks a compliant contract does not qualify as a service provider or contractor, which means the disclosure can be treated as a sale or a share — triggering opt-out rights and disclosure obligations the business may not have planned for. The implementing CPPA regulation supplies the specific clauses a compliant template DPA must carry — including identifying the limited and specified business purposes and barring generic, contract-wide descriptions.
Sources for this answer
Primary law
C.1 Cal. Civ. Code § 1798.100(d)
A business that sells, shares, or discloses personal information to a third party, service provider, or contractor must enter a contract specifying that the information is used only for limited and specified purposes and obligating CCPA compliance.
A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:
See Cal. Civ. Code § 1798.100(d).
Regulation
C.2 Cal. Code Regs. tit. 11, § 7051
The CPPA regulation requires a service-provider or contractor contract to identify the specific, limited business purposes for the processing and forbids describing them in generic, contract-wide terms.
Identify the specific business purpose(s) for which the service provider or contractor is processing personal information pursuant to the written contract with the business, and specify that the business is disclosing the personal information to the service provider or contractor only for the limited and specified business purpose(s) set forth within the contract.
See Cal. Code Regs. tit. 11, § 7051(a)(2).
Can a consumer sue your business after a data breach?
Yes, but only for a data breach. The CCPA's private right of action is narrow: it lets a consumer sue when nonencrypted, nonredacted personal information is exposed because the business failed to maintain reasonable security. Outside that breach scenario, the CCPA is enforced by the CPPA and the Attorney General, not by private plaintiffs.
There is no California appellate decision squarely defining the outer edges of this private right of action. The Ninth Circuit has, however, recognized that CCPA breach claims carry real settlement value: in reviewing a data-breach class settlement it noted the CCPA claims “potentially conferred statutory damages to the California subclass” and were weighed in assessing the settlement’s adequacy. For a business, the practical takeaway is that the litigation exposure is concentrated entirely at the security-failure-plus-breach boundary.
Sources for this answer
Primary law
D.1 Cal. Civ. Code § 1798.150
A consumer may bring a civil action when nonencrypted, nonredacted personal information is subject to unauthorized access as a result of the business's failure to maintain reasonable security.
Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action
See Cal. Civ. Code § 1798.150(a)(1).
Case law
D.2 In re California Pizza Kitchen, Inc., 129 F.4th 667 (9th Cir. 2025)
In reviewing the adequacy of a data-breach class settlement, the Ninth Circuit recognized that CCPA claims potentially conferred statutory damages to the California subclass.
The district court also considered the California Consumer Privacy Act (CCPA) claims—which potentially conferred statutory damages to the California subclass—in assessing the adequacy of the settlement.
See In re California Pizza Kitchen, Inc., 129 F.4th 667 (9th Cir. 2025).
Do the new CPPA rules on AI, risk assessments, and cybersecurity audits apply to you?
Possibly — and the deadlines are approaching. A 2025 CPPA rulemaking package, effective January 1, 2026, layered three new obligations on top of the base CCPA: risk assessments, annual cybersecurity audits, and rules governing automated decisionmaking technology (ADMT). Each reaches only businesses whose processing crosses a defined risk threshold, and the heaviest duties phase in on a staggered schedule rather than all at once.
There are three thresholds to map against your operations. First, a risk assessment is required before you begin any processing that presents significant risk to privacy — which the regulation defines to include selling or sharing personal information, processing sensitive personal information, and using ADMT for a significant decision. Second, an annual cybersecurity audit is required once your processing presents significant risk to security, with the first audit report due April 1, 2028 for the largest businesses and phasing in later for smaller ones. Third, if you use ADMT to make a significant decision about a consumer — in lending, housing, education, employment, or healthcare — you must reach compliance, including pre-use notices and opt-out and access rights, no later than January 1, 2027.
For a template privacy program, inventory now where automated tools drive significant decisions and where high-risk processing occurs. The documentation obligations are dated: ADMT compliance by January 1, 2027 and the first cybersecurity-audit reports and risk-assessment submissions from April 1, 2028 — so the records need to exist before those dates, not after.
Sources for this answer
Regulation
E.2 Cal. Code Regs. tit. 11, § 7150
A business must conduct a risk assessment before initiating any processing that presents significant risk to consumers' privacy, including selling or sharing personal information, processing sensitive personal information, or using ADMT for a significant decision.
Every business whose processing of consumers’ personal information presents significant risk to consumers’ privacy as set forth in subsection (b) must conduct a risk assessment before initiating that processing.
See Cal. Code Regs. tit. 11, § 7150(a).
Regulation
E.3 Cal. Code Regs. tit. 11, § 7120
A business whose processing presents significant risk to consumers' security must complete a cybersecurity audit.
Every business whose processing of consumers’ personal information presents significant risk to consumers’ security as set forth in subsection (b) must complete a cybersecurity audit.
See Cal. Code Regs. tit. 11, § 7120(a).
Regulation
E.4 Cal. Code Regs. tit. 11, § 7121
The first cybersecurity audit report is due April 1, 2028 for businesses with more than $100 million in 2026 annual gross revenue, with later dates for smaller businesses.
April 1, 2028, if the business’s annual gross revenue for 2026 was more than one hundred million dollars ($100,000,000) as of January 1, 2027.
See Cal. Code Regs. tit. 11, § 7121(a)(1).
Regulation
E.1 Cal. Code Regs. tit. 11, § 7200
A business using ADMT to make a significant decision about a consumer must comply with the ADMT rules no later than January 1, 2027.
A business that uses ADMT for a significant decision prior to January 1, 2027, must be in compliance with the requirements of this Article no later than January 1, 2027.
See Cal. Code Regs. tit. 11, § 7200(b).