
CCPA Compliance Guide for Online Stores

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives California residents specific rights over their personal data and imposes detailed compliance obligations on businesses that meet its thresholds. Administrative fines reach $2,500 per violation and $7,500 per intentional violation or violation involving a consumer under 16, and each affected consumer counts as a separate violation. For an online store with thousands of California customers, even a minor compliance gap can translate to millions in potential penalties. The California Privacy Protection Agency actively investigates and enforces, making CCPA compliance a practical necessity for any ecommerce business with California customers.

Step 1: Determine If the CCPA Applies to Your Business

The CCPA applies to for-profit businesses that collect personal information from California consumers and meet at least one of three thresholds: annual gross revenue exceeding $25 million, buying, selling, or sharing the personal information of 100,000 or more California consumers or households annually (the CPRA raised the original 50,000 figure and dropped "devices" from the count), or deriving 50% or more of annual revenue from selling or sharing personal information.

The $25 million threshold is based on worldwide revenue, not just revenue from California customers. The 100,000 threshold counts consumers or households whose personal information you buy, sell, or share, not merely collect, but because cookie and device identifiers tied to a person are personal information, a site that feeds the browsing data of 100,000 unique California visitors to advertising platforms through pixels or tags meets the threshold even if none of those visitors make a purchase. Given that California has 39 million residents, roughly 12% of the U.S. population, an ecommerce site with moderate national traffic and standard ad tracking can easily reach 100,000 California visitors annually.

Even if you fall below all three thresholds today, voluntary compliance is a practical decision for several reasons. The thresholds are measured against the previous calendar year, so rapid growth could bring you into scope unexpectedly. Other state privacy laws with lower or different thresholds may already apply to you. Building compliant practices from the start is cheaper than retrofitting them later. And CCPA-grade practices cover most of what other state privacy laws require, although several states add obligations the CCPA does not (opt-in consent for sensitive data, data protection assessments), so treat CCPA as the baseline rather than the whole of multi-state compliance.

Step 2: Map Your Data Collection and Sharing

Create a comprehensive inventory of every category of personal information your business collects, processes, and shares. The CCPA uses specific categories that you must reference in your privacy policy disclosures: identifiers (name, email, phone, address, IP address, account name), commercial information (purchase history, products viewed, shopping cart contents), internet or electronic network activity (browsing history, search history, interaction with your website), geolocation data, audio, electronic, visual, or similar information (call recordings, security camera footage), professional or employment information (if you collect it from business customers), education information, and inferences drawn from any of the above (predicted preferences, purchase likelihood, customer segments).

For each category, document the sources (directly from the consumer, automatically through cookies, from third parties like data brokers or advertising platforms), the business purposes for collection (order fulfillment, marketing, analytics, fraud prevention), the categories of third parties with whom you share the data, and whether the sharing constitutes a "sale" or "sharing" under the CCPA. The CCPA defines "sale" broadly as making personal information available to a third party for monetary or other valuable consideration. "Sharing" includes providing personal information to third parties for cross-context behavioral advertising (targeted advertising), regardless of whether money changes hands.

For most ecommerce stores, the data sharing that triggers CCPA obligations includes Facebook Pixel sending browsing data to Meta for ad targeting, Google Analytics sending visitor data to Google, retargeting platforms receiving browsing behavior, and any third-party tool that uses your customer data for its own purposes beyond serving you. Sharing data with service providers who only process data on your behalf (like your payment processor) is not a sale, but the service provider relationship must be documented in a written contract.

Step 3: Update Your Privacy Policy

The CCPA requires your privacy policy to include specific disclosures, updated at least once every 12 months. Required elements include a list of the categories of personal information collected in the preceding 12 months, the categories of sources for each type of information, the business or commercial purpose for collecting or selling each category, the categories of third parties to whom you disclose personal information, whether you sell or share personal information and which categories, a description of each consumer right under the CCPA, instructions for submitting consumer rights requests (including at least two methods), and your contact information.

If you sell or share personal information, your privacy policy must also include a separate section listing the categories of personal information sold or shared in the preceding 12 months and the categories of third parties to whom each category was sold or shared. If you did not sell or share any personal information, state that explicitly.

The CPRA amendment added requirements around sensitive personal information. If you collect sensitive data (Social Security numbers, driver's license numbers, account log-in credentials, precise geolocation, racial or ethnic origin, religious beliefs, health information, or the contents of messages), you must disclose this separately and describe the consumer's right to limit the use and disclosure of sensitive personal information. If you use or disclose sensitive data for purposes beyond those the regulations permit without a limit request (for example, completing the transaction or detecting fraud), add a "Limit the Use of My Sensitive Personal Information" link alongside your "Do Not Sell or Share" link.

Step 4: Implement Consumer Rights Request Processes

You must provide at least two methods for consumers to submit requests. The default rule is that one of them must be a toll-free phone number, but a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address, so most online stores offer a website form plus a dedicated email address. The request intake system must be accessible, easy to use, and capable of handling four types of requests: right to know (what data do you have on me), right to delete (remove my data), right to correct (fix inaccurate data), and right to opt out (stop selling or sharing my data), plus the right to limit use of sensitive personal information if that applies to you.

After receiving a request, verify the consumer's identity. For account holders, having them log in to their account (through your normal authentication, not a link that skips it) provides sufficient verification. For consumers without accounts, verify by matching at least two pieces of information they provide against data you already have (name and email, email and order number, phone and address) for a request to know categories of data, to delete, or to correct. For a request to know the specific pieces of data you hold, and for deletion of sensitive information, require a higher level of verification: the regulations call for at least three matching data points plus a signed declaration under penalty of perjury for specific-pieces requests. Compare submitted values after normalizing case, whitespace, and phone formatting so legitimate consumers are not rejected, and report only pass or fail, never which field did not match, since a per-field answer lets an attacker confirm guessed data.

Fulfill verified requests within 45 calendar days. You can extend this by an additional 45 days for complex requests if you notify the consumer of the extension and the reason within the initial 45-day period. For right-to-know requests, provide the consumer with a report listing the specific pieces of personal information collected, the categories of sources, the purposes, and the third parties to whom the data was disclosed. Deliver the response in a readily usable, portable format that the consumer can move to another business (CSV or JSON; a PDF satisfies "readable" but not "machine-readable") through a secure method such as the authenticated account or an expiring download link, not as an email attachment. Never include the most sensitive specific pieces in the response itself: the regulations direct you to confirm that you hold a Social Security number, driver's license number, financial account number, password, or security questions and answers rather than disclosing the value, because a right-to-know response is an attractive target for account takeover.

For deletion requests, delete the consumer's personal information from your systems and direct all service providers and third parties who received the data to delete their copies. You can retain data that is necessary to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech. If you retain data under an exception, explain which data you retained and the legal basis to the consumer.

Step 5: Add the Do Not Sell or Share Link

If your business sells or shares personal information (which includes sharing data with advertising platforms like Facebook and Google for targeted advertising), you must display a clear and conspicuous link labeled "Do Not Sell or Share My Personal Information" on your website homepage. Many businesses place this link in the footer alongside the privacy policy link. The link must lead to a page or mechanism that allows the consumer to opt out without requiring them to create an account. The regulations allow one alternative: a business that processes opt-out preference signals in a frictionless manner (no extra steps, no pop-up, no charge) and discloses this in its privacy policy may omit the link, but most stores keep it.

The opt-out must be effective across all data sharing relationships. When a consumer opts out, you must stop sharing their data with all third parties for advertising purposes, not just one platform. This means implementing technical controls that suppress opted-out consumers from your Facebook Pixel audiences, Google remarketing lists, and any other data sharing relationships. Consent management platforms like OneTrust, Osano, and Termly can automate this process by detecting opt-out signals and blocking tracking scripts for opted-out users. Two practical caveats: blocking a browser tag does nothing about events you send server-side (for example through Meta's Conversions API or a server-side tag manager), so the opt-out flag must reach those pipelines too; and where you cannot drop a platform entirely, the platforms' own restricted modes (Meta's Limited Data Use flag, Google's restricted data processing) exist precisely to mark an event as opted out.

The CPRA also requires businesses to honor the Global Privacy Control (GPC), a browser-level signal that consumers can enable to automatically opt out of data sales and sharing on every website they visit. Technically, a GPC-enabled browser sends the HTTP request header Sec-GPC: 1 and exposes navigator.globalPrivacyControl === true to page scripts; if your website detects either, you must treat it as a valid opt-out request for that browser, and for the consumer's account if they are logged in or otherwise known to you. The signal also wins over a conflicting business-specific setting such as an earlier click on "accept" in a cookie banner; you may tell the consumer about the conflict but must still process the opt-out. Most consent management platforms recognize GPC signals automatically, but verify that your implementation actually responds to them: the first public CCPA enforcement action, the 2022 Sephora settlement with the California Attorney General ($1.2 million), turned in part on a failure to honor GPC.

You cannot require consumers to verify their identity to opt out (verification is required for know, delete, and correct requests, but not opt-out). You cannot use dark patterns, confusing language, or extra steps to discourage opt-out. The process must be as easy as the process for opting in, and you cannot require the consumer to provide more information than necessary to process the request.
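The mechanics of the three preceding paragraphs (suppressing third-party tags on opt-out, detecting GPC on the server and in the browser, and letting the signal override a banner "accept") as one added example that is not code from the original page or from any consent platform. The tag manifest, cookie names, request shape, and the service-provider/third-party classification are assumptions constructed for illustration.

```javascript
// Added example: resolve a visitor's opt-out state from every signal the page
// lists and decide which tags may load. Names and shapes are illustrative.

// Constructed tag manifest. "third-party" tags share data for cross-context
// behavioral advertising and must be suppressed on opt-out; "service-provider"
// tags process data only on the store's behalf and may keep loading.
const TAG_MANIFEST = [
  { id: 'meta-pixel', role: 'third-party' },
  { id: 'google-ads-remarketing', role: 'third-party' },
  { id: 'fraud-scoring', role: 'service-provider' },
  { id: 'own-analytics', role: 'service-provider' },
];

// GPC over HTTP: the header is "Sec-GPC" and only the exact value "1" opts out.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// GPC in the browser: navigator.globalPrivacyControl === true.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Minimal Cookie header parser ("a=1; b=2" -> { a: "1", b: "2" }).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    out[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Resolve the opt-out state for one request.
//   headers: lower-cased HTTP request headers (assumed shape)
//   nav:     the browser's navigator object when evaluated client-side, else null
//   account: { optedOut: boolean } for a logged-in customer, or null
// A GPC signal is honored even if the visitor earlier clicked "accept" on a
// banner; the conflict is reported so the caller can notify the consumer.
function resolveOptOut({ headers = {}, nav = null, account = null }) {
  const cookies = parseCookies(headers.cookie);
  const reasons = [];
  if (gpcFromHeaders(headers)) reasons.push('gpc-header');
  if (gpcFromNavigator(nav)) reasons.push('gpc-navigator');
  if (cookies.ccpa_opt_out === '1') reasons.push('opt-out-cookie');
  if (account && account.optedOut === true) reasons.push('account-preference');

  const optedOut = reasons.length > 0;
  const conflictsWithBannerAccept = optedOut && cookies.consent_banner === 'accept';
  // A signal from a logged-in customer should be stored on the account so the
  // opt-out follows them to other devices; flagged here, persisted by the caller.
  const persistToAccount = optedOut && account !== null && account.optedOut !== true;
  return { optedOut, reasons, conflictsWithBannerAccept, persistToAccount };
}

// Tags allowed to load for this request; apply the same decision to any
// server-side event pipeline, not only to browser tags.
function tagsToLoad(decision, manifest = TAG_MANIFEST) {
  return manifest
    .filter(t => t.role === 'service-provider' || !decision.optedOut)
    .map(t => t.id);
}

// Constructed sample request: a GPC-enabled browser whose user earlier clicked
// "accept" on the banner and is logged in to an account with no stored opt-out.
const sampleRequest = {
  headers: { 'sec-gpc': '1', cookie: 'session=abc; consent_banner=accept' },
  nav: null,
  account: { optedOut: false },
};

const sampleDecision = resolveOptOut(sampleRequest);
console.log(JSON.stringify(sampleDecision), tagsToLoad(sampleDecision));
```

The decision is computed once per request and handed to both the tag loader and any server-side event sender, which is the point that script-blocking consent banners alone miss.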

Step 6: Update Service Provider and Third-Party Contracts

The CCPA requires written contracts with every entity that receives personal information from your business. These contracts must specify the business purpose for which the data is shared, prohibit the receiving party from selling the data or using it for purposes beyond the specified business purpose, require the receiving party to comply with the CCPA and provide the same level of protection as the CCPA requires, and grant you the right to take reasonable steps to ensure the receiving party uses the data consistently with your CCPA obligations.

For service providers (companies that process data solely on your behalf), the contract must also prohibit them from combining your data with data received from other sources for their own purposes, require them to notify you if they can no longer meet their CCPA obligations, and allow you to stop and remediate unauthorized use of the data. Most major SaaS companies include CCPA-compliant terms in their service agreements, but verify by reviewing the data processing section of each provider's terms.

For third parties that receive data for their own business purposes (such as advertising platforms), the contractual requirements are different. The contract must acknowledge that the third party understands the restrictions the CCPA imposes on the data, must agree to comply with the CCPA, and must agree to provide the same level of privacy protection. Given that advertising platforms like Meta and Google have their own CCPA compliance programs, their standard terms generally meet these requirements, but review them to confirm.

Enforcement and Penalties

The California Privacy Protection Agency (CPPA) is the primary enforcement body for the CCPA/CPRA. The agency can investigate businesses on its own initiative or in response to consumer complaints, issue compliance orders, and impose administrative fines of $2,500 per unintentional violation and $7,500 per intentional violation. Each affected consumer counts as a separate violation, so a data practice affecting 10,000 California consumers can result in penalties of $25 million to $75 million.

The CCPA also includes a private right of action for data breaches. If a business suffers unauthorized access to nonencrypted and nonredacted personal information because it failed to implement reasonable security measures, affected California consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, after giving the business 30 days' written notice to cure where a cure is possible. For a breach affecting 50,000 California consumers, the statutory damages range from $5 million to $37.5 million. Two points follow for engineers: the statute attaches liability only to data that was unencrypted or unredacted when taken, so encryption at rest with keys kept outside the breached system directly limits exposure, and "reasonable security" is judged after the fact, so documented controls (access logging, patching, least-privilege access to customer data) are what you will be asked to produce.

The CPPA has published enforcement priorities including businesses that process large volumes of consumer data, businesses that fail to honor opt-out requests, businesses that use dark patterns to interfere with consumer rights, and businesses that target minors' data. The California Attorney General enforces the law alongside the agency, and the Attorney General's early sweeps sent notices of alleged violation with a 30-day window to cure. That statutory right to cure was removed by the CPRA effective January 1, 2023; regulators may still choose to send an inquiry letter and allow time to come into compliance before pursuing penalties, but a business can no longer count on a warning.