CCPA Compliance Checklist for 2026: 14 Requirements Every Business Must Meet
Legal disclaimer: This article is informational only and not legal advice. Statutes and regulations change. Work with qualified privacy counsel to determine how the California Consumer Privacy Act applies to your business and what controls you need.
Last updated: May 25, 2026.
The California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) is no longer the same law it was in 2020. The California Privacy Rights Act of 2020 (CPRA), which became enforceable on March 29, 2023, rewrote large portions of it: a new regulator, a new category of sensitive data, two new consumer rights, and explicit obligations around data minimization, contracts, and risk assessments. The 14-item checklist below maps each requirement to its statutory section so a privacy team, an engineering lead, or a general counsel can validate the program against the actual text of the law rather than a vendor’s summary.
What Is the CCPA (and How Did CPRA Change It)?
The CCPA is California’s omnibus consumer privacy statute, codified at Cal. Civ. Code §§1798.100-1798.199.100. It grants California residents a defined set of rights over personal information collected by covered businesses and imposes corresponding obligations on those businesses. The original law took effect on January 1, 2020. The CPRA, a 2020 ballot initiative (Proposition 24), amended and expanded it; the amendments became operative on January 1, 2023, with enforcement beginning March 29, 2023.
CCPA vs. CPRA: What’s New as of 2023
For practical purposes, “the CCPA” today means the CCPA as amended by the CPRA. The amendments did six things that matter for compliance:
- Created the California Privacy Protection Agency (CPPA) as a dedicated regulator with rulemaking and enforcement authority (§1798.199.10).
- Added Sensitive Personal Information (SPI) as a distinct category of regulated data (§1798.140(ae)).
- Added a right to correct inaccurate personal information (§1798.106).
- Added a right to limit the use and disclosure of SPI (§1798.121).
- Expanded the opt-out right to cover both selling and sharing personal information for cross-context behavioral advertising (§1798.120).
- Codified data minimization and purpose limitation as affirmative obligations (§1798.100(c)).
The original 30-day right to cure expired on January 1, 2023; the Attorney General and the CPPA can now initiate enforcement actions without giving businesses a cure window.
Sensitive Personal Information (SPI): The CPRA’s New Category
SPI is a defined subset of personal information that includes Social Security numbers, driver’s license and passport numbers, financial account numbers paired with access credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail, email, and text messages where the business is not the intended recipient, genetic data, biometric data processed to uniquely identify a consumer, health information, and sex life or sexual orientation data. Businesses that collect SPI must offer a separate “Limit the Use of My Sensitive Personal Information” link, unless their use of that SPI is restricted to a short list of business purposes enumerated in §1798.121(a) and the regulations.
The California Privacy Protection Agency (CPPA): California’s New Enforcer
The CPPA is the first dedicated data-protection regulator in the United States. It has authority to investigate complaints, issue subpoenas, conduct administrative hearings, and impose administrative fines of up to $2,500 per violation, or $7,500 per intentional violation or per violation involving a minor (§1798.155). The California Attorney General retains parallel civil enforcement authority. Both regulators are now actively building enforcement records (see Penalties section below).
Who Must Comply with the CCPA in 2026?
The CCPA applies to a “business,” defined at §1798.140(d) as a for-profit legal entity that does business in California, collects California consumers’ personal information (or determines the purposes and means of processing), and meets at least one of three thresholds.
The Three Compliance Thresholds (Revenue, Resident/Household Volume, Data-Sale Share)
A for-profit entity is a CCPA-covered business if it meets any one of the following in the preceding calendar year:
- Annual gross revenue over $25 million (adjusted for inflation per §1798.185(a)(5)).
- Buys, sells, or shares the personal information of 100,000 or more California residents or households (raised from 50,000 under the original CCPA).
- Derives 50 percent or more of annual revenue from selling California residents’ personal information.
Note the 100,000-resident-or-household threshold, which the CPRA raised from the original 50,000. Many pre-2023 compliance guides still cite the old number; it is no longer the law.
Who Is Exempt (HIPAA, Nonprofits, Government Agencies, GLBA)
The CCPA exempts protected health information processed under HIPAA, information collected by financial institutions and subject to the Gramm-Leach-Bliley Act, information regulated by the Driver’s Privacy Protection Act, and information collected by California consumer reporting agencies subject to the Fair Credit Reporting Act, among others (§1798.145). Nonprofits and government agencies are categorically outside the definition of “business,” though they may still be third parties or service providers to a covered business and inherit obligations through contract. The employer and B2B exemptions, which sunset on January 1, 2023, no longer apply: employee and business-contact personal information is fully covered.
Service Providers vs. Third Parties vs. Contractors
The CPRA tightened the taxonomy at §1798.140(ag), (ah), and (ai). A service provider processes personal information on behalf of a business under a written contract that restricts the service provider’s purposes. A contractor is similar but is used in the context of making personal information available rather than processing. A third party is anyone else who receives personal information; transfers to third parties are treated as sales or sharing unless an exception applies. The classification matters because the obligations cascade: the contracts you need, the disclosures the consumer sees, and whether opt-out signals apply all turn on it.
What Are the Requirements of the CCPA?
The CCPA requires covered businesses to give California consumers notice before collection, honor a defined set of consumer rights (know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination), maintain reasonable data security, minimize data collection and retention to what is necessary for a disclosed purpose, contract with service providers and third parties on CCPA-compliant terms, post a privacy policy that is reviewed at least annually, and respond to verified consumer requests within 45 days. Larger businesses and those processing high-risk data must also conduct annual cybersecurity audits and risk assessments under regulations the CPPA is finalizing.
CCPA Compliance Checklist: 14 Requirements
The CCPA’s operational requirements break down into fourteen concrete tasks. Work through them in order; each one references the statutory section so the in-house team or outside counsel can verify the citation.
- Build a personal information data inventory and map (§1798.130).
- Audit third-party and service provider contracts (§1798.140(ag)-(ai)).
- Publish a CCPA-compliant privacy policy (§1798.130(a)(5)).
- Provide a “notice at collection” before or at the point of collection (§1798.100(b)).
- Implement a “Do Not Sell or Share My Personal Information” mechanism (§1798.135).
- Honor Global Privacy Control (GPC) signals (CCPA Regs §7025).
- Operationalize the right to know (§§1798.110, 1798.115).
- Operationalize the right to delete (§1798.105).
- Operationalize the right to correct (§1798.106).
- Operationalize the right to limit use of Sensitive Personal Information (§1798.121).
- Build an identity verification workflow for consumer requests (CCPA Regs §§7060-7063).
- Apply data minimization and retention policies (§1798.100(c)).
- Prepare for annual cybersecurity audits and risk assessments (§1798.185(a)(15)).
- Train employees and maintain an incident response plan (§§1798.130(a)(6), 1798.150).
Each item below expands the step and notes what it looks like in practice.
1. Build a Personal Information Data Inventory and Map (§1798.130)
You cannot honor consumer rights against data you cannot find. Build an inventory that lists every category of personal information collected, every source it comes from, every business or commercial purpose for using it, every category of third party it is disclosed to, and the retention period. This inventory anchors the privacy policy disclosures required by §1798.130(a)(5) and the response payload for right-to-know requests under §1798.110. Update it whenever you ship a new feature, integrate a new vendor, or change processing purposes. A spreadsheet works at first; mature programs maintain the inventory in a privacy management platform or in the same configuration store as their data catalog.
2. Audit Third-Party and Service Provider Contracts (§1798.140(ag))
Every entity that receives personal information must be classified as a service provider, contractor, or third party, and the contract must contain the terms §1798.140 requires for that classification. Service-provider and contractor contracts must restrict processing to the disclosed business purpose, prohibit retention or use outside that purpose, prohibit combining with personal information from other sources, and require the service provider to notify the business if it determines it can no longer meet its CCPA obligations. Missing contractual language reclassifies the recipient as a third party, which can turn a routine data transfer into a “sale” or “share.” Moesif’s Data Processing Addendum is one example of the kind of contractual instrument covered businesses use with their processors.
3. Publish a CCPA-Compliant Privacy Policy (§1798.130(a)(5))
The privacy policy must describe consumer rights, list categories of personal information and SPI collected in the preceding 12 months, list categories of sources, list business and commercial purposes for collection and use, list categories of third parties to whom information was disclosed, sold, or shared, list retention periods (or the criteria used to determine them), explain how a consumer can submit each type of request, describe the identity verification process, and explain the metric for handling requests received in the prior calendar year if the business buys, receives, sells, or shares personal information of 10 million or more consumers annually. Review and update the policy at least every 12 months.
4. Provide a “Notice at Collection” Before or At Data Collection (§1798.100(b))
A separate notice at or before collection must list categories of personal information and SPI collected, the purposes for each category, whether each category is sold or shared, the retention period, and a link to the full privacy policy. For website collection, a link in the footer near the “Do Not Sell or Share” link typically satisfies this; for in-person, telephone, or mobile contexts, the notice has to be delivered in that channel. The CCPA regulations specify the layout and language requirements in §7012.
5. Implement a “Do Not Sell or Share My Personal Information” Mechanism (§1798.135)
Businesses that sell or share personal information must post a clear link titled “Do Not Sell or Share My Personal Information” on the homepage and any page where personal information is collected. The link must lead to a request mechanism that does not require account creation, does not impose extra steps, and processes the opt-out within 15 business days. Businesses may use a single combined “Your Privacy Choices” link with the Privacy Rights icon defined in the regulations. The Sephora settlement (see Penalties) turned in part on the fact that Sephora did not post this link or provide a working opt-out path.
6. Honor Global Privacy Control (GPC) Signals (CCPA Regs §7025)
CCPA Regulation §7025 requires businesses to treat a user-enabled global privacy control signal, such as the Global Privacy Control (GPC), as a valid opt-out of sale or sharing. The signal must be processed regardless of whether the user is logged in, and it cannot be overridden by a contradictory cookie banner default. The Attorney General’s Sephora action and the more recent Sling TV settlement both rested on failures to process GPC properly. If the site relies on a third-party consent management platform, validate end-to-end that the GPC header propagates from the user’s browser through the CMP to every downstream advertising or analytics vendor.
7. Operationalize the Consumer Right to Know (§1798.110, §1798.115)
Section 1798.110 entitles consumers to know what personal information a business collected about them, the categories of sources, the business or commercial purpose, and the categories of third parties to whom it was disclosed. Section 1798.115 entitles them to know what was sold or shared and to whom. Verified requests must be honored within 45 days, with one 45-day extension allowed if necessary and disclosed to the consumer in writing. The response must cover the prior 12 months by default; if a consumer requests information collected on or after January 1, 2022, the business must produce it unless doing so is impossible or would involve disproportionate effort (§1798.130(a)(2)(B)).
8. Operationalize the Right to Delete (§1798.105)
A verified consumer can request deletion of personal information the business collected from the consumer. The business must delete the data and direct its service providers and contractors to delete it. Nine enumerated exceptions in §1798.105(d) allow retention for limited purposes including completing a transaction, detecting security incidents, exercising free speech, complying with a legal obligation, and certain internal uses reasonably aligned with consumer expectations. The business must document which exception applies whenever it withholds deletion. Importantly, this obligation extends to logs and backups; build a deletion workflow that includes downstream systems such as data warehouses, observability platforms, and email service providers.
9. Operationalize the Right to Correct (CPRA, §1798.106)
Added by the CPRA, §1798.106 gives consumers the right to request correction of inaccurate personal information. The business must use commercially reasonable efforts to correct it. Build a workflow that accepts the consumer’s evidence, applies the correction across all systems of record, and propagates the change to service providers. Document the decision when a correction is refused (for example, because the consumer’s evidence is insufficient to overcome the business’s reliable source).
10. Operationalize the Right to Limit Use of Sensitive Personal Information (CPRA, §1798.121)
If the business uses or discloses SPI for purposes beyond the narrow set permitted in §1798.121(a) and CCPA Regs §7027, it must offer a “Limit the Use of My Sensitive Personal Information” link or accept a combined “Your Privacy Choices” link. On receiving a limit request, the business must restrict use to the permitted purposes within 15 business days and notify service providers and contractors. Field-level controls, such as Moesif’s privacy rules and field-level redaction, help engineering teams drop or mask SPI from API event payloads at ingestion so the rest of the stack never has to discriminate between limited and unlimited SPI uses downstream.
11. Build an Identity Verification Workflow for Consumer Requests
Sections 7060-7063 of the CCPA Regulations require businesses to verify the identity of any consumer making a right-to-know, right-to-delete, right-to-correct, or right-to-limit request, while not requiring more information than necessary. Match the verification strength to the sensitivity of the request: a reasonable degree of certainty for category-level disclosures, a reasonably high degree for specific pieces of personal information or deletion. Authenticated users can be verified through the existing login; non-account-holders typically must match two or three pieces of personal information already on file. Reject requests where verification fails, document the reason, and inform the consumer in writing.
12. Apply Data Minimization and Retention Policies (CPRA, §1798.100(c))
The CPRA codified data minimization at §1798.100(c): a business’s collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to achieve the purposes disclosed at collection. This is now an affirmative obligation, not a best practice. Translate it into engineering policy: define a retention period for every data store, automate deletion at the end of that period, and require new processing purposes to go through a privacy review before they ship. The General Motors settlement (see Penalties) is widely cited as an enforcement action framed around data minimization.
13. Conduct Annual Risk Assessments and Cybersecurity Audits (CPRA, §1798.185)
Section 1798.185(a)(15) directs the CPPA to issue regulations requiring annual cybersecurity audits and risk assessments for businesses whose processing presents significant risk to consumers’ privacy or security. The CPPA’s final regulations on this front went through extensive rulemaking in 2024 and 2025; review the current text on cppa.ca.gov before scoping the program. At minimum, plan for a documented annual review of security controls (encryption, access management, logging, vulnerability management), and a documented risk assessment for any processing of SPI, automated decisionmaking, or large-scale consumer profiling.
14. Train Employees and Maintain an Incident Response Plan (§§1798.130, 1798.150)
Section 1798.130(a)(6) requires that employees responsible for handling consumer inquiries be trained on the CCPA’s requirements and on how to direct consumers to exercise their rights. Section 1798.150 creates a private right of action when a breach of nonencrypted, nonredacted personal information results from a failure to implement and maintain reasonable security; statutory damages range from $100 to $750 per consumer per incident. Maintain an incident response plan that covers breach detection, the §1798.82 notification obligation, evidence preservation, and the §1798.150 30-day cure window for the alleged violation in a private suit. Tabletop-test the plan annually.
CCPA Penalties: What Non-Compliance Costs in 2026
CCPA penalties come from three streams: administrative fines from the CPPA, civil penalties from the Attorney General, and statutory damages from private lawsuits for security failures.
Administrative Fines from the CPPA and Attorney General
Under §1798.155, the CPPA can assess administrative fines up to $2,500 per violation or $7,500 per intentional violation or per violation involving a consumer under age 16. The Attorney General can sue for civil penalties at the same levels under §1798.199.90, with violations counted on a per-consumer basis. There is no statutory ceiling, so penalties scale with the number of California consumers affected.
Statutory Damages from Private Lawsuits (Data Breaches)
Section 1798.150 gives consumers a private right of action only for data breaches caused by a failure to implement reasonable security. Statutory damages are $100 to $750 per consumer per incident, or actual damages, whichever is greater. Consumers do not have a private right of action for other CCPA violations.
Recent CPPA and OAG Enforcement Actions
The regulators are actively building a record on the major CCPA failure modes. The figures and dates below reflect publicly reported settlements as cited on the linked source pages; verify the current text on the OAG and CPPA sites before relying on any specific number:
- General Motors, $12.75 million (May 8, 2026, OAG). Reported as among the largest CCPA penalties to date and a leading example of an enforcement action framed around data minimization, settling allegations that GM sold the data of California drivers without adequate notice or opt-out. Source: oag.ca.gov.
- Disney, $2.75 million (February 11, 2026, OAG). Stipulated judgment alleging Disney failed to fully effectuate opt-out of sale or sharing across Disney+, Hulu, and ESPN+, including failure to link consumer devices for opt-out purposes the same way it linked them for ad targeting. Source: oag.ca.gov/privacy/privacy-enforcement-actions.
- Healthline Media, $1.55 million (July 1, 2025, OAG). Allegations that Healthline shared health-related data with third parties without CCPA-required protections; the settlement included a novel restriction on sharing article titles that reveal a consumer’s likely diagnosis. Source: oag.ca.gov/privacy/privacy-enforcement-actions.
- Jam City, $1.4 million (November 21, 2025, OAG). Allegations that the mobile gaming developer failed to offer opt-out across 21 apps and shared the data of users aged 13-16 without affirmative opt-in. Source: oag.ca.gov/privacy/privacy-enforcement-actions.
- American Honda Motor Co., $632,500 (March 12, 2025, CPPA). The CPPA Board’s first major settlement against a connected-vehicle manufacturer, alleging excessive verification requirements, asymmetric opt-out design, friction for authorized agents, and missing contract terms with ad-tech vendors. Source: cppa.ca.gov.
- Tilting Point Media, $500,000 (June 19, 2024, OAG and LA City Attorney). Allegations of collecting and sharing children’s data without parental consent in connection with the “SpongeBob: Krusty Cook-Off” mobile game. Source: oag.ca.gov/privacy/privacy-enforcement-actions.
- DoorDash, $375,000 (February 21, 2024, OAG). Allegations that DoorDash sold customer data through marketing co-operatives without providing notice or opt-out. Source: oag.ca.gov/privacy/privacy-enforcement-actions.
- Sephora, $1.2 million (August 24, 2022, OAG). The first major OAG settlement under the CCPA, alleging Sephora failed to disclose its sale of personal information, failed to process opt-outs sent via the Global Privacy Control, and did not cure within the then-available 30-day window. Source: oag.ca.gov.
Pattern recognition: most of the published actions turn on either failure to honor opt-out (Sephora, Disney, Sling TV, DoorDash, Jam City, GM) or on excessive friction in the consumer-rights workflow (Honda). Both are concrete, testable failures.
CCPA for API Programs: Special Considerations
The CCPA does not stop at the consumer-facing front end. API platforms ingest, transform, store, and ship personal information at high volume, and that processing is squarely in scope. The following considerations come up specifically for teams operating production APIs.
Why APIs Are a CCPA Risk Surface
Three structural factors raise CCPA risk in API platforms. First, APIs typically log request and response payloads in observability systems for debugging, which means personal information ends up in log stores that were not designed as systems of record. Second, API traffic crosses organizational boundaries, partners, embedded SDKs, third-party integrations, and each crossing is a potential “sale” or “share.” Third, the high-volume, machine-readable nature of API logs makes data minimization and retention enforcement harder than for application databases, which tend to have explicit schemas.
The Seven Business-Purpose Categories That Apply to APIs (§1798.140(e))
Section 1798.140(e) defines “business purpose” through an enumerated list. The seven categories most relevant to API platforms are:
- Auditing related to a current interaction with the consumer.
- Helping ensure security and integrity to the extent the use of personal information is reasonably necessary and proportionate.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including non-personalized advertising shown as part of the consumer’s current interaction with the business.
- Performing services on behalf of the business, including customer service, processing or fulfilling orders, verifying customer information, processing payments, providing analytic services, and similar services.
- Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer.
- Undertaking internal research for technological development and demonstration.
Operating an analytics or observability platform falls squarely within categories 1, 2, 3, and 5. That does not exempt the processing from CCPA, it just means the data can be processed without it becoming a “sale” if the contract and operational controls are correct.
Tagging Personal Data by User Identity for Right-to-Know Fulfillment
A hard part of fulfilling a right-to-know or right-to-delete request against an API platform is finding every event associated with a specific consumer. The answer is to tag every API call with the authenticated user identity at ingestion. With each event linked to a user_id, a right-to-know request becomes a query; a right-to-delete becomes a parameterized purge. Without that tagging, the team has to scan unstructured logs across many systems, which scales poorly and does not produce a verifiable response.
Building Right-to-Delete Workflows Across API Logs
A right-to-delete workflow against API logs needs four things: a verification step keyed to the consumer’s account identifier, a delete operation that runs across every log store containing personal information (live API event store, cold archives, downstream warehouses), a documented exception process for logs covered by one of the §1798.105(d) exceptions (security investigation, legal hold), and an audit record showing what was deleted and when. Build it as a self-serve action for the privacy team rather than an engineering ticket.
Audit Logs That Can Stand Up in Court
Audit logs that demonstrate CCPA compliance need three properties. They have to be tamper-evident (append-only, with retention controls separate from the operators who could modify them). They have to be complete (every consumer-rights request, every disclosure response, every deletion). And they have to be queryable on the dimensions the regulators care about, by consumer, by request type, by deadline, by response. Moesif’s API audit logs and API security with long retention are the kind of infrastructure that supports this; whichever tool the team uses, the requirement is the same.
How Moesif Helps with CCPA Compliance for APIs
We build Moesif as API analytics and observability infrastructure. For CCPA compliance, three capabilities matter most. These controls can help support data minimization and consumer-rights workflows, but compliance still depends on the customer’s configuration, legal basis, retention rules, and operating procedures.
First, every API event we capture is tagged with a user identity, which helps make right-to-know and right-to-delete requests against API logs a query rather than an engineering project. The privacy team can pull the complete record of a consumer’s API interactions from a single place.
Second, our privacy rules and field-level redaction let engineering define which fields in API request and response payloads are dropped or masked at ingestion. This can help support data minimization under §1798.100(c) and the right to limit use of SPI under §1798.121 by ensuring the platform never persists SPI the customer has elected not to keep.
Third, our audit logs are designed to support compliance investigations and consumer-rights fulfillment. Combined with a CCPA-compliant Data Processing Addendum, they can help the privacy team build the contractual and technical foundation needed to respond to a CPPA or OAG inquiry.
Read more about our compliance posture on the GDPR and CCPA compliance documentation and the API analytics for compliance risk reduction product page. Moesif offers a 14-day free trial; no credit card required.
For broader context on the distinction between regulatory and operational privacy, see the difference between data compliance and data privacy. For platform-level controls, see API governance best practices.
Frequently Asked Questions About CCPA Compliance
What is the difference between CCPA and CPRA?
The CCPA is the original 2018 statute, effective January 1, 2020. The CPRA is a 2020 ballot initiative that amended the CCPA, effective January 1, 2023, with enforcement beginning March 29, 2023. The CPRA created the California Privacy Protection Agency, added the Sensitive Personal Information category, added the rights to correct and to limit use of SPI, expanded opt-out to cover “sharing” for cross-context behavioral advertising, codified data minimization, and raised the resident/household-volume threshold from 50,000 to 100,000. In current practice, “the CCPA” refers to the CCPA as amended by the CPRA.
Does the CCPA apply to companies outside California?
Yes, if the company is a for-profit entity that does business in California, collects personal information of California consumers, and meets one of the three thresholds in §1798.140(d). There is no requirement that the business be located in California. A company headquartered in New York or in another country can be a CCPA-covered business.
What is the penalty for violating the CCPA?
Administrative and civil penalties under §§1798.155 and 1798.199.90 are up to $2,500 per violation or $7,500 per intentional violation or per violation involving a consumer under age 16. Penalties are counted on a per-consumer, per-violation basis. Statutory damages for security-failure breaches under §1798.150 are $100 to $750 per consumer per incident. Recent settlements range from $375,000 (DoorDash) to $12.75 million (General Motors).
How long do businesses have to respond to a CCPA consumer request?
Forty-five days from receipt of a verified request, with one 45-day extension permitted if necessary and disclosed in writing to the consumer (§1798.130(a)(2)). Opt-out and limit requests must be honored within 15 business days under CCPA Regs §7026 and §7027.
Is CCPA compliance enough to comply with GDPR?
No. The two frameworks overlap but are not equivalent. The GDPR requires a lawful basis for every processing activity, while the CCPA assumes processing is permitted unless the consumer opts out (or opts in, for SPI use beyond the permitted set). The GDPR’s data subject rights are broader (data portability and a stronger right of access). A program built for the CCPA covers some GDPR requirements but is not a substitute for GDPR-specific work.
Do API logs need to be deleted under a right-to-delete request?
Generally yes. Personal information in API logs is personal information for CCPA purposes, and a verified deletion request reaches it unless one of the nine exceptions in §1798.105(d) applies. Common applicable exceptions include security investigation and detection of malicious activity, complying with a legal obligation, and certain internal uses reasonably aligned with consumer expectations. Document which exception applies whenever logs are retained over a deletion request.
Legal disclaimer: This article is informational only and not legal advice. CCPA statutes, CPRA regulations, and CPPA rulemaking change frequently; verify any specific obligation against the current text of Cal. Civ. Code §1798.100 et seq., the published CCPA regulations, and live guidance from oag.ca.gov/privacy/ccpa and cppa.ca.gov before acting on it. Work with qualified privacy counsel on the application to your business.