🔮 What’s coming for Data Privacy in 2024? Download our definitive trend guide for exclusive insights
5 min read

Do I have to comply with CCPA?

Although the California Consumer Privacy Act (CCPA) is a state-level law, it affects businesses outside of the state—even international companies that operate in the United States. The CCPA applies to for-profit businesses that do business in California and fall under one of three main criteria for gross annual income and the use, storage, or sale of personal information.

If your business fits the description, you’ll have to comply with the regulations set by the CCPA. If you’re wondering: “does CCPA apply to government agencies?”, follow the link to see the answer.

What Is The CCPA?

The CCPA is a data privacy law that gives California consumers more control over their personal information or “information that identifies, relates to, or could reasonably be linked with” a California resident or their household.

The law protects personal information beyond basic details such as names and addresses; it also includes other non-commercial or private data, as well as any insights on the behavior or preferences of a consumer based on their online activity.

The CCPA Secures Four Basic Rights For California Consumers:

  • The right to know what personal information a business collects, uses, and shares
  • The right to delete their personal information collected by businesses (with some exceptions)
  • The right to opt-out of the sale of their personal information
  • The right to non-discrimination for exercising their rights under the CCPA

Businesses Under The CCPA

Not all businesses have to comply with the CCPA. The law makes the scope clear; it only applies to for-profit businesses that do business in California and meet at least one of the following:

  • Has a gross annual revenue of over $25 million
  • Buys, receives, or sells (or in any way makes available to another, e.g. renting, disseminating, etc.) the personal information of at least 50,000 California residents, devices, or households
  • Derives at least half of its annual revenue from the sale of California residents’ personal information

This means that even businesses that aren’t located in California but do business in the state, e.g. online shops, marketing agencies, etc., must comply with the CCPA. And while it isn’t generally strict with small businesses that don’t need or have the resources to collect, store, or sell personal information through third-party means, businesses are encouraged to adhere to the law’s regulations just to be safe.

How To Comply With The CCPA

The CCPA sets regulations that guide businesses to comply with the law. Here are some examples:

Add An Opt-Out Option

To afford consumers their “right to opt-out,” businesses must provide a clear and conspicuous “Do Not Sell Personal Information” button or link on their website homepages or their mobile application’s settings menu. Businesses are not required, however, to get opt-in cookie consent.

Update Privacy Policy

Businesses must review and update their privacy policies to include the details of the CCPA, describing the rights established by the law. It must also make the data practices of the business transparent so consumers know how their personal information is collected and used.

Provide Channels For Data Access Requests

Businesses must provide channels for consumers to request access and/or deletion of personal information collected from them. To this end, businesses have to create a procedure that confirms, verifies, and processes such requests promptly, on top of making sure that there is proper storage of copies of such requests.

Obtain Consent

Businesses aren’t allowed to sell the personal information of minors without affirmative consent to opt-in. So businesses must obtain opt-in consent through forms or links on their sites from consumers between the ages of thirteen and fifteen or from the parent or guardian of a consumer under thirteen years old before using their personal data.

Train Employees About CCPA

To ensure that the CCPA is followed, businesses must train their employees about the law and how its implementation may affect the operations of the business.

Review Agreements With Third Parties And Service Providers

Many businesses manage personal information through third-party sites and service providers. So business owners must take responsibility for making sure that agreements made in these partnerships are compliant with the CCPA.


Although not all businesses have to comply with the CCPA, all companies, especially those that deal with consumers in California, are encouraged to follow the law to avoid any hefty fines or lost business with the state.

Being transparent about your company’s data practices is also a good way to future-proof operations, especially since international markets are putting value on data privacy. It won’t be long until other states or countries adopt data privacy laws like the CCPA; it’s best to stay ahead.

November 2, 2021

Continue reading

Marketing, Privacy Tech
3 major privacy challenges for retail & ecommerce brands
Colleen Barry
7 min read
Marketing, Privacy Tech
Navigating a cookieless future with Google Privacy Sandbox
Colleen Barry
7 min read
Ketch at IAPP Global Privacy Summit: the inside scoop 👀
Colleen Barry
3 min read

Get started with Ketch

Simplifying your privacy program has never been easier. Begin your journey to simplified privacy operations and granular data control across the enterprise.