What Is the CCPA? A Plain-English Guide for Small Businesses
The California Consumer Privacy Act explained in simple terms. What it requires, who it applies to, and how to comply without a lawyer.
2026-02-20
What Is the CCPA?
The California Consumer Privacy Act (CCPA), amended by the CPRA in 2023, is California's comprehensive privacy law. It gives California residents specific rights over their personal data and imposes obligations on businesses that collect it.
Even if your business isn't based in California, the CCPA likely applies to you if you have California customers.
Who Does the CCPA Apply To?
The CCPA applies to for-profit businesses that collect California residents' personal information and meet any one of these thresholds:
- Annual gross revenue over $25 million
- Buy, sell, or share the personal information of 100,000+ consumers or households per year
- Derive 50% or more of annual revenue from selling or sharing personal information
Important: If you use Google Analytics, Facebook Pixel, or similar tracking tools, you may be "sharing" personal information under the CCPA's broad definition — even if you never sell a mailing list.
What Rights Do Consumers Have?
Under the CCPA, California residents can:
- Know what personal data you collect and why
- Delete their personal data from your systems
- Opt out of the sale or sharing of their data
- Correct inaccurate personal information
- Limit the use of sensitive personal information
- Be free from discrimination: you can't penalize them for exercising these rights
What Do You Need to Do?
At minimum, most e-commerce businesses need:
- A privacy policy that discloses what data you collect, why, and how consumers can exercise their rights
- A "Do Not Sell or Share My Personal Information" link on your website
- A way to process consumer requests (delete, access, correct) within 45 days
- A cookie consent mechanism if you use tracking technologies
What Are the Penalties?
- $2,500 per unintentional violation
- $7,500 per intentional violation
- Private lawsuits are allowed for data breaches (statutory damages of $100–$750 per consumer per incident)
The California Attorney General and the California Privacy Protection Agency (CPPA) actively enforce the law.
How ClearConsent Helps
ClearConsent scans your website and identifies exactly what's missing. We detect tracking scripts, cookies, privacy policy gaps, and missing consent mechanisms — then generate the fixes for you. A privacy policy, cookie banner, and compliance roadmap, all tailored to your site's actual data practices.