What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a state privacy law, effective January 1, 2020, that grants California residents specific rights over how businesses collect, sell, and use their personal information. For marketers and advertisers, it directly restricts data-driven targeting, third-party data sales, and behavioral tracking unless consumers are informed and given a meaningful opt-out.
Who Must Comply
CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds:
- Annual gross revenues exceeding $25 million
- Buying, selling, receiving, or sharing for commercial purposes the personal information of 100,000 or more consumers or households per year
- Deriving 50% or more of annual revenues from selling consumers’ personal information
A business does not need to be headquartered in California to fall under the law. Any company targeting California residents through digital advertising, email campaigns, or data purchases that crosses these thresholds is subject to compliance obligations.
What Counts as Personal Information
CCPA defines personal information broadly, covering far more than names and email addresses. Under the law, personal information includes:
| Category | Marketing Relevance |
|---|---|
| Identifiers (IP address, cookie IDs, device IDs) | Affects programmatic advertising and retargeting |
| Commercial information (purchase history, browsing records) | Restricts CRM segmentation and loyalty data use |
| Internet or network activity (browsing history, search history) | Impacts behavioral targeting and lookalike audiences |
| Geolocation data | Limits location-based mobile advertising |
| Inferences drawn from other data to create profiles | Restricts predictive scoring and audience modeling |
The Four Core Consumer Rights
California residents hold four enforceable rights under CCPA that directly affect marketing operations:
- Right to know: Consumers can request disclosure of what personal information a business has collected, the sources, the business purpose, and any third parties with whom it has been shared.
- Right to delete: Consumers can request deletion of their personal information, with limited exceptions for completing transactions or complying with legal obligations.
- Right to opt out of sale: Consumers can direct a business to stop selling their personal information to third parties. This is the provision most directly tied to digital advertising ecosystems.
- Right to non-discrimination: Businesses cannot deny services, charge different prices, or provide a degraded experience to consumers who exercise their CCPA rights.
The 2020 California Privacy Rights Act (CPRA), which amended CCPA effective January 1, 2023, added a fifth right: the right to correct inaccurate personal information. CPRA also established the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, separate from the Attorney General’s office.
The “Sale” of Data and What It Means for Advertisers
CCPA’s definition of “sale” is intentionally broad. Sharing consumer data with third parties for value, including non-cash arrangements like data exchange agreements, can qualify as a sale. This has significant implications for how advertisers share audience segments with demand-side platforms (DSPs), data brokers, and data management platforms.
Businesses that sell or share personal information for cross-context behavioral advertising must display a “Do Not Sell or Share My Personal Information” link on their homepage. Under the CPRA amendments, “sharing” for targeted advertising now counts as selling, closing a loophole that previously exempted many ad tech data flows.
Penalties and Enforcement
The California Attorney General can seek civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Because CCPA calculates penalties per consumer record, exposure compounds rapidly at scale.
In 2022, Sephora became the subject of the first major CCPA enforcement action when California Attorney General Rob Bonta announced a $1.2 million settlement. The violation centered on two failures: Sephora did not honor opt-out requests transmitted through the Global Privacy Control (GPC) signal, and it did not disclose that it sold consumer data through tracking pixels and advertising technologies. The case established that GPC signals carry legal weight under CCPA and that standard ad tech integrations can constitute data sales.
CCPA vs. GDPR: Key Differences for Marketers
GDPR operates on an opt-in consent model, requiring explicit permission before processing personal data for marketing purposes. CCPA uses an opt-out model, permitting data collection and use unless a consumer actively exercises their right to opt out of sales. This distinction makes CCPA compliance generally less disruptive to existing marketing workflows than GDPR. That gap has narrowed under CPRA, however, which added opt-in consent requirements for sensitive personal information.
Impact on First-Party and Third-Party Data Strategies
CCPA accelerates the shift from third-party data toward first-party data strategies. Third-party data acquired through brokers or ad exchanges carries compliance risk if the original collection did not meet CCPA standards. First-party data collected directly from consumers with clear disclosures and accessible opt-out mechanisms is considerably lower risk.
Brands that build direct relationships through owned channels, consent-based email programs, and loyalty platforms are better positioned under CCPA. Those relying on purchased audience data or behavioral tracking across third-party properties carry more compliance risk.
Compliance Checklist for Marketing Teams
- Update privacy policy to include CCPA-required disclosures (categories of data collected, purposes, third parties)
- Add a “Do Not Sell or Share My Personal Information” link to the homepage and privacy policy
- Honor Global Privacy Control (GPC) signals as valid opt-out requests
- Audit data vendor contracts to identify and document all third-party data sharing
- Implement a process to respond to consumer data requests within 45 days
- Train marketing operations and CRM teams on request handling and deletion workflows
- Review ad tech integrations (pixels, tags, cookies) to determine whether they constitute data sales under CCPA
Calculating Compliance Exposure
A rough estimate of maximum penalty exposure for a single campaign-level violation follows this structure:
Max Penalty = Number of Affected California Consumers × $7,500 (intentional) or $2,500 (unintentional)
For a mid-size brand with 50,000 California consumers in a non-compliant data segment, even an unintentional violation could expose the business to $125 million in statutory penalties. Actual enforcement settlements are typically far lower, but that ceiling shapes how legal and compliance teams assess risk.
Frequently Asked Questions About CCPA
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a state privacy law that took effect January 1, 2020, giving California residents the right to know what personal data businesses collect about them, request its deletion, and opt out of its sale. It applies to for-profit businesses above certain revenue or data-volume thresholds and directly affects digital advertising, audience targeting, and data-sharing programs.
Does CCPA apply to businesses outside California?
Yes. CCPA applies to any for-profit business that targets California residents and meets at least one compliance threshold, regardless of where the company is based. A business headquartered in New York or London that collects data from California consumers through a website or ad platform can still be subject to CCPA.
What is the “Do Not Sell or Share My Personal Information” requirement?
Under CCPA, businesses that sell or share consumer data for cross-context behavioral advertising must display a “Do Not Sell or Share My Personal Information” link on their homepage. They must also honor opt-out signals from the Global Privacy Control (GPC), a browser-level setting that communicates a consumer’s opt-out preference automatically.
What are the penalties for violating CCPA?
The California Attorney General can seek $2,500 per unintentional violation and $7,500 per intentional violation, calculated per consumer record. The Sephora enforcement action in 2022, which resulted in a $1.2 million settlement, remains the most cited example of CCPA enforcement against a major brand.
How is CCPA different from GDPR?
GDPR requires businesses to obtain explicit consent before collecting and using personal data for marketing. CCPA uses an opt-out model: data collection is permitted by default, and consumers must actively request that their data not be sold. CCPA is generally less restrictive than GDPR for routine marketing operations, though CPRA’s 2023 amendments added opt-in requirements for sensitive data categories, narrowing that gap.
Key Takeaway
CCPA is less a technical privacy regulation than a structural constraint on the data economy that powers digital marketing. Marketers who treat it as a legal checkbox risk both enforcement exposure and consumer trust erosion. Those who use it as a forcing function to build cleaner, consent-based data strategies tend to find their audience quality improves even as raw data volume decreases.
