CCPA/CPRA Compliance Requirements for 2026
What are the CCPA/CPRA compliance requirements for 2026?
Summary
For-profit businesses meeting any California threshold must comply with the CCPA as amended by the CPRA. The CPPA's final rules (OAL-approved September 23, 2025) took effect January 1, 2026, adding visible opt-out confirmations, expanded sensitive-data protections, risk assessments, automated decision-making technology (ADMT) duties, and phased mandatory cybersecurity audits. Penalties run $2,500 per unintentional and $7,500 per intentional violation, counted per affected consumer with no aggregate cap. [src1, src6]
Rule
For-profit businesses meeting California thresholds must comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). As of January 1, 2026, new regulations require visible opt-out confirmation signals, expanded sensitive personal information protections (now including data of consumers under 16), mandatory cybersecurity audits for businesses posing "significant risk" to consumers, and risk assessments for automated decision-making technology (ADMT). Businesses must honor consumer rights to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information. [src1, src2]
Evidence
The CCPA applies to for-profit businesses with annual gross revenue exceeding $26,625,000 (2025-2026 adjusted threshold), or those processing personal information of 100,000+ California residents/households, or deriving 50%+ of annual revenue from selling or sharing personal information. Fines reach $2,500 per unintentional violation and $7,500 per intentional violation, counted per affected consumer with no cap on aggregate penalties.

The CPPA's final ADMT/cybersecurity/risk-assessment rules were OAL-approved September 23, 2025 and took effect January 1, 2026, with deadlines phasing in through 2030. Risk-assessment compliance began January 1, 2026; initial assessments of pre-existing processing are due December 31, 2027, with attestation plus a summary submitted to the CPPA by April 1, 2028. ADMT obligations for "significant decisions" (finance, housing, education, employment, health care -- not advertising) begin January 1, 2027, with pre-use notice, opt-out, and access duties required from April 1, 2027. Mandatory cybersecurity audits phase in by 2026 revenue band: April 1, 2028 (>$100M), April 1, 2029 ($50-100M), and April 1, 2030 (<$50M).

2025 enforcement included Tractor Supply ($1.35M), a health-website publisher ($1.55M), an automaker ($632,500), and Todd Snyder ($345,178). [src1, src6, src7]
Key Properties
- Penalty (unintentional violation): $2,500 per violation (2026 adjusted: up to $2,663)
- Penalty (intentional violation): $7,500 per violation (2026 adjusted: up to $7,988)
- Revenue threshold: $26,625,000 annual gross revenue (2025-2026 adjusted)
- Data volume threshold: 100,000+ California residents/households
- Enforcement body: California Privacy Protection Agency (CPPA), with concurrent jurisdiction by the California Attorney General
- ADMT compliance deadline: January 1, 2027 for significant-decision uses; pre-use notice, opt-out, and access duties from April 1, 2027
- Cybersecurity audit deadlines (by 2026 revenue): April 1, 2028 (>$100M), April 1, 2029 ($50-100M), April 1, 2030 (<$50M)
- Risk-assessment attestation: due to the CPPA by April 1, 2028 (initial assessments of existing processing by December 31, 2027)
Conditions
- Applies when: For-profit businesses operating in California that exceed any one of the three thresholds (revenue, data volume, or revenue-from-selling); applies to all personal information of California residents regardless of where the business is headquartered
- Does NOT apply when: The entity is a non-profit organization or government agency, or a business below all three thresholds; data covered by sector-specific federal laws (HIPAA, GLBA, FCRA) is only partially exempt, so the rest of the business's processing remains in scope
- Confidence degrades when: CPPA issues new enforcement guidance or rulemaking, ADMT regulations finalize with changes from draft, or the revenue threshold adjusts for inflation in future years
Constraints
- Jurisdiction: applies only to personal information of California residents; other US states have separate privacy laws [src1]
- Temporal: ADMT significant-decision duties begin April 1, 2027; risk-assessment attestation due April 1, 2028; cybersecurity audits phase in April 1, 2028/2029/2030 by revenue band; revenue threshold adjusts annually for inflation [src6]
- Entity threshold: for-profit businesses only; must exceed at least one of three thresholds [src1]
- Exemptions: HIPAA-covered data, GLBA-covered financial data, and FCRA-covered data are partially exempt [src4]
- Interaction: does not preempt stricter state or federal laws; Tractor Supply enforcement ($1.35M, Sep 2025) highlights vendor contract compliance [src3]
Rationale
The CPRA (Proposition 24, passed November 2020) amended the CCPA to shift from a primarily opt-out, disclosure-focused regime to one with affirmative obligations around data minimization, purpose limitation, and algorithmic transparency. The creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body -- the first of its kind in the US -- signals California's intent to build GDPR-level regulatory capacity. Per-violation fines without an aggregate cap create significant exposure for businesses with large California user bases. [src1, src4]
Framework Selection Decision Tree
```text
START -- User needs US privacy/data protection compliance guidance
|-- Which state/jurisdiction?
|   |-- California residents --> CCPA/CPRA Summary <-- YOU ARE HERE
|   |-- EU/EEA residents --> GDPR Summary
|   |-- Multiple US states --> Check each state law separately
|   +-- Federal sector-specific --> Check HIPAA, GLBA, FCRA
|-- Is the business for-profit?
|   |-- YES --> Check thresholds below
|   +-- NO --> CCPA does not apply (non-profits and government exempt)
+-- Does the business meet any threshold?
    |-- Revenue >$26.625M --> CCPA applies
    |-- 100K+ CA residents processed --> CCPA applies
    |-- 50%+ revenue from selling/sharing --> CCPA applies
    +-- None met --> CCPA does not apply
```
Decision Logic
If the business is a non-profit, government agency, or below all three thresholds
--> CCPA/CPRA does not apply; no consumer-rights mechanisms or audits are required (re-check yearly as the revenue threshold adjusts for inflation). [src1, src7]
If the business meets any threshold and shares data with ad-tech or analytics partners
--> Treat that as "sharing" for cross-context behavioral advertising; deploy a "Do Not Sell or Share" link plus a visible "Opt-Out Request Honored" confirmation. [src1, src5]
If the business uses ADMT for significant decisions (finance, housing, education, employment, health care)
--> Plan for the April 1, 2027 duties now: pre-use notice, opt-out, human-review/access, and an ADMT risk assessment; advertising-only ADMT is out of scope. [src6]
If 2026 gross revenue exceeds $100M (or the business poses "significant risk")
--> Schedule the first independent cybersecurity audit for the April 1, 2028 deadline; $50-100M bands target April 1, 2029 and sub-$50M target April 1, 2030. [src6]
If the business already processes sensitive data, sells/shares data, or runs employee surveillance
--> Begin written risk assessments immediately; complete assessments of pre-existing processing by December 31, 2027 and file the CPPA attestation by April 1, 2028. [src1, src6]
If the data is covered by HIPAA, GLBA, or FCRA
--> Run a sector-specific overlap analysis before assuming exemption; only the covered data is partially exempt, not the whole business. [src4]
If the business is headquartered outside California but processes California residents' data
--> CCPA still applies; determine obligations by data processing and thresholds, not by office location. [src1]
Application Checklist
Step 1: Determine applicability
- Inputs needed: Business type, annual gross revenue, number of California residents whose data is processed, percentage of revenue from selling/sharing
- Output: Confirmed CCPA applicability or exemption
- Constraint: All three thresholds must be checked -- meeting any single one triggers full compliance [src1]
Step 2: Implement consumer rights mechanisms
- Inputs needed: Inventory of personal information collected, processing purposes, third-party sharing/selling activities
- Output: "Do Not Sell or Share" link, opt-out confirmation signals, privacy policy, request handling mechanisms
- Constraint: Visible "Opt-Out Request Honored" confirmations mandatory since January 2026 [src2]
Step 3: Update vendor agreements and conduct risk assessments
- Inputs needed: List of service providers and contractors, data sharing agreements, ADMT usage
- Output: Updated service provider agreements, completed risk assessments
- Constraint: Vendor agreements must include subcontractor flow-down provisions and opt-out honor requirements [src4]
Step 4: Prepare for ADMT and cybersecurity obligations
- Inputs needed: Inventory of automated decision-making technology, cybersecurity program documentation, 2026 gross revenue band
- Output: ADMT compliance plan (significant-decision duties from April 1, 2027), cybersecurity audit schedule (April 1, 2028 for >$100M; 2029 for $50-100M; 2030 for <$50M), risk assessment attestation plan (due April 1, 2028)
- Constraint: Escalate to legal counsel for ADMT pre-deployment assessments [src3]
Anti-Patterns
Wrong: Assuming CCPA only applies to California-based businesses
Businesses headquartered outside California frequently assume the law does not reach them. CCPA applies to any for-profit meeting thresholds that processes California residents' data, regardless of location. [src5]
Correct: Apply CCPA based on data processing, not business location
Determine applicability by checking California resident data processing and thresholds. Headquarters location is irrelevant. [src1]
Wrong: Treating "sharing" the same as pre-CPRA "selling"
Under CPRA, "sharing" for cross-context behavioral advertising is separately regulated. Many businesses miss this expanded scope, which pulled hundreds of thousands of companies into compliance. [src3]
Correct: Audit all data flows for both "sale" and "sharing" under CPRA definitions
Map every third-party data flow including ad-tech and analytics. Any cross-context behavioral advertising constitutes "sharing" requiring opt-out mechanisms. [src1]
Wrong: Silent opt-out processing without visible confirmation
Before January 2026, silent processing sufficed. The new regulations mandate visible confirmation signals. Failure to display confirmation is a per-violation offense. [src2]
Correct: Display visible "Opt-Out Request Honored" confirmation
Implement toggles, badges, or messages that clearly confirm to consumers their opt-out has been processed and honored. [src2]
Counter-Arguments
- The threshold-based applicability creates a compliance cliff where businesses just below thresholds have no obligations, while those just above face full compliance costs. [src5]
- CCPA's sector-specific exemptions (HIPAA, GLBA) create complex overlap analysis that increases legal costs without clear consumer benefit. [src4]
- The per-violation penalty structure without a reasonable cap can lead to disproportionate exposure for technical violations affecting millions of users. [src3]
Common Misconceptions
Misconception: CCPA is essentially the same as GDPR, so GDPR compliance means CCPA compliance.
Reality: GDPR is an opt-in regime that requires a legal basis for processing; CCPA/CPRA is an opt-out regime built around Do Not Sell/Share requirements. Complying with one does not satisfy the other. [src4]
Misconception: CCPA only applies to large tech companies.
Reality: Any for-profit meeting any single threshold is covered. CPRA's "sharing" definition pulled in mid-size e-commerce and media businesses. [src3]
Misconception: The revenue threshold is based on California revenue only.
Reality: The $26.625M threshold is based on annual gross revenue from all sources worldwide, not just California operations. [src1]
Misconception: CCPA does not have a private right of action.
Reality: Consumers have a private right of action for data breaches resulting from failure to implement reasonable security measures (Cal. Civ. Code 1798.150). [src1]
Comparison with Similar Rules
| Rule/Framework | Key Difference | When to Use |
|---|---|---|
| CCPA/CPRA (California) | Opt-out model; threshold-based; per-violation fines | For-profit businesses processing CA resident data above thresholds |
| GDPR (EU) | Opt-in model; no size threshold; up to 4% global turnover | Processing EU/EEA resident data |
| LGPD (Brazil) | 10 legal bases; BRL 50M cap; ANPD enforcement | Processing Brazilian resident data |
| APPI (Japan) | No size threshold; criminal penalties; PPC enforcement | Processing Japanese resident data |
| US state laws (CO, CT, VA) | Varying thresholds and consumer rights | Processing residents' data in those states |
When This Matters
Fetch this when a user asks about California privacy law, CCPA or CPRA compliance requirements, consumer data rights for California residents, or whether a business meets CCPA applicability thresholds.