CCPA/CPRA Compliance Requirements for 2026

Rule

For-profit businesses meeting California thresholds must comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). As of January 1, 2026, new regulations require visible opt-out confirmation signals, expanded sensitive personal information protections (now including data of consumers under 16), mandatory cybersecurity audits for businesses posing "significant risk" to consumers, and risk assessments for automated decision-making technology (ADMT). Businesses must honor consumer rights to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information. [src1, src2]

Evidence

The CCPA applies to for-profit businesses with annual gross revenue exceeding $26,625,000 (2025-2026 adjusted threshold), or those processing personal information of 100,000+ California residents/households, or deriving 50%+ of annual revenue from selling or sharing personal information. Fines reach $2,500 per unintentional violation and $7,500 per intentional violation, with no cap on aggregate penalties. The January 2026 regulations require businesses to display visible "Opt-Out Request Honored" confirmations. Risk assessment requirements took effect January 1, 2026, with the first attestation submission to the CPPA due by April 1, 2028. ADMT compliance is required by January 1, 2027 for existing uses. [src1, src2, src3]

Key Properties

• Penalty (unintentional violation): $2,500 per violation (2026 adjusted: up to $2,663)
• Penalty (intentional violation): $7,500 per violation (2026 adjusted: up to $7,988)
• Revenue threshold: $26,625,000 annual gross revenue (2025-2026 adjusted)
• Data volume threshold: 100,000+ California residents/households
• Enforcement body: California Privacy Protection Agency (CPPA), with concurrent jurisdiction by the California Attorney General
• ADMT compliance deadline: January 1, 2027 for existing uses of automated decision-making technology

Conditions

• Applies when: For-profit businesses operating in California that exceed any one of the three thresholds (revenue, data volume, or revenue-from-selling); applies to all personal information of California residents regardless of where the business is headquartered
• Does NOT apply when: Non-profit organizations, government agencies, businesses below all three thresholds, or data covered by sector-specific federal laws (HIPAA, GLBA, FCRA) which are partially exempt
• Confidence degrades when: CPPA issues new enforcement guidance or rulemaking, ADMT regulations finalize with changes from draft, or the revenue threshold adjusts for inflation in future years

Constraints

• Jurisdiction: applies only to personal information of California residents; other US states have separate privacy laws [src1]
• Temporal: ADMT regulations effective January 1, 2027; risk assessment attestations due April 1, 2028; revenue threshold adjusts annually for inflation [src3]
• Entity threshold: for-profit businesses only; must exceed at least one of three thresholds [src1]
• Exemptions: HIPAA-covered data, GLBA-covered financial data, and FCRA-covered data are partially exempt [src4]
• Interaction: does not preempt stricter state or federal laws; Tractor Supply enforcement ($1.35M, Sep 2025) highlights vendor contract compliance [src3]

Rationale

The CPRA (Proposition 24, passed November 2020) amended the CCPA to shift from a primarily opt-out, disclosure-focused regime to one with affirmative obligations around data minimization, purpose limitation, and algorithmic transparency. The creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body -- the first of its kind in the US -- signals California's intent to build GDPR-level regulatory capacity. Per-violation fines without an aggregate cap create significant exposure for businesses with large California user bases. [src1, src4]

Framework Selection Decision Tree

START -- User needs US privacy/data protection compliance guidance
|-- Which state/jurisdiction?
|   |-- California residents --> CCPA/CPRA Summary <-- YOU ARE HERE
|   |-- EU/EEA residents --> GDPR Summary
|   |-- Multiple US states --> Check each state law separately
|   +-- Federal sector-specific --> Check HIPAA, GLBA, FCRA
|-- Is the business for-profit?
|   |-- YES --> Check thresholds below
|   +-- NO --> CCPA does not apply (non-profits and government exempt)
+-- Does the business meet any threshold?
    |-- Revenue >$26.625M --> CCPA applies
    |-- 100K+ CA residents processed --> CCPA applies
    |-- 50%+ revenue from selling/sharing --> CCPA applies
    +-- None met --> CCPA does not apply

Application Checklist

Step 1: Determine applicability

• Inputs needed: Business type, annual gross revenue, number of California residents whose data is processed, percentage of revenue from selling/sharing
• Output: Confirmed CCPA applicability or exemption
• Constraint: All three thresholds must be checked -- meeting any single one triggers full compliance [src1]

Step 2: Implement consumer rights mechanisms

• Inputs needed: Inventory of personal information collected, processing purposes, third-party sharing/selling activities
• Output: "Do Not Sell or Share" link, opt-out confirmation signals, privacy policy, request handling mechanisms
• Constraint: Visible "Opt-Out Request Honored" confirmations mandatory since January 2026 [src2]

Step 3: Update vendor agreements and conduct risk assessments

• Inputs needed: List of service providers and contractors, data sharing agreements, ADMT usage
• Output: Updated service provider agreements, completed risk assessments
• Constraint: Vendor agreements must include subcontractor flow-down provisions and opt-out honor requirements [src4]

Step 4: Prepare for ADMT and cybersecurity obligations

• Inputs needed: Inventory of automated decision-making technology, cybersecurity program documentation
• Output: ADMT compliance plan (deadline: Jan 2027), cybersecurity audit schedule, risk assessment attestation plan (due Apr 2028)
• Constraint: Escalate to legal counsel for ADMT pre-deployment assessments [src3]

Anti-Patterns

Wrong: Assuming CCPA only applies to California-based businesses

Businesses headquartered outside California frequently assume the law does not reach them. CCPA applies to any for-profit meeting thresholds that processes California residents' data, regardless of location. [src5]

Correct: Apply CCPA based on data processing, not business location

Determine applicability by checking California resident data processing and thresholds. Headquarters location is irrelevant. [src1]

Wrong: Treating "sharing" the same as pre-CPRA "selling"

Under CPRA, "sharing" for cross-context behavioral advertising is separately regulated. Many businesses miss this expanded scope that pulled hundreds of thousands of companies into compliance. [src3]

Correct: Audit all data flows for both "sale" and "sharing" under CPRA definitions

Map every third-party data flow including ad-tech and analytics. Any cross-context behavioral advertising constitutes "sharing" requiring opt-out mechanisms. [src1]

Wrong: Silent opt-out processing without visible confirmation

Before January 2026, silent processing sufficed. The new regulations mandate visible confirmation signals. Failure to display confirmation is a per-violation offense. [src2]

Correct: Display visible "Opt-Out Request Honored" confirmation

Implement toggles, badges, or messages that clearly confirm to consumers their opt-out has been processed and honored. [src2]

Counter-Arguments

• The threshold-based applicability creates a compliance cliff where businesses just below thresholds have no obligations, while those just above face full compliance costs. [src5]
• CCPA's sector-specific exemptions (HIPAA, GLBA) create complex overlap analysis that increases legal costs without clear consumer benefit. [src4]
• The per-violation penalty structure without a reasonable cap can lead to disproportionate exposure for technical violations affecting millions of users. [src3]

Common Misconceptions

Misconception: CCPA is essentially the same as GDPR, so GDPR compliance means CCPA compliance.
Reality: GDPR is opt-in requiring a legal basis; CCPA/CPRA is opt-out with Do Not Sell/Share requirements. Complying with one does not satisfy the other. [src4]

Misconception: CCPA only applies to large tech companies.
Reality: Any for-profit meeting any single threshold is covered. CPRA's "sharing" definition pulled in mid-size e-commerce and media businesses. [src3]

Misconception: The revenue threshold is based on California revenue only.
Reality: The $26.625M threshold is based on annual gross revenue from all sources worldwide, not just California operations. [src1]

Misconception: CCPA does not have a private right of action.
Reality: Consumers have a private right of action for data breaches resulting from failure to implement reasonable security measures (Cal. Civ. Code 1798.150). [src1]

Comparison with Similar Rules

When This Matters

Fetch this when a user asks about California privacy law, CCPA or CPRA compliance requirements, consumer data rights for California residents, or whether a business meets CCPA applicability thresholds.