The California Consumer Privacy Act: What It Requires, What Changed, and What's Coming in 2026
Your VP of Sales just forwarded a post about Tractor Supply getting hit with a $1.35M fine - the largest the California Privacy Protection Agency has ever issued. The Slack thread is already spiraling: "Could this happen to us?" Most California Consumer Privacy Act explainers still describe how the law worked when it first took effect in 2020. But the CCPA has evolved. The 2024 amendments, new enforcement patterns, and regulations taking effect January 1, 2026 have rewritten the compliance playbook.
What You Need (Quick Version)
Am I covered? You're subject to the CCPA if your for-profit business does business in California and meets any one of these:

- Annual gross revenue exceeds $25M
- You buy, sell, or share personal information of 100,000+ California consumers or households
- You derive 50%+ of annual revenue from selling or sharing personal information
Biggest change coming next: The CPPA adopted regulations on automated decision-making technology (ADMT), cybersecurity audits, and risk assessments on July 24, 2025, taking effect January 1, 2026. If you meet the audit triggers - like $25M+ revenue plus high-volume PI/SPI processing, or 50%+ revenue from selling/sharing PI - you'll have new audit obligations.
What regulators actually punish: Broken opt-out flows, ignored Global Privacy Control signals, and missing vendor contracts - broken systems, not missing documents. Jump to the enforcement section for the cases that matter.
What Is the CCPA?
The California Consumer Privacy Act started as AB-375, signed into law in 2018 and effective January 1, 2020. It was the first comprehensive consumer privacy law in the United States, giving California residents rights over their personal information that no federal law provided.
Then it evolved. In November 2020, California voters passed Proposition 24 - the California Privacy Rights Act (CPRA) - which significantly amended and expanded the original statute. The CPRA's substantive provisions took effect January 1, 2023. It added new consumer rights for correction and limiting sensitive personal information use, tightened business obligations, and created a dedicated enforcement body: the California Privacy Protection Agency (CPPA).
The CCPA and CPRA aren't two separate laws anymore. The CPRA amended the CCPA. When people say "CCPA" today, they mean the combined, amended statute. California now has two enforcement bodies - the Attorney General, who brought the original enforcement actions, and the CPPA, which handles rulemaking and its own investigations. By the end of 2025, 20 states have consumer privacy laws in force, but California's remains the most aggressive and the most litigated.
If your CCPA knowledge comes from a 2020 explainer, you're operating on a different law.
Who Must Comply
The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds. You don't need to be headquartered in California - "doing business in" is interpreted broadly.
Threshold 1: Annual gross revenue exceeds $25 million (adjusted periodically).
Threshold 2: You buy, receive, sell, or share the personal information of 100,000 or more California consumers or households annually.
Threshold 3: You derive 50% or more of annual revenue from selling or sharing consumers' personal information.
Meet any single threshold and you're in. Nonprofits and government entities are generally exempt, as are businesses covered by sector-specific federal laws like HIPAA for the data those laws already regulate.
The B2B Exemption That No Longer Exists
Here's the thing that catches B2B companies off guard: if you're collecting prospect data on California residents - names, work emails, company information, browsing behavior on your site - that's personal information under the CCPA. The B2B exemption that existed in early drafts was temporary and expired on January 1, 2023, when the CPRA took effect. If your company meets the thresholds, your sales prospecting data is covered. There's no carve-out for business-to-business data anymore.
The CA Attorney General's CCPA page lays out these thresholds in consumer-friendly language, but the compliance implications run deeper than the FAQ suggests.
Consumer Rights Under the CCPA
The law grants California residents core rights. Response timelines are strict - miss them and you're creating enforcement risk.

| Right | What It Means | Deadline | Added by CPRA? |
|---|---|---|---|
| Know | What PI you collect, use, share | 45 days (+ 45 ext.) | No |
| Delete | Remove their PI (exceptions apply) | 45 days (+ 45 ext.) | No |
| Opt-out of sale/sharing | Stop selling or sharing their PI | - | Expanded |
| Correct | Fix inaccurate PI | 45 days (+ 45 ext.) | Yes |
| Limit SPI use | Restrict sensitive PI processing | 45 days (+ 45 ext.) | Yes |
| Non-discrimination | No penalty for exercising rights | Ongoing | No |
| Portability | Receive PI in portable, machine-readable format | 45 days (+ 45 ext.) | No |
The opt-out right now explicitly covers "sharing" - not just "selling" - which captures cross-context behavioral advertising. That distinction is central to modern adtech enforcement.
Opt-Out Requirements
Global Privacy Control (GPC) is a browser-level signal that functions as a valid opt-out request under the CCPA. Businesses must honor it. Ignoring GPC has been a core violation in multiple enforcement actions.
The opt-out requirements go beyond posting a link. Your systems must actually cease transmitting data to third parties once a consumer opts out, and you must treat GPC signals as equivalent to a manual opt-out request. If your consent management platform doesn't recognize GPC signals, you have a compliance gap right now. Businesses that process sensitive personal information must also support requests to limit the use and disclosure of that SPI, including through a "Limit the Use of My Sensitive Personal Information" mechanism.
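The gate below is an added example, not code from the original post or from any CMP vendor. It treats the GPC signal as equivalent to a manual opt-out and withholds the tags that sell or share PI. `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the real GPC surfaces; the tag inventory, the `storedChoice` values, and all function names are assumptions for the demo.

```javascript
// Added example: a client-side consent gate that honors Global Privacy Control.
// Real GPC surfaces: navigator.globalPrivacyControl (browser) and the Sec-GPC
// request header (server). Everything else here is a constructed assumption.

const THIRD_PARTY_TAGS = [ // constructed sample tag inventory
  { id: 'ads-pixel', src: 'https://ads.example/pixel.js', sharesPi: true },
  { id: 'analytics', src: 'https://stats.example/tag.js', sharesPi: true },
  { id: 'fonts',     src: 'https://fonts.example/load.js', sharesPi: false },
];

// Browser side: the signal is exposed as navigator.globalPrivacyControl === true.
function readGpc(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the same signal arrives as the "Sec-GPC: 1" request header.
// Accepts a plain header object keyed in either case.
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return String(v).trim() === '1';
}

// Resolve the opt-out decision. A GPC signal counts exactly like a manual opt-out;
// a stored manual opt-out is never undone because GPC happens to be absent.
// storedChoice is an assumed value: 'opt-out', 'allow', or undefined (no choice yet).
function resolveOptOut({ gpc, storedChoice }) {
  if (storedChoice === 'opt-out') return { optedOut: true, source: 'manual' };
  if (gpc) return { optedOut: true, source: 'gpc' };
  return { optedOut: false, source: storedChoice === 'allow' ? 'manual' : 'none' };
}

// Only tags that do not sell or share PI may load once the consumer is opted out.
// Returns the ids of the tags permitted under the decision.
function allowedTags(decision, tags = THIRD_PARTY_TAGS) {
  return tags.filter(t => !(decision.optedOut && t.sharesPi)).map(t => t.id);
}

// Inject <script> elements for the permitted tags only; returns the injected ids.
// Withheld tags are never appended, so no request to them is ever made.
function loadTags(doc, decision, tags = THIRD_PARTY_TAGS) {
  const ids = allowedTags(decision, tags);
  for (const t of tags) {
    if (!ids.includes(t.id)) continue;
    const s = doc.createElement('script');
    s.src = t.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return ids;
}

// Browser usage (runs only where a DOM exists): gate every third-party tag.
if (typeof document !== 'undefined') {
  const storedChoice = undefined; // in practice, read the consumer's saved choice
  loadTags(document, resolveOptOut({ gpc: readGpc(), storedChoice }));
}
```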
What Counts as Personal Information
The Broad Definition
The CCPA defines personal information expansively: any information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." That's intentionally broad.

Categories include identifiers like name, email, and IP address; commercial information such as purchase history; biometric data; internet activity including browsing and search history; geolocation; professional or employment information; education records; and inferences drawn from any of the above to create a consumer profile. Even data tied to a household address or device can qualify - you don't need to identify an individual by name.
Sensitive Personal Information
SPI gets its own, stricter treatment. The full list per the AG's guidance: Social Security numbers, government IDs, account credentials, precise geolocation, contents of mail/email/text messages, genetic data, biometric data used for identification, health information, sex life or sexual orientation, race or ethnicity, religious or philosophical beliefs, and union membership.
As of January 1, 2025, there's a new addition: neural data. Governor Newsom signed AB 1008 and SB 1223 on September 28, 2024, adding "consumer's neural data" to the SPI categories. Neural data means information generated by measuring the activity of a consumer's central or peripheral nervous system - critically, it must be directly measured, not inferred from non-neural information. Consumer neurotech is already in market: meditation headbands measuring EEG, gaming controllers reading EMG signals, sleep trackers monitoring neural activity. Any business collecting this data from California residents now has SPI obligations.
The AI System Clarification
The same 2024 amendments clarified something compliance teams had been debating for years: personal information can exist in physical, digital, and abstract digital formats. That includes compressed files, encrypted files, metadata, and - the big one - AI systems capable of outputting personal information.
If you've trained a model on consumer data and that model can regenerate or output personal information, the data inside that model is still PI under the statute. This isn't a theoretical edge case anymore. It's statutory text.
Business Compliance Obligations
Privacy Notices and Links
Your website needs a "Do Not Sell or Share My Personal Information" link when you sell or share personal information. If you process sensitive personal information and are required to offer SPI limitation, you also need a "Limit the Use of My Sensitive Personal Information" mechanism. Your privacy policy must disclose what PI you collect, why, who you share it with, and how consumers can exercise their rights.
The Tractor Supply case put a bright spotlight on employment-related notices: the CPPA alleged Tractor Supply failed to notify job applicants about their privacy rights and how to exercise them, and treated that as a violation in the $1.35M action.
Request Handling and Verification
When a consumer submits a data subject access request, you have 45 days to respond, with a possible 45-day extension if you notify the consumer. Verification must be reasonable - not excessive. In the Todd Snyder enforcement action, the CPPA alleged the company required excessive information, including demanding a photo of the consumer holding their driver's license. Collect only what you need to confirm identity, and don't turn privacy requests into an excuse to collect more sensitive data.
Vendor Contracts and GPC
If you share personal information with third parties, you need contracts that include specific CCPA-required terms governing how that data can be used. Sharing without contracts was one of Tractor Supply's alleged violations.

Your business remains liable when third-party privacy management tools fail. If your consent management platform breaks and stops processing opt-outs for 40 days - as happened with Todd Snyder - that's your violation, not your vendor's. Test your flows. Continuously.

The B2B exemption is gone. Every California prospect email you collect is personal information under the CCPA. Prospeo is GDPR compliant with opt-out enforcement, DPAs available, and 98% email accuracy - so you prospect on clean, verified data without compliance headaches.
Compliant prospecting at $0.01 per verified email. No contracts.
What Changed in 2024-2026
Neural Data Amendments (2024)
AB 1008 and SB 1223, signed September 28, 2024 and operative January 1, 2025, made two significant changes. Neural data became sensitive personal information, giving consumers the right to limit its use. The amendments also clarified that personal information exists across physical, digital, and abstract digital formats - including AI systems capable of outputting personal information.

The neural data provision isn't just about brain-computer interfaces in a lab. Consumer-grade neurotech is already shipping, and connected devices broadly - including connected vehicles, IoT sensors, and wearables - are an emerging enforcement priority. If your product collects data from any of these sources, treat it as sensitive until you've confirmed otherwise.
New Regulations Effective January 1, 2026
On July 24, 2025, the CPPA Board voted to finalize a major regulations package covering automated decision-making technology, risk assessments, and cybersecurity audits, all taking effect January 1, 2026.
ADMT scope: The final rules apply to technologies that replace or substantially replace human decision-making for significant decisions - employment eligibility, credit approval, healthcare treatment, and housing. Behavioral advertising was removed from the definition of "significant decisions," narrowing the scope from earlier proposals.
Cybersecurity audit triggers: You need an independent cybersecurity audit if you either derive 50%+ of revenue from selling or sharing PI, or have revenue exceeding $25M and process PI of 250,000+ consumers/households or SPI of 50,000+ consumers in the preceding calendar year. Auditors must be qualified, objective, and independent - whether internal or external.
Risk assessment triggers: Required for SPI processing (with a limited employment compensation/benefits exemption), profiling based on sensitive locations, and ADMT training or use for significant decisions.
What's Coming Next
The CPPA has launched preliminary rulemaking on reducing friction in the exercise of privacy rights and expanding Opt-out Preference Signals beyond GPC. Comments are due April 6, 2026. These aren't finalized rules yet, but they signal the direction clearly: the CPPA has emphasized dark patterns and data minimization as enforcement priorities, and the agency will keep tightening operational requirements, not loosening them.
Enforcement - What Regulators Punish
Every CCPA guide tells you the thresholds. Almost none tell you what regulators are actually fining companies for. In our experience, the companies that get fined aren't the ones without privacy policies - they're the ones that never tested their opt-out flows.
Tractor Supply - $1.35M (September 2025)
The CPPA's largest fine to date. Tractor Supply's alleged violations read like a compliance failure checklist: inadequate privacy notices, failure to notify job applicants of their rights, a broken opt-out mechanism, non-compliance with GPC signals, and data sharing with third parties without the required contractual terms.
The remedial measures tell the real story. Beyond the fine, Tractor Supply must update all privacy notices, modify opt-out submission methods, ensure required contractual terms with every data recipient, recognize GPC, audit all tracking technology, and designate a compliance officer who must certify compliance annually for four years.
Healthline - $1.55M (July 2025)
The California Attorney General's settlement with Healthline Media is one of the most technically revealing enforcement actions to date. After consumers opted out via banners, forms, and GPC, Healthline's site still had up to 118 active trackers sharing data. Article titles and URLs - containing terms like "HIV," "MS," and "diabetes" - enabled third parties to make sensitive health inferences about visitors.
The AG treated article URLs as personal information capable of revealing health conditions. If your site publishes content about sensitive topics and runs third-party analytics or ad tech, this case applies to you directly.
Todd Snyder - $345K (May 2025)
Todd Snyder's consent management platform was misconfigured, causing a 40-day delay in processing opt-out requests. The cookie banner disappeared prematurely. GPC signals were ignored. And the CPPA alleged the company demanded excessive information, including a photo of the consumer holding their driver's license, just to process a privacy request.
Jerico Pictures / National Public Data - $46K (2025)
A different enforcement vector entirely. The CPPA pursued Jerico Pictures, operator of National Public Data, for failing to register as a data broker under the Delete Act - registering 230 days late. This case signals that the CPPA isn't just auditing consumer-facing websites; it's going after the data supply chain itself.
| Company | Fine | Key Violations | Enforcer |
|---|---|---|---|
| Healthline | $1.55M | 118 trackers post-opt-out | CA AG |
| Tractor Supply | $1.35M | Notices, GPC, contracts | CPPA |
| Todd Snyder | $345K | 40-day opt-out delay, GPC | CPPA |
| Jerico Pictures | $46K | Late data broker registration | CPPA |
The Pattern
Three major enforcement actions, one consistent theme: regulators are testing flows like real users. They click the opt-out button, check whether trackers actually stop firing, and verify that GPC signals produce a real response - not just a 200 status code.
Paper compliance is dead. Having a privacy policy on your website doesn't matter if your consent management platform is broken. Having vendor contracts doesn't matter if those vendors are still receiving data after opt-out. The CCPA has become an engineering problem, not a legal document exercise.
This extends to your data stack. Your compliance posture is only as strong as your weakest data vendor. We've seen this pattern repeatedly: a company's own privacy practices are solid, but their data vendors are shipping stale, non-compliant records. Prospeo addresses this directly - GDPR compliant with opt-outs enforced globally, a 7-day data refresh cycle versus the 6-week industry average, and 98% verified email accuracy - so downstream compliance risk stays low.
Private Litigation - Expanding Threat
The CCPA's private right of action under Section 1798.150(a)(1) applies when nonencrypted and nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure due to a business's failure to implement reasonable security. Statutory damages run $100-$750 per consumer per incident - numbers that become catastrophic at class-action scale.
The tracker/pixel litigation trend is the most underreported CCPA development of 2024-2025. We've tracked this closely, and the trajectory is clear.
In In re BetterHelp Data Disclosure Cases (N.D. Cal., July 2024), the court found that disclosing emails and health information to third parties via trackers constituted a plausible "disclosure" under the statute. In M.G. v. Therapymatch (N.D. Cal., September 2024), third-party analytics code collecting treatment-seeking information was enough - no classic breach allegations required. Shah v. Capital One pushed further: standard trackers from Google, Meta Pixel, and Microsoft were the basis for claims. These aren't exotic attack vectors. They're tools running on virtually every commercial website.
Let's be honest about the math: if your deal sizes are modest and you're running a high-traffic site with standard analytics, the tracker/pixel litigation risk is a bigger financial threat than a regulatory fine. Even at the $100 statutory minimum, 500,000 affected consumers means $50M in potential damages. "Reasonable security" is increasingly benchmarked against NIST frameworks and CIS Critical Security Controls. If you can't demonstrate alignment, you're exposed.
CCPA vs. GDPR
| Category | CCPA | GDPR |
|---|---|---|
| Consent model | Opt-out | Opt-in |
| Scope | CA residents | EU data subjects |
| Enforcement | AG + CPPA | National DPAs |
| Private action | Breach-only (expanding via tracker cases) | Any GDPR violation |
| Max penalty | $7,500/intentional violation; $2,500/unintentional | 4% global revenue |
| Extraterritorial | Yes (doing business in CA) | Yes (targeting EU) |
The fundamental philosophical difference: GDPR requires consent before processing; the CCPA lets businesses process but gives consumers the right to opt out. In practice, CCPA compliance is more about building functional opt-out infrastructure than collecting consent upfront. Both laws reach across borders - if you're selling to California residents or EU data subjects, geography doesn't save you.
Compliance Checklist
Priority order, based on what regulators are actually punishing:
1. Honor GPC signals - quick fix if your CMP supports it, multi-week project if it doesn't. Test that it actually responds, not just acknowledges.
2. Update privacy notices - include job applicant notifications. Mostly legal review, but don't skip it.
3. Audit vendor contracts - ensure every data recipient has CCPA-required contractual terms. Time-intensive if you have dozens of vendors.
4. Build and test DSAR workflows - 45-day response for know/delete/correct. Multi-week engineering project for most teams.
5. Inventory all trackers and pixels - verify that opt-out actually stops data transmission. Run the Healthline test on your own site.
6. Assess cybersecurity audit triggers - do you hit the January 2026 thresholds? Quick internal assessment.
7. Evaluate ADMT use - are you using automated systems for employment, credit, healthcare, or housing decisions? If yes, start risk assessments now.
8. Designate a compliance officer - someone who owns this operationally, not just legally.
For teams that want a sample opt-out request to test their own flows, EPIC.org publishes template DSAR letters that work as a starting point. Skip the cybersecurity audit prep if you're well below the revenue and volume thresholds - focus your time on items 1-5 first.
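As an added example (not from the original post or any regulator's tooling), here is the "Healthline test" from the checklist and the enforcement pattern section turned into an audit over a captured request log: which known trackers still fire after the opt-out timestamp, and which of those carry a sensitive article URL. The first-party host, tracker domains, sensitive terms, and the sample log are all constructed for the demo; a real run would feed it entries exported from the browser's HAR file.

```javascript
// Added example: post-opt-out tracker audit over a captured request log.
// All hosts, terms and log entries below are constructed for the demo.

const FIRST_PARTY = 'www.example-health.test';
const KNOWN_TRACKERS = ['ads.example', 'pixel.example', 'stats.example'];
// Single tokens on purpose: substring matching would flag "archive" for "hiv".
const SENSITIVE_TERMS = ['hiv', 'diabetes', 'sclerosis'];

// Constructed capture: the opt-out is submitted at 10:00:05Z. One tracker
// fires before it (expected), one fires after it and carries the article URL.
const SAMPLE_LOG = [
  { url: 'https://www.example-health.test/articles/diabetes-diet',
    startedDateTime: '2025-01-10T10:00:00Z' },
  { url: 'https://pixel.example/collect?dl=https%3A%2F%2Fwww.example-health.test%2Farticles%2Fdiabetes-diet',
    startedDateTime: '2025-01-10T10:00:01Z',
    referer: 'https://www.example-health.test/articles/diabetes-diet' },
  { url: 'https://www.example-health.test/articles/hiv-testing',
    startedDateTime: '2025-01-10T10:00:10Z' },
  { url: 'https://ads.example/p?ref=https%3A%2F%2Fwww.example-health.test%2Farticles%2Fhiv-testing',
    startedDateTime: '2025-01-10T10:00:11Z',
    referer: 'https://www.example-health.test/articles/hiv-testing' },
  { url: 'https://cdn.example/font.woff2', startedDateTime: '2025-01-10T10:00:12Z' },
];

function hostOf(url) { return new URL(url).hostname; }

// A request is a tracker call when its host is, or is a subdomain of, a known tracker.
function isTracker(url) {
  const h = hostOf(url);
  return KNOWN_TRACKERS.some(t => h === t || h.endsWith('.' + t));
}

// Sensitive page context leaks when the tracker call carries the page URL (via the
// Referer header or a query parameter) and that URL contains a sensitive token.
function leakedSensitiveContext(req) {
  const carried = [req.referer ?? '', decodeURIComponent(new URL(req.url).search)]
    .join(' ').toLowerCase();
  const tokens = new Set(carried.split(/[^a-z0-9]+/));
  return SENSITIVE_TERMS.filter(t => tokens.has(t));
}

// Audit: tracker requests after the opt-out, and which of them leaked sensitive
// article context. First-party requests are ignored. Returns a plain object.
function auditAfterOptOut(log, optOutAtIso) {
  const optOutAt = Date.parse(optOutAtIso);
  const findings = [];
  for (const req of log) {
    if (Date.parse(req.startedDateTime) <= optOutAt) continue;
    if (hostOf(req.url) === FIRST_PARTY || !isTracker(req.url)) continue;
    findings.push({ host: hostOf(req.url), terms: leakedSensitiveContext(req) });
  }
  return {
    trackersAfterOptOut: findings.map(f => f.host),
    sensitiveLeaks: findings.filter(f => f.terms.length > 0)
      .map(f => `${f.host}: ${f.terms.join(',')}`),
    pass: findings.length === 0,
  };
}
```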

Bad data doesn't just tank deliverability - it creates CCPA liability. Every bounce is a record you shouldn't have. Prospeo's 5-step verification, 7-day data refresh, and spam-trap removal mean you only reach real people at real addresses.
Stop storing stale data that regulators can fine you for.
California Consumer Privacy Act FAQ
Does the CCPA apply to small businesses?
Only if you meet one of three thresholds: $25M+ revenue, 100,000+ California consumers'/households' data bought/sold/shared, or 50%+ revenue from selling/sharing PI. The 100K threshold catches more companies than expected - especially those with high-traffic websites running analytics pixels.
What's the difference between the CCPA and CPRA?
The CPRA amended and expanded the CCPA effective January 1, 2023. They're the same law now. "CCPA" refers to the combined statute, which includes CPRA additions like the right to correct data, sensitive PI protections, and the CPPA enforcement agency.
Can consumers sue under the CCPA?
Yes, but only for data breaches involving nonencrypted or nonredacted PI caused by inadequate security. Statutory damages are $100-$750 per consumer per incident. Courts are expanding "disclosure" theories to include tracker and pixel transmissions - dramatically increasing litigation exposure beyond traditional breaches.
What is Global Privacy Control?
GPC is a browser-level signal that tells websites you want to opt out of data selling and sharing. Businesses must honor it under the CCPA. Ignoring GPC was a central violation in the Tractor Supply ($1.35M) and Todd Snyder ($345K) enforcement actions.
How does the CCPA affect sales prospecting?
If your company meets the thresholds, California residents' prospect data is fully covered - the temporary B2B exemption expired January 1, 2023. Teams relying on third-party data providers should verify those providers honor opt-out requests and maintain current, compliant records. The consensus on r/sales is that most reps don't think about this until a bounce rate spike or a legal letter forces the conversation - by then, the damage is done.