Understanding California’s data privacy laws: CCPA in 2026

Businesses today must navigate a growing and complicated web of privacy laws. Compliance issues come up in every customer encounter, and IBM’s 2025 Cost of a Data Breach Report found Personally Identifiable Information (PII) to be the category of data targeted in most breaches (53%).

The figure isn’t surprising; it’s just another reminder of the importance of data privacy laws, especially with regulations evolving quickly in places like California.

California’s CCPA represents one of the most comprehensive regulations designed to protect consumer data and hold businesses accountable for the personal data they gather.

Many businesses will look at that and think they’re exempt because they’re B2B. That’d be a mistake. The CCPA also extends to business-to-business operations.

This article explains everything you need to know about California’s data privacy regulations, including how the CPRA amended and expanded upon the CCPA, recent updates to the CCPA and the implications for businesses and data processing services — including web analytics.

Key takeaways

  1. California’s main data privacy law, the California Consumer Privacy Act (CCPA), was amended by the California Privacy Rights Act (CPRA) and has gotten stricter since it first went into effect, with ongoing updates businesses must watch for.
  2. The CCPA details how businesses, contractors, service providers and third parties must handle the personal information (PI) of California residents. It imposes stricter requirements for a subcategory of PI known as sensitive personal information (SPI).
  3. The CCPA has six rights for consumers: the rights to know, delete, opt-out, non-discrimination, correct and to limit how SPI is used and shared.
  4. The California Privacy Protection Agency (CPPA) was introduced to help the Attorney General enforce this privacy law. It also has additional powers, such as updating the regulations.
  5. Penalties for non-compliance increased in 2025 and will increase every odd year to match the cost performance index.
  6. A recent update to the CCPA mandates security audits and audit reporting, as well as risk assessments for certain businesses.
  7. New rules have also been added to address the use of Automated Decisionmaking Technology (ADMT).
  8. The Delete Request and Opt-Out Platform (DROP), introduced by 2023’s Delete Act (separate from the CCPA), is available as of 1st Jan. 2026. Data brokers will need to comply with requests starting 1st Aug. 2026.

What is California’s data privacy law?

California’s main data privacy law is the California Consumer Privacy Act (CCPA), which went into effect in Jan. 2020. It sets up core data privacy rights for consumers, granting them control over their Personal Information (PI) and setting initial business compliance requirements.

State lawmakers strengthened the CCPA via the California Privacy Rights Act (CPRA), an amendment that has been in effect since Jan. 2023. It expanded consumer rights and created the California Privacy Protection Agency (CPPA) for enforcement.

Another data privacy law, the Delete Act, was passed by the state legislature in 2023. This law introduces new compliance standards for data brokers, as well as a platform that sends consumer requests for deletion to all applicable brokers.

CCPA fundamentals in 2026

The goal of this California data privacy law is to give consumers in the state greater PI protection. It accomplishes this by holding businesses to higher standards for data handling, requiring them to configure their systems to comply with the rules.

CCPA key definitions

  • Consumer: A California resident. They must be a “natural person” per the wording of the bill and not a business entity. The CCPA protects them even if they’re temporarily out of state.
  • Business: A for-profit entity that collects consumers’ PI, does business in California and meets at least one of the following thresholds:
    • Annual gross revenue of $26,625,000 USD or more (per a 2025 update)
    • Buys, receives, sells or shares the PI of 100k or more consumers or households
    • 50% or more of its annual revenue is received through the sale of consumer PI
  • Business purpose: Narrowly scoped purposes that a business, service provider or contractor can collect and use PI for. Some examples include internal research, specific forms of ad and marketing analytics and debugging certain types of errors.
  • Contractor: A person to whom a business provides a consumer’s PI for a business purpose. Contractors must follow strict requirements laid out in a written contract drawn up by the business, covering prohibited actions (e.g., no selling or sharing PI) and compliance monitoring terms. If the contractor involves any other parties in its handling of PI, the business must approve them, and they must sign the contract.
  • Service provider: A person who processes PI on behalf of a business for a business purpose. They must sign contracts with similar terms to those of contractors.
  • Third party: Any person who is neither the business the consumer is willingly interacting with nor one of the business’s service providers or contractors.
  • Consent: The clear and unambiguous agreement to PI processing for a specific and defined purpose. Consent can be given by the consumer, their legal guardian, the person with power of attorney over them or their conservator.
  • Personal Information (PI): Information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes but is not limited to names, email addresses, IP addresses, browsing history, purchase history and certain professional information. Publicly available information (like real estate or professional licensing records) is not considered PI.
  • Sensitive Personal Information (SPI): A subset of PI added by the CPRA. Businesses have stricter requirements for handling SPI. The amended CCPA text defines SPI as a consumer’s:
    • Specific government identifiers, including passport and social security numbers
    • Account logins, financial accounts and debit/credit card numbers with security codes, passwords or any other credentials required for access
    • Precise geolocation data
    • Mail, email or text message contents
    • Genetic data, such as DNA test results
    • Processed biometric information used for identification
    • Health information
    • Sex life and sexual orientation information
    • Racial/ethnic origin, religious/philosophical beliefs or union membership

Personal Information vs Personally Identifiable Information

It’s important for businesses to know the difference between PI and a similar term used in data privacy: Personally Identifiable Information (PII). PII describes information that directly identifies an individual: name, social security number or driver’s licence number.

PI is much broader than PII.

As mentioned above, the CCPA’s definition includes not only information that directly identifies someone but also information that can be indirectly linked to them. The wider definition is important because it covers data points that might not identify an individual on their own (like an IP address or browsing history) but can be linked to them if combined with other information.

Consumer rights under CCPA

The CCPA grants Californian consumers six core rights:

  • Right to know: Twice a year and without cost, they can ask a business what PI it collects, where it got it, what it’s used for and who it’s shared with.
  • Right to delete: They can request that a business delete PI collected from them.
  • Right to opt-out: They can tell a business not to sell or share their PI. The business may not resume doing so unless the consumer authorises it again at a later date.
  • Right to non-discrimination: Businesses can’t treat them differently because they exercised their CCPA rights. This covers service denial, changing prices and the offering of lower quality products or services.
  • Right to correction: Consumers can ask businesses to correct inaccurate PI they hold.
  • Right to limit how SPI is used and shared: They can tell businesses to use their SPI only for what’s needed to provide the goods or services they asked for.

The obligations of businesses

The CCPA also imposes significant obligations on businesses operating in the state. These include:

  • Providing clear privacy notices: Businesses must inform consumers about their data collection practices. They must explain what types of PI they collect, why it’s collected and how consumers can exercise their rights.
  • Implementing reasonable security measures: Protecting PI is critical, and businesses are expected to do everything they can to prevent unauthorised access, use, disclosure, alteration or destruction of PI.
  • Responding to consumer requests: Businesses must put in place verifiable processes so that they can respond to consumer requests within the specified timeframes. For instance, they must respond within 15 days to an opt-out request.
  • Not selling or sharing minors’ PI without consent: Businesses are explicitly forbidden from selling or sharing the PI of consumers under 16 unless they have consent in the form of an explicit opt-in by the teen consumer (for ages 13-15) or a parent (for those under age 13).

On that last point, it’s important to understand that consent means far more than what’s generally understood as permission. It can’t be inferred from silence, pre-checked boxes or the closing of a consent manager. Affirmative consent must be:

  • Explicit action: The person must take a deliberate, positive step to give consent. That could be clicking an “Accept” button, checking an unchecked box or signing a document.
  • Unambiguous: There can be no doubt at all about what the person is agreeing to, so the request for consent must be clear and very specific.
  • Informed: The person must grasp fully what it is that they’re consenting to. That includes knowing why the data is being collected and how it’ll be used. It also includes knowing about any third parties involved.
  • Freely given: Consent must be voluntary. It can’t be bundled in with other terms and conditions. It can’t be obtained via dark patterns.
  • Revocable: The person must be able to withdraw their consent as easily as they gave it.

Enforcement authorities, mechanisms, actions and penalties

Enforcement of the CCPA is handled by the California Attorney General (AG) and the CPPA.

Both are able to take consumer reports about potential CCPA violations and take action against non-compliant businesses. The difference is that the AG handles cases via the legal system, while the CPPA does so through its own internal administrative proceedings.

Since the CPPA operates within its own system, it can enforce the law faster. However, the AG has authority over the CPPA, and the AG can pause a case or take it over.

The AG can also enforce additional laws if violations are found, as they did in Feb. 2026 by fining Disney $2.75m USD for both CCPA and Unfair Competition Law violations.

The CPPA also has powers beyond enforcement that the AG lacks. It’s responsible for spreading awareness of consumer rights, updating the CCPA regulations and taking input from consumers and businesses about proposed updates.

The CPPA outlines the following penalty amounts as of a January 2025 update:

  • Monetary damages of $107–$799 USD per consumer per incident, or actual damages (Civil Code § 1798.140(d)(1)(A))
  • Administrative fine amounts of at least $2,663 USD for each unintentional violation of adult consumers’ rights (Civil Code § 1798.155(a))
  • Administrative fine amounts of at least $7,988 USD for each intentional violation of adult rights or violation (intentional or unintentional) of those of minors (Civil Code § 1798.155(a))
  • Civil penalty amounts that mirror the administrative fines outlined above (Civil Code § 1798.199.90(a))

These amounts are set to be adjusted in January of every odd year, meaning they will be adjusted next in 2027.

Prior to the CPRA, businesses were allowed a 30-day window to fix violations, but this was removed in 2023.

A 2025 update to the CCPA mandates annual cybersecurity audits and audit reports from all businesses whose processing of PI presents a significant risk to consumers’ privacy or security.

The deadline for a business’s first security audit depends on its annual gross revenue in the year indicated:

  • By 1st Apr. 2028, if the business made $100m USD or more in annual gross revenue in 2026
  • By 1st Apr. 2029, if the business made between $50m and $100m USD in annual gross revenue in 2027
  • By 1st Apr. 2030, if the business made less than $50m USD in annual gross revenue in 2028

Another new requirement (effective 1st Jan. 2026) is the risk assessment, which applies to businesses whose processing of PI presents a significant risk to consumers’ privacy. This covers (but isn’t limited to) selling or sharing PI, processing SPI and using Automated Decisionmaking Technology (ADMT) for important decisions about the consumer.

Risk assessments must examine the concrete benefits the business, consumer and other parties will get from this specific processing use case, possible negative impacts, the safeguards the business will employ and more.

The last major update is a set of rules regarding the use of ADMT in making significant decisions about a consumer. This will go into effect on 1st Jan. 2027.

Businesses must inform consumers about their use of ADMT and the rights that come with it, including (but not limited to) the fact that ADMT is being used, the consumer’s right to opt out of it and the consumer’s right to non-discrimination for opting out.

There are some exceptions where a business doesn’t need to provide an opt-out, such as for certain hiring decisions.

The Delete Act and DROP

While not technically part of the CCPA itself, the Delete Act is an amendment to a 2019 data broker law that similarly protects Californian consumer rights. It’s also enforced and managed by the CPPA.

As of 1st Jan. 2026, residents can use the Delete Request and Opt-Out Platform (DROP) to submit requests for brokers to delete their PI. From 1st Aug. 2026, data brokers must process DROP requests within 45 days (or 90 days with an extension). They will then need to delete any newly collected information every 45 days.

Non-compliance will result in penalties and fines.

California data privacy law compliance strategies for businesses

Organisations that need to follow the CCPA must look beyond just avoiding penalties. Here are some compliance areas that companies can get started with.

Data mapping and inventory

While the CCPA doesn’t demand data mapping by name, implementing it makes compliance simpler, as it helps you know which third parties have access to PI and how that data has been handled. Most importantly, it helps companies respond to consumer requests quickly and efficiently.

Updating privacy policies

The CCPA mandates that organisations must update their privacy policies at least once a year.

Privacy policies must inform consumers about their rights, like the right to know and the right to correction. The policy should also detail the categories of PI collected, the sources and the business purpose for collecting it.

Consumer request systems

The California data privacy law specifies that businesses must establish a clear process for consumers to submit requests to exercise their rights. Typical systems should involve at least two ways requests can be submitted, such as a toll-free number and a website form.

The formal term the CCPA uses is Data Subject Access Requests (DSARs), and the law gives organisations 45 days to respond to DSARs. Failure to do so, or to request a 45-day extension from the consumer, can result in significant fines.

Employee training

Ignorance is no defence. The CCPA clearly states that employees who handle consumer inquiries or are responsible for compliance must be adequately trained.

Training must cover all the requirements of the law and consumer rights, as well as how to deal with DSARs. It should also emphasise the importance of data security and privacy.

Technical safeguards

The law also mandates protection against data breaches by requiring businesses to implement “reasonable” security measures to protect the personal data in their care.

This usually includes measures like encryption, access controls and regular security assessments.

And while the term “reasonable” isn’t strictly defined in legislation, it’s often benchmarked against industry standards like the Center for Internet Security (CIS) Controls.

Data management tools

Implicit in all of these strategies is the need for effective data management tools that’ll support efforts to achieve and maintain compliance. As a baseline, the tools that organisations deploy should help them with data anonymisation, pseudonymisation, consent management and fulfilling DSARs.

For a more hands-on walkthrough for privacy-focused web analytics, read our CCPA compliance guide.

Protecting your business with Matomo

Achieving and maintaining that compliance can seem daunting. But there are tools that make the job easier and are helpful in satisfying the technically challenging demands of data privacy. Matomo is one of these.

It gives businesses full ownership and control of their analytics data and does not share that data with third parties.

Matomo is a privacy-first web analytics platform that primarily uses first-party cookies. That’s something that ticks one of the boxes of almost all privacy regulations worldwide.

Matomo protects consumer rights with consent management features, support for Consent Mode v2 and integration with external Consent Management Platforms. Its design supports data minimisation and retention policies as well as anonymisation and pseudonymisation.

More importantly for compliance with the CCPA, Matomo assists with accountability by providing clear records of data processing.

And for businesses seeking maximum control, the platform is available as a self-hosted, on-premise option that keeps data entirely within your infrastructure.

Data privacy laws are here to stay

California’s journey with the CCPA is a major step for data privacy in the US. The “California Effect” is already happening as other states follow suit by developing their own privacy legislation.

One thing is certain: privacy laws are increasingly becoming the norm, as evidenced by the CCPA and GDPR. Trying to exploit the gaps by following each country’s laws individually is an expensive exercise in futility. A more sensible approach is to use tools that are built with these laws in mind.

A privacy-centric web analytics tool like Matomo that can easily be configured for compliance is a great place to start. Download Matomo On-Premise completely free or start your 21-day free trial of Matomo Cloud (no credit card required).

Frequently asked questions

What is the new data privacy law in California?

In terms of ballot-level legislation, the newest data privacy law in California is CPRA, an amendment to the existing CCPA. However, the CPPA is continuously updating the CCPA and introduced three new articles in 2025 dealing with security audits, risk assessment and ADMT.

What is the difference between CCPA and CPRA?

CCPA is the original California data privacy law. CPRA is an amendment that expanded consumer rights, enacted harsher penalties for non-compliance and introduced an enforcement agency.

Which state has the strictest data privacy laws?

The states with the strictest data privacy laws are California, with the CCPA, and Maryland, with the Maryland Online Data Privacy Act (MODPA):

  • California’s laws (including the Delete Act) could be considered the strictest in terms of enforcement (with a dedicated agency), handling AI-related consumer rights (the new ADMT regulations) and deletion (the Delete Request and Opt-Out Platform).
  • Maryland’s law would be considered strictest in its prohibition on the sale of sensitive data, its harsher punishments for the data of minors (defined as under 18) and its tighter thresholds for the use of its equivalent of PI and SPI.