
California Consumer Privacy Act (CCPA): Does This Apply to Your IT Business in 2025?


By understanding and adhering to CCPA requirements, IT businesses can build trust with clients, respect their privacy choices, and mitigate legal and reputational risks. In this article from a privacy rights attorney, you will learn how the CCPA rules can affect your business and how to become CCPA compliant.

What is the California Consumer Privacy Act (CCPA)? Where and when does it apply?

The CCPA is a state-level privacy law that applies to businesses that operate in California and collect personal information from California residents. The CCPA was amended by the California Privacy Rights Act (CPRA), which came into effect on January 1st, 2023. The two acts have caused confusion, as it is hard to determine which act is relevant to your business and what steps you need to take to be in compliance. In this article, we describe the updated rules and give advice on updating privacy documents following the CPRA’s amendments to the CCPA.

It is crucial to understand that the CCPA applies to businesses anywhere in the world if they collect and process the personal data of California residents. The CCPA also continues to apply when California residents temporarily travel outside of the state.

For example, if your company is based in Delaware but provides advertising services to people from California, it needs to adhere to CCPA requirements. Another example is a game development studio in Kyiv that publishes mobile games for California users on the App Store or Google Play. Because the studio monetizes its products through in-app advertising, it collects personal data, so the CCPA requirements must be satisfied.


Location is not the only criterion you need to take into consideration. There are 3 additional thresholds, listed below. If at least one of them describes your business, you need to follow the CCPA (as amended by the CPRA).

  1. Your company’s gross annual revenue exceeds $25 million.
  2. Your business buys, sells, or shares the personal information of 100,000 or more consumers or households every year. When a website collects IP addresses or uses cookies that track a consumer’s activity, the threshold of 100,000 is reached quickly, and as a result most businesses need to follow the CCPA.
  3. Every year your business derives more than 50% of its revenue from selling consumers’ personal data. This includes any revenue connected to interest-based advertising, such as when a customer makes a purchase after clicking on a targeted ad.


Under the CCPA, the term “sell” means any transfer or disclosure of personal data to a third party in exchange for consideration, regardless of whether money is exchanged. For example, transferring information to Customer Match in Google Ads is considered a sale.


For example, in February 2024, DoorDash Inc., a major U.S.-based technology company operating a popular food delivery platform, faced enforcement action under the CCPA. The company connects consumers with local restaurants and other merchants through its website and mobile app, facilitating millions of deliveries across North America every day.

The case centered on DoorDash’s participation in a marketing cooperative, through which the company shared consumers’ personal information—such as names, contact details, purchase behavior, and location data—with other businesses for advertising purposes. This activity fell under the CCPA’s definition of a "sale" of personal information.

However, DoorDash did not disclose this data-sharing activity in its Privacy Policy, nor did it provide consumers with the required “Do Not Sell My Personal Information” link on its website or mobile application. These omissions constituted violations of both the CCPA and California’s Online Privacy Protection Act (CalOPPA). As a result of the enforcement action, DoorDash agreed to pay $375,000 in penalties.

Do you need to comply with the CCPA (California Consumer Privacy Act)?

Businesses subject to the CCPA that fail to comply with its requirements face fines, litigation, and other penalties. In 2022, cosmetics giant Sephora received $1.2 million in penalties because the company failed to disclose to consumers that their personal data would be sold to third parties. Information about the products customers bought or added to a shopping cart was sold for targeted advertising purposes. Moreover, the company disclosed the customer’s location and the brand of device they were using.


Our privacy law attorneys describe below the steps every company must take to avoid fines and reputational risks.


What do you need to do to comply with the CCPA?

To comply with the CCPA, businesses must develop Privacy Policies and ensure a prompt response to requests for access and deletion of personal data. Moreover, companies must implement data management policies and provide employee training.

What are the key considerations for writing a Privacy Policy?

Here are some key clauses to include in the Privacy Policy for CCPA Compliance.

  • Identify the categories of personal information your company collects. Personal data is any information that can be used to identify a consumer or household. The CCPA requires you to notify users about the types of personal data you collect and the purposes of that collection.
  • Explain how you use and share personal data. The CCPA requires companies to disclose the third parties with whom they share personal data, as well as the purposes for which the data is shared, for example, disclosing information to Google Analytics, Facebook Tag Manager, PayPal, and others. You should also explain any additional uses of personal data, such as targeted advertising or data analytics.
  • Codify the rights of California residents. You should explain these rights and how consumers can exercise them. The list of rights must include the right to request access to, correction of, or deletion of their personal data, and the right to opt out of the sale of their personal data. To guarantee the last one, you must place on your website a button that states “Do not sell my personal information”. Using that button, customers can prohibit any selling of their data.
  • Provide information about the data retention period. Usually, the retention period can be as long as is necessary to fulfill the purposes for which the information was collected.
  • Describe your data security measures. The CCPA requires businesses to implement and maintain reasonable security measures to protect personal data from unauthorized access, use, destruction, or alteration. Privacy Policies must include a clause describing those security measures, such as encryption and secure authentication protocols.
  • Provide contact information. The CCPA requires companies to provide a clear and conspicuous link to a webpage that allows consumers to exercise their rights. You should also place on your website a telephone number and an email address so that consumers can contact you. Here is how we used our experience to do it for our client Insurance Hunter.

Moreover, you need to state in your Privacy Policy whether you use personal data for automated decision-making. This is a new rule set by the CPRA, so it is important to guarantee the customers’ right to opt out of certain types of automated decision-making.

What are the fines for violations of the CCPA?

The fines for non-compliance are classified as follows:

  • Unintentional violation: up to $2,500 per violation
  • Intentional violation: up to $7,500 per violation

Moreover, the company will face additional financial penalties of up to $7,500 per violation of minors’ rights.

Violations can lead to immediate enforcement by the California Privacy Protection Agency (CPPA), the new independent agency overseeing privacy compliance.


In 2025, one of the world’s most recognized automotive brands, American Honda Motor Co., found itself at the center of California’s growing push for stronger consumer privacy enforcement. The CPPA investigation uncovered that Honda's data practices were creating unnecessary barriers for consumers attempting to exercise their rights.

Customers who tried to opt out of having their personal information shared were met with friction: lengthy forms, excessive data requirements, and a confusing opt-out process. Meanwhile, the company’s cookie management tools were designed in a way that made it far easier to accept tracking than to reject it—an imbalance known in user experience as "dark patterns."

On top of that, Honda was found to be sharing personal data with advertising vendors without securing proper contractual protections, a direct violation of the CCPA’s third-party obligations.

The result? A $632,500 enforcement settlement.

As part of the agreement, Honda committed to:

  • Streamlining its privacy request process;
  • Consulting with user experience experts to remove friction;
  • Updating contracts with service providers; and
  • Providing internal staff training to reinforce compliance across departments.


This case illustrates a clear principle: privacy rights must be accessible, functional, and fair. Businesses that create obstacles—intentional or not—risk not only regulatory scrutiny, but also consumer trust.

Compared with GDPR fines, CCPA penalties are relatively mild. Even so, it is better to meet regulatory requirements than to face fines and reputational risks.


Is the updated CCPA the same as the General Data Protection Regulation (GDPR)?

Many of the CCPA (CPRA) rules were borrowed from GDPR, but the acts are still different.


21% of companies worldwide need to comply with both the CCPA and the GDPR. If you collect and process the data of both California residents and citizens of the EU, your Privacy Policy must satisfy the CCPA and the GDPR together. Usually that means the Privacy Policy is written under the GDPR, with separate clauses covering CCPA aspects. Our team created a Privacy Policy for Hypelitix following that approach.

As of December 31, 2022, 92% of companies across the world are still unprepared for the CCPA (CPRA), and 91% are unprepared for the GDPR. If businesses want to avoid fines and build trust with customers, it is time to change that approach. We advise you to begin by developing an effective Privacy Policy that implements your privacy values and establishes strong data protection practices to protect your customers’ rights.
