
CCPA and CPRA: A Practical US Website Compliance Guide

mekyn Editorial

A practical 2026 guide to CCPA and CPRA for US websites — privacy notice requirements, opt-out signals, data subject rights, enforcement, and a working compliance checklist.

The California Consumer Privacy Act and the California Privacy Rights Act that amended it remain the most consequential US state privacy laws, and they have become a template that other states have followed with variations. By 2026, fifteen states have enacted comprehensive privacy laws, and the practical question for any US business that sells online is not whether privacy law applies but which laws apply and what the website must do.

What CCPA and CPRA actually require

CCPA, effective January 1, 2020, gave California residents four rights: the right to know what personal information is collected, the right to delete it, the right to opt out of its sale, and the right to non-discrimination for exercising these rights. CPRA, effective January 1, 2023, added three more: the right to correct inaccurate information, the right to limit the use of sensitive personal information, and the right to data portability.

The thresholds are worth knowing. CCPA applies to a business that meets one of three tests: annual gross revenue above $25 million, buying or selling the personal information of 100,000 California residents or households, or deriving 50 percent or more of annual revenue from selling personal information. CPRA expanded the threshold to include sharing personal information for cross-context behavioral advertising. Most small businesses fall outside these thresholds by revenue, but many cross the threshold through online advertising and analytics.

If your business serves customers in California and uses third-party advertising, remarketing, or analytics that share data with partners, you are likely covered. The pragmatic response is to treat the highest standard as the floor and implement it across the board.

The privacy notice on your website

Every covered business must post a privacy notice that discloses, in clear language, what categories of personal information are collected, the purposes for which it is used, whether it is sold or shared, and the categories of third parties that receive it. The notice must describe the rights and the mechanisms for exercising them.

The California Privacy Protection Agency publishes detailed regulations on format and content. The notice must be accessible from a link titled “Privacy Policy” or “Your Privacy Choices” in the website footer, must be available in formats accessible to people with disabilities, and must be updated within twelve months of any material change.

For most small businesses, the operative sections are: the categories of information collected (identifiers, commercial information, geolocation, internet activity, professional information), the sources (directly from the user, from devices, from third parties), the business purposes (providing the service, processing payments, marketing, security), the categories of recipients (service providers, advertising partners, analytics providers), and the rights available with the methods to exercise them.

Opt-out signals and the Global Privacy Control

In 2023 California finalized regulations recognizing the Global Privacy Control as a valid opt-out signal. The GPC is a header or browser setting that signals a consumer’s intent to opt out of the sale or sharing of their personal information across every site they visit. If your website receives a GPC signal, you must treat it as a valid opt-out request for that visitor.

Browser-level signals are not optional. A website that ignores GPC, or that claims to honor it but continues to share data with advertising partners, is out of compliance. The implementation is straightforward: detect the Sec-GPC header, do not load advertising tags or scripts that perform cross-context behavioral targeting for that request, and document the opt-out in your records.
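A server-side sketch of the three steps just described (detect the signal, suppress cross-context advertising tags for that request, record the opt-out), added here as an example rather than taken from the article. The Sec-GPC header is the one the GPC specification defines; the tag inventory, record shape and Express-style middleware wiring are assumptions.

```javascript
// Constructed inventory of third-party tags, each labelled by whether it
// performs cross-context behavioral advertising (a "sale or share" under CPRA).
const TAG_INVENTORY = [
  { id: "first-party-analytics", src: "/js/analytics.js", crossContextAds: false },
  { id: "ad-pixel", src: "https://ads.example/pixel.js", crossContextAds: true },
  { id: "remarketing", src: "https://retarget.example/tag.js", crossContextAds: true },
];

// Case-insensitive header lookup (Node lowercases names; other sources may not).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// The GPC specification defines exactly one opt-out value: "1". An absent
// header, "0", or any other value is not an opt-out and must not be treated as one.
function gpcOptOut(headers) {
  const value = getHeader(headers, "Sec-GPC");
  return typeof value === "string" && value.trim() === "1";
}

// Tags that may be loaded for this request: with a valid GPC signal every
// cross-context advertising tag is dropped; first-party tags are unaffected.
function tagsForRequest(headers, inventory = TAG_INVENTORY) {
  const optedOut = gpcOptOut(headers);
  return inventory.filter((tag) => !(optedOut && tag.crossContextAds));
}

// Record documenting the honored opt-out, for the business's own records
// (null when the request carried no signal, so nothing is logged).
function optOutRecord(headers, requestId, now = new Date(), inventory = TAG_INVENTORY) {
  if (!gpcOptOut(headers)) return null;
  return {
    requestId,
    signal: "Sec-GPC",
    receivedAt: now.toISOString(),
    suppressedTags: inventory.filter((t) => t.crossContextAds).map((t) => t.id),
  };
}

// Express-style middleware (hypothetical wiring). Vary: Sec-GPC stops a shared
// cache from serving an ad-laden page built for one visitor to an opted-out one.
function gpcMiddleware(req, res, next) {
  res.setHeader("Vary", "Sec-GPC");
  req.allowedTags = tagsForRequest(req.headers);
  req.gpcRecord = optOutRecord(req.headers, req.id); // persist to the request log
  next();
}
```

The page template then renders only `req.allowedTags`, so an opted-out visitor never receives the advertising scripts at all rather than receiving them with a flag they are expected to respect.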

For larger businesses, the regulations also require a one-stop opt-out mechanism, frequently called the “Share or Sale of Personal Information” link, that lets a visitor opt out without creating an account or sending an email. Many privacy compliance platforms offer this as a small embeddable component.

Data subject rights requests

A consumer’s request to know, delete, correct, or limit must be honored within 45 days of receipt, with one 45-day extension when reasonably necessary. Verification is required before disclosure but must not be excessive; two factors are usually enough for consumer accounts. Authorized agents can submit requests on behalf of consumers.

For a small business, the minimum viable infrastructure is a privacy inbox (typically a privacy@ address at your domain) monitored daily. A spreadsheet logging the request, the verification method, the response, and the date is sufficient for low volume. As volume grows, dedicated request-handling tools reduce manual effort and produce defensible audit trails.

Sensitive personal information

CPRA introduced a separate right to limit the use of sensitive personal information, which includes government identifiers, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometrics, and health information. A covered business must provide a clear “Limit the Use of My Sensitive Personal Information” link, often implemented as part of the privacy choices page. The use case that triggers this most often is precise geolocation in retail apps and travel sites.

Enforcement and penalties

The California Privacy Protection Agency, the Attorney General, and the California courts enforce compliance. Statutory penalties for civil violations are $2,500 per violation and $7,500 per intentional violation or violation involving the personal information of a minor, with each affected record treated separately. The Colorado, Virginia, and Connecticut privacy laws share the same general architecture, so a privacy program designed for California is portable to most other US states with modest adjustments.

A working checklist

A practical privacy program for a US small business website in 2026 includes: a clear privacy notice naming categories collected, sources, purposes, recipients, and rights; a working privacy inbox monitored daily; a mechanism that honors the GPC signal; a “Do Not Sell or Share” link in the footer that leads to a working opt-out; a “Limit the Use of Sensitive Personal Information” link if sensitive categories are collected; a documented request-handling process with verification and a 45-day clock; an inventory of every third-party tag, pixel, and analytics script; and an annual review.

Privacy compliance has become a routine operational discipline. The cost of getting it right is modest. The cost of getting it wrong has grown with each year of enforcement.