Who must comply with CCPA: Understanding business eligibility and requirements

With growing concerns over data misuse, lack of transparency, and unauthorized sharing of personal information, businesses face mounting pressure to comply with stricter privacy regulations.
In this light, the California Consumer Privacy Act (CCPA) is a state-wide data privacy law that grants Californian consumers greater control over their data, while requiring businesses to implement transparency and security measures.
However, as of 2023, only 11% of companies are fully CCPA-compliant, exposing them to legal risks and reputational damage.
In this blog, we'll break down who needs to comply with CCPA, key compliance requirements, and how businesses can navigate these regulations to avoid legal risks and protect consumer data.
Is CCPA mandatory?
Yes, CCPA compliance is mandatory for for-profit businesses that meet specific thresholds. Non-compliance can result in fines and legal penalties.
CCPA penalties in 2025 have risen: up to $2,663 per unintentional violation and $7,988 per intentional violation, with fines applied automatically for violations involving minors’ data (which previously required proof of harm). Additionally, consumers can file private lawsuits for data breaches caused by negligence, with statutory damages ranging from $100 to $750 per affected consumer, or actual damages, whichever is greater.
In view of this, businesses across the affected industries must prioritize CCPA compliance to avoid legal risks while maintaining customer trust.
Who needs to comply with CCPA?
The California Privacy Rights Act (CPRA), effective January 1, 2023, amended and expanded CCPA’s scope by introducing stricter compliance requirements and additional consumer rights, further strengthening data protection obligations for businesses.
The CCPA applies to for-profit businesses that collect, share, or sell personal data of California residents and meet at least one of the following criteria:
- Its annual gross revenue exceeds $25 million.
- It buys, sells, or shares personal information of 100,000 or more consumers, households, or devices per year.
- It derives at least 50% of its annual revenue from selling or sharing personal information of California residents.
Industries that require CCPA compliance
Several industries are particularly affected by CCPA (as amended by CPRA) due to the nature of their data collection and business operations:
- Technology and social media – These businesses collect and process large volumes of user data for targeted advertising, content personalization, and analytics. Compliance is essential to meet transparency, opt-out, and data minimization requirements.
- E-commerce and retail – Online retailers collect payment details, purchasing behavior, and personal preferences, requiring strong data security and privacy disclosures to ensure consumer trust and avoid non-compliance penalties.
- Healthcare and life sciences – While HIPAA governs protected health information (PHI), CCPA applies to businesses handling health-related data outside HIPAA’s scope, such as fitness apps and direct-to-consumer genetic testing companies.
- Financial services and insurance – These companies handle sensitive financial and personal data and must comply with GLBA for financial data. However, CCPA/CPRA may still apply to other personal information they collect, such as employee or marketing data. Ensuring compliance with both frameworks is essential for broader privacy protection.
- Marketing and advertising – CCPA restricts the sale and sharing of consumer data for targeted ads. Advertisers must provide opt-out mechanisms and ensure transparency in third-party data-sharing agreements.
- Hospitality and travel – Hotels, airlines, and travel agencies collect detailed consumer profiles, including payment details and geolocation data, making compliance crucial to protect consumer privacy and prevent unauthorized data use.
- Education and EdTech – Educational platforms collecting student and parent data must comply with CCPA’s stricter rules for minors, particularly regarding parental consent and data-sharing restrictions.

What are the CCPA compliance requirements?
The CCPA, as amended by the CPRA, imposes several compliance requirements on businesses that collect personal information from California residents.
Here are the key obligations:
1. Privacy notices and right to disclosure
- Businesses must inform consumers about what data is collected (whether online or offline) and how it will be used at or before the point of data collection.
- A Privacy Policy must be accessible and updated annually, detailing the categories of data collected, sources, purpose, third-party sharing, and consumer rights and how to exercise them.
2. Right to access
- Consumers can request to know what personal information a business has collected about them.
- They can request a copy of their personal data held by a business.
- This includes details about sources, third parties it was shared with, and the purpose of processing.
3. Right to deletion
Consumers can request the deletion of their personal data, unless an exemption applies, such as:
- Legal compliance requirements
- Contractual obligations
- Security purposes (e.g., fraud prevention)
4. Right to opt-out of sale or sharing
If a business sells or shares personal data, it must:
- Provide a “Do Not Sell or Share My Personal Information” link on its website
- Honor opt-out requests
- Pass opt-out requests downstream to third parties unless an exception applies
5. Right to correct information
- Consumers can request corrections to inaccurate personal information held by a business.
6. Right to limit the use of sensitive personal information
- If a business collects sensitive personal data (e.g., Social Security numbers, biometric data, precise geolocation), consumers must have an option to limit its use to only necessary purposes.
7. Non-discrimination
- Businesses cannot deny services, charge different prices, or provide lower-quality service based on a consumer exercising their CCPA rights. However, businesses can offer financial incentives for data collection if they disclose how consumer data affects pricing.
8. Data protection and security measures
- Businesses must implement reasonable security procedures to protect personal data.
- Data breach liability: Consumers can sue if a breach occurs due to inadequate security, with statutory damages between $100 and $750 per incident.
9. Mandatory contractual agreements
- Businesses that share data with service providers or third parties must have contracts in place ensuring compliance with CCPA and CPRA regulations.
10. Employee and B2B data protections (as of CPRA, 2023)
The CPRA extended privacy rights to employees, contractors, and business contacts, which requires:
- Privacy disclosures similar to consumer protections
- Opt-out options for the sale or sharing of employee or business contact data
Who needs to document CCPA compliance?
Any business subject to CCPA—especially those handling large volumes of California consumer data—may need to maintain compliance documentation to demonstrate adherence to privacy requirements. This could include internal assessments, data processing records, or third-party compliance reviews.
How often is a CCPA compliance review required?
CCPA does not mandate regular audits, but businesses should review compliance at least annually or whenever there are significant changes in data processing practices.
Simplify CCPA compliance with Scrut
Navigating CCPA compliance can be complex, but Scrut makes it effortless. With automated data mapping, real-time monitoring, and pre-mapped privacy controls, you can ensure continuous compliance without the manual overhead.
Scrut helps businesses streamline data access requests (DSARs), risk assessments, and vendor privacy reviews—all in one centralized platform.
Stay audit-ready, avoid hefty fines, and build consumer trust with a proactive privacy compliance approach. Let Scrut handle the complexities, so you can focus on growing your business. Get started today!
What’s more, Scrut’s Compliance Framework Finder helps businesses identify the right framework, ensuring they stay on the best path to achieving compliance.
FAQs
Does CCPA apply to small businesses?
CCPA applies to businesses that meet specific revenue, data-processing, or data-selling thresholds, regardless of size. However, small businesses that act as service providers—processing personal data on behalf of CCPA-covered entities—must comply with contractual obligations related to consumer data protection.
How does CCPA impact businesses outside California?
The CCPA applies to any business, regardless of location, that collects, processes, or sells personal information of California residents and meets the compliance thresholds. This means out-of-state and even international businesses may need to comply if they handle data from California consumers.
What are the key differences between CCPA and CPRA?
The CPRA (California Privacy Rights Act) amended and strengthened the CCPA by introducing new consumer rights, expanding the definition of sensitive personal information, and establishing the California Privacy Protection Agency (CPPA) to enforce compliance. It also eliminated the 30-day cure period for violations, making penalties more immediate.
Why is CCPA compliance important?
CCPA compliance is crucial for protecting consumer privacy and ensuring transparency in data collection, sharing, and sales. It grants California residents control over their personal information, including the right to access, delete, and opt out of data sales. For businesses, compliance helps build trust, prevent legal risks, and enhance data security, reducing the likelihood of costly penalties and reputational damage.