--- title: "CCPA | DeltaV Digital Glossary" description: "CCPA is California's data privacy law giving consumers control over their personal information. Learn its marketing implications and compliance." canonical: "https://www.deltavdigital.com/resources/glossary/ccpa/" type: glossary slug: ccpa published: "2026-04-24T14:00:00-06:00" modified: "2026-04-07T22:30:58-06:00" author: Brandon Kidd --- CCPA (California Consumer Privacy Act) is a state privacy law that grants California residents the right to know what personal information businesses collect about them, to delete that information, to opt out of its sale or sharing, and to not be discriminated against for exercising those rights. ## What CCPA Means in Practice CCPA, which took effect on January 1, 2020, was the first major US data privacy law to give consumers enforceable rights over their personal information. It was later amended and expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023, and is now enforced by the California Privacy Protection Agency (CPPA). When people reference "CCPA" in practice, they're typically referring to the combined CCPA/CPRA framework that currently governs data privacy in California. The law applies to for-profit businesses that meet any of three thresholds: annual gross revenue exceeding $25 million, buying or selling the personal information of 100,000 or more California residents or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. That second threshold is the one that catches many mid-sized businesses off guard. If your website gets meaningful California traffic and you run [remarketing](https://www.deltavdigital.com/resources/glossary/remarketing-retargeting/) campaigns, use advertising pixels, or share data with third-party [analytics](https://www.deltavdigital.com/resources/glossary/analytics/) platforms, you may be "sharing" personal information with enough California consumers to trigger compliance obligations. The distinction between "selling" and "sharing" personal information is critical and often misunderstood. Under the original CCPA, the opt-out right applied to the "sale" of personal information, which many businesses interpreted narrowly as literally exchanging data for money. CPRA closed that loophole by adding "sharing," defined as making personal information available to third parties for cross-context behavioral advertising. This means that if your website loads a Meta Pixel, a Google Ads tag, or any other advertising script that transmits user data to a third party for ad targeting purposes, you're "sharing" personal information under CCPA/CPRA, even though no money changes hands. For healthcare organizations, the intersection of CCPA and HIPAA creates a layered compliance challenge. HIPAA covers protected health information (PHI) within the clinical context, but consumer health data collected through marketing channels, such as website visit patterns to specific condition pages, form submissions requesting information about treatments, or ad click data, may fall under CCPA's broader definition of personal information. A dermatology group running Google Ads campaigns for acne treatments is collecting data that HIPAA may not cover but CCPA does. The operational reality of CCPA compliance for marketing teams centers on three mechanisms: a "Do Not Sell or Share My Personal Information" link on your website, a privacy policy that discloses your data collection and sharing practices in specific detail, and a technical infrastructure that actually honors opt-out requests across your entire marketing technology stack. That last element is where most businesses fall short. Having the link on your website is the easy part. Ensuring that clicking it actually suppresses data sharing across your [tag management](https://www.deltavdigital.com/resources/glossary/tag-management/) system, advertising platforms, analytics tools, and CRM requires deliberate technical integration. CPRA also introduced the concept of "sensitive personal information," which includes precise geolocation, racial or ethnic origin, health data, and financial information. Consumers can limit how businesses use and disclose sensitive personal information, which has direct implications for location-based advertising, healthcare marketing, and financial services campaigns that rely on granular audience data. ## Why CCPA Matters for Your Marketing CCPA matters for your marketing because California represents roughly 12% of the US population and an outsized share of digital commerce. If you run digital advertising campaigns with national reach, California residents are in your audience, which means CCPA applies to how you collect, use, and share their data. Ignoring CCPA doesn't just create legal risk. It creates data quality issues: when consumers opt out and your systems don't properly suppress their data, you end up with polluted audiences, inaccurate attribution, and wasted ad spend on users who've explicitly asked not to be tracked. The enforcement landscape is real and growing. The California Attorney General's office and the CPPA have pursued enforcement actions against businesses of all sizes. According to the [IAPP's US State Privacy Legislation Tracker](https://iapp.org/resources/article/us-state-privacy-legislation-tracker/), California's law has directly inspired comprehensive privacy legislation in 19+ additional states, with more bills advancing each legislative session. Building CCPA-compliant infrastructure now prepares your marketing operations for the patchwork of state laws that are creating a de facto national privacy standard. For multi-location businesses, CCPA compliance complexity scales with operational footprint. Each location may have its own website, its own advertising campaigns, and its own data collection forms, all of which need to honor consumer opt-out requests consistently. We see this challenge frequently with healthcare networks and franchise organizations where marketing is partially centralized and partially managed at the local level. A single noncompliant location can create liability for the entire organization. ## How CCPA Works CCPA grants California consumers four core rights, each with specific operational requirements for businesses. **The right to know** requires that you disclose, upon request, the categories and specific pieces of personal information you've collected, the sources of that information, the business purposes for collecting it, and the third parties with whom you've shared it. You must respond to verified consumer requests within 45 days. **The right to delete** requires that you erase a consumer's personal information upon request, with limited exceptions (completing a transaction, detecting security incidents, exercising free speech, complying with legal obligations). The challenge for marketing teams is that personal data often exists across multiple systems: your website analytics, your CRM, your email marketing platform, your advertising audiences, your call tracking system, and your customer data platform. A deletion request means locating and removing the consumer's data from every system, not just your primary database. **The right to opt out of sale or sharing** is the most operationally significant right for digital marketing. When a consumer clicks your "Do Not Sell or Share" link, your systems must stop transmitting their data to third parties for advertising purposes. Technically, this means your consent management platform must suppress advertising pixels, retargeting scripts, and data broker integrations for that user. Global Privacy Control (GPC), a browser-level signal that automatically communicates opt-out preferences, must be honored under CPRA. If a visitor's browser sends a GPC signal, you must treat it as a valid opt-out request without requiring any additional action from the user. **Common compliance failures** include treating the opt-out link as a standalone feature rather than connecting it to your actual data sharing infrastructure, failing to recognize GPC signals, not including all categories of personal information in your privacy policy disclosures, and overlooking data sharing that occurs through advertising pixels and analytics tools. The businesses that handle CCPA well treat it as a data governance exercise that spans their entire marketing technology stack, not a checkbox on a legal compliance list. They audit every tracking script, map every data flow to a third party, and build consent management into their [tag management](https://www.deltavdigital.com/resources/glossary/tag-management/) architecture so that opt-out preferences propagate automatically across all marketing tools. ## External Resources - [California Consumer Privacy Act (CCPA) Full Text](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5) -- The authoritative legal text of the CCPA as codified in California Civil Code - [California Privacy Protection Agency (CPPA)](https://cppa.ca.gov/) -- The state agency responsible for implementing and enforcing CCPA/CPRA, including rulemaking and enforcement actions - [IAPP US State Privacy Legislation Tracker](https://iapp.org/resources/article/us-state-privacy-legislation-tracker/) -- Comprehensive tracker of state privacy laws across the US, showing how CCPA has influenced legislation nationwide - [Google Privacy Sandbox and Compliance Resources](https://privacysandbox.com/) -- Google's evolving approach to privacy-preserving advertising technologies that intersect with CCPA compliance requirements - [IAB CCPA Compliance Framework](https://iabtechlab.com/standards/ccpa/) -- The Interactive Advertising Bureau's technical framework for implementing CCPA opt-out signals across the digital advertising ecosystem ## Frequently Asked Questions ### What is CCPA in simple terms? CCPA is a California law that gives residents the right to know what personal data businesses collect about them, to have that data deleted, and to opt out of having their data sold or shared with third parties for advertising purposes. It applies to for-profit businesses that meet certain size or data processing thresholds. Think of it as California's version of Europe's GDPR, though the two laws differ in important ways, particularly around consent models and enforcement mechanisms. ### How does CCPA differ from GDPR? The biggest structural difference is the consent model. GDPR requires opt-in consent before you can process personal data for marketing purposes. CCPA uses an opt-out model, meaning you can collect and share data by default, but must provide consumers with a clear mechanism to stop that sharing. CCPA also has specific revenue and data volume thresholds that determine which businesses must comply, while GDPR applies to any organization processing EU residents' data regardless of size. CPRA narrowed some of these differences by adding sensitive personal information protections and a dedicated enforcement agency, making the laws more similar than they were originally. ### Does CCPA apply to my business if I'm not in California? Yes, if your business meets the applicability thresholds and collects personal information from California residents. CCPA applies based on where the consumer is located, not where the business operates. If you run digital advertising campaigns that reach California residents, collect form submissions from California visitors, or use analytics and advertising tools that process data from California users, the law likely applies. The practical question isn't whether CCPA applies but whether your California data exposure is large enough to warrant formal compliance infrastructure. ### How does CCPA compliance connect to SEO and digital marketing strategy? CCPA compliance affects the tracking and measurement infrastructure that both paid and [organic SEO](https://www.deltavdigital.com/services/organic/seo/) strategies depend on. When consumers opt out of data sharing, you lose remarketing audiences, attribution data, and conversion tracking signals for those users. This makes first-party data strategies, consent-aware analytics, and server-side tracking more important for maintaining marketing performance within compliance boundaries. DeltaV builds privacy-compliant tracking architectures that preserve data quality while honoring consumer rights across all marketing channels. ### What happens if my business doesn't comply with CCPA? The California Attorney General and the CPPA can bring enforcement actions with fines up to $2,500 per unintentional violation and $7,500 per intentional violation. Because violations are calculated per consumer per incident, penalties can scale rapidly. CCPA also includes a private right of action for data breaches, allowing consumers to sue for $100-750 per incident in statutory damages. Beyond legal penalties, noncompliance creates practical marketing problems: inconsistent data handling degrades audience quality, breaks attribution models, and creates trust issues with increasingly privacy-aware consumers. ### What is CPRA and how does it change CCPA? CPRA (California Privacy Rights Act) is a 2020 ballot initiative that amended and expanded CCPA, taking effect January 1, 2023. Key changes include the addition of "sharing" to the opt-out right (closing the advertising pixel loophole), creation of the sensitive personal information category with a separate right to limit its use, establishment of the California Privacy Protection Agency as a dedicated enforcement body, and new requirements around data minimization and purpose limitation. For marketing teams, the most impactful change is that CPRA explicitly classified cross-context behavioral advertising as "sharing," meaning advertising pixels and retargeting scripts now trigger opt-out obligations even though no data is technically "sold." ## Related Resources - [The Ultimate SEO Checklist: A Complete Guide for 2026](https://www.deltavdigital.com/resources/guides/seo-checklist/) -- Covers the technical infrastructure including tracking setup and analytics configuration that CCPA compliance directly affects - [Zero-Click Marketing: How to Win Customers When Google Doesn't Send the Click](https://www.deltavdigital.com/resources/blog/zero-click-marketing/) -- Explores first-party data strategies and owned channel approaches that become more important as privacy regulations restrict third-party data sharing - [SEO Metrics That Actually Matter in 2026](https://www.deltavdigital.com/resources/blog/seo-metrics/) -- Covers measurement frameworks that must account for consent-driven data gaps created by CCPA opt-out behavior ## Related Glossary Terms - **GDPR:** The European Union's comprehensive data privacy regulation. CCPA and GDPR share core principles around consumer data rights but differ in consent models, applicability thresholds, and enforcement mechanisms. - **Cookie Consent:** The mechanism for obtaining user permission before setting non-essential cookies. CCPA requires an opt-out mechanism for data sharing rather than GDPR's opt-in consent model, but both depend on consent management infrastructure. - **[Remarketing / Retargeting](https://www.deltavdigital.com/resources/glossary/remarketing-retargeting/):** Advertising to users who have previously visited your website. CCPA/CPRA classifies the data sharing that powers remarketing as subject to consumer opt-out rights. - **[Analytics](https://www.deltavdigital.com/resources/glossary/analytics/):** The collection and analysis of digital marketing data. CCPA opt-out behavior directly impacts analytics completeness, making privacy-aware measurement strategies essential for accurate reporting.