What the CCPA is and why it matters for your business
This is a practical CCPA guide and FAQ for businesses, particularly marketing and RevOps teams managing data-driven GTM programs. The California Consumer Privacy Act has been in effect since January 1, 2020, with CPRA amendments taking effect January 1, 2023. If your business collects, uses, or shares personal data about California residents, this guide covers what the law requires, how it has evolved, and what your compliance program needs to reflect today.
Data-driven marketing and RevOps teams are navigating these requirements much like they prepared for the GDPR ahead of May 2018. Several states, including Virginia, Colorado, and Connecticut, have since enacted their own consumer privacy laws modeled in part on the CCPA framework. Understanding the CCPA is the foundation for understanding the broader state privacy landscape.
This CCPA guide and FAQ covers the law's scope, the rights it grants consumers, how CCPA and CPRA relate to each other, and the practical steps your team needs to take to stay compliant.
DISCLAIMER: The purpose of this article is to provide additional information and resources of a general nature about the CCPA. ZoomInfo does not intend for it to serve as legal or business advice or recommendations about handling consumer privacy within your unique business, and you should not construe it as such.
What the CCPA protects and who it covers
The CCPA was created to protect the privacy and personal data of consumers who live within the state of California. This privacy law gives consumers the right to request that a business disclose details about the personal information it collects about them.
According to the official CCPA website, the act provides California residents with the following six rights:
The right to know about the personal information a business collects about them and how it is used and shared
The right to delete personal information collected from them (with some exceptions)
The right to opt-out of the sale or sharing of their personal information
The right to non-discrimination for exercising their CCPA rights
The right to correct inaccurate personal information that a business holds about them (added by CPRA)
The right to limit the use and disclosure of sensitive personal information (added by CPRA)
Ownership of personal information
The CCPA grants consumers the right to know what information businesses are collecting about them. The act also gives consumers the right to tell businesses they cannot use their personal information.
Consumers may request that a business disclose the types of personal information it collects, the purpose of collecting that information, and who the information is being sold to. They may exercise these requests twice per year, free of charge.
Protection for those who do not provide businesses with access to their personal information
The CCPA prevents discrimination against residents who do not allow a business to sell their personal data. If a consumer tells a business not to share their data, that business cannot charge the consumer more for services, deny them services, or offer services of lesser quality.
Corporations must include a clickable link within their privacy policy that reads "Do not sell or share my data." This option must be displayed on any page where a business collects personal information. Businesses cannot hide this option or make it difficult to find.
More security and protection against data breaches
The CCPA requires businesses to implement "reasonable security measures" to protect California residents' personal information from potential data breaches. Businesses are subject to increased fines and penalties if they do not take adequate measures to safeguard the personal information they have collected from sales prospects and customers.
CCPA vs. CPRA: what changed in 2023
The CPRA amended the CCPA; it did not create a separate new law. The California Privacy Protection Agency (CPPA) typically refers to the combined law simply as "CCPA" or "CCPA, as amended." The CPRA amendments took effect January 1, 2023. Understanding the CCPA vs. CPRA distinction matters for compliance programs because the amended version carries materially different obligations than the original 2018 law.
| Dimension | CCPA 2018 | CCPA as amended by CPRA 2023 |
|---|---|---|
| Consumer rights | 4 rights | 6 rights (added: right to correct, right to limit sensitive PI use) |
| Business thresholds | 50,000 consumers or households | 100,000 consumers or households |
| Enforcement body | California Attorney General | California Privacy Protection Agency (CPPA) |
| New obligations | None beyond original rights | Data minimization, purpose limitation, sensitive PI restrictions |
| Effective date | January 1, 2020 | January 1, 2023 |
All CPRA obligations are technically CCPA obligations; the CPRA did not create a parallel law. Compliance programs should reference the current amended version of the CCPA rather than the original 2018 text. If your privacy notices, vendor agreements, or internal policies were last updated before January 2023, they almost certainly need revision.
Does CCPA apply to your business? Three thresholds to check
The CCPA applies to any for-profit organization that does business in California, collects California residents' personal data, and meets at least one of the following three thresholds:
Annual gross revenue over $25 million
Buys, sells, receives, or shares the personal information of 100,000 or more consumers or households per year
Derives 50% or more of annual revenues from selling or sharing consumers' personal information
Meeting any single threshold triggers CCPA compliance obligations; you do not need to meet all three.
What if your business is a service provider? Service providers that process data on behalf of a covered business have their own CCPA obligations under service provider agreements, even if they do not independently meet the thresholds. If your business processes personal data under contract for a covered business, review your agreements to confirm they include the required CCPA contractual provisions.
Impact checklist
To help your team discuss the implications for your business, here are questions to ask:
Do we meet any of the three CCPA applicability thresholds?
What does our business need to do to be compliant?
How can our customers opt out directly from the website?
What other information should be on our website?
Should we add language to our contracts (existing and new ones)?
Is there anything we need to address in terms of data and security breaches?
Do we need any certifications or third-party audits?
How CCPA defines personal information (and what it excludes)
The CCPA defines "personal information" as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
CCPA documentation provides specific examples of personal data. The list includes, but is not limited to, the following:
Identifiers such as a real name, alias, address, email address, Social Security number, license number, passport number, or similar identifiers
Commercial information including property records, product purchases, and other consumer histories and tendencies
Biometric data such as fingerprints and facial recognition data
Internet or network activity data, such as IP addresses, browsing history, search history, and interactions with online sites or advertisements
"Personal information" does not include publicly available information. As it pertains to CCPA, publicly available information refers to data that is lawfully made available by federal, state, or local government records. Public data is not considered personal information.
The following are examples of publicly available information, which is not subject to CCPA regulations:
Government real estate records and security interest filings
Widely distributed media sources, such as a telephone book, television or radio, online or print publications
Mortgage information included on public records
The CPRA added a new category: sensitive personal information. This includes Social Security numbers, precise geolocation, racial or ethnic origin, health data, financial account credentials, and sexual orientation. Sensitive personal information carries additional restrictions under the amended CCPA, including the consumer's right to limit its use and disclosure.
CCPA vs. GDPR: key differences for data-driven businesses
The CCPA and GDPR have many similarities in terms of how they protect personal data, but there are several key differences between the two regulations.
The GDPR applies to data controllers and data processors. The CCPA only applies to for-profit businesses that meet one of the three applicability thresholds. The GDPR also provides consumers the right to correct inaccurate personal data and restrict or object to data processing. The original CCPA did not include these rights, though the CPRA added the right to correct in 2023.
For a detailed breakdown of GDPR requirements, see our GDPR compliance guide.
The CCPA includes requirements the GDPR does not. These include adding a "Do Not Sell or Share My Personal Information" option on business websites, disclosing personal information sale or collection to the consumer, and nondiscriminatory treatment of consumers who exercise their CCPA rights. GDPR-compliant businesses should not assume CCPA compliance; the two laws differ in meaningful ways on opt-out mechanics, threshold criteria, and specific consumer rights.
How to make your business CCPA compliant: a step-by-step roadmap
Building a CCPA compliance program requires cross-functional coordination. The steps below reflect the current amended version of the law and are organized with role ownership to help your team assign accountability. Use this as a practical CCPA guide for operationalizing your compliance program.
Step 1: Data mapping and inventory (Legal / IT)
Identify every category of personal information your business collects, where it comes from, how it is used, where it is stored, and who it is shared with. A complete data map is the foundation for every other compliance step; without it, you cannot accurately update your privacy notices, respond to consumer requests, or assess vendor risk.
Step 2: Privacy notice update (Legal / Marketing)
Update your privacy notices to reflect all six current consumer rights under the amended CCPA. If your notices were last updated before January 2023, they almost certainly omit the right to correct and the right to limit sensitive PI use. Notices must also describe the categories of personal information collected, the purposes for collection, and how consumers can submit requests.
Step 3: Consumer request intake build (IT / Legal)
Provide at least two methods for consumers to submit requests about their personal information. At a minimum, these must include a toll-free telephone number and at least one additional method such as a designated email address or online form. Establish protocols to respond to consumer requests within 45 days of receiving them.
Step 4: Vendor and service provider agreements (Legal / Procurement)
Review all data-sharing agreements with third parties to confirm they include CCPA-required contractual provisions. Service providers, contractors, and third parties that receive personal information must be bound by written agreements that restrict how they can use that data. This step is frequently overlooked and is a common source of enforcement exposure.
Step 5: Staff training (HR / Legal / Marketing)
Educate your entire staff on the key requirements of CCPA compliance, including how to handle consumer requests, what constitutes personal information, and what the consequences of non-compliance are. Training should be documented and repeated when the law changes or your data practices change.
Step 6: Ongoing monitoring and audit (Legal / RevOps)
Assess and document your data security practices to ensure your business takes the necessary steps to avoid data theft and security breaches. Establish a cadence for reviewing your compliance program, at minimum annually, and whenever your data collection or sharing practices change materially.
Step 7: Data broker registration if applicable (Legal / Compliance)
If your business sells personal information about California consumers to third parties, you may qualify as a data broker and must register annually with the California Privacy Protection Agency. Failure to register can result in penalties of $100 per day of non-registration. Assess whether your data-sharing practices meet the data broker definition and consult legal counsel.
Verifying customer privacy requests
Once a consumer submits an opt-out request, your business must honor that decision for at least 12 months before asking the consumer to reconsider. Any business subject to CCPA needs to have a "Do Not Sell or Share My Personal Information" link displayed conspicuously on the website homepage and on any page where personal information is collected.
Under the CPRA amendments, businesses must also honor Global Privacy Control (GPC) signals as an automatic opt-out mechanism. GPC is a browser-level signal that communicates a consumer's opt-out preference, and the CPPA treats honoring it as an enforcement priority rather than an optional best practice. Configure your website to recognize and honor GPC signals automatically.
Businesses must also provide a toll-free phone number for California residents to exercise their rights under CCPA.
Common CCPA compliance mistakes and how to avoid them
Even well-intentioned CCPA compliance programs have gaps. These are the most common mistakes and how to address them.
Not updating privacy notices after CPRA amendments. The CPRA added two new consumer rights and introduced sensitive personal information restrictions, both of which require disclosure in your privacy notice. Businesses that have not updated their notices since before January 2023 are likely out of compliance. Audit your privacy notice against all six current consumer rights and update accordingly.
Ignoring Global Privacy Control (GPC) signals. Some businesses treat GPC as an optional or aspirational requirement. The CPPA has made clear that honoring GPC as an automatic opt-out is an enforcement priority, not a best practice. Configure your website to recognize GPC signals and process them as opt-out requests without requiring additional consumer action.
Inadequate vendor and service provider agreements. Sharing personal information with a vendor without a compliant service provider agreement exposes your business to liability for how that vendor uses the data downstream. Review all data-sharing agreements to confirm they include the CCPA-required contractual restrictions on data use.
Missing data broker registration. If your business sells personal information about California consumers to third parties, you may be required to register annually with the California Privacy Protection Agency. Penalties for non-registration are $100 per day. Assess whether your data-sharing practices meet the data broker definition and register if required.
Insufficient identity verification for consumer requests. Responding to a consumer request without adequate identity verification risks disclosing personal information to an unauthorized requester. Implement a documented verification process that is proportionate to the sensitivity of the data being requested: stricter verification for financial or health data, lighter verification for general contact information.
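The GPC handling described under "Verifying customer privacy requests" and in the "Ignoring Global Privacy Control (GPC) signals" mistake above, as an added example that is not ZoomInfo's code or any vendor's API. It assumes the two GPC carriers defined by the GPC specification (the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` browser property) and a constructed consumer preference record with hypothetical field names (`optedOutOfSaleOrShare`, `optOutAt`, `optOutSource`).

```javascript
// Added example: honouring Global Privacy Control (GPC) as an automatic
// opt-out of sale/sharing under the amended CCPA. Not the page's or ZoomInfo's code.
//
// GPC reaches a site two ways, both defined by the GPC specification:
//   - the HTTP request header  Sec-GPC: 1
//   - the DOM property         navigator.globalPrivacyControl === true
// Only the value "1" expresses an opt-out. A missing header expresses no
// preference at all, so its absence must never be read as consent to sell/share.

/** True when the request headers carry a valid GPC opt-out signal. */
function gpcFromHeaders(headers) {
  // Header names are case-insensitive; normalise before lookup.
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

/** True when a browser-side navigator object reports GPC (client-side check). */
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

/**
 * Applies one request to a consumer's preference record and returns a new record
 * (inputs are not mutated, so the before/after pair can be written to an audit log).
 *
 *  1. A GPC signal is processed as an opt-out immediately, with no extra
 *     consumer action (the CPPA enforcement point in the text above).
 *  2. An existing opt-out is never cleared by a later request that merely lacks
 *     the signal; re-enabling sale/share needs an explicit consumer action.
 */
function applyGpcSignal(record, request, now = new Date()) {
  const signalled = gpcFromHeaders(request.headers) || gpcFromNavigator(request.navigator);
  const next = { ...record };
  if (signalled && !record.optedOutOfSaleOrShare) {
    next.optedOutOfSaleOrShare = true;
    next.optOutSource = "GPC";
    next.optOutAt = now.toISOString();
  }
  return next;
}

/**
 * The opt-out must be honoured for at least 12 months before the business may
 * ask the consumer to reconsider. Month arithmetic is done in UTC so the window
 * does not depend on the server's local timezone.
 */
function mayAskToReconsider(record, now = new Date()) {
  if (!record.optedOutOfSaleOrShare) return true;
  const earliest = new Date(record.optOutAt);
  earliest.setUTCMonth(earliest.getUTCMonth() + 12);
  return now.getTime() >= earliest.getTime();
}

/** Body for /.well-known/gpc.json, the spec's way of declaring that the site honours GPC. */
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample: a visitor whose browser sends Sec-GPC on 1 March 2024.
const sampleRecord = { consumerId: "c-0001", optedOutOfSaleOrShare: false }; // hypothetical record
const sampleRequest = { headers: { "Sec-GPC": "1", "User-Agent": "constructed/1.0" } };
const updated = applyGpcSignal(sampleRecord, sampleRequest, new Date("2024-03-01T00:00:00Z"));
console.log(updated, mayAskToReconsider(updated, new Date("2024-09-01T00:00:00Z")));
```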
What CCPA means for marketing and RevOps teams
CCPA directly governs how marketing teams collect, use, and share personal data. Audience building, form data collection, website visitor identification, and intent signal activation all involve personal information about California residents. If your GTM programs touch any of these activities, and most do, your marketing data practices fall within the scope of the law.
This is not just a legal department concern. Marketing and RevOps teams are often the primary owners of the systems and workflows that collect and activate personal data: marketing automation platforms, CRMs, ad targeting tools, and website analytics. Understanding what the CCPA requires is a prerequisite for building GTM programs that can operate at scale without compliance exposure.
ZoomInfo, an all-in-one AI GTM Platform, is certified under ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe CCPA Practices Validation. These certifications reflect a compliance posture built for enterprise marketing and RevOps teams that need a verified data foundation they can activate without building their own compliance infrastructure from scratch. For teams operating in regulated industries or running multi-state campaigns, third-party certification provides a meaningful trust signal for both internal stakeholders and enterprise procurement reviews.
The verified data foundation underpinning the platform spans 500M contacts and 200M+ verified business emails, processed across 1.5B+ data points daily. That scale matters for CCPA compliance because it reflects a multi-source verification model: rather than relying on raw personal data collection from individual consumer touchpoints, the platform fuses verified B2B data with behavioral signals through the GTM Context Graph, the intelligence layer that surfaces in-market accounts based on aggregated buying signals rather than individual consumer tracking. Marketing teams can build and target high-intent audiences without the compliance overhead of building their own data collection and verification infrastructure. GTM Studio extends that capability to the execution layer, letting marketing and RevOps teams build and activate consent-aware audiences without engineering tickets, so the gap between insight and campaign launch shrinks from weeks to hours.
See how ZoomInfo helps marketing and RevOps teams build compliant, high-performance GTM programs: request a demo.
The future of state-level data privacy
California was the first state to implement consumer privacy regulations in the U.S., but it is not the last. Virginia, Colorado, Connecticut, Texas, Montana, and more than a dozen other states have enacted their own consumer privacy laws since 2020, many modeled on the CCPA framework.
The compliance requirements across GDPR, CCPA, and emerging state laws differ in meaningful ways, particularly around opt-out mechanisms, data subject request timelines, and the definition of personal information. Marketing and RevOps teams managing multi-state or international campaigns need to map each regulation's requirements to their specific data collection and activation workflows.
As the world of data and GTM intelligence continues to evolve, these protection acts are a step in the right direction when it comes to data security and responsibility.
CCPA FAQ: frequently asked questions
This CCPA FAQ covers the top questions marketers, RevOps practitioners, and business leaders ask about the law. For questions specific to your business's circumstances, consult qualified legal counsel.
What is the difference between CCPA and CPRA?
The CPRA (Proposition 24) amended the CCPA; it did not create a separate new law. The CPPA refers to the combined law as "CCPA" or "CCPA, as amended." The CPRA amendments took effect January 1, 2023, adding two new consumer rights (right to correct inaccurate personal information, right to limit sensitive PI use), raising the data volume threshold from 50,000 to 100,000 consumers, creating the California Privacy Protection Agency as the dedicated enforcement body, and introducing data minimization and purpose limitation obligations. Compliance programs should ensure they are referencing the current amended version of the law, not the original 2018 text.
Does CCPA apply to B2B data?
CCPA applies to personal information of California residents, which can include business contact information when it identifies or is reasonably linked to an individual, for example, a named employee's work email address or direct phone number. B2B data vendors, lead generation companies, and marketing technology providers that collect, sell, or share such information about California residents may be subject to CCPA obligations, including data broker registration requirements. Businesses should assess whether their B2B data practices meet the CCPA's applicability thresholds and consult legal counsel for their specific situation.
What are the penalties for violating CCPA?
Under California Civil Code, businesses face civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Privacy Protection Agency. Consumers also have a private right of action for data breaches involving certain categories of personal information, with statutory damages between $100 and $750 per consumer per incident, or actual damages if greater. For context: a breach affecting 10,000 California residents could expose a business to up to $7.5 million in statutory damages under the private right of action alone.
How does CCPA differ from GDPR?
GDPR applies to data controllers and processors handling EU residents' data regardless of where the business is located; CCPA applies to for-profit businesses meeting specific revenue or data volume thresholds that do business in California. GDPR gives consumers the right to correct inaccurate data and restrict processing; the original CCPA did not include these rights (the CPRA added the right to correct in 2023). CCPA adds requirements GDPR does not have: a "Do Not Sell or Share My Personal Information" link, nondiscriminatory treatment for consumers who exercise rights, and data broker registration. GDPR compliance does not guarantee CCPA compliance. For a deeper breakdown of GDPR requirements, see our GDPR compliance guide.
Does my business need to register as a data broker under CCPA?
Businesses that sell personal information about California consumers to third parties may qualify as data brokers under CCPA and must register annually with the California Privacy Protection Agency. This includes B2B data vendors, lead generation companies, and marketing technology providers that share contact data. Registration exposes the business's contact details and opt-out procedures to consumers through the California Data Broker Registry. Failure to register can result in penalties of $100 per day of non-registration. Businesses should assess whether their data-sharing practices meet the data broker definition and consult legal counsel.
Is this article legal advice?
No. This article is intended to provide general information and resources about the CCPA. It does not constitute legal advice, regulatory guidance, or recommendations about handling consumer privacy within your specific business. The CCPA's requirements vary based on your business's specific circumstances, data practices, and applicable regulations. Consult qualified legal counsel for advice tailored to your situation. ZoomInfo's compliance certifications (ISO 27001, ISO 27701, SOC 2 Type II, TRUSTe CCPA Practices Validation) reflect our own compliance posture and are not a substitute for your organization's independent compliance assessment.
