Quick Answer

The California law most businesses call "CCPA" is no longer really CCPA. The 2020 California Privacy Rights Act (CPRA) amended and expanded the original statute, created the California Privacy Protection Agency, and started full enforcement in 2023. Any provider of CCPA compliance services for websites that still describes the rules the way they looked in 2020 is working from an outdated playbook.

The California Attorney General and the new agency have both begun issuing public enforcement actions, including six- and seven-figure settlements. The rules are real, the thresholds are low, and the quiet assumption that enforcement only targets Big Tech is wrong.

Who Actually Has to Comply

The coverage thresholds catch far more businesses than most people expect. A company has to comply if it does business in California (it does not have to be based there) and meets any one of three tests: annual gross revenue over $25 million, buying or selling the personal information of 100,000 or more California residents or households per year, or deriving 50 percent or more of annual revenue from selling or sharing personal information.

The 100,000-resident threshold is where most businesses get surprised. An ad-supported site with a million monthly visitors, 15 percent of whom are Californian, clears it easily. Any ecommerce brand with a meaningful US customer base clears it. "Sharing" under CPRA covers cross-context behavioral advertising — so if you run Meta pixels or Google Ads retargeting, you are almost certainly sharing by the statute's definition, whether or not money changes hands.

The Rights You Have to Honor

California residents have seven operational rights under the current law. The right to know what categories and specific pieces of personal information you have collected about them. The right to delete. The right to correct inaccurate information. The right to opt out of the sale or sharing of their data. The right to limit use of sensitive personal information. The right to data portability. The right to non-discrimination for exercising any of the above.

The key operational detail is timing. Consumer requests have to be confirmed within 10 business days and substantively answered within 45 calendar days, with a one-time 45-day extension if needed. Many businesses that installed a "Do Not Sell" link two years ago never built the workflow to actually process the requests that come through it. When the agency audits, it asks to see a log of requests received, confirmed, and fulfilled — and that log is where undisciplined programs fall apart.
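The timing rules above translate directly into a request log that tracks deadlines. The following is an added example, not code from the original article or from any compliance vendor: it computes the confirm-by date (10 business days), the respond-by date (45 calendar days, or 90 with the one-time extension) and flags late entries. It assumes business days are Monday to Friday with no holiday calendar, dates are handled in UTC as YYYY-MM-DD strings, and the `sampleLog` entries are constructed for illustration.

```javascript
// Added example: CCPA consumer-request deadline tracking.
// Assumptions: Mon-Fri business days, no holiday calendar, UTC dates.
const MS_PER_DAY = 86_400_000;

function parseDate(s) { return new Date(`${s}T00:00:00Z`); }
function fmt(d) { return d.toISOString().slice(0, 10); }
function addCalendarDays(d, n) { return new Date(d.getTime() + n * MS_PER_DAY); }

// Advance n business days; the received day itself is day 0 and
// Saturdays/Sundays are skipped (0 = Sunday, 6 = Saturday in getUTCDay()).
function addBusinessDays(d, n) {
  let cur = new Date(d.getTime());
  let remaining = n;
  while (remaining > 0) {
    cur = addCalendarDays(cur, 1);
    const dow = cur.getUTCDay();
    if (dow !== 0 && dow !== 6) remaining--;
  }
  return cur;
}

// Statutory deadlines for a request received on the given date.
// The 45-day extension may be invoked once, giving 90 calendar days total.
function deadlinesFor(receivedOn, { extended = false } = {}) {
  const received = parseDate(receivedOn);
  return {
    confirmBy: fmt(addBusinessDays(received, 10)),
    respondBy: fmt(addCalendarDays(received, extended ? 90 : 45)),
  };
}

// Evaluate every log entry as of a given date. An entry is
// { id, type, receivedOn, confirmedOn?, fulfilledOn?, extended? }.
// A missing confirmation or fulfilment is late once "asOf" passes the deadline.
function auditLog(entries, asOf) {
  const today = parseDate(asOf);
  return entries.map(e => {
    const d = deadlinesFor(e.receivedOn, { extended: Boolean(e.extended) });
    const confirmLate = e.confirmedOn
      ? parseDate(e.confirmedOn) > parseDate(d.confirmBy)
      : today > parseDate(d.confirmBy);
    const respondLate = e.fulfilledOn
      ? parseDate(e.fulfilledOn) > parseDate(d.respondBy)
      : today > parseDate(d.respondBy);
    const status = e.fulfilledOn ? 'fulfilled' : e.confirmedOn ? 'confirmed' : 'received';
    return { id: e.id, type: e.type, ...d, confirmLate, respondLate, status };
  });
}

// Constructed sample log (not real requests): one late confirmation that is
// also overdue on response, one fulfilled on time, one with the extension used.
const sampleLog = [
  { id: 'REQ-1', type: 'delete',  receivedOn: '2025-03-03', confirmedOn: '2025-03-18' },
  { id: 'REQ-2', type: 'know',    receivedOn: '2025-03-07', confirmedOn: '2025-03-10', fulfilledOn: '2025-04-15' },
  { id: 'REQ-3', type: 'correct', receivedOn: '2025-03-03', confirmedOn: '2025-03-05', extended: true },
];

// Returns the audit of the sample log as of 2025-04-20.
function auditSample() {
  return auditLog(sampleLog, '2025-04-20');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditSample());
}
```

The audit flags REQ-1 twice: confirmed a day late and still unanswered after the 45-day window. That is exactly the kind of entry an agency reviewer will pick out of the log, so the tracker should be run on a schedule rather than only when a request arrives.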

Global Privacy Control: The Signal Nobody Expected to Matter

Global Privacy Control (GPC) is a browser-level signal that tells websites the user has opted out of data sale and sharing. California regulators have explicitly confirmed that honoring GPC is required for CCPA compliance — a site cannot argue that only clicking the "Do Not Sell" link counts. Sephora's $1.2 million settlement in 2022 was the public marker on this: one of the cited violations was failure to honor GPC.

Technically, the fix is the opposite of hard. The consent management platform reads the Sec-GPC request header or the navigator.globalPrivacyControl property, treats that signal as an opt-out, and suppresses downstream advertising scripts and sale-related cookies. The implementation failure is usually that the banner was installed for a different regime — often European — and never configured to respect GPC at all. A cookie compliance partner worth hiring will test for GPC response as a baseline deliverable, not an optional extra.
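To make the GPC handling concrete, here is an added example (not code from the original article or from any consent management platform) that detects the signal both ways and gates tags that sell or share data. It assumes the header form `Sec-GPC: 1` as defined by the GPC specification, takes the navigator object as a parameter so it can run outside a browser, and uses a constructed `gatedTags` registry whose tag ids are illustrative.

```javascript
// Added example: honouring Global Privacy Control on the server and in the browser.

// Server side: the GPC header is "Sec-GPC: 1". Any other value or its absence
// means no signal was sent, which is NOT the same as consent to sell or share.
function gpcFromHeaders(headers) {
  // HTTP header names are case-insensitive; normalise before comparing.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser side: the same signal is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed tag registry. Each tag declares whether firing it constitutes a
// "sale or share" under CCPA (cross-context behavioural advertising does).
const gatedTags = [
  { id: 'meta-pixel',             sellsOrShares: true },
  { id: 'google-ads-remarketing', sellsOrShares: true },
  { id: 'first-party-analytics',  sellsOrShares: false },
  { id: 'error-monitoring',       sellsOrShares: false },
];

// Opt-out is the union of the GPC signal and any stored "Do Not Sell or Share"
// choice: a GPC signal is honoured even if the visitor never clicked the link,
// and a GPC-less request never overrides a stored opt-out.
function resolveConsent({ gpc, storedOptOut }) {
  const optedOut = Boolean(gpc || storedOptOut);
  return {
    optedOut,
    allowed: gatedTags.filter(t => !(optedOut && t.sellsOrShares)).map(t => t.id),
    blocked: gatedTags.filter(t => optedOut && t.sellsOrShares).map(t => t.id),
  };
}

// Server entry point: decide from request headers plus the stored choice.
function decideForRequest(headers, storedOptOut = false) {
  return resolveConsent({ gpc: gpcFromHeaders(headers), storedOptOut });
}

// Browser entry point: decide from navigator plus the stored choice.
function decideInBrowser(nav, storedOptOut = false) {
  return resolveConsent({ gpc: gpcFromNavigator(nav), storedOptOut });
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed request headers for a visitor whose browser sends GPC.
  console.log(decideForRequest({ 'Sec-GPC': '1', 'User-Agent': 'example' }));
  console.log(decideInBrowser({ globalPrivacyControl: false }, true));
}
```

A baseline test for a consent banner is therefore two requests, one with `Sec-GPC: 1` and one without, followed by a check that no tag marked as selling or sharing is loaded on the first. If the banner only reacts to its own cookie, the first request will still fire the advertising tags and the site fails the check.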

Key Takeaway

CCPA enforcement in 2025 is about operational proof: honoring Global Privacy Control, processing consumer requests inside 45 days, having the right service-provider contracts on file, and treating sensitive personal information as a separate regulated category. A banner alone will not survive an audit.

Sensitive Personal Information: The New Category

CPRA introduced a separate "sensitive personal information" tier that most businesses still process like ordinary data. It includes government IDs, precise geolocation (more precise than roughly 1,850 meters), race or ethnicity, religious beliefs, union membership, contents of messages not directed at the business, genetic data, biometric identifiers, health information, and sexual orientation or activity.

The rule is not just about consent at collection. Consumers have the right to limit your use of sensitive personal information to purposes necessary to provide the requested service. A fitness app collecting health data for workouts cannot, without a specific extra consent, use that same data to build an advertising segment. A "Limit the Use of My Sensitive Personal Information" link has to appear on the homepage alongside "Do Not Sell or Share." Most privacy banners generated two years ago do not include it.

Vendor Contracts: Where Legal Exposure Actually Lives

The part of CCPA compliance that gets ignored most often is the vendor contract layer. When you share personal information with a service provider, processor, or contractor — an analytics platform, an email marketing tool, a chat widget, a third-party pixel — the law requires a written contract that includes specific language prohibiting their further use of the data, requiring cooperation with consumer requests, and imposing subprocessor controls.

Most marketing stacks run on whatever terms the vendor's standard click-through accepted at signup. Those terms sometimes meet CCPA requirements and sometimes do not. A compliance engagement includes an inventory of every place personal information flows out of your site, a classification of each recipient as service provider, contractor, or third party, and verified contractual language for each. Without that paper trail, you cannot honestly answer a consumer who asks "who have you shared my data with" — which is itself a statutory right.

Where CCPA and GDPR Diverge

One of the most common and costly assumptions is that a GDPR-compliant site is automatically CCPA-compliant. The two regimes have different philosophies and different operational requirements. GDPR is opt-in by default — you cannot process most categories of data without an explicit affirmative consent. CCPA is opt-out by default for most contexts — you can process, but you have to offer a clear way to stop. A banner that asks "accept cookies" works in the EU and fails the CCPA "Do Not Sell or Share" requirement because it offers the wrong choice architecture.

The two regimes also define personal information differently, apply different timelines to consumer requests, and require different disclosures in the privacy policy. A well-designed program treats them as overlapping but distinct layers, with a consent management platform that reads location and serves the right experience per jurisdiction. For any business already running a GDPR compliance program, adding CCPA is usually faster than starting fresh — but it is not free, and "we already did GDPR" is not a defense.

Penalties and Enforcement Patterns

Statutory penalties are $2,500 per violation and $7,500 per intentional violation. Those numbers sound small until you understand that each affected California resident counts as a separate violation. A misconfigured data-sharing pixel on a site with 80,000 California visitors is not a $7,500 problem — it is potentially a $600 million exposure, even if settlements land at a fraction of that.

The enforcement pattern so far has focused on three areas: failure to honor opt-out signals including GPC, misleading privacy policies that describe one thing while tracking does another, and incomplete handling of consumer requests. The agency publishes its enforcement priorities, and those priorities have been consistent: it is pursuing operational failures, not esoteric statutory corner cases.

What Good Compliance Actually Looks Like

A working CCPA program has six pieces that hold together. A privacy policy that specifies exact categories of information collected, sold, shared, and retained — updated every twelve months. A consent management platform that respects Global Privacy Control and regional variation. A published consumer request workflow with documented SLAs and a logged history of requests. An inventory of vendor relationships with verified contractual language. A separate process for sensitive personal information with its own limit-of-use control. An annual review that re-tests everything, because tags get added, policies drift, and the rules keep updating.

For teams building or rebuilding sites, the time to install this is during the redesign, not after. A web design partner who treats privacy compliance as a phase-two afterthought tends to hand over a site that needs CCPA compliance services for websites bolted on six months later, at higher cost and with worse UX than if the flow had been designed in from day one.

Need a Compliance Program That Holds Up?

We build privacy and CCPA programs that pass audits — banner, vendor contracts, request workflow, and the documentation regulators actually ask to see.
