CCPA Compliance Guide

Who must comply?

CCPA applies to for-profit businesses that meet any of three thresholds: annual revenue over $25 million, processing data of 100,000+ California consumers or households per year, or deriving 50%+ of revenue from selling consumer data. Most tech startups and SaaS businesses with California users should assess whether they meet threshold two — particularly if they track user behaviour, run advertising, or use analytics.

Five key CCPA obligations

1. Privacy notice at collection. Tell consumers what categories of data you collect and why at the point of collection.
2. Privacy policy. Publish a compliant privacy policy covering all CCPA-required disclosures, updated at least annually.
3. Opt-out of sale/sharing. Provide a "Do Not Sell or Share My Personal Information" link if you sell or share data for advertising.
4. Consumer request process. Build a verifiable consumer request mechanism for access, deletion, and correction requests.
5. Data inventory. Maintain a record of categories of personal information collected, purposes, and third parties with whom data is shared.

CCPA vs GDPR: key differences

GDPR requires a lawful basis before any processing begins and applies globally to EU data subjects. CCPA operates on an opt-out model — data processing is generally permitted unless a consumer opts out of sale or sharing. For businesses with both EU and California users, you typically build GDPR compliance first, then layer CCPA obligations on top. GeraCompliance provides sprint guides for both.