Is your website compliant with the CCPA and CPRA? A legal guide for eCommerce

Georgina Viaplana
July 22, 2025

California has set a new standard in data privacy with two key laws: the CCPA and its expansion, the CPRA. If you operate a website or online store that reaches users in the U.S., this guide is for you.

What are the CCPA and CPRA?

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. The California Privacy Rights Act (CPRA) expands and amends it and has been applicable since January 1, 2023, with retroactive scope from January 2022.

Law  | Effective Date  | Enforcement Start
CCPA | January 1, 2020 | July 1, 2020
CPRA | January 1, 2023 | July 1, 2023

Who does it apply to?

The CCPA/CPRA applies to any for-profit business that meets one or more of the following thresholds:

  • Has annual gross revenue over $25 million
  • Buys, sells, or shares personal data of 100,000 or more consumers, households, or devices
  • Derives 50% or more of annual revenue from selling or sharing personal data

Legal reference: §1798.140(d) CCPA

What rights do consumers have under CCPA/CPRA?

  • Right to know what personal information is collected (§1798.110)
  • Right to delete personal information (§1798.105)
  • Right to correct inaccurate data (new under CPRA) (§1798.106)
  • Right to limit the use of sensitive personal information (§1798.121)
  • Right to opt-out of the sale or sharing of personal data (§1798.120, §1798.135)
  • Right to non-discrimination for exercising privacy rights (§1798.125)

Key business obligations under CCPA/CPRA

1. Privacy Policy
You must publish a clear, updated privacy policy that explains what data you collect, how it’s used, and how consumers can exercise their rights.

Reference: §1798.130(a)(5)

2. “Do Not Sell or Share My Personal Information” Notice
You must provide a visible mechanism (link or banner) allowing users to opt out of the sale or sharing of their personal information.

Reference: §1798.135

3. Handle Consumer Requests
You are required to offer at least two communication channels (e.g. web form and email) so users can submit data access, correction, or deletion requests.

Reference: §1798.130(a)

4. Consent for Sensitive Personal Information
Under the CPRA, you must obtain specific consent to use data like precise geolocation, health info, biometric data, etc.

Reference: §1798.121

5. Third-Party Data Processing Agreements
You must have compliant contracts with all vendors who process personal data on your behalf to ensure they meet CCPA/CPRA requirements.

Reference: §1798.140(ag)

How does this affect websites and eCommerce?

If your website:

  • Uses tracking cookies for advertising or analytics
  • Collects user data via forms (e.g. email, name, phone)
  • Shares data with platforms like Google Ads, Meta, Mailchimp, etc.
  • Targets or sells to users located in California

Then you are required to comply with CCPA and CPRA regulations.

What happens if you don't comply?

  • Fines of up to $2,500 per unintentional violation
  • Up to $7,500 per intentional violation
  • Risk of class action lawsuits if consumer data is leaked due to negligence

Reference: §1798.155

How to make your website compliant

  • ☑️ Review and update your privacy policy
  • ☑️ Display a cookie banner with opt-out options
  • ☑️ Add a visible “Do Not Sell or Share” link
  • ☑️ Implement forms for access, deletion, and correction requests
  • ☑️ Review contracts with your service providers
  • ☑️ Audit cookies, tracking technologies, and data flows