CCPA (CPRA) Compliance for Startups

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 06 March 2023.

If you're starting a business located in California or serving its residents, you may (and likely will) fall under the scope of the state's privacy laws. This includes the California Consumer Privacy Act (CCPA). Even if you don't fall under the law yet, you might eventually as your business expands, so it pays to plan ahead.

Here's what you need to know for making sure your startup complies with the CCPA.

(Please note that the CCPA was amended by the CPRA, which expanded the CCPA in a number of ways. The CPRA expansion took effect on Jan 1, 2023.)


Who the CCPA (CPRA) Applies to

The CCPA (CPRA) applies if you meet any of the following three thresholds:

  • Your annual worldwide revenue exceeds $25 million
  • You buy, sell or disclose data about 100,000 or more consumers, households or devices in California in the same year
  • At least 50% of your annual revenue comes from selling or sharing data about Californian consumers

If the CCPA doesn't apply to you, you could still have to comply with some other data protection laws. We've covered these at the end of this article.

CCPA (CPRA) Consumer Rights

The purpose of the CCPA (CPRA) is to establish and uphold consumer privacy rights. That means regulators and judges will refer back to these rights when settling any ambiguity about specific measures in the law. The rights are as follows:

  • To know what personal information you collect about them
  • To be able to access, review and correct the information you collect
  • To know if you sell or share their information and, if so, with whom
  • To stop you selling their personal information
  • To get equal access to your services (with no price increase) even if they exercise these rights
  • To limit the use of sensitive personal information
  • To request that both you and anyone you've shared personal information with delete the information
  • To opt out of automated decision-making

Walt Disney details some of these rights in its Privacy Policy:

Walt Disney Privacy Policy: Your California Privacy Rights section

Make sure you let consumers know about their rights, and also make sure you're able to facilitate them when consumers wish to exercise any of these rights.

Complying with the CCPA (CPRA)

The CCPA (CPRA) covers a wide range of measures that businesses need to take, though it really comes down to:

  • Keeping track of the data you handle
  • Letting customers know what you do with data (both specifically theirs and data in general)
  • Respecting their request not to sell their data

Let's break down what you need to do.

Organize Your Data

Most of your responsibilities under the CCPA (CPRA) involve detailing whether you take certain actions with data from a particular category. The law sets out the following 12 categories:

  1. Identifiers (names, addresses and ID numbers)
  2. Personal information as defined by section 1798.80 (e) of the California code. (This partly duplicates category 1, identifiers, but also adds things like education, employment history and financial information)
  3. Information about characteristics protected by federal or California law (such as race, religion or gender)
  4. Commercial information (such as purchase history)
  5. Biometric information
  6. Internet information such as search history
  7. Geolocation information
  8. Audio, electronic, olfactory, thermal or visual information
  9. Employment information
  10. Education information that isn't publicly available
  11. Inferred information for profiling (such as a customer having a preference for a particular type of product)
  12. Sensitive personal information

As a startup company that serves California, it's well worth setting up your databases and records to organize or tag your records using these categories. This will make future compliance far simpler.

Give Information When Collecting Data

When you collect personal information from a consumer you must tell them:

  • Which category or categories the data falls into
  • The purpose (or purposes) for which you'll use the data
  • How long you plan to keep the data

Remember that this applies to the specific information which you are gathering from the consumer.

Give General Information

Under the CCPA (CPRA), you must list information about consumer rights and your overall use of data. You must list this information either in your Privacy Policy (if you have one) or in a dedicated section covering California privacy rights (if you have one). If you don't have either, you must list the information somewhere on your website.

For each of the categories you must list:

  • Whether you've collected any consumer data in the previous 12 months
  • Whether you've sold any consumer data in the previous 12 months
  • Whether you've disclosed any consumer data in the previous 12 months

You must review and update these lists at least once every 12 months.

Gannett gives examples of the data it may have collected in each category. This errs on the side of caution, though a more company-specific, and therefore more accurate, list might be more useful to consumers:

Gannett Privacy Policy for California Residents: CCPA - Personal Information We Collect clause and chart excerpt

As well as these lists, you should list the rights that the CCPA (CPRA) gives consumers, plus details of how they can contact you to exercise these rights.

Aquatalia offers two ways to do this:

Aquatalia How to Exercise Your CCPA Rights: Form and phone number highlighted

Handle Data Access Requests

While your website lists your overall use of data in the previous 12 months, consumers also have the right to ask how you've used their personal data during that time. You must set up your records and procedures so that you can respond accurately to such requests, normally within 45 days. (You can take up to 90 days if it's necessary to do so, as long as you warn the user about the delay within the original 45-day deadline.)

When you respond to a data access request you must tell the consumer:

  • The categories covering their information that you've collected, sold or disclosed
  • The specific information you have
  • Where you got the information from
  • Why you used the information
  • Who you've shared the information with (if anyone)

Comply With 'Do Not Sell' Rules

The CCPA (CPRA) says you must create a dedicated opt-out web page where consumers can tell you not to sell their data. It's an opt-out decision so technically you can sell consumer data until they tell you to stop.

At the least, this page must have a toll-free number for making the opt-out request. It's best to offer an alternative method as well, such as contact details for sending a request or, ideally, an online form.

You must link to this page using the specific text "Do Not Sell My Personal Information." This link must appear:

  • On your website
  • In your Privacy Policy
  • In a dedicated section on California privacy rights (if you have one)

The Atlantic includes the link in its footer menu so it appears on every page:

The Atlantic website footer with Do Not Sell My Personal Information link highlighted

When users click these links, they should be taken to an informative page with options for opting out of the sale of their personal information.

CCPA (CPRA) Penalties and Procedures

You could face three different types of penalties for violating the CCPA (CPRA):

  • The Attorney General can give you 30 days to fix a violation and then fine you up to $7,500 for each violation you don't fix.
  • Individuals can report a violation involving their personal data to the Attorney General. If the Attorney General doesn't take action, the individual can sue you in civil court.
  • If you suffer a data breach and hadn't adequately secured the data, individuals can sue you in civil court. If they win, the court can order you to pay damages of between $100 and $750 per consumer without the consumer having to prove actual financial damage. The court can order you to pay the actual financial damages for a consumer if they exceed $750.

How the CCPA Was Amended by the CPRA

In November 2020 Californians voted in favor of a ballot measure to introduce a new law, the California Privacy Rights Act (CPRA). This amends and builds on the measures of the CCPA. Most CPRA measures took effect from the start of 2023.

Eligibility changed as follows:

  • The "customer number" threshold doubled from 50,000 to 100,000 Californian people or households, with devices no longer counting.
  • The "business type" threshold expanded from 50% of revenue coming from selling personal information about Californians to 50% of revenue coming from passing on such information in any way (even without payment) or even simply making it available.
  • The $25 million annual revenue threshold remains the same.

Remember that the rules apply if you meet any of the three thresholds.

Other changes with the CPRA include the following:

  • Sensitive personal information has added protections. You must get opt-in consent before using or disclosing such information and people must have the right to withdraw this consent and opt out. You must only use this information for the specified purpose.
  • The right to opt out of you sharing personal information now specifically covers "cross-context behavioral advertising" even if you aren't being paid for the information.
  • A new organization, the California Privacy Protection Agency, took over enforcement from the state Attorney General. It has the right to order businesses to audit or risk-assess their data procedures.

The CPRA also added the following consumer rights:

  • To correct their data
  • To know if you use automated decision-making such as profiling, and to opt out of it.
  • To restrict the way you disclose sensitive information, for example to only use it for providing requested goods or services. (Businesses that use such information in other ways must add a "Limit The Use Of My Sensitive Personal Information" link that leads to a dedicated page where people can exercise this right.)
  • To not only ask you to delete their data but to pass on the request to any third party to which you disclosed the data.
  • To ask you to pass on their data to a third party in a machine-readable format. (For example, to transfer their data to use on a competing service.)

Other Data Privacy Laws

Even if you don't meet the CCPA (CPRA) thresholds, your start-up business may come under several other state, national and international privacy laws. Key ones to watch out for include the following.

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal law that applies if you run a website or online service (such as an app) and either you know you collect personal information about children aged under 13, or you aim your content at children aged under 13.

If COPPA applies you must post a privacy notice and get verifiable consent from parents or guardians before collecting personal information about children aged under 13.

General Data Protection Regulation (GDPR)

The GDPR applies if you are either based in a European Union country, or you process data about somebody in the EU.

The GDPR requires that you only process personal data if a specific legal basis applies, most commonly that the data subject has actively consented or that you have "legitimate interests" in processing the data that don't outweigh the data subject's rights.

New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD)

NY SHIELD is a state law that applies if you handle private information about New York state residents, even if you don't physically operate in the state.

The law says you must have a data security program, use technical, physical and organizational safeguards, and inform data subjects and state officials about any data breach.

Summary

Let's recap what you need to know about privacy laws when starting a business:

  • The CCPA (CPRA) applies if you meet annual thresholds on revenue (more than $25 million), data records (100,000 Californians) or business type (at least half from selling or sharing data about Californians).
  • If the CCPA (CPRA) applies you'll need to organize your records so you know how you use personal data in 12 specific categories.
  • When you collect personal data you must tell the consumer which categories cover the data and how you'll use it.
  • Your website must list whether you've collected, sold or disclosed data in each category in the past 12 months.
  • Customers have the right to ask what data you've collected about them, where you got it, why you used it and who you've shared it with.
  • Your website must have a page for consumers to opt out of you selling their data. You must link to this from your homepage with the link text "Do Not Sell My Personal Information."
  • The CPRA added a 12th category, sensitive personal information. You cannot collect this without getting prior consent, which can be withdrawn later. Consumers can insist you only use this information for a specific narrow purpose.
  • Other data laws may apply to your start-up business. These include COPPA, the GDPR and the NY SHIELD Act.