Understanding the CCPA and Marketing Compliance

Learn how the CCPA affects your marketing team. Understand compliance requirements, consumer rights, and how to future-proof your business.

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), are among the most comprehensive privacy laws in the United States. While focused on California residents, these laws have national reach and are often seen as a blueprint for other state privacy laws and future federal regulation.

For marketing teams, understanding and complying with the CCPA isn’t just about meeting current legal obligations; it’s about building sustainable, privacy-first practices that prepare your business for the next wave of data privacy laws.

This guide breaks down what marketers need to know to align with today’s rules and anticipate what’s coming next.

Table of Contents
  1. What is the CCPA?
  2. Who Does the CCPA Apply To?
  3. Key CCPA Terms Marketers Must Know
  4. CCPA Compliance Requirements for Marketing
  5. Implications for Lead Generation and Digital Advertising
  6. CCPA vs. CPRA: What Changed?
  7. How to Update Your Marketing Practices
  8. CCPA & CPRA Marketing Compliance Checklist
  9. Implementation Timeline
  10. Frequently Asked Questions
  11. References

1. What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state privacy law enacted in 2018 and enforced since January 1, 2020. It gives California residents more control over their personal data and requires businesses to handle that data transparently. Though California-specific, the law impacts companies across the U.S. if they collect data from California residents.

The CCPA was passed to address growing concerns about consumer data privacy. As digital marketing and data collection expanded, lawmakers called for more transparency in how companies collect, share, and use data.

2. Who Does the CCPA Apply To?

Your business must comply if it:

  • Does business in California
  • Collects personal data from California residents
  • Meets one or more of these thresholds:
      • Annual gross revenue over $25 million
      • Buys, sells, or shares personal data of 100,000+ consumers, households, or devices annually
      • Earns 50% or more of annual revenue from selling or sharing personal information

Some data already regulated by laws like HIPAA or GLBA may be exempt, but these exemptions are narrow.

Marketers must assess compliance if using third-party platforms, CRM systems, retargeting tools, or purchased leads involving California users.

3. Key CCPA Terms Marketers Must Know

  • Personal Information: Includes both direct (name, email) and indirect (IP address, location, browsing behavior) identifiers.
  • Sale of Data: Any exchange of personal data for money or something valuable. This includes:
      • Paid data sales
      • Free services in exchange for user data
      • Monetization via third-party platforms
  • Sharing: Specifically includes cross-context behavioral advertising.
  • Consumer Rights:
      • Right to know
      • Right to delete
      • Right to opt out
      • Right to non-discrimination
      • Right to correct inaccurate data (added by CPRA)
      • Right to limit use of sensitive personal information (added by CPRA)

4. CCPA Compliance Requirements for Marketing

Privacy Notices

  • Must appear at or before data collection
  • Must state categories of personal data collected and their purpose
  • Must be updated annually

Opt-Out Mechanism

  • Display “Do Not Sell or Share My Personal Information” link on homepage
  • Honor Global Privacy Control (GPC) signals
  • Offer at least two opt-out submission methods

Consumer Requests

  • Respond within 45 days (extendable by another 45 with notice)
  • Verify the user’s identity based on data sensitivity
  • Cannot require users to create an account

Vendor Contracts

  • Include clear data use restrictions
  • Require vendors to assist with consumer requests

Recordkeeping

  • Maintain logs of consumer requests for 24 months
  • Track metrics if managing data for over 10 million consumers

5. Implications for Lead Generation and Digital Advertising

Lead Generation

  • Disclose how user data will be used when collecting it
  • Purchased leads must come with documented consumer consent
  • Lead scoring and profiling tools must allow deletion or correction of data

Advertising

  • Retargeting and behavioral ads may be considered “sharing”
  • Cookie consent banners are required
  • Platforms (Google, Meta) must offer CCPA-compliant settings

Technical Setup

  • Use consent managers that honor opt-out preferences and GPC
  • Use tag managers to suppress non-compliant tracking
  • Track opt-out preferences in your CRM or marketing tools

6. CCPA vs. CPRA: What Changed?

Key CPRA Additions

  • New category: Sensitive Personal Information (biometrics, race, precise geolocation, etc.)
  • New rights: correction and limitation of sensitive data use
  • Required data minimization and risk assessments
  • Created the California Privacy Protection Agency (CPPA)
  • Removed the 30-day cure period
  • Increased penalties for violations involving children’s data
  • Ended B2B and employee data exemptions (as of Jan 1, 2023)

7. How to Update Your Marketing Practices

Audit Data Collection

  • Review web forms, cookies, CRM, and lead vendors
  • Map data flows and purposes
  • Identify and classify sensitive data

Update Consent Mechanisms

  • Provide sale/sharing opt-outs
  • Include sensitive data control options
  • Log and store proof of consent

Technical Configuration

  • Configure CMS to integrate with consent tools
  • Automate deletion and access workflows in CRM
  • Set up internal request-handling systems

Training & Templates

  • Train teams on compliant messaging and data handling
  • Standardize consumer response protocols

Vendor Management

  • Update contracts to reflect new requirements
  • Evaluate privacy practices of marketing tools and partners

Privacy Policy Maintenance

  • Review and update annually
  • Keep archived copies for reference and legal proof


8. CCPA & CPRA Marketing Compliance Checklist

Applicability

  • Does your business collect personal data from California residents?
  • Annual gross revenue exceeds $25 million
  • Processes data from 100,000+ consumers/households/devices annually
  • 50% or more of revenue is derived from selling or sharing personal information

Consumer Rights & Disclosures

  • Display a clear privacy notice at or before data collection
  • Disclose data categories, purpose, sharing details, and retention policies
  • List all consumer rights including access, deletion, correction, opt-out, and non-discrimination

Opt-Out Requirements

  • Include a “Do Not Sell or Share My Personal Information” link on your homepage
  • Honor Global Privacy Control (GPC) signals
  • Offer at least two methods for submitting opt-out requests
  • Respond to consumer requests within 45 days (extendable by 45 more with notice)

Lead Generation & Advertising

  • Disclose lead usage intent at point of collection
  • Ensure purchased leads include documented consumer consent
  • Allow deletion/correction in lead databases and scoring systems
  • Review behavioral and retargeting ads under CPRA “sharing” requirements

Internal Compliance & Recordkeeping

  • Verify identity before fulfilling consumer data requests
  • Maintain logs of requests and responses for at least 24 months
  • Train staff (marketing, sales, compliance) on obligations under CCPA and CPRA
  • Review vendor agreements for proper data compliance language

9. Implementation Timeline

0–30 Days

  • Audit current data collection
  • Update privacy policy
  • Add required homepage links

1–3 Months

  • Train internal teams
  • Build workflows for consumer requests
  • Update vendor contracts

3–6 Months

  • Implement deletion/access systems
  • Ensure CRM and marketing tools support compliance

Ongoing

  • Conduct privacy reviews quarterly
  • Monitor legal updates in other states and federally

10. Frequently Asked Questions

Q: Does the CCPA apply to B2B marketing?

Yes. CPRA removed the B2B exemption in 2023.

Q: Are cookies considered personal information?

Yes. Cookie IDs, IP addresses, and browsing behavior are covered.

Q: What happens if I ignore compliance?

You risk fines of $2,500–$7,500 per violation. Consumers can sue after data breaches. Both the CPPA and Attorney General can enforce the law.

Q: How should I handle data subject requests?

You must respond within 45 days. Users must complete identity verification, but you cannot require them to create an account.

Q: Do I have to comply if I don’t target California residents?

Yes, if California residents use your service and you meet the business thresholds.

Q: How does this relate to other privacy laws?

CCPA often serves as a baseline. Other states (like Colorado and Virginia) have adopted similar but distinct laws. Preparing for CCPA helps build a national compliance framework.

11. References

Legal Disclaimer

This blog post is for general informational purposes only and does not constitute legal advice. Consult your legal counsel to ensure compliance with CCPA, CPRA, and all applicable privacy laws.
