
Quick Answer: The California Consumer Privacy Act (CCPA) grants California residents the right to opt out of the sale or sharing of their personal information. As of January 1, 2026, amended regulations now require businesses to honor opt-out preference signals (such as Global Privacy Control), visibly confirm that those signals have been processed, and ensure opt-out flows are no more complex than opt-in flows. Non-compliance can result in civil penalties of up to $7,500 per intentional violation.
Key Takeaways
- The CCPA applies to for-profit businesses meeting specific revenue, data volume, or data-selling thresholds, not every company operating in California.
- As of January 1, 2026, businesses must display visible confirmation when an opt-out preference signal (such as Global Privacy Control) has been recognized and honored. [3]
- Opt-out mechanisms must be as easy to use as opt-in flows; dark patterns that discourage opt-outs are explicitly prohibited under the 2026 amendments. [7]
- Businesses have 15 business days to honor a consumer opt-out request after receipt. [2]
- "Personal information" under the CCPA is broad: it includes IP addresses, browsing history, geolocation data, inferences drawn from consumer behavior, and more.
- The CCPA and GDPR operate on fundamentally different consent models, opt-out vs. opt-in, and many businesses must comply with both simultaneously.
- Failing to update your privacy policy to reflect CCPA rights is itself a compliance gap, separate from technical opt-out failures.
- A consent management platform such as Biscotti CMP can automate signal detection, opt-out confirmation display, and preference record-keeping.
What Is the CCPA and Why Does It Matter for Your Business
The California Consumer Privacy Act is a state-level privacy law that gives California residents specific rights over how businesses collect, use, and sell their personal data. It matters because California is the world's fifth-largest economy, and any business that touches California consumers, regardless of where the business is headquartered, may be legally required to comply.
The CCPA was originally enacted in 2018, strengthened by the California Privacy Rights Act (CPRA) in 2020, and materially updated again with regulations approved by the California Office of Administrative Law on September 22, 2025, effective January 1, 2026. [1][5] These 2026 amendments added new duties around automated decisionmaking technology (ADMT), risk assessments, and, critically for most businesses, opt-out mechanism design and confirmation requirements. [1][7]
Understanding CCPA explained: how to manage opt-outs for California consumers is no longer optional for covered businesses. The regulatory floor has risen, and enforcement has followed.
How Do I Know If the CCPA Applies to My Company
The CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:
- Annual gross revenues exceeding $25 million
- Annually buying, selling, receiving, or sharing the personal information of 100,000 or more California consumers or households
- Deriving 50% or more of annual revenues from selling or sharing California consumers' personal information [4][6]
Does CCPA apply to small businesses under a certain revenue? Generally, no. If a business falls below all three thresholds, it is not a covered business under the CCPA. However, service providers and contractors that process data on behalf of covered businesses are subject to contractual CCPA obligations even if they wouldn't otherwise qualify independently. [2]
Edge case: A small SaaS company with under $25 million in revenue but a large free-tier user base could easily cross the 100,000-consumer data threshold without realizing it.
What Counts as Personal Information Under the CCPA
Personal information under the CCPA is defined broadly as any information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. This goes well beyond names and email addresses.
Covered categories include:
| Category | Examples |
|---|---|
| Identifiers | Name, email, IP address, device ID |
| Commercial information | Purchase history, browsing behavior |
| Biometric data | Fingerprints, facial recognition data |
| Internet activity | Cookies, search history, site interactions |
| Geolocation | Precise location from mobile devices |
| Inferences | Profiles built from behavioral data |
| Sensitive personal information | Social Security numbers, health data, precise geolocation |
Inferences drawn from consumer data to create profiles about preferences, characteristics, or behavior are explicitly included. [4] This matters for ad-tech, analytics, and personalization pipelines.
What Is the Difference Between CCPA Opt-Out and Opt-In
The CCPA operates on an opt-out model: businesses may collect and use consumer data by default, but consumers have the right to demand that their data not be sold or shared. Opt-in consent is only required in specific circumstances, such as when handling the personal information of consumers under age 16. [4][6]
This is the fundamental structural difference from the GDPR, which operates on an opt-in model requiring affirmative consent before most data processing begins. Under the CCPA, silence is not consent, but it is also not a bar to processing. Under the GDPR, silence is not consent and processing cannot begin without it.
Choose opt-in logic if: you are handling data from minors (under 16) or processing sensitive personal information categories that require explicit consent under California law.
Choose opt-out logic if: you are handling standard consumer data from adults and are a covered business under the CCPA.
How Do I Set Up a "Do Not Sell or Share My Personal Information" Link
Every covered business that sells or shares personal information must provide a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" on its homepage and in its privacy policy. [4][6]
Step-by-step setup:
- Audit your data flows to determine whether your business sells or shares personal information as defined by the CCPA.
- Add the required link to your website footer and mobile app settings menu.
- Configure your consent management platform to capture and timestamp opt-out requests.
- Ensure the opt-out flow requires no more steps than the opt-in flow, the 2026 regulations explicitly prohibit asymmetric friction. [7]
- Honor Global Privacy Control (GPC) signals automatically if your business processes browser-based data.
- Display visible confirmation that the opt-out has been recognized, for example, a banner or toggle state showing "Opt-Out Preference Signal Honored." [3]
A platform like Biscotti CMP can automate steps 3 through 6, including GPC signal detection and compliant confirmation display.
How Long Do I Have to Respond to a Consumer Opt-Out Request
Businesses must honor a consumer's opt-out request within 15 business days of receiving it. [2] This is distinct from the 45-day response window that applies to other consumer rights requests (such as access or deletion).
Once honored, the business must also notify any third parties to whom it sold or shared the consumer's data within the preceding 90 days, directing them to stop using that data. [6] This downstream notification obligation is frequently overlooked and represents a common compliance gap.
Can I Still Use Data After a Customer Opts Out
After a consumer opts out of sale or sharing, the business may not sell or share that consumer's personal information going forward. However, the business may still use the data for internal purposes that are consistent with the consumer's relationship with the business. [4]
Specifically prohibited after opt-out:
- Selling or sharing the data with third parties for cross-context behavioral advertising
- Using the data in ways that are incompatible with the context in which it was collected
Still permitted after opt-out:
- Fulfilling the transaction or service the consumer requested
- Internal analytics and fraud prevention
- Compliance with legal obligations
Common mistake: Assuming opt-out means full data deletion. It does not. Consumers must submit a separate deletion request to trigger that right.
CCPA vs. GDPR: Which One Do I Need to Follow
If your business serves both California residents and European Union residents, you likely need to comply with both. The CCPA and GDPR are not mutually exclusive, and the compliance requirements differ enough that a single policy rarely satisfies both.
| Factor | CCPA | GDPR |
|---|---|---|
| Consent model | Opt-out (default processing allowed) | Opt-in (consent required first) |
| Geographic scope | California residents | EU/EEA residents |
| Who it covers | For-profit businesses meeting thresholds | Any entity processing EU resident data |
| Penalties | Up to $7,500 per intentional violation | Up to 4% of global annual turnover |
| Right to deletion | Yes | Yes (Right to Erasure) |
| Data portability | Yes | Yes |
The practical implication: GDPR-compliant consent banners are not automatically CCPA-compliant, because the CCPA requires a specific opt-out mechanism rather than a consent gate.
What Happens If I Don't Comply With CCPA Requirements
Non-compliance exposes businesses to civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Privacy Protection Agency (CPPA). [4][6] Violations involving minors' data are treated as intentional by default.
Consumers also have a private right of action for data breaches resulting from a business's failure to implement reasonable security measures, with statutory damages ranging from $100 to $750 per consumer per incident. [4]
The 2026 amendments expanded the CPPA's audit authority, meaning businesses subject to risk assessment requirements may face proactive regulatory scrutiny, not just reactive enforcement. [1][7]
Do I Need to Update My Privacy Policy for CCPA
Yes. Covered businesses must maintain a privacy policy that discloses, at minimum:
- The categories of personal information collected and the purposes for collection
- Whether personal information is sold or shared, and the categories of third parties involved
- The consumer rights available under the CCPA (opt-out, deletion, access, correction, portability)
- How consumers can submit requests to exercise those rights
- The retention period for each category of personal information [4][6]
Privacy policies must be updated at least once every 12 months. Failing to update the policy after a material change in data practices, such as adding a new analytics vendor, is itself a compliance violation.
How Do I Verify a Consumer's Opt-Out Request Is Legitimate
For opt-out requests specifically, the CCPA does not require businesses to verify the identity of the consumer making the request. [2] This is intentional: requiring identity verification for opt-outs would create friction that undermines the right.
However, businesses may use reasonable means to confirm that a request is not fraudulent, such as confirming the email address associated with the account. The standard for opt-out verification is deliberately lower than for deletion or access requests, where identity verification is appropriate because those requests involve disclosing or destroying data.
Edge case: If an opt-out request arrives via an automated signal (GPC), no additional verification step is required or permitted, the signal itself constitutes a valid request. [3][7]
How Do Opt-Out Mechanisms Work on Mobile Apps vs. Websites
On websites, opt-out mechanisms must include the "Do Not Sell or Share My Personal Information" link in the footer and must honor browser-level GPC signals. [3][7] On mobile apps, the requirements are functionally equivalent but the implementation differs:
- Mobile apps must include the opt-out option in the app's settings menu or privacy preferences section.
- Apps distributed through app stores must comply with any additional platform-level privacy requirements (such as App Tracking Transparency on iOS), but those platform requirements do not substitute for CCPA compliance.
- Automated signals from mobile operating systems must be honored in the same way as browser-based GPC signals if the business processes that data.
The 2026 regulations make clear that the channel (web vs. app) does not change the underlying obligation, only the technical implementation differs.
What Are Common Mistakes Businesses Make With CCPA Compliance
Even well-intentioned businesses frequently make the following errors:
- Treating opt-out as opt-in: Requiring consumers to affirmatively confirm their opt-out through multiple steps, which violates the symmetry requirement in the 2026 amendments. [7]
- Ignoring GPC signals: Not configuring their tech stack to detect and honor Global Privacy Control browser signals, which are now treated as valid opt-out requests. [3]
- Failing to display opt-out confirmation: The 2026 rules require visible confirmation that a signal has been processed, a backend log entry is not sufficient. [3]
- Overlooking downstream vendors: Not notifying third-party data recipients after an opt-out is received.
- Static privacy policies: Failing to update the policy annually or after material changes to data practices.
- Conflating service providers with third parties: Service providers processing data under contract have different obligations than third parties receiving data for their own purposes.
FAQ
Does the CCPA apply to nonprofits? No. The CCPA applies only to for-profit businesses. Nonprofits are not covered businesses, though they may be subject to other California privacy statutes.
What is Global Privacy Control (GPC) and must I honor it? GPC is a browser-level signal that communicates a consumer's opt-out preference automatically. As of January 1, 2026, covered businesses that process browser data must honor GPC signals as valid opt-out requests and display confirmation that the signal was processed. [3][7]
Can a business charge a different price to consumers who opt out? Generally no. The CCPA prohibits businesses from discriminating against consumers who exercise their privacy rights, including by charging different prices, unless the difference is reasonably related to the value of the consumer's data. [4]
How long must opt-out records be retained? The CCPA does not specify a universal retention period for opt-out records, but businesses should retain records long enough to demonstrate compliance in the event of an audit or enforcement action, typically at least 24 months is considered a reasonable baseline. [6]
Does a cookie banner satisfy CCPA opt-out requirements? A cookie banner alone is not sufficient. The CCPA requires a dedicated "Do Not Sell or Share My Personal Information" link, and the 2026 amendments require businesses to honor and confirm GPC signals independently of any cookie consent interaction. [3][7]
What is the difference between a "sale" and "sharing" under the CCPA? "Sale" involves exchanging personal information for monetary consideration. "Sharing" covers disclosing personal information for cross-context behavioral advertising, even without payment. Both trigger opt-out rights. [4]
Do I need separate opt-out mechanisms for each category of data? No. A single opt-out mechanism covering sale and sharing is sufficient, though businesses must clearly describe in their privacy policy what categories of data are covered.
What is a risk assessment under the 2026 CCPA amendments? Businesses that process personal information in ways that present significant privacy risks, including use of automated decisionmaking technology, must conduct and document risk assessments before beginning that processing. [1][7]
Conclusion
CCPA explained: how to manage opt-outs for California consumers is a moving target, and the 2026 amendments have raised the bar considerably. The core obligations, providing a clear opt-out mechanism, honoring consumer requests within 15 business days, and updating your privacy policy, remain foundational. But the new requirements around GPC signal confirmation, dark-pattern prohibition, and ADMT risk assessments demand a more systematic approach than a static footer link can provide.
Actionable next steps for covered businesses:
- Audit your current opt-out flow against the 2026 symmetry requirement: count the steps to opt out and compare them to the steps to opt in.
- Verify that your website and mobile app detect and honor Global Privacy Control signals, and that a visible confirmation message is displayed when a signal is received.
- Review your third-party vendor list and confirm that downstream notification procedures are in place for post-opt-out data flows.
- Update your privacy policy to reflect current data practices, retention periods, and the full list of consumer rights.
- Evaluate a consent management platform such as Biscotti CMP to automate signal detection, opt-out confirmation, and preference record-keeping across web and mobile channels.
Compliance is not a one-time project. The CPPA has demonstrated willingness to issue guidance and pursue enforcement, and the regulatory environment will continue to evolve. Building repeatable, auditable processes now is the most defensible position a covered business can take.
References
[1] Navigating New Obligations Under The CCPA Updated Regulations - https://www.lw.com/en/insights/navigating-new-obligations-under-the-ccpa-updated-regulations
[2] Navigating California Consumer Privacy Act 30 Essential FAQs Covered Businesses Including Clarifying Regulations Effective 1/1/26 - https://www.jacksonlewis.com/insights/navigating-california-consumer-privacy-act-30-essential-faqs-covered-businesses-including-clarifying-regulations-effective-1126
[3] Show Me That You've Opted Me Out: New CCPA Rules Require Businesses To Prove Compliance - https://www.nelsonmullins.com/insights/alerts/fcc-download/all/show-me-that-you-ve-opted-me-out-new-ccpa-rules-require-businesses-to-prove-compliance
[4] CCPA Statute Effective 2026-01-01 - https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf
[5] CCPA Updates - https://cppa.ca.gov/regulations/ccpa_updates.html
[6] CCPA Requirements 2026: Complete Compliance Guide - https://secureprivacy.ai/blog/ccpa-requirements-2026-complete-compliance-guide
[7] CCPA 2026: Navigating The Expanded Consumer Privacy Compliance Requirements For Businesses - https://www.lathropgpm.com/insights/ccpa-2026-navigating-the-expanded-consumer-privacy-compliance-requirements-for-businesses/
[8] CCPA in 2026: What's Changing in Consent, Consumer Rights, and AI Governance - https://www.onetrust.com/blog/ccpa-in-2026-whats-changing-in-consent-consumer-rights-and-ai-governance/
[9] New CCPA 2026 Regulations: Your Complete Compliance Action Guide - https://captaincompliance.com/education/new-ccpa-2026-regulations-your-complete-compliance-action-guide/
[10] CPPA Regulations - https://cppa.ca.gov/regulations/