
CCPA & CPRA compliance: California privacy laws for app builders
- Riya Thambiraj

- Buyer's Playbook
Key Takeaways
CCPA/CPRA applies if you have 50K+ California users/year, $25M+ revenue, or derive 50%+ of revenue from data sales
Unlike GDPR, CCPA uses an opt-out model for data sales/sharing - users are assumed to consent unless they actively opt out
CPRA (effective 2023) added the right to correct data, limit sensitive data use, and created the California Privacy Protection Agency for enforcement
Do Not Sell or Share My Personal Information links are legally required on your website and app
Private lawsuits for data breaches can cost $100-$750 per consumer per incident - class actions get expensive fast
Sephora paid $1.2 million in 2022 to settle CCPA violations. The issue? They failed to disclose that customer data was being sold to third parties and didn't process opt-out requests through Global Privacy Control (GPC) signals. The California AG's office called it a test case - and it was. More enforcement actions have followed every year since.
Since then, the California AG has secured seven settlements under CCPA, including a $2.75 million settlement with Disney in February 2026 and $1.55 million with Healthline Media in 2025. According to a 2022 compliance study cited by the IAPP, only 11% of companies were fully compliant with CCPA requirements at the time. That gap is exactly what regulators are targeting.
If your app has California users and your business meets the CCPA thresholds, these rules apply to you. The California Privacy Protection Agency (CPPA) is now fully operational, and they're not waiting for complaints to start investigations.
Who CCPA/CPRA applies to
Your business is covered if you're a for-profit entity doing business in California that collects California residents' personal information AND meets any one of these thresholds:
- $25 million+ in annual gross revenue - this is your total revenue, not just California revenue
- 100,000+ California consumers or households annually - CPRA raised this from 50,000. Note that it counts households, not just individuals. A family of four at one address is one household.
- 50%+ of revenue from selling or sharing personal information - data brokers, ad tech companies, and businesses that monetize user data
Common misconceptions:
"We're not based in California" - doesn't matter. If you do business with California residents, the law applies.
"We don't sell data" - CCPA's definition of "sell" includes sharing data for valuable consideration, not just cash transactions. Sharing data with ad networks for retargeting counts.
"We're a small business" - if you hit any one of the three thresholds, size doesn't exempt you.
Service providers vs. third parties
CCPA distinguishes between service providers (companies that process data on your behalf, under your instructions) and third parties (companies that receive data for their own purposes). This distinction matters because:
- Sharing data with service providers under a written contract isn't a "sale"
- Sharing data with third parties for their own purposes is a "sale" or "sharing" that triggers opt-out rights
Your contracts with vendors should clearly establish them as service providers with limitations on how they can use the data.
What counts as personal information
CCPA defines personal information broadly - even more broadly than GDPR in some respects.
Standard personal information:
- Name, email, phone, address
- SSN, driver's license, passport number
- Purchase history, browsing history
- Geolocation data
- Audio, visual, thermal, olfactory information
- Professional or employment information
- Education information
- Inferences drawn from any of the above to create a consumer profile
Sensitive personal information (CPRA addition):
- SSN, driver's license, state ID, or passport numbers
- Account login credentials (username + password/security question)
- Financial account numbers with access codes
- Precise geolocation (within 1,850 feet)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Mail, email, or text message content (unless the business is the intended recipient)
- Genetic data
- Biometric data for identification
- Health information
- Sex life or sexual orientation information
Sensitive personal information triggers additional obligations. Consumers can limit your use of sensitive data to what's necessary to provide the service they requested.
Household-level data: CCPA uniquely covers household-level data, not just individual data. Data about a household (address, purchasing patterns, internet activity associated with a shared device) is personal information even if it doesn't identify a specific individual within the household.
What CCPA/CPRA requires
Consumer rights
Your app must support these consumer rights:
- Right to know - Consumers can request what personal information you've collected, where you got it, why you collect it, who you've shared it with, and what categories of data you sell. You must respond within 45 days.
- Right to delete - Consumers can request deletion of their personal information. You must delete it and direct your service providers to do the same. You can decline deletion requests in limited circumstances (completing a transaction, security, legal obligations, internal uses compatible with expectations).
- Right to opt out of sale/sharing - Consumers can opt out of having their personal information sold or shared for cross-context behavioral advertising. Once they opt out, you can't sell/share their data unless they opt back in.
- Right to correct - CPRA added this. Consumers can request corrections to inaccurate personal information.
- Right to limit sensitive data use - CPRA added this. Consumers can limit your use of sensitive personal information to what's necessary to perform the service.
- Right to non-discrimination - You can't deny services, charge different prices, or provide a different quality of service to consumers who exercise their CCPA rights. Financial incentives (loyalty programs, discounts for data sharing) are allowed if clearly disclosed and opt-in.
Required disclosures
Your app and website need:
- Privacy policy - Must be updated at least every 12 months and disclose: categories of personal information collected, purposes, categories sold/shared, categories of third parties, consumer rights and how to exercise them.
- "Do Not Sell or Share My Personal Information" link - Required on your homepage if you sell or share personal information. Must be clear, conspicuous, and functional.
- "Limit the Use of My Sensitive Personal Information" link - Required if you process sensitive data beyond what's necessary for the service.
- Notice at collection - Before or at the point of collection, tell consumers what categories of personal information you're collecting and the purposes. This includes notice for offline collection (in-store, over the phone).
"GPC is the enforcement tripwire that most teams miss. It's not a preference center on your website - it's a browser signal that fires on every request. If you're not detecting it server-side and blocking data sales accordingly, you're non-compliant even if your 'Do Not Sell' link works perfectly." - RaftLabs Engineering Team
Global privacy control (GPC)
This caught Sephora. CCPA requires businesses to treat GPC browser signals as valid opt-out requests. GPC is a browser setting that sends a signal with every web request indicating the user opts out of data sales/sharing.
Your website and app must detect and honor GPC signals. If a user has GPC enabled, your system must stop selling/sharing that user's data - even if they haven't clicked your "Do Not Sell" link.
ℹ️ GPC is not optional
The Sephora enforcement action specifically targeted their failure to honor GPC signals. The CPPA has stated that honoring GPC is a legal requirement, not a best practice. Test your site with a GPC-enabled browser to verify you're compliant.
Data minimization and retention
CPRA added GDPR-like data minimization requirements:
- Only collect personal information that's reasonably necessary for the disclosed purpose
- Don't retain personal information longer than reasonably necessary for the disclosed purpose
- Inform consumers of your retention period or the criteria used to determine retention
This means your app needs documented data retention policies with automated enforcement. If you told consumers you keep purchase data for 3 years, your system must delete it after 3 years.
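The "automated enforcement" part is where most retention policies fall down: the policy lives in a document, and nothing in the system reads it. The following is an added example, not code from this article or from RaftLabs, of a purpose-keyed retention schedule driving a purge plan. The schedule, the record shape (`id`, `purpose`, `collectedAt`, optional `legalHold`) and the sample records are constructed for the example; the schedule is meant to mirror whatever retention periods your privacy policy actually discloses.

```javascript
// Added example, not the article's or RaftLabs' code: enforce the retention period
// you disclosed, per purpose, and surface legal holds and undisclosed purposes
// instead of silently keeping data.
const DAY_MS = 24 * 60 * 60 * 1000;

// Retention schedule in days keyed by disclosed purpose (assumption: these match
// the periods stated in your privacy policy).
const RETENTION_DAYS = {
  order_fulfillment: 3 * 365, // "we keep purchase data for 3 years"
  analytics: 90,
  support_ticket: 365,
};

// Constructed sample records; real ones come from every store in your data inventory.
const SAMPLE_RECORDS = [
  { id: 'r1', purpose: 'order_fulfillment', collectedAt: '2021-01-15T00:00:00Z' },
  { id: 'r2', purpose: 'order_fulfillment', collectedAt: '2024-06-01T00:00:00Z' },
  { id: 'r3', purpose: 'analytics', collectedAt: '2024-01-01T00:00:00Z', legalHold: true },
  { id: 'r4', purpose: 'marketing_unknown', collectedAt: '2020-01-01T00:00:00Z' },
];
const SAMPLE_NOW = Date.parse('2025-01-01T00:00:00Z');

// true/false once the disclosed period is known; null when no period was ever
// disclosed for this purpose, because then there is nothing to enforce against.
function ageExceeded(record, now, policy) {
  const days = policy[record.purpose];
  if (days === undefined) return null;
  return now - Date.parse(record.collectedAt) >= days * DAY_MS;
}

// Partition records into: purge now; past the period but under a legal hold
// (kept, but visible in the audit trail); and no disclosed purpose at all
// (a data-minimization finding to fix, not a reason to keep the data).
function planPurge(records, now = Date.now(), policy = RETENTION_DAYS) {
  const plan = { purge: [], held: [], unclassified: [] };
  for (const r of records) {
    const exceeded = ageExceeded(r, now, policy);
    if (exceeded === null) plan.unclassified.push(r.id);
    else if (exceeded && r.legalHold) plan.held.push(r.id);
    else if (exceeded) plan.purge.push(r.id);
  }
  return plan;
}

// Drive every store (primary DB, analytics, backups) and the service-provider
// deletion notice from the same plan via a caller-supplied deleter.
function enforceRetention(records, deleter, now = Date.now(), policy = RETENTION_DAYS) {
  const plan = planPurge(records, now, policy);
  for (const id of plan.purge) deleter(id);
  return plan;
}
```

Run the planner on a schedule (a nightly job is the usual shape) and keep the returned plan as the audit record: the `held` and `unclassified` lists are exactly what a regulator will ask about if they question why data older than the disclosed period still exists.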
How CCPA/CPRA affects your app architecture
| Requirement | Architecture Impact |
|---|---|
| Right to know | Build a data inventory system that tracks all personal information by consumer across all storage systems |
| Right to delete | Cascading deletion across all databases, analytics, and service providers - with service provider notification |
| Opt-out of sales/sharing | Server-side consent state that blocks data flows to third parties when a consumer opts out |
| GPC signal honoring | Frontend detection of GPC headers/signals with server-side enforcement |
| Sensitive data limitation | Separate processing logic for sensitive vs. standard personal information |
| Data minimization | Purpose-linked data collection with documented justification for each field |
| Non-discrimination | Pricing and service logic that doesn't penalize opt-out consumers |
The technical difference from GDPR
If you've already built GDPR consent management, CCPA compliance requires different logic:
- GDPR: Block data collection until the user opts in. Default state = no data.
- CCPA: Collect data by default. Provide an opt-out mechanism for sales/sharing. Default state = data collected.
This means your app potentially needs two different consent flows: one for EU users (opt-in) and one for California users (opt-out with notice). If your app serves both markets, your consent management system needs geography-aware logic.
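To make the geography-aware logic and the GPC requirement from the section above concrete, here is an added example (not code from this article or from RaftLabs) of a server-side consent resolver: it applies the opt-in default for GDPR regions and the opt-out default for California, layers the consumer's stored choice on top, and treats the `Sec-GPC: 1` request header (the header name and value defined by the Global Privacy Control specification) as an opt-out. It assumes Node-style lowercase header names, a hypothetical region-to-regime mapping, and a stored-consent shape of `{ sellOrShare: boolean }` of my own choosing.

```javascript
// Added example, not the article's or RaftLabs' code.
// Browsers with Global Privacy Control enabled send "Sec-GPC: 1" on every request.
// Node's http module lowercases header names, which this code assumes.
const GPC_HEADER = 'sec-gpc';

// Default consent state per regime: GDPR is opt-in (nothing until consent),
// CCPA is opt-out (collection and sale/sharing allowed until the consumer opts out).
const REGIME_DEFAULTS = {
  gdpr: { collect: false, sellOrShare: false },
  ccpa: { collect: true, sellOrShare: true },
  none: { collect: true, sellOrShare: true },
};

// Hypothetical region-to-regime mapping (assumption; replace with your own
// geo-IP or account-address resolution and the full EU/EEA list).
function regimeForRegion(region) {
  const euSample = new Set(['DE', 'FR', 'IE', 'NL', 'ES', 'IT']);
  if (euSample.has(region)) return 'gdpr';
  if (region === 'US-CA') return 'ccpa';
  return 'none';
}

// The spec value is exactly "1"; anything else is "no signal", not an opt-in.
function hasGpcSignal(headers) {
  const raw = headers[GPC_HEADER];
  return raw !== undefined && String(raw).trim() === '1';
}

// stored: the consumer's recorded choice, if any (assumed shape { sellOrShare: bool }).
// Returns the effective state plus which source decided it, for audit logging.
function resolveConsent({ headers = {}, region, stored = null }) {
  const regime = regimeForRegion(region);
  const state = { regime, ...REGIME_DEFAULTS[regime], source: 'default' };

  if (stored && typeof stored.sellOrShare === 'boolean') {
    state.sellOrShare = stored.sellOrShare;
    // Under GDPR an explicit opt-in is what unlocks collection at all.
    if (regime === 'gdpr' && stored.sellOrShare) state.collect = true;
    state.source = 'stored';
  }

  // GPC is a valid opt-out request: it must be honored server-side even when the
  // consumer never clicked "Do Not Sell or Share". This example resolves a
  // conflict with a previously stored opt-in in favor of the opt-out.
  if (hasGpcSignal(headers)) {
    state.sellOrShare = false;
    state.source = 'gpc';
  }
  return state;
}

// Gate every data flow to a third party (ad network, pixel, data broker) on this,
// in the request path, not only in the preference center.
function mayShareWithThirdParty(consent) {
  return consent.sellOrShare === true;
}

// Sharing with a service provider under a written contract is not a "sale";
// that flow depends only on whether collection itself is permitted.
function mayProcessViaServiceProvider(consent) {
  return consent.collect === true;
}
```

Call `resolveConsent` once per request and pass the result to every outbound integration; the `source` field is what you log so you can later show a regulator that a given user's data stopped flowing because of GPC and when. Client-side code can read the same signal through the `navigator.globalPrivacyControl` property the GPC specification defines, but the server-side header check is the one that actually blocks the data flow.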
Verifiable consumer requests
CCPA requires you to verify the identity of consumers who submit requests (know, delete, correct). You must verify to a "reasonable degree of certainty" for access requests and a "reasonably high degree of certainty" for deletion requests.
Your app needs a verification process that:
- Matches at least 2-3 data points the consumer provides against your records
- Uses a higher verification standard for deletion requests
- Handles requests from authorized agents (consumers can designate someone to act on their behalf)
- Doesn't require the consumer to create an account just to submit a request
"The private right of action is what keeps our clients up at night, not the AG's office. A breach affecting 50,000 California consumers at $750 per person is a $37.5 million class action exposure. We treat California breach prevention as a standalone risk calculation, separate from the regulatory fine structure." - Ashit Vora, Captain at RaftLabs
What CCPA compliance costs
For a typical app build:
| Component | Additional Cost | Why |
|---|---|---|
| Opt-out mechanism (Do Not Sell/Share) | $5K-$12K | Frontend UI, backend consent state, third-party data flow blocking |
| GPC signal detection and enforcement | $3K-$6K | Browser signal detection, server-side enforcement |
| Consumer request handling system | $8K-$18K | Verification, data retrieval, deletion cascading, response tracking |
| Privacy policy and disclosures | $3K-$8K (legal fees) | CCPA-specific disclosures, notice at collection |
| Data inventory and mapping | $5K-$10K | Track all personal information flows across systems |
| Data retention automation | $3K-$8K | Automated deletion per retention schedules |
Total: 10-20% of a standard app build. Similar to GDPR, but the technical requirements are different because of the opt-out model.
If your app also needs GDPR compliance, the overlap is significant. Consent management, deletion workflows, and data inventory serve both laws. Budget 15-25% for dual compliance rather than doubling the cost.
Questions to ask your development partner
- "How do you handle the CCPA opt-out model vs. GDPR's opt-in model?" - If your app serves both EU and California users, the partner should explain geography-aware consent logic that applies the right rules to the right users.
- "How do you detect and honor Global Privacy Control signals?" - The Sephora case made this a top enforcement priority. Your partner should know about GPC and have a plan for detecting and enforcing it.
- "How do you handle verified consumer requests?" - Look for identity verification that scales (not manual email exchanges), respects the different verification thresholds for access vs. deletion, and handles authorized agents.
- "What's your approach to data inventory?" - CCPA requires you to know what data you have, where it lives, and who you share it with. Your partner should describe a systematic approach to mapping data flows, not an ad-hoc spreadsheet.
- "How do you prevent discrimination against opt-out consumers?" - Your app's pricing, feature access, and service quality can't change based on whether a user has opted out. This needs to be tested, not assumed.
Your CCPA/CPRA compliance checklist
Before development starts:
- Confirm CCPA applies (one of three thresholds met)
- Map all categories of personal information your app will collect
- Identify all third parties and service providers receiving personal information
- Determine which data transfers constitute "sales" or "sharing"
- Engage legal counsel for privacy policy drafting
During development:
- Build "Do Not Sell or Share" opt-out mechanism
- Build "Limit Sensitive Data Use" mechanism (if applicable)
- Build GPC signal detection and enforcement
- Build verified consumer request handling (know, delete, correct)
- Build data inventory tracking across all systems
- Build automated data retention and deletion
- Build geography-aware consent logic (if also serving GDPR markets)
- Add service provider contract requirements to vendor management
Before launch:
- Publish CCPA-compliant privacy policy with all required disclosures
- Add "Do Not Sell or Share" link to homepage and privacy policy
- Add "Limit Sensitive Data" link if processing sensitive information
- Test opt-out mechanism end to end (including GPC)
- Test consumer request handling (access, deletion, correction)
- Verify non-discrimination for opt-out consumers
- Train customer-facing staff on CCPA request handling
- Document data processing activities and retention schedules
California's privacy laws keep evolving. The CPPA has rulemaking authority and regularly issues new regulations. Build a flexible compliance architecture that can adapt to new requirements without a full rebuild.
Frequently Asked Questions
CCPA applies if you're a for-profit business that collects California residents' personal information AND meets any one of these thresholds: $25 million+ annual gross revenue, buy/sell/share personal information of 100,000+ California consumers or households annually (CPRA raised this from 50,000), or derive 50%+ of annual revenue from selling or sharing personal information. You don't need to be based in California - doing business with California residents is enough.
CPRA amended CCPA effective January 2023. Key changes: created the California Privacy Protection Agency (CPPA) for enforcement, added the right to correct personal information, added the right to limit use of sensitive personal information, introduced data minimization and storage limitation requirements, raised the consumer threshold from 50,000 to 100,000, extended opt-out rights to data 'sharing' (not just 'selling'), and created new requirements for automated decision-making. CPRA didn't replace CCPA - it strengthened it.
CCPA defines 'selling' broadly - any exchange of personal information for monetary or 'other valuable consideration.' This includes sharing data with advertising networks for targeted ads, even if no money changes hands directly. Using Meta's tracking pixel on your site to power retargeting? That likely counts as 'selling' or 'sharing' under CCPA/CPRA. The CPRA expanded this further by adding 'sharing' as a separate category - making data available to third parties for cross-context behavioral advertising.
Yes, but only for data breaches involving non-encrypted personal information. Under CCPA's private right of action, consumers can sue for $100-$750 per consumer per incident (or actual damages if higher). The California AG must be notified and the business gets a 30-day cure period. Class action lawsuits under this provision have already resulted in multi-million dollar settlements. For all other CCPA violations, enforcement is through the AG's office and the CPPA, not private lawsuits.
The biggest difference is the consent model. GDPR requires opt-in consent before processing data. CCPA uses opt-out - you can collect and use data by default, but consumers can opt out of sales/sharing. CCPA also has revenue and volume thresholds (GDPR applies regardless of company size), defines personal information more broadly (it includes household-level data), and allows private lawsuits for breach-related violations. Both give consumers the right to know, delete, and access their data.
Yes, if you sell or share personal information. CCPA requires a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on your homepage and in your privacy policy. CPRA also requires a 'Limit the Use of My Sensitive Personal Information' link if you process sensitive data beyond what's necessary to provide the requested service. These links must be functional - they must actually stop the sale/sharing when a consumer clicks them.
Yes, as of January 2023. CPRA removed the employee and B2B exemptions. Employee personal information and B2B contact data now have full CCPA protections. This means employees have the right to know what personal information you collect about them, request deletion, and opt out of sales/sharing of their data. HR systems and employee management apps need to comply.