CCPA and U.S. Privacy Laws

Home / Everything About / Everything About Analytics / CCPA and U.S. Privacy Laws

The US has no comprehensive federal privacy law, but multiple state laws now require privacy-compliant analytics. CCPA in California (and its successor, CPRA) set the precedent. Similar laws now exist in Virginia, Colorado, Connecticut, Utah, Montana, and Delaware. For US websites, assuming you have visitors across multiple states, you likely need to comply with several of these laws simultaneously.

How CCPA/CPRA Works

CCPA (California Consumer Privacy Act) applies to for-profit companies collecting California resident data. It requires notice of data collection, disclosure of what data is collected and why, and user rights to access, delete, and opt out of data sales. CPRA (California Privacy Rights Act), which amended CCPA, adds stricter consent requirements and consumer rights to correct inaccurate data.

What Triggers CCPA

CCPA applies if your company meets any of these: $25M+ annual revenue, buys/sells/shares data from 100k+ people or households, or derives 50%+ revenue from selling consumer data. Many mid-market companies trigger this without realizing it.

CCPA applies to "personal information"—data that identifies, relates to, or could be linked to a specific person. This is broader than GDPR. It includes inferences about preferences, location, commercial behavior, and more. For analytics, most tracking qualifies.

The CCPA Rights You Must Honor

Right to know: Users can request what personal information you've collected and how you've used it. You must respond within 45 days (extendable to 90). The disclosure must be comprehensive.

Right to delete: Users can request deletion of their personal information. You must comply within 45 days. However, you can keep data for legitimate business purposes (e.g., fraud detection) or legal compliance.

Right to opt-out of sales: Users can request you stop selling their data. You must honor this within 15 business days. Note: "sale" in CCPA includes sharing for anything of value, not just money.

Right to correct: Under CPRA, users can request you correct inaccurate data. This is new and straightforward: if data is wrong, fix it.

Opt-In vs. Opt-Out

CCPA uses opt-out for data sales: users can sell their data unless they opt out. CPRA and newer state laws use opt-in for sensitive data: you need explicit permission before collecting sensitive information (precise location, social security numbers, financial data, etc.). For analytics, assume you need opt-in consent under newer laws.

Other State Privacy Laws

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Montana (MTDPA), and Delaware (DPDPA) all passed comprehensive privacy laws. They follow the CCPA/CPRA model: they give users rights to know, delete, and opt out. The details vary by state, but the overall pattern is consistent.

Should You Comply with All of Them?

It depends on your audience. If you primarily serve California, focus on CCPA/CPRA. If you serve multiple states, most companies use a GDPR-level privacy standard (which exceeds most US state law requirements) and apply it to all visitors. This is simpler than state-by-state compliance.

The Multi-State Reality

Most websites have visitors from multiple states. Some serve all 50 states. Rather than maintain different analytics practices per state, most companies adopt the strictest standard they're subject to and apply it universally. This reduces complexity and ensures you're never out of compliance.

CCPA/CPRA Compliance in Practice

Compliance requires: a privacy policy explaining what data you collect and why; clear opt-out mechanisms for data sales (if applicable); the ability to respond to data access requests within 45 days; systems to delete user data on request; and honest marketing about your data practices (no lying about what you collect or how you use it).

CCPA Penalties and Enforcement

California Attorney General can fine up to $2,500 per violation (or $7,500 per intentional violation). Consumers can file private actions for data breaches (statutory damages of $100-$750 per person per incident). Class actions are common. The practical impact: a CCPA violation can easily cost $1-10M if it affects many users.

GDPR vs. CCPA vs. State Laws

GDPR is stricter on consent. CCPA is broader on what counts as personal data. State laws follow the CCPA model with variations. If you comply with GDPR (consent-based, transparency-first), you're mostly compliant with CCPA and state laws. The reverse isn't always true: CCPA compliance may not be sufficient for GDPR.

Do I actually trigger CCPA? How do I know if I meet the $25M threshold?

What counts as personal data under CCPA vs. GDPR? Why is CCPA broader?

When a user requests deletion, what legitimate purposes let me keep data?

Why is the opt-out deadline 15 days but the access deadline 45 days?

The private right of action is $100-$750 per person—how is this calculated?

For multi-state compliance, should I implement state-specific rules or use GDPR standard?