CCPA and privacy laws: state and region-specific compliance

Home / Everything About / Everything About Forms / CCPA and privacy laws: state and region-specific compliance

CCPA is the privacy law for the United States. If your business operates anywhere in the US, you likely have visitors from California. If you collect their data through forms, CCPA applies. But CCPA is not the only privacy law. More than a dozen US states now have similar privacy regulations, and new ones are coming.

CCPA and other state privacy laws are the US equivalents of Europe's GDPR. Understanding which privacy laws apply to your forms and what each one requires is essential for staying compliant across different US regions.

What you'll learn: What CCPA is and how it differs from GDPR, which other US states have privacy laws, what these laws require of forms, how to know which laws apply to your business, and how to build forms that comply with multiple regulations at once.

What is CCPA?

CCPA (California Consumer Privacy Act) is a privacy law that applies to for-profit companies that collect personal information from California residents. It became effective January 1, 2020 and has since been strengthened by additional regulations.

CCPA applies to your forms if:

  • Your business collects data from people in California
  • You generate annual revenue above 25 million dollars, or
  • You collect data from 100,000 or more residents (or households), or
  • You sell consumer data as a business practice

Even small businesses often meet these thresholds without realizing it. If you have a contact form and you have collected information from a few hundred California residents, you are likely covered.

Key CCPA requirements for forms

Disclosure in a privacy notice

You must provide a privacy notice that tells California visitors about:

  • What categories of personal information you collect (name, email, purchase history, etc.)
  • Why you collect it (to respond to inquiries, to provide services, for marketing)
  • Where the data comes from (directly from the consumer on a form, from third parties, from analytics)
  • How long you keep it
  • Who you share it with (service providers, other businesses, etc.)

The privacy notice must be easy to find. A link in the footer or a buried policy page is not sufficient. Put it where visitors will see it before filling out your form.

The right to know

California residents can request to know what personal information you have collected about them. You must be able to provide this information within 45 days. This means you need systems to track what data you have about each person and a process to respond to these requests.

The right to delete

California residents can ask you to delete their personal information. You must comply unless you have a legal reason to keep it (like tax records or fraud prevention). This applies to all the form submissions and customer data you have about them.

The right to opt out of sales

If you sell personal data to other companies (even if you do not think of it as "selling"), California residents can opt out. Under CCPA, "selling" includes sharing data with third parties for money, services, or other valuable benefits. You must provide a "Do Not Sell My Personal Information" link on your website.

The right to correct

Consumers can request that you correct inaccurate personal information about them. You are not required to change everything they ask, but you must have a process to review and respond to these requests.

No discrimination

You cannot discriminate against someone for exercising their CCPA rights. If someone asks for their data to be deleted, you cannot refuse to serve them or charge them more for your services.

CCPA vs. GDPR: key differences

CCPA and GDPR both protect personal data, but they have important differences:

| Feature | GDPR | CCPA | |---------|------|------| | Applies to | Data of EU residents, from any company | Data of California residents, from larger companies | | Consent | Explicit opt-in required (except for essential data) | Opt-out model (data is collected unless you ask not to) | | Right to be forgotten | Yes | Yes, but with more exceptions | | Fines | Up to 20 million euros or 4% of revenue | Up to 7,500 per violation, up to 2,500 per unintentional violation | | Data sale | Not permitted without consent | Allowed unless consumer opts out |

The key difference is that GDPR requires you to ask permission before collecting data. CCPA requires you to tell people they can opt out.

Other US state privacy laws

More than a dozen other states have passed privacy laws similar to CCPA. Here are the major ones:

Virginia (VCDPA)

The Virginia Consumer Data Protection Act applies to for-profit companies processing personal data of Virginia residents. It requires consumer rights for data access, deletion, correction, and opt-out of sales.

Colorado (CPA)

Colorado Privacy Act covers companies processing data of Colorado residents. Similar to CCPA but with some differences in scope and enforcement.

Connecticut (CTDPA)

Connecticut Data Privacy Act, effective July 2024. Similar consumer rights to CCPA and VCDPA.

Utah (UCPA)

Utah Consumer Privacy Act is notably less stringent than others but still requires consumer opt-out rights.

Montana, Delaware, Iowa, and others

Additional states have passed or are considering privacy laws. Most follow the CCPA model of consumer opt-out rights with some variation in requirements.

How to know which laws apply to your forms

To figure out which privacy laws you need to comply with:

  1. Identify where your visitors come from. Use analytics to see which states and regions are represented.
  2. Look up the law for each region. For US states, check the state attorney general website. For other countries, research their privacy laws.
  3. Check the threshold requirements. Does your company meet the size thresholds? Do you have enough customers in that region?
  4. Consult with legal counsel if you are unsure. Privacy law is complex and varies by region. If your business collects significant amounts of data, talk to a lawyer.

Building forms that comply with multiple privacy laws

If your visitors come from different states and countries, you need to follow the strictest rules that apply.

Assume GDPR rules for everyone

If you have any EU visitors, follow GDPR rules. GDPR is among the strictest privacy laws, so compliance with GDPR often means you are compliant with other laws too.

Use explicit consent for sensitive data

Instead of trying to follow different rules for different visitors, use explicit consent (the GDPR standard) for everything. This is cleaner and more protective. Make consent choices clear, specific, and separate for different uses of data.

Provide privacy notice on the form

Include a clear, readable summary of your data practices on the form page. Link to your full privacy policy. This satisfies the disclosure requirements of multiple laws at once.

Make opt-out easy

Provide a way for people to unsubscribe from marketing emails or request deletion of their data. Include this in every marketing email you send (legally required) and on your website (good practice).

Keep good records

Document what data you collect, why you collect it, how long you keep it, and who has access to it. This helps you respond to data requests quickly and proves you are compliant if a regulator asks.

Privacy law fines and penalties

CCPA and state privacy laws carry financial penalties:

  • CCPA (California): Up to 2,500 dollars per intentional violation, 7,500 dollars per unintentional violation. The state attorney general enforces this, plus consumers can sue in certain cases.
  • Virginia, Colorado, Connecticut, etc.: Fines range from 2,500 to 10,000 dollars per violation, plus some allow consumers to sue.

While these fines are lower than GDPR fines, they add up quickly when you have multiple violations or a data breach affects thousands of people.

What WEMASY does for privacy law compliance

WEMASY forms include tools to help you comply with state and federal privacy laws. You can add privacy disclosures to your forms, track which version of your consent terms each visitor accepted, and provide your team with processes to handle data access and deletion requests. WEMASY also logs which data is stored and when it was submitted, helping you maintain the records you need for compliance audits.

See what privacy compliance features are available in your plan on the pricing page.

Frequently asked questions

If I comply with GDPR, am I automatically compliant with CCPA?

With WEMASY's <a href="/website-builder" target="_blank">website builder</a>, you can set this up directly on your website.

What counts as selling data under CCPA?

How long do I have to respond to a data request?

Do I need separate privacy policies for different states?

What should I do if I do not know whether I am subject to CCPA?