Here’s the short version: if your business handles the personal information of California residents and you’re big enough to cross one of three thresholds, California’s privacy laws give those residents real, enforceable rights over their data — and ignoring them can get expensive fast. With Los Angeles being one of the largest markets in the country, this hits home for a huge number of local businesses. The good news is that CCPA and CPRA compliance is far more approachable than the legal language suggests once you understand who it covers, what consumers can demand, and what you actually have to do. Let’s break it down.
What the CCPA and CPRA actually are
The CCPA — California Consumer Privacy Act — is a state privacy law that gives California residents meaningful control over the personal information that businesses collect about them. It took effect in 2020 and was, at the time, the most significant consumer privacy law in the United States.
A few years later it got a major upgrade. The CPRA — California Privacy Rights Act — was passed by ballot initiative in 2020, and its provisions became enforceable in 2023. The CPRA didn’t replace the CCPA; it amended and strengthened it, adding new consumer rights, creating a dedicated enforcement agency, and tightening obligations on businesses. In everyday conversation, people often just say “CCPA” to mean the whole current framework — which is really the CCPA as amended by the CPRA. We’ll use the terms that way too, noting CPRA additions where they matter.
Why does this matter so much, especially around Los Angeles? Because California is an enormous market, and these laws apply based on whose data you handle, not where your office is. A business anywhere in the country that collects enough Californians’ data can fall under these rules. For LA-area businesses, California residents are very often your customers, so this is squarely your concern. The official sources of truth are the California Attorney General’s office, which maintains detailed CCPA guidance, and the California Privacy Protection Agency, which publishes the implementing regulations.
Who actually has to comply
Not every business is covered — the law targets organizations of a certain size or data intensity. The CCPA applies to for-profit businesses that do business in California and meet at least one of these three thresholds:
| Threshold | Details |
|---|---|
| Revenue | Annual gross revenue over $25 million |
| Data volume | Buy, sell, or share the personal information of 100,000+ California consumers or households per year |
| Data-driven revenue | Derive 50% or more of annual revenue from selling or sharing consumers’ personal information |
Two things to underline. First, you only need to hit one of these, not all three. A data broker whose whole business is selling personal information could be covered by the third threshold even if it’s relatively small. Second, you don’t have to be based in California. A business in another state — or another country — that does business with Californians and crosses a threshold can be subject to the law. The trigger is handling Californians’ data at scale, not your physical address.
If you’re a smaller local business under all three thresholds, you may not be legally obligated today. But thresholds can be crossed as you grow, the broader trend is toward more privacy regulation rather than less, and honoring these rights is increasingly what customers expect regardless of legal obligation. Building good privacy habits early is rarely wasted effort.

The rights you have to honor
The heart of the law is a set of consumer rights that covered businesses must respect. If you’re subject to the CCPA, California residents can exercise these against you:
- The right to know. Consumers can ask what personal information you collect about them, where it came from, why you collect it, and who you share it with.
- The right to delete. Consumers can request that you delete the personal information you’ve collected about them (with some exceptions, like data you need to complete a transaction or comply with law).
- The right to correct. Added by the CPRA, consumers can request that you fix inaccurate personal information you hold about them.
- The right to opt out. Consumers can tell you to stop selling or sharing their personal information. This is why you see “Do Not Sell or Share My Personal Information” links on websites.
- The right to limit use of sensitive information. Also from the CPRA, consumers can restrict how you use sensitive categories of data, like precise geolocation, race, health, or financial details.
- The right to non-discrimination. You can’t punish consumers for exercising these rights — no denying service, charging different prices, or degrading their experience because they opted out or asked for deletion.
That last one is important and sometimes overlooked: exercising a privacy right can’t cost the consumer their access to your product or a fair price. The law is designed so that privacy isn’t a luxury only some customers can afford.
What businesses actually have to do
Honoring those rights translates into a concrete set of obligations. Here’s what compliance looks like in practice:
- Know your data. You can’t protect or disclose what you can’t see. Map what personal information you collect, where it comes from, where it’s stored, who has access, and who you share it with. This data inventory is the foundation of everything else.
- Update your privacy policy. Your public privacy notice must clearly disclose what you collect, why, how it’s used, who it’s shared with, and what rights consumers have — and it needs to stay current.
- Provide ways to exercise rights. Give consumers clear, accessible methods to make requests — typically a webform, an email address, and where applicable a “Do Not Sell or Share My Personal Information” link.
- Respond to requests on time. You generally must confirm receipt within 10 business days and respond substantively within 45 calendar days of receiving the request. That window can be extended once, by up to 45 more days, when reasonably necessary, but only if you tell the consumer why within the first 45 days. You need a real internal process for this, with a logged intake date and deadline for every request, not ad hoc scrambling.
- Verify requesters. Before handing over or deleting data, you must reasonably verify the person is who they claim to be, so you don’t accidentally disclose data to an imposter. The level of assurance should scale with the sensitivity of what is being requested: a deletion or a full disclosure warrants more than an opt-out. Verify against information you already hold (for example, by confirming control of the email address on the account) rather than collecting new sensitive data just to verify.
- Secure the data. The law expects “reasonable security.” If you suffer a breach of unencrypted personal information due to inadequate safeguards, you face heightened liability — more on that next.
- Train your people. Staff who handle consumer requests or personal data need to know the rules and the process.
None of these is exotic, but together they require deliberate setup. The businesses that struggle are the ones who wait until a consumer request — or a regulator’s letter — arrives before figuring out how to respond.

What non-compliance costs
The penalties give the CCPA real teeth. The California Privacy Protection Agency (created by the CPRA) and the Attorney General can impose fines of up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving a consumer under 16. The CPRA also removed the automatic 30-day cure period that businesses previously got before enforcement. The catch that makes this dangerous: each affected consumer can count as a separate violation. Multiply a per-consumer fine across thousands of customers and the totals become staggering very quickly.
On top of regulatory fines, the CCPA includes a private right of action for certain data breaches — specifically, breaches of non-encrypted, non-redacted personal information resulting from a failure to maintain reasonable security. Affected consumers can sue and recover statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater) without proving they suffered concrete harm. That’s a significant exposure: a single breach can spawn class-action litigation on top of any regulatory penalty. It also ties privacy compliance tightly to security — encrypting personal data and maintaining reasonable safeguards isn’t just good practice, it directly limits your legal liability.
A tale of two businesses
Two LA-area companies each hold personal data on hundreds of thousands of California customers. The first never took privacy seriously. Their privacy policy is a copy-pasted relic, there’s no real way for customers to make requests, and nobody knows exactly what data lives where. When a customer’s deletion request goes ignored and they complain to the state, regulators take a look — and find systemic non-compliance. Then a breach exposes unencrypted customer records, triggering both regulatory penalties and a class-action lawsuit under the private right of action. The combined cost dwarfs anything compliance would have required, and the headlines do lasting damage.
The second company built privacy in deliberately. They mapped their data, published a clear and current privacy policy, added a simple request portal and a “Do Not Sell or Share” link, trained their staff, and encrypted personal information at rest. When customers make requests, they’re handled smoothly within the required window. When the same kind of breach attempt comes, the data is encrypted — sharply limiting both the damage and the legal exposure. Regulators see a business making a genuine good-faith effort. The incident is a manageable event, not a catastrophe.
Same data, same customer base, same threats — but one treated privacy as a checkbox to dodge and the other as an operational discipline. The difference showed up exactly when it counted.
How privacy and security work together
CCPA compliance and cybersecurity are deeply intertwined. The law’s “reasonable security” expectation and its breach-related liability mean you can’t separate privacy from protecting the data itself. Strong cybersecurity fundamentals — encryption, access controls, monitoring — directly reduce your CCPA exposure, because the private right of action reaches only non-encrypted, non-redacted personal information, and good safeguards prevent the breaches that trigger penalties. One caveat practitioners should keep in mind: encryption only helps if the keys are not exposed in the same incident, so keys belong in a separate key-management system with their own access controls, not in the database or application config next to the data they protect. Knowing whether your customers’ data has already been exposed elsewhere, through dark web monitoring, is part of understanding your real risk. Privacy compliance done well rests on a foundation of solid security.
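To make the encryption point concrete, here is an added example (not code from this article or from any product it mentions) of field-level encryption of a personal-data column with AES-256-GCM in Go. It assumes a hypothetical customer record with an ID and an email address; the record ID is bound into the ciphertext as associated data so a blob copied from one customer’s row cannot be decrypted under another’s, and any tampering with the stored blob fails authentication. The key here is generated in memory for the demonstration; in a real deployment it would come from a key-management service, as the paragraph above notes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// NewKey returns a fresh random AES-256 key. Assumption for this example:
// in production the key is fetched from a KMS/secrets manager, never
// generated or stored alongside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one personal-data field with AES-256-GCM. A random
// nonce is prepended to the ciphertext, and recordID is supplied as
// associated data so the blob is tied to the row it was written for.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. A modified blob, a wrong key, or a
// mismatched recordID all fail the GCM authentication check.
func DecryptField(key []byte, recordID, blob string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksPlaintext reports whether the stored blob, as an attacker dumping
// the table would see it, still contains the clear value.
func LeaksPlaintext(blob, plaintext string) bool {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return false
	}
	return bytes.Contains(raw, []byte(plaintext)) || bytes.Contains([]byte(blob), []byte(plaintext))
}

func main() {
	key, _ := NewKey()
	// Constructed sample record for the demonstration, not real customer data.
	id, email := "cust-0001", "jane@example.com"
	blob, _ := EncryptField(key, id, email)
	fmt.Println("stored blob:", blob)
	fmt.Println("plaintext visible in storage:", LeaksPlaintext(blob, email))
	back, _ := DecryptField(key, id, blob)
	fmt.Println("decrypted with correct key and record id:", back)
	_, err := DecryptField(key, "cust-0002", blob)
	fmt.Println("decrypt under a different record id:", err)
}
```

The design choice worth noting is the associated data: encrypting each field independently is not enough if an attacker with write access to the database can move a ciphertext from one row to another and have it decrypt cleanly. Binding the record ID makes that swap fail. Access to the key, not to the table, becomes the thing you must protect, which is exactly the line the private right of action draws between encrypted and non-encrypted data.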
For most businesses, getting CCPA-ready means combining legal/policy work with technical and operational setup — and that’s a lot to coordinate. Working with a partner through compliance and security audit services lets you map your data, close the gaps, build the request-handling processes, and secure the underlying systems in one coordinated effort rather than a series of fire drills.
The bottom line
California’s privacy laws give residents real control over their personal data, and if your business is large enough to cross a threshold, those rights are enforceable against you — with fines that scale per consumer and a breach lawsuit provision that adds serious risk. But compliance is achievable: know your data, disclose clearly, honor consumer requests, secure what you hold, and train your team. For LA-area businesses especially, this isn’t a distant regulatory abstraction — your customers are exactly the people these laws protect.
If you’re not sure whether the CCPA applies to you, or whether you’d survive a consumer request or a breach, let’s find out together. Reach out for a free assessment and we’ll review the personal data you hold, where your gaps and exposure are, and how to get compliant and secure — in plain English, without the legal headache.
