Strive Commerce
California Privacy Law (CCPA/CPRA) Guide for Online Sellers

Navigate California's privacy regulations as an e-commerce business. Learn who is covered, what rights consumers have, and how to comply without breaking the bank.

Understanding CCPA and CPRA

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), which took full effect on January 1, 2023, is the most comprehensive state-level privacy law in the United States. It gives California residents significant rights over their personal information and imposes obligations on businesses that collect it.

Even if your business is not based in California, if you sell to California residents (and virtually every online store does), you may be subject to these rules.

Does CCPA Apply to Your Business?

CCPA applies to for-profit businesses that do business in California, collect California consumers' personal information, AND meet at least one of these thresholds:

  • Annual gross revenue above $25 million in the preceding calendar year (the figure is adjusted for inflation periodically), OR
  • You buy, sell, or share the personal information of 100,000 or more consumers or households per year (the original CCPA counted devices too and set the bar at 50,000; CPRA changed both), OR
  • You derive 50% or more of annual revenue from selling or sharing consumers' personal information

Most small dropshipping stores fall below these thresholds. However, understanding and proactively complying with CCPA is smart for several reasons: your business may grow past the thresholds, other states are adopting similar laws, and CCPA-compliant practices build customer trust.

What CCPA Considers Personal Information

CCPA defines personal information broadly:

  • Identifiers: Name, email, address, phone number, IP address
  • Commercial information: Purchase records, browsing history, shopping preferences
  • Internet activity: Browsing history, search history, interaction with websites
  • Geolocation data: Physical location inferred from IP address or device
  • Inferences: Profiles created from collected data reflecting preferences or behavior

Essentially, any data that could reasonably be linked, directly or indirectly, to a California resident or household is covered. Properly deidentified or aggregated data is not.

Consumer Rights Under CCPA

Right to Know

Consumers can request that you disclose what personal information you collect, where you got it, why you collect it, who you share it with, and the specific pieces of information you hold about them. You must confirm receipt within 10 business days and respond within 45 calendar days of receiving the request; that period can be extended once by a further 45 days when reasonably necessary, provided you notify the consumer of the extension within the first 45 days.

Right to Delete

Consumers can request deletion of the personal information you collected from them. You must delete it and direct your service providers and contractors to do the same, subject to specific exceptions (for example, data needed to complete the transaction the consumer requested, to detect security incidents or fraud, or to comply with a legal obligation).

Right to Opt-Out of Sale or Sharing

If you sell or share personal information, consumers have the right to opt out. Under CPRA, "sharing" specifically means disclosing personal information to a third party for cross-context behavioral advertising, whether or not any money changes hands. If this applies to your business, you must provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on your website.

Important for e-commerce: if you use Facebook Pixel, Google Analytics with advertising features, or similar tools that send customer data to third parties for targeted advertising, that very likely constitutes "sharing" under CCPA even though you receive no payment for it.

Right to Correct

Consumers can request correction of inaccurate personal information you hold about them.

Right to Limit Use of Sensitive Information

Consumers can direct you to limit the use of sensitive personal information (for example, precise geolocation, racial or ethnic origin, account credentials, or financial account details) to what is necessary to provide the goods or services they requested. If you use sensitive information beyond that, you must also offer a "Limit the Use of My Sensitive Personal Information" link.

Right to Non-Discrimination

You cannot discriminate against consumers who exercise their privacy rights: no higher prices, lower quality service, or denial of service because someone opted out of data sharing or requested deletion. A loyalty or discount program that asks for personal information is still permitted, but only if the incentive is reasonably related to the value of the data and the consumer opts in after being told the material terms.

Compliance Steps

Step 1: Privacy Policy Updates

Your privacy policy must include CCPA-specific disclosures:

  • Categories of personal information collected in the past 12 months
  • Purposes for each category of information
  • Categories of third parties with whom information is shared
  • Consumer rights and how to exercise them
  • Contact information for privacy requests

Step 2: Consumer Request Process

Create a mechanism for consumers to submit privacy requests. Options include:

  • A dedicated email address for privacy requests
  • A web form on your privacy page
  • A toll-free phone number (required unless you operate exclusively online and have a direct relationship with the consumer, in which case an email address alone satisfies the requirement)

You must verify the identity of the requester before fulfilling a request. Treat this as a security control, not a formality: a right-to-know response sent to an impostor is a data breach of your own making. For online stores, verification typically means matching details the requester supplies (for example, email address, order number, and shipping postal code) against your order records. Use data you already hold rather than asking for new sensitive information, require every supplied field to match, and return the same generic response whichever field was wrong, so the request form cannot be used to confirm who your customers are.

Step 3: Opt-Out Mechanism

If you share personal information with third parties for advertising, add a "Do Not Sell or Share My Personal Information" link in your website footer, in the same place on every page so it is easy to find. The link should lead to a simple opt-out process: no account creation, no more steps than it takes to opt in, and the opt-out honored within 15 business days. The CPRA regulations also require you to treat an opt-out preference signal sent by the browser, such as Global Privacy Control (GPC), as a valid opt-out request, so your site must check for that signal as well as for a choice the visitor made through the link.
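The following is an added example, written for this guide rather than taken from any tag manager or pixel vendor, of how a store's front end can gate advertising pixels behind the opt-out described above (and the "sharing" point made under the opt-out right). The cookie name "ccpa_opt_out" and the loader callback are assumptions for illustration; the GPC signal is read from navigator.globalPrivacyControl, which browsers that implement the signal expose. The decision logic is kept free of browser globals so it can run and be checked outside a browser.

```javascript
// Added example (not from the original guide): load advertising pixels only
// when the visitor has not opted out. Cookie name and loader callback are
// assumptions for illustration.

const OPT_OUT_COOKIE = "ccpa_opt_out";

// Parse a document.cookie-style string into a name -> value map. Malformed
// pairs and bad percent-encoding are skipped rather than allowed to throw.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (err) {
      // invalid percent-encoding: treat this cookie as absent
    }
  }
  return cookies;
}

// Decide whether third-party advertising tags may load. Any opt-out signal
// wins: the choice stored when the visitor used the "Do Not Sell or Share"
// link, or a Global Privacy Control signal from the browser. With no signal
// present the opt-out model applies and tags may load.
function adTagsAllowed({ cookieString = "", gpc = false } = {}) {
  if (gpc === true) return false;
  return parseCookies(cookieString)[OPT_OUT_COOKIE] !== "1";
}

// Cookie string recorded when the visitor opts out. A one-year expiry keeps
// the choice across sessions; Secure restricts it to HTTPS and SameSite=Lax
// keeps it off most cross-site requests.
function optOutCookieValue(nowMs = Date.now()) {
  const expires = new Date(nowMs + 365 * 24 * 60 * 60 * 1000).toUTCString();
  return `${OPT_OUT_COOKIE}=1; Expires=${expires}; Path=/; SameSite=Lax; Secure`;
}

// Browser entry point. `loadPixels` is your own function that injects the
// pixel/analytics scripts; it is called only after the check passes. Returns
// whether tags were loaded, and false outside a browser.
function initAdTags(loadPixels) {
  if (typeof window === "undefined" || typeof document === "undefined") return false;
  const allowed = adTagsAllowed({
    cookieString: document.cookie,
    gpc: !!window.navigator && window.navigator.globalPrivacyControl === true,
  });
  if (allowed) loadPixels();
  return allowed;
}

// Handler for the "Do Not Sell or Share" link: record the choice. The caller
// should also stop any tag already injected on this page load.
function handleOptOutClick() {
  if (typeof document === "undefined") return false;
  document.cookie = optOutCookieValue();
  return true;
}
```

Wire initAdTags into the page before any pixel script tag, and make the footer link call handleOptOutClick; the server side should read the same cookie (and the Sec-GPC request header, which GPC-enabled browsers send) before passing order data to advertising platforms, since a client-side gate alone does nothing for server-to-server sharing.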

Step 4: Service Provider Agreements

Ensure your agreements with service providers (payment processors, analytics tools, marketing platforms) contain the terms CPRA requires: the specific business purposes for which they may use the data, a prohibition on selling or sharing it, a prohibition on using it outside the contract, and an obligation to help you honor consumer requests such as deletion.

Step 5: Employee Training

Anyone who handles consumer privacy requests must understand the process. For small businesses, this may just be you, but document the procedures regardless.

Practical Implementation for Small Stores

Even if you fall below the CCPA thresholds, implementing basic compliance demonstrates good faith and prepares you for growth:

  1. Update your privacy policy to include CCPA-required disclosures
  2. Create a privacy request email and monitor it
  3. Add an opt-out link if you use advertising pixels
  4. Document your data practices so you can respond to requests
  5. Review quarterly as other states adopt similar laws

Total cost: Effectively zero for basic compliance. A privacy policy generator handles most of the documentation, and the process changes are minimal.

Penalties for Non-Compliance

The California Privacy Protection Agency (CPPA) can impose administrative fines, and the California Attorney General can seek civil penalties, of:

  • $2,500 per violation
  • $7,500 per intentional violation, or per violation involving the personal information of a consumer under 16

Penalties are assessed per violation, so one mishandled practice applied to many consumers adds up quickly, and CPRA removed the 30-day cure period the original CCPA gave businesses before enforcement. Consumers also have a private right of action for data breaches of unencrypted or unredacted personal information resulting from failure to implement reasonable security measures, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

CCPA vs GDPR

While both are privacy laws, key differences affect how you implement compliance:

  Aspect              CCPA                                       GDPR
  Scope               California residents                       Individuals in the EU, regardless of citizenship
  Opt-in vs opt-out   Opt-out model                              Opt-in model (a lawful basis, usually consent, is needed before processing)
  Applies to          For-profit businesses meeting thresholds   Any organization processing personal data of people in the EU
  Cookie consent      Not explicitly required                    Required for non-essential cookies (via the ePrivacy rules)
  Right to delete     Yes, with exceptions                       Yes, with exceptions
  Penalties           $2,500-$7,500 per violation                Up to EUR 20 million or 4% of global annual turnover, whichever is higher

If you comply with GDPR, you have done most of the CCPA work, since GDPR is the stricter regime overall. The gap is in the California-specific mechanics: the "Do Not Sell or Share" link, honoring opt-out preference signals such as Global Privacy Control, and the 12-month category disclosures in your privacy policy. Those still have to be added.

Other State Privacy Laws

Following California's lead, several states have enacted comprehensive privacy laws:

  • Virginia (VCDPA) — Effective January 2023
  • Colorado (CPA) — Effective July 2023
  • Connecticut (CTDPA) — Effective July 2023
  • Utah (UCPA) — Effective December 2023
  • Texas (TDPSA) — Effective July 2024
  • Oregon (OCPA) — Effective July 2024

More states are expected to follow. Building privacy-compliant practices now saves significant effort as the regulatory landscape expands.

Key Takeaways

  • CCPA applies to businesses meeting specific thresholds but proactive compliance is smart for all online sellers
  • Consumer rights include access, deletion, correction, and opt-out of data sales or sharing
  • Advertising pixels may constitute data sharing under CCPA, triggering opt-out requirements
  • Update your privacy policy with CCPA-specific disclosures regardless of current thresholds
  • Other states are adopting similar laws making privacy compliance a growing necessity
  • GDPR compliance covers most of CCPA, but the California-specific mechanics (opt-out link, opt-out preference signals, 12-month disclosures) still need adding; aim for the higher standard if you have international customers
