Solutions by Regulation

Simplify CCPA Compliance — From Opt-Outs to Evidence

Vault JS provides independent, third-party, continuous monitoring, with evidence, ensuring that your websites and apps honor “Do Not Sell/Share” signals, GPC (Global Privacy Control), GPP (Global Privacy Platform), Opt-Out and delete requests, and other CCPA (including CPRA) rights.

Solutions for CCPA

Simplify CCPA Compliance

In 2026, California’s attorney general announced the largest CCPA settlement to date: $2.75 million with Disney for opt-out non-compliance. The CCPA (including CPRA) is broader than just cookie consent, and your CMP may be insufficient. Vault’s CCPA solution continuously detects inadequate privacy policies, unauthorized data sharing, dark patterns, and failure to honor consumer consent preferences.

$1.2M First CCPA Fine

Sephora paid $1.2 million in 2022 for failing to honor “Do Not Sell/Share” opt-outs, especially via Global Privacy Control signals, demonstrating the costs of non-compliance.

Recent Dark Patterns Penalty

Regulators are targeting dark pattern violations, as underscored by Sling TV’s $530K settlement in 2025. Sling’s opt-out link misled users by burying the true opt-out, violating the CCPA.

No Cure Period Under the CPRA Amendment

Companies no longer get 30 days to cure violations, increasing enforcement risk. Fines ranging from $2,500 to $7,500 per violation are now issued without prior notice.

How Vault JS Supports CCPA Compliance

Automatic GPC Signal Validation and User Opt-Outs

GPC compliance testing eliminates missed opt-outs, whether they arrive as browser GPC signals or from users actively opting out of data sharing/selling.

Dark Pattern & UX Compliance Checks

Avoid fines by finding and fixing unclear consent flows.

Sensitive Data Monitoring

Know if sensitive personal information is leaking.

Do Not Sell/Share Compliance

Ensure no unauthorized third-party data is transferred.

Evidence for Regulators and Audits

You’re always audit-ready, with detailed evidence logs.

Key CCPA Compliance Capabilities

How we manage risk in a changing environment

Compliance Beyond Cookies

The CCPA doesn’t outlaw cookies; it outlaws the sharing and selling of data, regardless of whether cookies are used. To fully protect your organization, Vault JS detects non-cookie tracking technologies, monitors device-fingerprinting behavior, identifies hidden data-sharing pathways, and validates opt-out controls across all tracking methods, reducing regulatory and enforcement risk.

CCPA Rule Engine

Our configurable rule engine maps regulatory requirements to real-time website and data-processing behavior. It automatically evaluates whether tracking, disclosures, and opt-out logic align with CCPA rules.

Consent Manager Integration Testing

Vault JS validates that your CMP (Consent Management Platform) is properly integrated and enforcing user choices across tags, pixels, and third-party scripts. It locates gaps where consent signals fail to propagate downstream.

DSAR Workflow Simulation

Vault simulates DSARs (Data Subject Access Requests) to test response workflows, identity verification steps, and fulfillment timing.

Exception Monitoring & Alerts

Vault provides independent, third-party, continuous monitoring of actual data behavior. We detect compliance breakdowns and trigger real-time alerts for violations, including failed opt-outs, unauthorized tag firing, or misconfigured scripts. You can see problems before regulators do.

Frequently Asked Questions

The CCPA (California Consumer Privacy Act) was the original 2018 framework that gave Californians the right to know what data is collected, delete it, and opt out of its sale. The CPRA (California Privacy Rights Act) amended the original act, establishing the CPPA (California Privacy Protection Agency) — nicknamed CalPrivacy — to strictly enforce the law. It also expanded the legal protections Californians have over their data.

The CPPA/CalPrivacy, acting as an independent state agency, has full rulemaking and enforcement authority. In 2025, it announced a $1.35 million settlement with Tractor Supply Company for failures related to opt-out notifications and other issues. The California Attorney General has concurrent enforcement authority and, in 2025, announced a $1.55 million settlement with Healthline for misuse of online tracking tools and the disclosure of sensitive health information.

Penalties are assessed per violation, per consumer, and can quickly reach six or seven figures: up to $2,500 per non-intentional violation; up to $7,500 per intentional violation; up to $7,500 per violation involving a minor’s data. The CCPA also allows a private right of action for certain data violations, with statutory damages of $100–$750 per affected consumer per incident, or actual damages, if higher.

  • Selling, by definition, means that either money or something else of value was paid by a third party in exchange for the receipt of or access to personal information.
  • Sharing was added by CPRA specifically to cover the disclosure of personal information for cross-context behavioral advertising, irrespective of the exchange of something of value. Violations include sending identifiers such as cookies, device IDs, or emails to ad networks and enabling retargeting across websites or apps.

Yes. Covered businesses must honor valid GPC signals under California law. A GPC signal sent by a browser or device must be treated as a legally binding opt-out request of the sale or sharing of personal information, and businesses are not permitted to require that users click a separate “Do Not Sell or Share” link if a valid GPC signal is detected.

Some of the most common overlooked compliance gaps include:

  • Retaining data without defining a time limit for how long it will be retained, which is a CCPA requirement.
  • Mismanaging Sensitive Personal Information (SPI) by collecting precise geolocation, financial data, or account credentials without a required “Limit the Use of My Sensitive Personal Information” mechanism.
  • Incomplete vendor contract updates to legacy vendor agreements that may not contain CCPA-mandated provisions restricting data use, audit rights, and downstream compliance obligations.
  • GPC detection failures, in which websites display a compliant opt-out link but fail to properly detect and honor Global Privacy Control (GPC) signals at the technical level.
  • DSAR workflow weaknesses, such as a lack of clear identity verification standards, internal routing procedures, or service-provider coordination, which can lead to missed deadlines or incomplete responses.

Vault scans all cookies, tags, pixels, scripts, and network calls to identify which third parties receive users’ personal identifiers (device IDs, cookies, IP-linked IDs, etc.) and categorizes them accordingly. If those data flows correspond to scenarios regulators interpret as data being provided for value, such as targeted advertising or value-exchange tracking, the engine flags them as potential “sells” or “shares”.

Yes. Vault can simulate a consumer opt-out to test whether your site properly enforces compliance. Vault can trigger a “Do Not Sell or Share” scenario or GPC signal, and then monitor whether tracking stops, tags are suppressed, vendor calls change behavior, and downstream data flows cease. This allows you to verify that opt-out logic works both technically and operationally.
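As an added illustration (not Vault JS code) of the GPC detection and the post-opt-out audit described above: the gate treats a valid GPC signal as an opt-out on its own, suppresses sale/share tags once opted out, and flags any sale/share vendor call that still carries a personal identifier. The `navigator.globalPrivacyControl` property and the `Sec-GPC` request header are the carriers defined by the GPC specification; the vendor hostnames, tag categories and identifier parameter names are constructed for this example.

```javascript
// Detects a GPC opt-out from the client-side navigator property or the
// Sec-GPC request header (both defined by the GPC spec; value "1" means opt out).
function gpcOptedOut({ navigator = {}, headers = {} } = {}) {
  if (navigator.globalPrivacyControl === true) return true;
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  return lower['sec-gpc'] === '1';
}

// Effective opt-out state: a valid GPC signal counts by itself, with no separate
// "Do Not Sell or Share" click required; an explicit user choice also counts.
function optedOut(signal, explicitOptOut = false) {
  return explicitOptOut || gpcOptedOut(signal);
}

// Constructed tag catalogue: cross-context advertising and retargeting vendors are
// sale/share recipients; the analytics vendor is a contracted service provider.
const TAGS = {
  'ads.example-network.test': { purpose: 'cross_context_ads', sellsOrShares: true },
  'pixel.retarget.test':      { purpose: 'retargeting',       sellsOrShares: true },
  'analytics.example.test':   { purpose: 'service_provider',  sellsOrShares: false },
};

// Tags permitted to fire: sale/share tags are suppressed once the user is opted out.
function allowedTags(isOptedOut) {
  return Object.keys(TAGS).filter((host) => !isOptedOut || !TAGS[host].sellsOrShares);
}

// Audit of network calls observed after the opt-out was applied: any request to a
// sale/share vendor that still carries a personal identifier is a finding.
const ID_PARAMS = new Set(['cid', 'device_id', 'email_hash']); // constructed names
function auditAfterOptOut(observedCalls) {
  const findings = [];
  for (const url of observedCalls) {
    const u = new URL(url);
    const tag = TAGS[u.hostname];
    if (!tag || !tag.sellsOrShares) continue;
    const identifiers = [...u.searchParams.keys()].filter((k) => ID_PARAMS.has(k));
    if (identifiers.length) findings.push({ host: u.hostname, identifiers });
  }
  return findings;
}
```

A real monitor would replay the opt-out in a browser and capture the resulting requests; the audit step above is the same check run over that captured traffic.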

A mounting series of consequences can occur. The CPPA (California Privacy Protection Agency, aka CalPrivacy) or the California Attorney General can investigate, require documents, and order you to rectify compliance failures. They can also institute ongoing audits and monitoring. Public disclosure of privacy failures can damage your brand and business relationships. Civil penalties ranging from $2,500 to $7,500 per violation per consumer can add up quickly. Under limited circumstances, consumers can file suit privately.

Yes, but, at least for the moment, the private right of action is limited to certain data breaches, not general violations such as failure to honor opt-outs or improper disclosures. Consumers can sue if their non-encrypted, non-redacted personal information is subject to unauthorized access, theft, or disclosure due to a business’s failure to implement reasonable security measures.

However, a substantial expansion of the private right of action under CCPA may be on the horizon in light of several recent decisions in the Northern District of California allowing two class-action suits to proceed.

Not specifically. California is an opt-out, not opt-in, state, but there are rules. If using analytics cookies, you must disclose the data collection in your privacy notice, honor opt-out requests if the analytics setup qualifies as a “sale” or “sharing”, and ensure vendor contracts meet service provider requirements. For advertising or targeting cookies, prior consent is not required, but consumers must be given a clear ability to opt out of “sale” or “sharing”, recognition of Global Privacy Control (GPC) signals, and proper notice at collection.

Employee and B2B contact data were largely exempt under the original CCPA. Under the CPRA amendment, employees, contractors, officers, directors, and job applicants now have full consumer rights, including the right to access, delete, correct, know the categories and purposes, and the right to limit the use of personal information. Businesses must also provide a “Notice at Collection” to employees and maintain reasonable security. In addition, personal information collected in a business-to-business context, such as vendor contacts, corporate emails, and sales leads, is now fully covered, giving B2B contacts the same opt-out rights as consumers.

Yes. Vault JS helps identify privacy risks relevant to multiple privacy laws, not just California’s. Vault identifies consent and tracking violations across multiple regions and flags data-collection patterns that could trigger requirements under other comprehensive privacy statutes. Vault also audits digital tracking technologies (DTT) for compliance with the GDPR (General Data Protection Regulation), other state laws, MHMD, Law 25, COPPA and numerous other privacy laws.

Stay ahead of California privacy enforcement.

Request a CCPA compliance demo today.