CCPA and CPRA: Data Privacy for Your U.S. Website
A clear guide to CCPA and CPRA: who they apply to, consumer rights, the Do Not Sell or Share link, and a U.S. data privacy checklist.
Imagine you run an online store in Mexico or a blog in Argentina, and one day you notice visits from California in your analytics. Without realizing it, you might be processing the personal data of Californians, and that can put you on the radar of the CCPA, the most influential data privacy law in the United States.
The good news: you don't have to be in California, or even in the United States, to grasp the essentials and reduce your risk. Most obligations boil down to concrete decisions about your site: an honest privacy notice, a visible link, a way to handle requests, and a technically secure site. In this guide, we explain what the CCPA and its reform, the CPRA, are, who they apply to, what rights they give consumers, and what you can review today.
Note: this is a practical guide, not legal advice. Thresholds, penalty amounts, and deadlines change over time. Whenever something is uncertain, we'll tell you to check the current text or consult an attorney who specializes in U.S. data privacy.
What the CCPA Is (and What Changed With the CPRA)
The CCPA (California Consumer Privacy Act) is California's privacy law, in effect since 2020. It was the first far-reaching state law in the United States on personal data, and it set the tone for many that followed.
In 2023, the CPRA (California Privacy Rights Act) took full effect. It doesn't replace the CCPA; instead, it expands and strengthens it. When people talk about the "CCPA" today, in practice they almost always mean the version already amended by the CPRA. Its main contributions:
- It creates a category of sensitive personal information (precise geolocation, health, data about minors, login credentials) with additional protections.
- It adds the right to correct inaccurate data.
- It expands the opt-out to cover not only the sale of data, but also its sharing for targeted advertising purposes.
- It creates a dedicated authority: the CPPA (California Privacy Protection Agency).
If you come from the European world, the logic will feel familiar: the CCPA pursues goals similar to the GDPR, just with different vocabulary.
Who It Applies To (and Why It Might Include You)
Here's the point that surprises many site owners: the CCPA is not limited to companies based in California. It applies to for-profit businesses that process the personal data of California residents and meet at least one of these thresholds (per the current text, which is worth verifying because the figures get updated):
- Annual gross revenue above a certain threshold (on the order of $25 million).
- Buying, selling, or processing the personal information of a large number of California consumers or households per year (the order of magnitude is in the tens of thousands).
- Deriving a substantial portion of revenue (around half or more) from the sale or sharing of personal data.
Two important nuances for your site:
- You don't have to be physically in California. What matters is that you process the data of people who reside there. If your store or service accepts customers from California, you could fall within scope.
- Most small sites don't reach the thresholds. If your business meets none of the three criteria, you're technically not obligated. But adopting good practices still pays off: you build trust, you prepare to grow, and you reduce friction if you sell to U.S. customers in the future.
Check the exact thresholds in the current text: the figures are adjusted periodically, and a privacy attorney can confirm whether your case applies.
Consumer Rights
The CCPA, strengthened by the CPRA, grants California residents a set of rights over their data. Get to know them, because they define which flows your site needs to offer:
- Right to know: the consumer can ask what personal information you collect, where you get it, what you use it for, and who you share it with.
- Right to delete: they can request that you delete the information you hold about them, with some legal exceptions.
- Right to correct: introduced by the CPRA, it lets them ask you to rectify inaccurate data.
- Right to opt out of sale or sharing: they can tell you not to sell or share their personal information with third parties (typically, for targeted advertising).
- Right to limit the use of sensitive information: they can restrict how you use sensitive categories of data.
- Right to non-discrimination: you can't deny them service, charge them more, or give them lower quality because they exercised their rights.
One key phrase: under the CCPA, "sell" and "share" have a broad meaning. It doesn't refer only to selling an email list for money. If you embed advertising pixels or third-party cookies that transfer your visitors' data to ad networks, that can count as "selling" or "sharing" even if you don't receive a direct payment. That's why the next point is central.
The "Do Not Sell or Share My Personal Information" Link
If your business sells or shares personal data, the law requires you to offer a clear and visible way for the consumer to object. In practice, this takes the form of a link on your site with text such as:
- "Do Not Sell or Share My Personal Information," or
- "Your Privacy Choices," sometimes accompanied by a standard icon.
This link usually goes in the footer, accessible from anywhere on the site, and it must lead to a real mechanism for exercising the opt-out, not to decorative text. In addition, the regulation recognizes automatic privacy preference signals such as the GPC (Global Privacy Control), which the browser sends and which your site should respect.
An honest point: if you do not sell or share data in the sense the law means, you don't need to invent the link. But then your privacy notice should clearly say that you don't. The important thing is that your site and your text tell the truth about what happens to the data.
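To make the opt-out mechanism concrete, here is an added example (not code from the article or from Pursecure) of the server-side decision a site has to make on every page load: read the GPC signal the browser sends as the Sec-GPC header, combine it with the cookie your own "Do Not Sell or Share" page sets, and only then decide which data-sharing scripts the page may include. The cookie names, the tracker registry and the request objects are constructed for the example; the headers object is assumed to use lowercase keys, as Node's http request headers do.

```javascript
// Added example. Decides whether a response may load data-sharing trackers
// from three signals: the Sec-GPC header, the site's own opt-out cookie, and
// the consent banner's cookie. Everything below the comments is constructed.

// Constructed tracker registry. "necessary" scripts never send data to a
// third party; "sharing" scripts are the advertising/marketing pixels that
// the CCPA treats as a sale or share of personal information.
const TRACKERS = [
  { name: 'session', category: 'necessary', src: '/static/session.js' },
  { name: 'ad-pixel', category: 'sharing', src: 'https://ads.example/pixel.js' },
  { name: 'marketing', category: 'sharing', src: 'https://mkt.example/tag.js' },
];

// Assumed cookie names: one set by the "Do Not Sell or Share" page, one by
// the consent banner.
const OPT_OUT_COOKIE = 'optout_sale_share'; // "1" once the visitor opted out
const CONSENT_COOKIE = 'consent';           // "accepted" or "rejected"

// Parse a raw Cookie header ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const val = part.slice(idx + 1).trim();
    if (key) out[key] = decodeURIComponent(val);
  }
  return out;
}

// Global Privacy Control: a browser with GPC enabled sends "Sec-GPC: 1".
function hasGpcSignal(headers) {
  return String(headers['sec-gpc'] || '').trim() === '1';
}

// Client-side equivalent of the same preference: navigator.globalPrivacyControl.
// Takes a navigator-like object so it can be exercised outside a browser.
function hasGpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// The visitor counts as opted out if EITHER the browser sends GPC OR the
// visitor used the site's own opt-out link. One signal is enough.
function isOptedOut(headers) {
  const cookies = parseCookies(headers.cookie);
  return hasGpcSignal(headers) || cookies[OPT_OUT_COOKIE] === '1';
}

// Which script URLs may this response include? Necessary scripts always;
// sharing scripts only when the visitor has not opted out AND the banner
// recorded an explicit "accepted". Returns the list so a template (or a
// test) can see exactly what would be injected into the page.
function selectTrackers(headers) {
  const cookies = parseCookies(headers.cookie);
  const sharingAllowed =
    !isOptedOut(headers) && cookies[CONSENT_COOKIE] === 'accepted';
  return TRACKERS
    .filter(t => t.category === 'necessary' || sharingAllowed)
    .map(t => t.src);
}

// Two constructed requests: a GPC browser that also clicked "accept" on the
// banner, and a browser without GPC that accepted.
const gpcVisitor = { 'sec-gpc': '1', cookie: 'consent=accepted' };
const acceptedVisitor = { cookie: 'consent=accepted' };
console.log(selectTrackers(gpcVisitor));      // GPC wins: only the session script
console.log(selectTrackers(acceptedVisitor)); // all three scripts
```

The design point is the order of evaluation: the opt-out check runs before the consent check, so a GPC signal cannot be overridden by a banner click the visitor made without noticing, and a page that forgets to call selectTrackers simply loads nothing beyond the necessary scripts.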
The Role of the CPPA and the FTC
Two players keep watch over this terrain:
- The CPPA (California Privacy Protection Agency) is the state agency created by the CPRA. It has the power to issue regulations, investigate, and penalize noncompliance with the CCPA/CPRA. The state Attorney General can also take action.
- The FTC (Federal Trade Commission) is the federal consumer protection authority across the United States. It doesn't enforce the CCPA itself, but it pursues unfair or deceptive practices: if your privacy notice promises one thing and your site does another, the FTC can step in under its own authority.
The practical lesson: consistency between what you say and what you do isn't just a matter of California law. At the federal level, promising and not delivering is already a risk.
Beyond California: The State Map
California led the way, but today many states have their own data privacy law. Some of the most frequently cited:
- Virginia (VCDPA): Virginia Consumer Data Protection Act.
- Colorado (CPA): Colorado Privacy Act.
- Connecticut, Utah, Texas, Oregon, and a growing number of states with their own laws.
The good news is that they share a common foundation: transparent privacy notices, rights of access, correction, and deletion, and opt-out mechanisms. If you build your site to meet the most demanding standard (usually California's), you cover a large part of what the others require. Don't chase each law separately; adopt good practices and document what you do.
The Connection to Technical Security
Data privacy doesn't live only in a legal document: it lives in how your site is built. There are technical and observable signals that anyone (including a regulator, a customer, or an attacker) can check from the outside:
- Encryption in transit (TLS/HTTPS): if your site asks for data through a form without valid HTTPS, that data travels exposed. An expired certificate or a weak configuration contradicts any promise of "we protect your information."
- Third-party cookies and trackers: advertising pixels and marketing cookies are exactly what the CCPA considers "sharing." Knowing which trackers your site loads is the first step to disclosing them and, where appropriate, allowing an opt-out.
- Consent banners: a well-built banner informs and lets people choose; a poorly built one gives a false sense of compliance. The technical signal matters: are the trackers really blocked until the user accepts?
- Security headers: headers like Strict-Transport-Security or Content-Security-Policy reduce the risk of leaks and attacks that would end up compromising personal data.
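The signals in this list can be checked from a single fetched page. The following is an added example (not code from the article or from Pursecure) that audits a response for the scheme, the Strict-Transport-Security and Content-Security-Policy headers, and the third-party hosts that the page's script tags would contact. It takes the response as a plain object with the final URL, lowercase header names and the HTML body, which is what a fetch() result reduces to; the sample response, the one-year HSTS threshold and the severity labels are constructed for the example.

```javascript
// Added example. Audits the externally observable privacy/security signals of
// one page: HTTPS, HSTS, CSP, and which third-party hosts its scripts load.

const ONE_YEAR = 31536000; // seconds; the HSTS max-age this example expects

// Hosts named by <script src="..."> tags that differ from the page's own host.
// Regex-based on purpose: the question is "who receives the visitor's
// request", not a full DOM parse. Relative srcs resolve to the page host.
function thirdPartyScriptHosts(html, pageUrl) {
  const siteHost = new URL(pageUrl).hostname;
  const hosts = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let host;
    try { host = new URL(m[1], pageUrl).hostname; } catch (_) { continue; }
    if (host !== siteHost) hosts.add(host);
  }
  return [...hosts].sort();
}

// max-age from a Strict-Transport-Security value, or null if absent.
function parseHstsMaxAge(value) {
  const m = /max-age\s*=\s*(\d+)/i.exec(value || '');
  return m ? Number(m[1]) : null;
}

// Returns { check, severity, detail } findings; an empty array means none of
// the audited signals contradicts the privacy notice.
function auditResponse(resp) {
  const findings = [];
  const url = new URL(resp.url);
  const h = resp.headers;

  if (url.protocol !== 'https:') {
    findings.push({ check: 'https', severity: 'high',
      detail: 'page served over ' + url.protocol.replace(':', '') });
  }

  const hstsAge = parseHstsMaxAge(h['strict-transport-security']);
  if (hstsAge === null) {
    findings.push({ check: 'hsts', severity: 'medium',
      detail: 'Strict-Transport-Security header missing' });
  } else if (hstsAge < ONE_YEAR) {
    findings.push({ check: 'hsts', severity: 'low',
      detail: 'max-age ' + hstsAge + ' is below one year' });
  }

  if (!h['content-security-policy']) {
    findings.push({ check: 'csp', severity: 'medium',
      detail: 'Content-Security-Policy header missing' });
  }

  const third = thirdPartyScriptHosts(resp.body, resp.url);
  if (third.length > 0) {
    findings.push({ check: 'third-party-scripts', severity: 'info',
      detail: 'scripts loaded from ' + third.join(', ') +
              '; each must be disclosed in the notice and gated by the opt-out' });
  }
  return findings;
}

// Constructed sample: HTTPS page, one-day HSTS, no CSP, one advertising script.
const SAMPLE = {
  url: 'https://shop.example/',
  headers: {
    'strict-transport-security': 'max-age=86400',
    'content-type': 'text/html',
  },
  body: '<html><head><script src="/js/app.js"></script>' +
        '<script src="https://ads.example/pixel.js"></script></head></html>',
};
console.log(auditResponse(SAMPLE));
```

The third-party finding is deliberately "info" rather than a defect: loading a pixel is not itself a violation, but every host in that list has to appear in the privacy notice and sit behind the opt-out, so the audit's job is to surface the inventory the notice must match.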
This is where a tool like Pursecure helps you: you paste your site's URL and, in minutes, you get a score from 0 to 100 with issues ranked by severity and the details of how to fix each one, whether you do it yourself, your team does, or your AI does with the ready-made prompt. It doesn't replace a lawyer, but it shows you the technical half of compliance that almost no one reviews. You can scan your site for free at pursecure.app.
What to Review on Your Site Today
An actionable list you can run through without being a technician or a lawyer:
- Does the CCPA apply to your business? Check the three thresholds (revenue, data volume, revenue from selling data) against the current text.
- Do you have a privacy notice that explains what data you collect, what for, and who you share it with, and that is up to date?
- Does your notice tell the truth? If you don't sell data, say so. If you use advertising pixels, disclose them.
- Do you offer the "Do Not Sell or Share" link or "Your Privacy Choices" if you sell or share data, visible from the footer?
- Do you respect the GPC signal that some browsers send?
- Is there a clear way to exercise rights (to know, delete, correct): an email, a form, an address?
- Does your site load over HTTPS with a valid, current TLS certificate on all its pages?
- Do you know which third-party cookies and trackers your site loads? Does your consent banner really control when they activate?
- Have you inventoried your vendors (analytics, email, payment gateway) and what each one does with the data?
Conclusion
The CCPA and the CPRA turned data privacy in the United States into something every site owner needs to understand, even if they aren't in California. The essence isn't to memorize articles: it's to be honest about what data you collect, give people real control over it, and back that promise with a technically secure site.
A lawyer fine-tunes the legal part; the observable technical part is something you can start reviewing today. Scan your site for free at pursecure.app and find out in minutes whether your HTTPS, your cookies, and your headers live up to what your privacy notice promises.