CCPA

California Consumer Privacy Act (2018, amended by CPRA 2020)

California, USA | Enforced by CPPA since July 2023

The CCPA grants California residents rights over their personal information and imposes obligations on businesses that collect it. Enforced by the California Privacy Protection Agency (CPPA), it covers the right to know, delete, correct, and opt out of data sale or sharing. RAIL Score checks content against 9 CCPA requirements.

Maximum Penalties

| Violation Type | Fine per Violation |
| --- | --- |
| Unintentional violation | Up to $2,500 |
| Intentional violation | Up to $7,500 |
| Violations involving minors' data | Up to $7,500 (auto-intentional) |

Each consumer whose rights are violated counts as one violation. A data breach affecting 10,000 users could result in up to $75 million in intentional penalties.

Businesses Subject to CCPA

A business is subject to CCPA if it operates in California and meets any one of:

  • Annual gross revenue exceeding $25 million
  • Buys, sells, or shares personal data of 100,000+ consumers or households per year
  • Derives 50% or more of annual revenue from selling or sharing consumers' personal data

Requirements Checked by RAIL Score

| ID | Section | Requirement |
| --- | --- | --- |
| CCPA-001 | 1798.100 | Right to know |
| CCPA-002 | 1798.105 | Right to delete |
| CCPA-003 | 1798.110 | Right to correct |
| CCPA-004 | 1798.120 | Right to opt-out of sale/sharing |
| CCPA-005 | 1798.121 | Sensitive personal information |
| CCPA-006 | 1798.130 | Privacy notice |
| CCPA-007 | 1798.135 | Do Not Sell/Share link |
| CCPA-008 | 1798.140 | Business threshold applicability |
| CCPA-009 | 1798.150 | Data security |

2025–2026 CPPA Enforcement

The CPPA became fully operational in 2023 and has been escalating enforcement. Current focus areas:

  • Automated decision-making transparency — CPPA published draft rules on automated decision-making technology (ADMT) requiring opt-out rights when AI makes consequential decisions (employment, credit, housing, education, healthcare)
  • Targeted advertising opt-outs — enforcement of "Do Not Sell/Share" requirements
  • Dark patterns — consent flows that manipulate or coerce users into accepting data practices
  • Sensitive personal information handling — heightened scrutiny on health, financial, and location data

California residents may gain the right to opt out of AI systems that make decisions significantly affecting them, under the proposed ADMT rules.

API Example

See the Compliance API reference for full endpoint documentation, parameters, and response schema.

Python — CCPA compliance check
```python
from rail_score_sdk import RailScoreClient

# Replace the placeholder with your own API key
client = RailScoreClient(api_key="YOUR_RAIL_API_KEY")

# Check a description of a data practice against the CCPA framework
result = client.compliance_check(
    content="""
    Our recommendation engine collects California users' browsing history,
    purchase patterns, and inferred interests to serve personalized ads.
    We share user segments with third-party advertisers.
    """,
    framework="ccpa",
    context={
        "domain": "general",
        "jurisdiction": "US",
        "processes_personal_data": True
    }
)

# Overall score and the number of requirements passed
print(f"CCPA Score: {result.compliance_score.score}/10 ({result.compliance_score.label})")
print(f"Passed: {result.requirements_passed}/{result.requirements_checked}")

# Each reported issue with its severity
for issue in result.issues:
    print(f"[{issue.severity.upper()}] {issue.description}")
```

Sources: CA AG CCPA · CPPA