CCPA Compliance in 2026: What Your Startup Must Know
An early-stage SaaS founder told us that CCPA didn't apply to him. An IT consultant he had worked with at the seed stage had told him so. He was wrong, and he'd been wrong for more than a year. With eleven people, nowhere near the revenue figure he'd seen quoted, and a product built to be privacy-friendly from day one, he believed California privacy law was Meta and Google's problem.
Then we looked at how his product actually worked. His analytics setup was quietly sharing data with a stack of third-party ad and attribution tools, and once you added up the visitors flowing through those integrations across a year, he was comfortably past 100,000 California consumers. The revenue threshold was never the one that mattered for him. He was in scope; he just didn't know it.
That gap, between what people assume CCPA covers and what it actually covers, is where most of the compliance pain lives, and the law got meaningfully bigger in 2026. This post covers the three things a founder or operator actually needs: what the California Consumer Privacy Act is in its current form, whether it applies to your company, and what you have to do about it. It's current as of the 2026 rules, and it gets right the one thing most CCPA explainers get wrong.
What CCPA is now (and why CPRA isn't a separate law)
The California Consumer Privacy Act gives California residents real, enforceable control over the personal information businesses collect about them. It gives them the right to know what's been collected, the right to delete it, the right to opt out of its sale or sharing, the right to correct it, and the right to not be discriminated against for exercising any of those rights.
Here's the part that trips people up. You'll see "CCPA" and "CPRA" used like they're two competing laws. They're not. The CPRA is not a separate statute. It's Proposition 24, a ballot initiative California voters passed in November 2020 that amended the original CCPA. It added the new rights around correction and sensitive personal information, raised the consumer threshold, and created the California Privacy Protection Agency (the CPPA) as a dedicated regulator with its own rulemaking and enforcement power.
So when someone asks whether they need to comply with CCPA or CPRA, the honest answer is that there is only one law (the CCPA as amended by the CPRA) and one agency enforcing it. I find it helps to think of it the way you'd think about a codebase. CPRA wasn't a rewrite that replaced the old system. It was a major version bump that added features, tightened the rules, and shipped a team to maintain it. Getting this right matters, because a lot of the compliance content out there still treats them as rivals, and that confusion leads people to follow outdated checklists.
Does CCPA apply to your company?
CCPA applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of three thresholds. You only need to hit one.
Revenue. Annual gross revenue above $26,625,000. This number is adjusted for inflation every odd-numbered year, so it's no longer the $25 million figure you'll still see quoted on older posts.
Data volume. Buying, selling, sharing, or otherwise processing the personal information of 100,000 or more California consumers or households in a year.
Data as a business model. Earning 50% or more of annual revenue from selling or sharing consumers' personal information.
That second threshold is the one that catches startups off guard, and it's exactly what caught our founder. You don't have to be a data broker to cross it. A consumer-facing app with steady traffic, a marketing site loaded with third-party tracking pixels, or a product with embedded analytics can move the personal information of 100,000 Californians without anyone on the team thinking of it as "selling data."
And under CCPA, "selling" and "sharing" are broad. Sharing personal information with third-party advertising and analytics tools for cross-context behavioral advertising counts, even when no money changes hands. If your site fires tracking cookies that pass data to ad platforms, you're very likely sharing under the law's definition. That's why the revenue threshold is often a red herring for smaller companies. The data-volume and data-business tests are the ones that decide it.
CCPA also reaches data brokers directly, businesses that collect and sell personal information about consumers they have no direct relationship with. California now runs a data broker registry and a deletion platform for exactly this category, so if data brokerage is any part of your model, your obligations go further than the baseline.
And the cost of getting it wrong is concrete. Consumers can bring a private right of action in certain cases, with statutory damages of not less than $107 and not more than $799 per consumer per incident. Multiply that across a breach involving even a modest user base and the number gets large fast. On top of that, the CPPA can levy administrative fines up to $2,663 per violation, or $7,988 for intentional violations and those involving the data of consumers under 16. The agency has been active, with recent settlements and multi-state enforcement sweeps. So the question of whether you're in scope isn't purely academic.
What the 2026 rules added to CCPA
The 2026 CCPA rules added mandatory opt-out confirmation, formal risk assessments, cybersecurity audits, and obligations around automated decision-making technology. On September 23, 2025, California's Office of Administrative Law approved a wide-ranging package of new CCPA regulations with an effective date of January 1, 2026. There's no delayed-enforcement grace period for the public-facing pieces, so several of these became live obligations the moment the calendar page turned, meaning an old CCPA checklist will leave you exposed.
Public-facing changes that took effect January 1, 2026
These are the ones regulators can check from the outside, just by visiting your site. Which is why they're the ones to fix first.
You have to confirm honored opt-outs, including GPC signals. Showing a consumer that their opt-out was processed used to be optional. It's now mandatory, including for opt-out preference signals like Global Privacy Control (GPC) sent by browsers and extensions. The CPPA's own example is displaying something like an "Opt-Out Request Honored" notice or a toggle in privacy settings. This one has teeth: the agency announced a joint investigative sweep with the Colorado and Connecticut attorneys general specifically targeting GPC compliance.
Closing a cookie banner is not consent. The rules now state plainly that a consumer closing or navigating away from a consent pop-up, without affirmatively clicking the equivalent of "I accept," does not count as consent. Inferring agreement from someone dismissing a banner is treated as a dark pattern.
Opt-out has to be as easy as opt-in. Opting out of the sale or sharing of personal information must take the same number of steps or fewer than opting in. A more prominent "yes" button than "no," or a financial-incentive program selected by default, is now explicitly out of bounds.
Requests to know can reach back to January 1, 2022. If you keep personal information longer than 12 months, your request mechanism has to let consumers ask for data collected before the prior 12-month window. You can no longer cap every access request at 12 months by default if you actually hold the data longer.
Privacy policies have to live inside mobile apps. If you have a mobile app, the privacy policy needs to be directly accessible from within it, for example through a settings-menu link.
Bigger obligations phasing in after 2026
Three larger requirements are now on the books, with compliance deadlines that arrive on a schedule rather than all at once. They take real lead time, so the work starts now even though the deadlines land later.
Risk assessments. Before processing personal information in ways that pose a significant risk to consumers, including selling or sharing it, using it to train certain automated systems, or processing sensitive information, you have to conduct a formal risk assessment. Businesses also have to submit an annual summary report to the CPPA, signed by an executive under penalty of perjury. If you've been through a SOC 2 or HIPAA risk assessment, the muscle memory transfers, but the trigger and the reporting are specific to CCPA.
Cybersecurity audits. Businesses whose processing presents significant risk will need annual cybersecurity audits, phased in by company size over the following years.
Automated decision-making technology (ADMT). Where you use automated systems, AI, or machine learning to make significant decisions about people, you'll owe consumers notice and the ability to opt out. ADMT notice and opt-out obligations begin January 1, 2027, which makes this the thing to start scoping now if AI sits anywhere in your decisioning.
What compliance actually requires, practically
CCPA compliance requires four things in practice: mapping your personal data, building consumer-rights workflows, fixing public-facing website and app surfaces, and building risk-assessment and documentation processes. Knowing you're in scope is the easy part. This is the work, and almost all of it depends on one thing you have to do first.
1. Start with a data map
You can't honor a deletion request for data you didn't know you had, and you can't opt a consumer out of sharing that you can't see. So before anything else, map your data. What personal information you collect, where it comes from, where it lives, which third parties it flows to, and how long you keep it.
This is the step companies most want to skip, and it's the one that determines whether everything downstream works. It's also where most of the surprises surface: the analytics tool nobody remembered was sharing data, the spreadsheet of leads sitting in someone's drive, the old database holding records well past their useful life. The map is the foundation. Build it carefully.
2. Build the consumer-rights workflows
Once you can see your data, you need reliable ways for consumers to exercise their rights, and reliable internal processes to fulfill them. At minimum:
Right to know and access, now reaching back to January 1, 2022, if you retain data that long.
Right to delete, with the limited exceptions the law allows.
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information, with confirmation that the request was honored, including GPC signals.
Right to limit the use and disclosure of sensitive personal information.
Each of these needs a way in for the consumer and a documented process behind it, so a request doesn't sit in an inbox until it becomes a violation.
We have seen this go sideways for a company that thought it had deletion handled. A consumer submitted a delete request, the support team dutifully wiped the account from the main app, and everyone considered it closed. Four months later, the same person started getting marketing emails again. Their record had been deleted from the product database but not from the email platform, the data warehouse, or the CRM, three systems that had each pulled a copy long before the request came in. The intake worked perfectly. The fulfillment only touched one of the four places the data lived. That's the difference a data map makes, and it's why "we can delete a user" and "we can honor a deletion request" are not the same claim.
3. Fix the website and app surfaces
Work through the public-facing 2026 changes above as a punch list. Honor and confirm opt-outs and GPC signals, fix any cookie banner that infers consent from dismissal, make opt-out as frictionless as opt-in, drop any defaulted financial-incentive enrollment, and put your privacy policy inside your mobile app. These are visible; they're being actively swept by multiple state AGs, and they're among the cheapest to fix relative to the risk they carry.
4. Build your risk-assessment and documentation processes
For the phased obligations, start scoping now. Identify whether your processing triggers a risk assessment, figure out where ADMT might apply before the 2027 opt-out deadline, and get ahead of the cybersecurity audit cadence for your company size. The attestation requirement means an executive is signing off under penalty of perjury, so this isn't paperwork you want to assemble in a panic the week it's due.
Your near-term CCPA checklist
If you want a place to start this week, work through this list:
Confirm whether any of the three thresholds applies to you. The 100,000-consumer data-volume test catches more startups than the revenue one, so check it carefully.
Map your personal information: what you collect, where it lives, and which third parties it flows to.
Audit your site and app against the January 1, 2026 public-facing rules, starting with opt-out confirmation and GPC handling.
Make sure your consumer-rights requests (know, delete, correct, opt out, limit) have a real intake and a documented fulfillment process.
Extend access-request mechanisms to reach data back to January 1, 2022 if you retain it that long.
Determine whether your processing triggers a risk assessment, and start the documentation.
Scope where ADMT applies ahead of the January 1, 2027 notice and opt-out deadline.
Next Steps For You
Almost nobody gets caught by CCPA because they read the law and chose to ignore it. They get caught because they assumed it didn't apply, the way our founder did, and found out during an audit, an acquisition, or a customer's security questionnaire, at the exact moment they had the least room to fix it cleanly. The assumption is the risk, not the law.
The work itself is sequential and knowable. Figure out if you're in scope, map your data, fix the visible surfaces, build the processes behind the rights. None of it requires guesswork, just follow-through, and the company that does it before it's forced to is the one that turns a security review into a closed deal instead of a fire drill.
If you'd rather not navigate this alone, this is exactly the kind of work we do. Our Cybersecurity and Compliance Management team helps companies figure out where they stand and close the gaps, and our Compliance Kickstarter Program is built for teams that need to get a compliance program off the ground quickly, without slowing the business down. Reach out to us, and we'll help you sort out what CCPA means for your company specifically.