CCPA/CPRA • US STATE LAWS

A Complete Guide to CCPA/CPRA and US State Privacy Laws

For businesses entering the US market: California's CCPA/CPRA and the consumer privacy laws of more than 20 states, covering scope thresholds, consumer rights, the Do Not Sell or Share obligation and universal opt-out (GPC). This content is not legal advice; working with a qualified legal advisor is recommended.

Updated June 17, 2026
Scope: Businesses processing US consumer data
Max penalty: up to USD 7,500 per violation

What Are CCPA and CPRA?

The California Consumer Privacy Act (CCPA) is the most comprehensive state-level privacy regulation in the US and took effect on January 1, 2020. It grants California residents rights over their personal information and imposes transparency obligations on businesses.

CCPA was significantly expanded by the California Privacy Rights Act (CPRA), approved by ballot measure in 2020. The CPRA provisions took effect on January 1, 2023, with enforcement beginning July 1, 2023. The CPRA also established an independent regulator, the California Privacy Protection Agency (CPPA). Today, CCPA usually refers to the version as amended by the CPRA.

What this means for businesses entering the US: California is the largest consumer market in the US, and most state laws follow the California model. Aligning with CCPA/CPRA provides a strong foundation for compliance with other state laws. This page complements our GDPR guide: GDPR applies for the EU, the CCPA/CPRA framework applies for the US.

Scope

Who Falls Under CCPA/CPRA?

CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of the following three thresholds.

USD 25 Million Revenue

Businesses with annual gross revenue exceeding USD 25 million are in scope. This threshold alone is sufficient.

100,000+ Consumers

Businesses that buy, sell or share the personal information of 100,000 or more California consumers or households per year are in scope.

50% of Revenue

Businesses that derive 50% or more of their annual revenue from selling or sharing consumers' personal information are in scope.

Important: These three thresholds are joined by or; meeting any one is enough to fall in scope. Threshold values and their interpretation can change over time; for the current position, rely on the official sources of the CPPA (cppa.ca.gov) and the California Attorney General (oag.ca.gov).

CCPA/CPRA Rights

Consumer Rights

CCPA/CPRA grants California consumers six core rights over their personal information.

Right to Know

Consumers can learn what personal information is collected, the purposes it is used for and who it is shared with.

Right to Delete

Consumers can request deletion of the personal information a business has collected (certain exceptions apply).

Right to Correct

Consumers can request correction of inaccurate personal information about them (a right introduced by the CPRA).

Right to Opt Out of Sale or Sharing

Consumers can object to the sale or sharing of their personal information.

Right to Limit Use of Sensitive Information

Consumers can request that the use and disclosure of their sensitive personal information be limited (a right introduced by the CPRA).

Right to Non-Discrimination

A business may not discriminate against consumers, through different prices or service, for exercising their rights.

Do Not Sell or Share and Limiting Sensitive Data

The most visible obligation under CCPA/CPRA is to offer consumers a way to object to the sale or sharing of their personal information. Businesses that sell or share personal information must provide a clearly visible link on their homepage.

Do Not Sell or Share My Personal Information

This link lets a consumer stop the sale of their personal information or its sharing with third parties for targeted advertising. It must appear in a visible position on the homepage and direct the consumer to the opt-out mechanism.

  • Legal basis: CCPA/CPRA
  • Placement: Visible on the homepage
  • Function: Opt-out of sale/sharing

Limit the Use of My Sensitive Personal Information

Businesses that collect sensitive personal information (for example precise geolocation, racial or ethnic origin, health, sexual orientation, exact financial details) must provide a second link offering consumers the option to limit the use of that information.

  • Legal basis: CPRA
  • Placement: Visible on the homepage
  • Function: Limit on sensitive data use

The two links may be combined into a single Your Privacy Choices link. What matters is that the opt-out path is easy to access and understandable for the consumer.

Universal Opt-Out and Global Privacy Control (GPC)

California requires businesses not only to provide an on-site link, but also to recognize browser-based opt-out preference signals. The most common implementation of this is the Global Privacy Control (GPC) signal.

GPC is an automatic signal, sent through a consumer's browser or extension, that means do not sell or share my personal information. Under California's regulations, businesses must treat this signal as a valid opt-out request for sale or sharing. The consumer does not need to click a separate link on every site; the signal is set once at the browser level and applies across all sites.

GPC already works in cerez.io: The platform automatically detects when a visitor's browser sends the GPC signal. If GPC is enabled in your domain settings and the visitor has no existing decision, non-essential cookies are rejected without showing the banner, and Google Consent Mode signals are updated to denied. This behavior helps to address the universal opt-out expectation in technical terms.
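
The decision flow described above, sketched as an added example (not cerez.io's own code): a GPC signal is read from the `Sec-GPC: 1` request header or from `navigator.globalPrivacyControl`, and is applied only when the domain setting is on and the visitor has no stored decision. The names `resolveConsent`, `gpcEnabled` and `storedDecision`, and the choice of which Consent Mode keys count as non-essential, are assumptions.

```javascript
// Added example. resolveConsent, gpcEnabled and storedDecision are assumed names,
// not cerez.io's API. The denied list is an assumption about "non-essential".
const NON_ESSENTIAL = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// GPC arrives as the request header "Sec-GPC: 1" or as navigator.globalPrivacyControl === true.
function gpcSignalPresent(headers = {}, nav = null) {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === "sec-gpc");
  if (entry && String(entry[1]).trim() === "1") return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide banner behaviour and Consent Mode state for one visitor.
function resolveConsent({ gpcEnabled, storedDecision = null, headers = {}, nav = null }) {
  if (storedDecision) {
    // An existing decision is left untouched; GPC only fills the "no decision yet" case.
    return { showBanner: false, source: "stored", consentMode: storedDecision };
  }
  if (gpcEnabled && gpcSignalPresent(headers, nav)) {
    const denied = Object.fromEntries(NON_ESSENTIAL.map((key) => [key, "denied"]));
    return { showBanner: false, source: "gpc", consentMode: denied, loggedAt: new Date().toISOString() };
  }
  return { showBanner: true, source: "none", consentMode: null };
}

// Push the result to Google Consent Mode through the page's gtag function.
function applyConsentMode(result, gtag) {
  if (result.consentMode) gtag("consent", "update", result.consentMode);
  return result;
}

// Constructed sample visitors (not real traffic).
const SAMPLE_VISITORS = [
  { label: "gpc-header", gpcEnabled: true, headers: { "Sec-GPC": "1" } },
  { label: "gpc-js", gpcEnabled: true, nav: { globalPrivacyControl: true } },
  { label: "gpc-off-in-settings", gpcEnabled: false, headers: { "sec-gpc": "1" } },
  { label: "no-signal", gpcEnabled: true, headers: { "Sec-GPC": "0" } },
  { label: "prior-decision", gpcEnabled: true, headers: { "Sec-GPC": "1" },
    storedDecision: { ad_storage: "granted", analytics_storage: "granted" } },
];

function runSamples() {
  return SAMPLE_VISITORS.map((v) => ({ label: v.label, ...resolveConsent(v) }));
}

console.log(runSamples().map((r) => `${r.label}: ${r.source}, banner=${r.showBanner}`));
```

The `loggedAt` field stands in for the timestamped consent record; a real deployment would persist it alongside a visitor identifier.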

20+ states

The Landscape of US State Privacy Laws

As of 2025-2026, more than 20 US states have passed comprehensive consumer privacy laws. Most include an opt-out of sale/targeted advertising and recognition of a universal opt-out (GPC). The table below summarizes the main states; rely on official state sources for the current and complete list.

| State | Law | Status | Notable Rule |
|---|---|---|---|
| California | CCPA/CPRA | In effect | Most comprehensive; enforced by the CPPA, GPC required |
| Virginia | VCDPA | In effect | First post-California model law |
| Colorado | CPA | In effect | Universal opt-out mechanism required |
| Connecticut | CTDPA | In effect | Recognizes opt-out preference signals |
| Utah | UCPA | In effect | Business-friendly, more flexible model |
| Texas | TDPSA | In effect | Broad scope, no revenue threshold |
| Oregon | OCPA | In effect | List of third parties on request |
| Montana | MCDPA | In effect | Low population threshold |
| Iowa | ICDPA | In effect | More limited set of consumer rights |
| Delaware | DPDPA | In effect | Also covers nonprofits |
| New Jersey | NJDPA | In effect | Recognizes universal opt-out |
| Nebraska | NDPA | In effect | Also targets smaller businesses |
| New Hampshire | NHDPA | In effect | Opt-out preference signals |
| Minnesota | MCDPA | In effect | Expanded right to object to profiling |
| Tennessee | TIPA | In effect | NIST-based program defense |
| Florida | FDBR | In effect | Only very large businesses in scope |
| Maryland | MODPA | Upcoming | Stricter on data minimization |
| Indiana | INCDPA | Upcoming | Close to the Virginia model |
| Kentucky | KCDPA | Upcoming | Close to the Virginia model |
| Rhode Island | RIDTPPA | Upcoming | Transparency-focused |

The list keeps expanding; further states have either passed laws or have bills in progress. Authoritative sources: for California, cppa.ca.gov and oag.ca.gov; for general tracking, official state attorney general websites.

cerez.io

US State Compliance with cerez.io

Which steps does our platform automate today, and which are on the roadmap or your responsibility? cerez.io does not guarantee US state compliance; it measures, manages and helps document your compliance process.

Honoring the GPC Signal

When a visitor's browser sends the GPC opt-out signal, the platform detects it automatically and rejects non-essential cookies without showing the banner. This helps to address California's universal opt-out expectation in technical terms.

Available

Timestamped Consent Log

Every consent decision is recorded with a timestamp and a visitor identifier. This supports the accountability and documentation needs anticipated by state laws.

Available

Multilingual Banner and Automatic Scanning

With automatic cookie scanning, categorization and a multilingual banner (TR/EN/DE), the data processing on your site is shown transparently. This supports the technical foundation of the right to know.

Available

A CCPA-Specific Do Not Sell Mode

A California-specific Do Not Sell or Share link and mode are currently on the roadmap. Today, multi-jurisdiction compliance is supported through GPC signal honoring and a general opt-out foundation.

On the roadmap

US State Geo-Targeting

Geo-targeting that automatically adapts banner behavior based on the visitor's state is currently on the roadmap. Today, banner and GPC behavior work consistently for all visitors.

On the roadmap

Legal Texts and Privacy Policy

Legal approval of a CCPA/CPRA-aligned privacy policy and Your Privacy Choices texts is the responsibility of you and your legal advisor. cerez.io provides templates and technical infrastructure but does not guarantee legal sufficiency.

Partially supported

cerez.io provides a multi-jurisdiction compliance foundation (GDPR, KVKK and US state laws) and honors the GPC signal today. That said, no software alone can guarantee legal compliance. Full compliance with CCPA/CPRA and other state laws is achieved together with legal advice and process design.

Frequently Asked Questions

Short answer: Not by your location, but by whether you process the data of California residents. CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of three thresholds (USD 25M revenue, 100,000+ consumers, or 50% of revenue from data sales). A Turkey-based company selling into the US market falls in scope if it meets these thresholds.

Short answer: CCPA is the base law (effective January 1, 2020). CPRA is the measure that expands and amends it (effective January 1, 2023, enforcement from July 1, 2023). CPRA added the rights to correct and to limit sensitive data, and established the independent regulator, the CPPA. Today CCPA usually refers to the version as amended by the CPRA.

Short answer: Yes for businesses that sell or share personal information. The link must appear in a visible position on the homepage. Businesses that use sensitive personal information must also provide a Limit the Use of My Sensitive Personal Information link. The two links may be combined under a Your Privacy Choices heading.

Short answer: GPC is an automatic opt-out signal sent through a consumer's browser that means do not sell or share my data. Under California's regulations, businesses must treat this signal as a valid opt-out request for sale or sharing. cerez.io honors this signal automatically today.

Short answer: Up to USD 2,500 per violation, and up to USD 7,500 for intentional violations or those involving the data of minors. Enforcement is carried out by the CPPA and the California Attorney General. Rely on official sources for amounts and enforcement details.

Short answer: cerez.io does not guarantee CCPA compliance; it measures, manages and helps document your compliance process. Available today: GPC signal honoring, a timestamped consent log, a multilingual banner and automatic scanning. A CCPA-specific Do Not Sell mode and US state geo-targeting are on the roadmap. The sufficiency of legal texts is established with your legal advisor.

US + EU + Turkey = One platform

GPC honoring, a multi-jurisdiction consent foundation, Google Consent Mode v2 and automatic cookie scanning. Set up in 5 minutes.

