US CCPA Requirements

Start by deciding whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point.

In practice, CCPA requirements cover whether a business is in scope, what it must disclose, how it must respond to consumer requests, how it must handle opt-out and GPC requests, and what records it should keep to show it followed the rule. Keep the California source, threshold calculation, notice text, consumer-right workflow, opt-out/GPC evidence, and service-provider contract record together so the CCPA decision can be reviewed later.

Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.

Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.

Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.

Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.

Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.

The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.