What Is CCPA/CPRA?

The California Consumer Privacy Act (CCPA), as revised by the California Privacy Rights Act (CPRA), is the most extensive state-level privacy law in the US. It was first passed in 2018 and went into effect on January 1, 2020, with the CPRA reinforcing it in 2023.

Together, the CCPA and CPRA provide citizens of California with broad control over their personal data and place strict requirements on companies that gather, sell, or distribute their data. This means that any clickwrap terms presented to California users must respect opt-out rights and contain privacy disclosures.

Who Does CCPA/CPRA Apply To?

All for-profit companies that gather personal data from Californians and satisfy any of these requirements are subject to CCPA/CPRA:

  • Annual gross revenue exceeding $25 million.
  • Buy, sell, or share the personal information of 100,000 or more California residents annually.
  • Derive 50% or more of annual revenue from selling or sharing California residents' personal information.

The CCPA also applies to any company that controls or is controlled by a covered firm and has a shared brand. Even if your headquarters are not in California, you are still covered provided you meet the requirements and serve Californians.

CCPA/CPRA and Clickwrap Agreements

By enforcing requirements that go beyond terms acceptance sequences, CCPA/CPRA revolutionizes clickwrap design. The law requires specific opt-out mechanisms, notice at the point of collection, and separate consent pathways for sensitive data, rather than just asking users to "agree" to a privacy policy. A clickwrap that treats terms of service and privacy as a single checkbox is structurally illegal in California.

How CCPA/CPRA Affects Clickwrap Design

Section 1798.120 establishes the right to opt out of the sale or sharing of personal information. A clickwrap flow cannot fulfill this entitlement on its own; instead, a standalone mechanism is needed that lets the customer exercise the opt-out without accepting or rejecting any other conditions. According to the regulations of the California Privacy Protection Agency, this mechanism must be offered via a "Do Not Sell or Share My Personal Information" link that is visible and accessible on all pages where personal information is gathered.

Under Section 1798.125(b), businesses that offer financial incentives in exchange for personal information must obtain opt-in consent through a clearly described notice explaining the material terms of the program. This consent must be separate from the general clickwrap acceptance and cannot be a precondition of service.

Through Section 1798.100(c), the CPRA amendments brought data minimization into the clickwrap scope, requiring that the collection and use of personal information be reasonably necessary and proportionate to the purpose disclosed at collection. A clickwrap that authorizes broad data collection can violate the minimization principle even if the consumer clicked "I agree."

Section 1798.120(c) prohibits the sale or sharing of personal information from consumers under 16 unless the consumer has affirmatively opted in.

What Must Be Shown Under CCPA/CPRA

According to Section 1798.100(b), customers must be given notice before the point of data collection outlining the types of personal data that will be gathered and how they will be used.

To comply with these restrictions, the following must be clearly displayed in your clickwrap agreement:

  • Categories of personal information being collected, using the enumerated categories in Section 1798.140(v).
  • The purpose for each category of information collected.
  • Whether personal information is sold or shared, and with which categories of third parties.
  • The retention period for each category of personal information, or the criteria used to determine retention.
  • A conspicuous "Do Not Sell or Share" link, accessible without requiring the consumer to navigate away from the current page.

The CPPA's regulations further require that these disclosures be provided in a manner that is easy to read and understandable to consumers.

What Records You Must Keep Under CCPA/CPRA

Section 1798.130(a)(2) requires businesses to disclose, upon a verifiable consumer request, the specific pieces of personal information collected about the consumer and the purposes for which they were used. To respond to these requests accurately, the clickwrap agreement must maintain records that connect each consent event to the data practices it authorized.

A compliant consent record under CCPA/CPRA must capture:

  • The consumer's identity - Email, user ID, or other attribute linking the acceptance to a specific individual.
  • The version of the privacy notice and terms - Exact agreement presented at the time of consent, including the specific categories of information and purposes disclosed.
  • The timestamp and method of the consent action - Meeting the electronic record standards established by the ESIGN Act.
  • The consumer's opt-out status - Whether the consumer exercised the "Do Not Sell or Share" right.
  • Sensitive data consent status - Whether separate opt-in consent was obtained for sensitive personal information processing.

Section 1798.130(a)(2) requires businesses to provide consumers, upon request, with the specific pieces of personal information gathered during the prior 12 months. Consent records must therefore make it possible to reconstruct what data practices were permitted at any given time within this interval.
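The consent record fields listed above and the 12-month look-back can be modelled as an append-only event log queried by point in time. This is an added sketch, not code from the original page: the field names, method labels, sample log, the 365-day approximation of "prior 12 months", and the deny-by-default rule are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentEvent:             # field names are assumptions of this sketch
    consumer_id: str            # identity: email, user ID, or similar
    notice_version: str         # exact privacy notice/terms version shown
    timestamp: datetime         # when the action happened (UTC)
    method: str                 # how it was captured (constructed labels)
    opted_out_sale_share: bool  # "Do Not Sell or Share" status after this event
    sensitive_opt_in: bool      # separate opt-in for sensitive data

def state_at(log, consumer_id, when) -> Optional[ConsentEvent]:
    """Latest event at or before `when`; None if the consumer has no record."""
    prior = [e for e in log if e.consumer_id == consumer_id and e.timestamp <= when]
    return max(prior, key=lambda e: e.timestamp) if prior else None

def lookback(log, consumer_id, as_of, days=365):
    """State already in force when the window opens, plus changes inside it."""
    start = as_of - timedelta(days=days)
    opening = state_at(log, consumer_id, start)
    changes = sorted((e for e in log if e.consumer_id == consumer_id
                      and start < e.timestamp <= as_of), key=lambda e: e.timestamp)
    return opening, changes

def sale_share_permitted(log, consumer_id, when) -> bool:
    """Deny by default (assumption): no record means nothing was authorized."""
    state = state_at(log, consumer_id, when)
    return state is not None and not state.opted_out_sale_share

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample log for one hypothetical consumer.
SAMPLE_LOG = [
    ConsentEvent("user-1", "v3", utc(2023, 3, 1), "checkbox", False, False),
    ConsentEvent("user-1", "v3", utc(2024, 2, 10), "opt_out_link", True, False),
    ConsentEvent("user-1", "v4", utc(2024, 6, 1), "checkbox", True, True),
]

if __name__ == "__main__":
    opening, changes = lookback(SAMPLE_LOG, "user-1", utc(2024, 9, 1))
    print("in force at window start:", opening)
    for e in changes:
        print("change:", e)
```

The consent given in March 2023 predates the window but still governs its first months, which is why `lookback` returns the opening state separately from the changes.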

Key Provisions of CCPA / CPRA

Personal Information
Personal information is any data that identifies, relates to, describes, or could reasonably be linked to a particular consumer (Section 1798.140(v)).
Sale of Personal Information
Sale of personal information covers selling, renting, releasing, disclosing, or handing personal information to a third party for money or other valuable consideration (Section 1798.140(ad)).
Sensitive Personal Information
Sensitive personal information is a narrower category demanding stronger protections: SSNs, financial account details, precise geolocation, racial or ethnic origin, and biometric data all fall within it (Section 1798.140(ae)).
Service Provider
A service provider is an entity that handles personal information on a business's behalf under a written contract that bars it from using that data for its own purposes (Section 1798.140(ag)).
Right to Opt Out
Consumers can tell a business to stop selling or sharing their information at any time, using a "Do Not Sell or Share" mechanism (Section 1798.120).
Notice at Collection
Before or at the point of collection, a business must tell consumers what categories of personal information it is collecting and why (Section 1798.100(b)).
Data Minimization
Collection and use of personal data must be reasonably necessary for the disclosed purpose, not merely related to it (Section 1798.100(c)).

Penalties for CCPA / CPRA Non-Compliance

Intentional violations: $7,500 per violation
Each intentional violation or violation involving a minor's data carries a $7,500 penalty per consumer per incident. With large user bases, exposure can reach hundreds of millions of dollars.
Unintentional violations: $2,500 per violation
Each non-intentional violation is subject to an administrative fine of up to $2,500; no general statutory cure period now applies.
Private right of action: $100-$750 per consumer per incident
Consumers can directly sue for certain data breaches involving unencrypted or non-redacted personal information, with statutory damages of $100 to $750 per consumer per incident.

Frequently Asked Questions

Yes. CCPA/CPRA applies to any for-profit business that collects personal information from California residents and meets the revenue, data volume, or data sales thresholds, regardless of where the business is physically located.
CPRA has been effective since January 2023 and has amended the CCPA by adding new consumer rights (correction, sensitive data limits), creating the California Privacy Protection Agency for enforcement, and introducing data minimization requirements. Since then, the two are usually referenced together as one law.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.