CCPA Compliance for Data Teams
The California Consumer Privacy Act (CCPA) - significantly expanded by the California Privacy Rights Act (CPRA) - is the United States' most influential data-privacy law, granting California residents rights over the personal information businesses collect about them. CCPA compliance for data teams is the practical work of being able to answer, at any moment, the questions the law makes consumers entitled to ask: what personal information do you hold about me, where did it come from, who did you share it with, and can you delete it?
For a data team, this is less a legal problem than a data-management one. A privacy lawyer can interpret the statute, but only the data team can actually find every copy of a consumer's personal information across warehouses, lakes, pipelines, and SaaS exports, trace where it flowed, and delete it on request. CCPA compliance matters because the gap between the legal obligation and the data reality is exactly where violations - and the penalties that follow - live.
The CCPA (as amended by the CPRA) gives California residents rights to know, delete, correct, and opt out of the sale or sharing of their personal information. It applies to for-profit businesses meeting thresholds on revenue (~$25M), volume (100,000+ consumers/households), or data-driven revenue (50%+ from selling/sharing). For data teams, compliance comes down to four capabilities: knowing what personal data you hold (a catalog), knowing which data is personal (classification), knowing where it flowed (lineage), and being able to find and delete it. It overlaps heavily with GDPR but is not identical - notably CCPA's focus on the "sale" and "sharing" of data.
What the CCPA Is
The CCPA took effect on 1 January 2020 and was strengthened by the CPRA, whose amendments became operative on 1 January 2023: it added new rights, created a dedicated regulator (the California Privacy Protection Agency), and tightened obligations. Together they form California's baseline privacy regime. The law defines personal information broadly - not just obvious identifiers like name and email, but anything that could reasonably be linked, directly or indirectly, to a consumer or household, including device IDs, location, browsing history, and inferences drawn about a person. A subcategory, sensitive personal information (precise geolocation, health, financial account details, race, and more), carries extra obligations.
The CCPA is often compared to the EU's GDPR, and they share DNA - both grant access and deletion rights and demand transparency. But the emphases differ: GDPR is consent-and-lawful-basis centric, while the CCPA centres on the sale and sharing of personal information and a consumer's right to opt out of it. A team that is GDPR-ready has a strong head start on CCPA, but the two are not interchangeable.
Who It Applies To
The CCPA applies to for-profit businesses that handle Californians' personal information and meet at least one threshold. As amended, these are commonly summarised as:
- Revenue - gross annual revenue above roughly $25 million; or
- Volume - buying, selling, or sharing the personal information of 100,000 or more consumers or households a year; or
- Data-driven revenue - deriving 50% or more of annual revenue from selling or sharing personal information.
Crucially, the law reaches businesses anywhere that handle the data of California residents - not just companies based in California. Because California is so large, CCPA effectively functions as a national standard for any consumer-facing US business, much as GDPR became a global one. Exact thresholds and definitions are periodically updated, so the current statutory text and CPPA guidance are the authority - but the practical takeaway for data teams rarely changes: assume it applies and build accordingly.
The Consumer Rights
The heart of the CCPA is a set of consumer rights, each of which translates into a concrete demand on the data team:
- Right to know. Consumers can request what personal information you hold, where it came from, why you collected it, and who you disclosed it to - which means you must be able to find every copy and trace its lineage.
- Right to delete. Consumers can ask you to erase their data, with some exceptions - which means locating and deleting it across every system, including downstream copies.
- Right to correct. Consumers can have inaccurate data fixed - which requires knowing the source of truth for each field.
- Right to opt out of sale/sharing. Consumers can stop you selling or sharing their data - which requires tagging and gating exactly that data.
- Right to limit use of sensitive PII. Consumers can restrict how their sensitive data is used - which requires classifying sensitive personal information distinctly.
And consumers may not be discriminated against for exercising any of these rights. Non-compliance carries real penalties - administrative fines assessed per violation, at a higher rate for intentional violations or those involving the personal information of minors under 16, plus a private right of action for consumers whose unencrypted, unredacted personal information is breached because the business failed to maintain reasonable security.
The Data Team's Job
Stripped of legal language, every CCPA right reduces to the same four data capabilities. A team that has these can satisfy the law; one that lacks them cannot, no matter how good its privacy policy reads:
- Know what you hold. A complete inventory of data assets - without it, "what personal information do you have about me?" is unanswerable.
- Know which data is personal. Classification that flags personal and sensitive information wherever it lives, including unlabelled and unstructured data, and that distinguishes pseudonymous keys (a hashed email is still linkable, so still personal information).
- Know where it flowed. Lineage that shows every downstream copy and recipient - because a deletion that misses three derived tables is not a deletion, and a disclosure answer that omits a partner export is not an answer.
- Act on it. The workflows and access controls to fulfil, log, and prove each request within the law's response deadlines (45 days for most requests, extendable once when reasonably necessary), with evidence that each copy was actually handled.
The recurring failure is the forgotten copy: personal data duplicated into a data mart, an ad-hoc export, or a model's training set - often under a hashed or pseudonymous key that a naive search by email never matches - that no one tracked. Under the right to delete, that copy is a violation waiting to be found.
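The four capabilities above, and the rights-to-know, delete and opt-out demands listed earlier, can be made concrete in code. The block below is an added illustration, not Dawiso's code or any product's API: a constructed in-memory catalog with hypothetical PI/SPI tags, a constructed lineage graph, a breadth-first walk that finds every transitive downstream copy, and a deletion routine that writes an evidence log with a post-deletion recount. Asset names, the "adtech-partner" recipient and the sample rows are all invented. The pseudonymised ML training set is included on purpose: it is the forgotten copy the passage warns about, and it is only found because the catalog records how a consumer is keyed in it.

```python
"""Locate, disclose and delete one consumer's personal information across a lineage graph.

Added example (not Dawiso's code). Catalog, lineage and row stores are constructed in-memory
stand-ins; the tags PI/SPI, asset names and partner name are hypothetical.
"""
import hashlib
from collections import deque

PERSONAL = {"PI", "SPI"}   # PI = personal information, SPI = sensitive PI (hypothetical labels)


def customer_hash(email: str) -> str:
    """Pseudonymous key used by the constructed ML training set: still linkable, so still PI."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


# Constructed catalog: per asset, column -> classification tag, plus how a consumer is keyed in it
# ("key" = (column, function that derives the stored key from the consumer's email)).
CATALOG = {
    "raw.crm_contacts":       {"tags": {"email": "PI", "full_name": "PI", "precise_geo": "SPI", "plan_tier": None},
                               "key": ("email", str.lower)},
    "analytics.customer_360": {"tags": {"email": "PI", "churn_score": "PI", "plan_tier": None},   # inference = PI
                               "key": ("email", str.lower)},
    "marketing.export_q3":    {"tags": {"email": "PI"}, "key": ("email", str.lower),
                               "shared_with": ["adtech-partner"]},                                   # sale/share
    "ml.churn_training_set":  {"tags": {"customer_hash": "PI", "churn_label": None},
                               "key": ("customer_hash", customer_hash)},
    "finance.revenue_by_tier": {"tags": {"plan_tier": None, "revenue": None}, "key": None},        # aggregate only
}

# Constructed lineage: asset -> assets derived from it.
LINEAGE = {
    "raw.crm_contacts": ["analytics.customer_360", "finance.revenue_by_tier"],
    "analytics.customer_360": ["marketing.export_q3", "ml.churn_training_set"],
}


def downstream(root: str) -> list:
    """Breadth-first walk of the lineage graph; returns root plus every transitive downstream asset."""
    seen, queue = [root], deque([root])
    while queue:
        for child in LINEAGE.get(queue.popleft(), []):
            if child not in seen:
                seen.append(child)
                queue.append(child)
    return seen


def personal_data_assets(root: str) -> list:
    """Downstream assets whose catalog entry carries at least one PI/SPI column."""
    return [a for a in downstream(root) if PERSONAL & set(CATALOG[a]["tags"].values())]


def locate(email: str, stores: dict) -> dict:
    """Right to know: asset -> number of rows belonging to this consumer, over every PI-bearing copy."""
    hits = {}
    for asset in personal_data_assets("raw.crm_contacts"):
        col, derive = CATALOG[asset]["key"]
        hits[asset] = sum(1 for row in stores.get(asset, []) if row.get(col) == derive(email))
    return hits


def disclosed_to(email: str, stores: dict) -> list:
    """Right to know (disclosures): third parties that received a copy containing this consumer's data."""
    return sorted({p for asset, n in locate(email, stores).items() if n
                   for p in CATALOG[asset].get("shared_with", [])})


def fulfil_deletion(email: str, stores: dict) -> list:
    """Right to delete: remove the consumer's rows from every located copy and return an evidence log
    recording, per asset, rows removed and a post-deletion recount (which must be 0)."""
    log = []
    for asset, before in locate(email, stores).items():
        col, derive = CATALOG[asset]["key"]
        stores[asset] = [r for r in stores.get(asset, []) if r.get(col) != derive(email)]
        after = sum(1 for r in stores[asset] if r.get(col) == derive(email))
        log.append({"asset": asset, "rows_deleted": before, "rows_remaining": after, "verified": after == 0})
    return log


def sample_stores() -> dict:
    """Constructed row stores for two consumers; alice appears in every copy, including the hashed one."""
    alice, bob = "alice@example.com", "bob@example.com"
    return {
        "raw.crm_contacts": [{"email": alice, "full_name": "Alice A", "precise_geo": "37.77,-122.41", "plan_tier": "pro"},
                             {"email": bob, "full_name": "Bob B", "precise_geo": "34.05,-118.24", "plan_tier": "free"}],
        "analytics.customer_360": [{"email": alice, "churn_score": 0.81, "plan_tier": "pro"},
                                   {"email": bob, "churn_score": 0.12, "plan_tier": "free"}],
        "marketing.export_q3": [{"email": alice}],
        "ml.churn_training_set": [{"customer_hash": customer_hash(alice), "churn_label": 1},
                                  {"customer_hash": customer_hash(bob), "churn_label": 0}],
        "finance.revenue_by_tier": [{"plan_tier": "pro", "revenue": 1200}],
    }


if __name__ == "__main__":
    stores = sample_stores()
    print("copies held:", locate("alice@example.com", stores))
    print("disclosed to:", disclosed_to("alice@example.com", stores))
    for entry in fulfil_deletion("alice@example.com", stores):
        print("evidence:", entry)
    print("after deletion:", locate("alice@example.com", stores))
```

Two design points carry over to a real catalog. First, the search is driven by metadata (which columns are personal and how each copy is keyed), not by grepping for an email string; that is what surfaces the hashed training-set row. Second, the evidence log records a recount after deletion rather than trusting the delete statement, which is the artefact a regulator or consumer can be shown. Statutory deletion exceptions (for example records a business must retain for legal reasons) are not modelled; a production workflow would apply them per asset before deleting.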
How Dawiso Approaches It
Every one of those four capabilities is a data governance capability, which is why CCPA readiness is a by-product of good governance rather than a separate compliance tool. A governed catalog gives the data team the complete inventory the right to know depends on; AI-assisted classification finds and tags personal and sensitive information across the estate so nothing is missed; and interactive data lineage traces every downstream copy, turning a deletion or disclosure request from a frantic search into a precise, evidenced operation. Combined with stewardship and access workflows, the catalog becomes the system of record that proves - to a regulator or a consumer - that a request was honoured completely. The same foundation that answers GDPR requests answers CCPA ones; the law changes, but the underlying need to see and trace your data does not.
Conclusion
CCPA compliance looks like a legal obligation but lands as a data-engineering one. The consumer rights it grants - to know, delete, correct, opt out, and limit - all resolve to a single question the data team must be able to answer on demand: where, exactly, is this person's data? Teams that can answer it have already done the hard work of cataloging, classifying, and tracing their data; teams that cannot will find that no privacy policy substitutes for knowing where the data actually is. Build the visibility first, and CCPA compliance - like GDPR before it and whatever comes next - becomes a capability you already have rather than a deadline you race toward.