What Is the CCPA? Key Points of the California Consumer Privacy Act
Published:
Last Updated:
Category: Marketing Glossary
Published:
Last Updated:
Category: Marketing Glossary

Authors: Shusaku Yosa
If you run a website aimed at overseas audiences, or use cookies and pixels for ad delivery, the CCPA is hard to avoid. It is a California state law, yet it can apply to companies based in Japan. This article covers what the CCPA is, who it applies to, the rights it grants consumers, the traps marketers most often fall into, and the key points of the amendments that took effect in January 2026.
The CCPA (California Consumer Privacy Act) was enacted in 2018 and took effect in January 2020, making it the first comprehensive consumer privacy law in the United States. It gives California consumers the right to know what personal information a business holds, to have it deleted, and to stop it from being sold — and it places corresponding disclosure and response obligations on businesses.
The CCPA was substantially amended by the CPRA (California Privacy Rights Act). The CPRA came into full effect in January 2023, adding new rights such as the right to correct and the right to limit the use of sensitive personal information, and establishing a dedicated regulator: the CPPA (California Privacy Protection Agency).
In practice, when people say "CCPA" today, they generally mean the full set of rules as amended by the CPRA. The CPRA is not a separate law standing alongside the CCPA — it is an amending statute that rewrote it. Holding that in mind avoids a lot of confusion.
The CCPA applies based on whether you handle the personal information of California consumers — not on where your company is located. A company headquartered in Japan can therefore fall in scope. Specifically, it applies to for-profit businesses meeting any one of the following.
The 100,000 threshold is a lower bar than most people assume. If you run a website or app aimed at the US market and use tracking for advertising or analytics, you may already have crossed it without realizing.
The most widely misunderstood term in the CCPA is "sale." A sale under the CCPA is not limited to exchanges of money. It covers transfers made for other valuable consideration too — which means passing data to an advertising platform can be treated as a sale.
The CPRA then added the concept of "sharing," which refers to disclosures made for cross-context behavioral advertising — the kind of targeting that follows a user from site to site. In other words, retargeting via third-party cookies and advertising pixels can qualify as "sharing" and be subject to opt-out, even where no consideration changes hands. This is the biggest gap between the CCPA and the intuitions most teams carry over from Japan's Act on the Protection of Personal Information.
GPC (Global Privacy Control) is a mechanism by which a browser or extension automatically transmits a user's intent to refuse the sale or sharing of their data. Under the CCPA, receiving this signal means you must treat it as a valid opt-out request. Ignoring GPC has been one of the regulator's key enforcement focuses in recent years. Don't assume a consent banner is enough — verify technically that the signal actually reaches your advertising tags.
Regulations finalized by the CPPA in September 2025 began applying in stages from January 1, 2026. The CCPA is shifting from a phase of "get your policies in order" to one of "prove your operations and controls."
CCPA violations carry civil penalties assessed per violation, with higher amounts for intentional violations and those involving minors (the figures are adjusted for inflation). The per-violation amount may look modest, but it multiplies by the number of consumers affected — so totals escalate quickly.
Another defining feature of the CCPA is that consumers have a private right of action (and thus class action exposure) for certain data breaches. The CPPA has been sharpening its enforcement posture in recent years, including joint investigations with regulators in other states.
The CCPA is the first comprehensive privacy law in the US, giving California consumers control over their personal information. The CPRA amendments expanded those rights, and the CPPA now enforces them. Companies based outside California, including in Japan, can fall in scope once they handle enough California resident data.
For marketing teams, two points matter most: data transfers for advertising can count as "sale or sharing" even with no money involved, and GPC signals must be honored at a technical level. The 2026 amendments moved the rules from "have your documents in order" to "be able to prove your operations." Start by taking inventory of how data flows through your stack, and checking what is actually being passed downstream of your advertising tags.
Note: This article is provided for general informational purposes only and does not constitute legal advice. Laws and regulations are subject to change. Always consult primary sources for the latest requirements and seek professional counsel regarding whether and how they apply to your business.

What is a KPI? A simple, jargon-free explanation: how KPIs differ from KGIs, an everyday analogy, a three-step method be...

What is the 2025 Digital Cliff? A plain-English explanation of METI's DX Report warning: the 12 trillion yen annual loss...

A clear explanation of what PPC advertising is. Covers the click-based charging mechanism, types such as listing ads, th...