CCPA Compliance Guide for Ecommerce Stores in 2026
If your store collects checkout data, uses advertising pixels, or sells into California at scale, your notices, request workflows, and vendor setup all need to line up with the law.
Many store owners read the headline CCPA thresholds, assume the law is aimed only at much larger brands, and move on. If California consumers can access your site, your business may already be collecting identifiers such as IP addresses, device IDs, cookies, and browsing activity, so you need a real threshold and data-flow analysis before ruling California out. On TermsBuilder, building in California disclosures does not cost extra. Given how significant the penalties can be, the better default is to take compliance seriously when the facts support it instead of assuming it is someone else's problem.
The CPRA amended the CCPA, but California regulators generally refer to the law as the CCPA or the CCPA as amended. For ecommerce stores, the compliance work is broader than posting a privacy policy. Your checkout flow, pixels, analytics stack, account tools, support process, and retention practices all feed into the analysis.
This guide focuses on the parts of CCPA compliance that tend to create problems for online stores in 2026, including scope, privacy policy content, Notice at Collection, opt-out mechanics, request handling, vendor contracts, and the enforcement patterns the California Privacy Protection Agency is already signaling.
Who the CCPA covers
The CCPA applies to a for-profit business that does business in California, determines the purposes and means of processing personal information, and meets at least one threshold. As of January 1, 2025, the revenue threshold adjusted to $26,625,000. The law also covers businesses that annually buy, sell, or share the personal information of 100,000 or more consumers or households, or derive 50% or more of annual revenue from selling or sharing consumers' personal information.
For ecommerce operators, the practical question is not only annual revenue. A store can reach CCPA relevance through a large California customer base, significant site traffic, and the use of advertising or audience-building tools that move customer data to third parties.
- Revenue above $26,625,000 in the prior calendar year
- 100,000 or more consumers or households annually
- 50% or more of annual revenue from selling or sharing personal information
Why many stores trigger sharing rules
One of the most important changes for ecommerce teams is that the law does not focus only on a classic data sale. California defines sharing to include disclosing personal information to a third party for cross-context behavioral advertising, even when no money changes hands. That means a store can trigger opt-out duties through retargeting and advertising infrastructure alone.
This is where many storefront privacy policies drift away from reality. A merchant may think it does not sell customer data, but the store may run pixels, ad network tags, and audience sync tools that require a real analysis of whether the store is sharing personal information under California law.
What rights your store has to support
California consumers have rights to know, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and receive equal treatment after exercising those rights. A privacy policy should describe those rights clearly, but the harder part is building a workflow that can honor them in practice.
For requests to know, delete, and correct, businesses generally must confirm receipt within 10 business days and respond within 45 calendar days, with one additional 45-day extension when reasonably necessary. Requests to opt out of sale or sharing and requests to limit the use of sensitive personal information must be processed as soon as feasibly possible, and no later than 15 business days after receipt.
- Know what information you collected and why
- Delete information collected from the consumer, subject to exceptions
- Correct inaccurate personal information
- Opt out of sale or sharing
- Limit qualifying uses of sensitive personal information
- Receive equal treatment after using privacy rights
What your privacy policy needs to include
Under the statute and the current regulations, your privacy policy is supposed to give a comprehensive description of your online and offline information practices. For a store, that means your policy should cover the real flow of data through checkout, payments, fraud tools, support systems, analytics, advertising, email platforms, returns tools, shipping providers, and account features.
A short policy that says you collect contact and payment information is not enough if the store also uses retargeting tools, shares identifiers with ad platforms, records support chats, or retains data for fraud review, warranty work, or loyalty programs.
- Categories of personal information collected in the last 12 months
- Categories of sources for that information
- Specific business or commercial purposes for collection
- Categories of personal information sold or shared, if any
- Categories of third parties that receive sold or shared information
- Categories of personal information disclosed for a business purpose
- Whether your business has actual knowledge that it sells or shares the information of consumers under 16
- Whether your business uses or discloses sensitive personal information beyond the limited statutory purposes
- How consumers exercise rights, how verification works, and how authorized agents can act
- How opt-out preference signals are processed
- A contact method for privacy questions and the date your policy was last updated
Notice at Collection is separate from your privacy policy
A privacy policy is not the only notice the law expects. The regulations require a Notice at Collection at or before the point where personal information is collected. If a business does not give that notice at or before collection, the regulations say it shall not collect personal information from the consumer.
That notice has to tell the consumer what categories of personal information are being collected, why they are collected or used, whether the information is sold or shared, how long each category is kept or the criteria used to set retention, and where the consumer can find the relevant opt-out notice and privacy policy. Online, a direct link to the specific section of your privacy policy can work. A generic link to the top of a long policy does not satisfy the standard.
For ecommerce stores, this often comes up in newsletter signup forms, account creation, checkout pages, chat widgets, loyalty programs, warranty registration, financing applications, in-store QR forms, and Wi-Fi capture flows.
Ad tech, consent tools, and opt-out signals
Advertising technology is where many online stores get into trouble. If your site uses third-party tools for cross-context behavioral advertising, you need to decide whether you are selling or sharing personal information and build the opt-out experience accordingly. In most instances, California requires a clear and conspicuous link in the header or footer, with text such as "Do Not Sell or Share My Personal Information", "Your Privacy Choices", or "Your California Privacy Choices".
California also requires businesses to honor qualifying opt-out preference signals, such as Global Privacy Control. If your store uses a consent management platform or privacy portal, that does not shift liability away from your business. Regulators are looking at whether the mechanism works, not whether a vendor was installed.
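As an added illustration of how an opt-out preference signal is honored in practice (example code, not the page's or any consent vendor's), the following treats the Global Privacy Control signal as a valid opt-out and gates tags that share data for cross-context behavioral advertising on the result. The header name and value come from the GPC specification; the tag inventory, cookie name and sample requests are constructed for the demo.

```javascript
// Added example: honoring the Global Privacy Control (GPC) opt-out signal.
// Hypothetical tag inventory: "shares" marks tags that disclose identifiers
// to third parties for cross-context behavioral advertising.
const TAGS = [
  { name: 'analytics-first-party', shares: false },
  { name: 'retargeting-pixel',     shares: true  },
  { name: 'audience-sync',         shares: true  },
];

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // constructed cookie name

// Server side: a GPC-enabled browser sends the request header "Sec-GPC: 1".
// Anything other than the exact value "1" is treated as no signal.
function gpcSignalled(headers) {
  const v = headers['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl.
function gpcSignalledInBrowser(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide the opt-out state for one request. The signal is a valid opt-out on
// its own; an earlier explicit opt-out (cookie set through the privacy-choices
// link) also persists. The absence of a signal is never read as consent.
function resolveOptOut(req) {
  const cookies = req.cookies || {};
  const bySignal = gpcSignalled(req.headers || {});
  const byLink = cookies[OPT_OUT_COOKIE] === '1';
  return {
    optedOut: bySignal || byLink,
    source: bySignal ? 'gpc-signal' : (byLink ? 'link' : 'none'),
    // Persist a signal-based opt-out so it survives beyond this request.
    setCookie: bySignal && !byLink
      ? `${OPT_OUT_COOKIE}=1; Path=/; SameSite=Lax; Secure`
      : null,
  };
}

// For an opted-out consumer, only tags that do not sell or share may load.
function tagsToLoad(optedOut) {
  return TAGS.filter(t => !optedOut || !t.shares).map(t => t.name);
}

// Constructed sample requests.
const withGpc = { headers: { 'sec-gpc': '1' }, cookies: {} };
const plain   = { headers: { 'user-agent': 'demo' }, cookies: {} };
```

In a real deployment the tag list is served to the page only after `resolveOptOut` runs, so a shared tag is never emitted and then suppressed.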
If the store uses or discloses sensitive personal information outside the limited purposes allowed by the statute, your business also needs a workable way for consumers to limit that use or disclosure.
Request handling, verification, and recordkeeping
Most businesses need at least two methods for consumers to submit requests to know, delete, or correct. One of those methods has to be a toll-free number and, if your business has a website, one method has to be through the website. A business that operates exclusively online generally can use an email address instead.
Verification needs to be reasonable and data-minimizing. In recent enforcement actions, the CPPA focused on businesses that required consumers to provide more information than necessary or forced identity verification when the consumer was only trying to opt out of sale or sharing. Those requests are not supposed to become mini-account recovery exercises.
The regulations also require businesses to maintain records of consumer requests and how your business responded for at least 24 months. If you cannot explain when requests came in, how they were handled, and why any were denied, the written policy is not enough.
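The response deadlines described earlier and the 24-month recordkeeping duty above can be enforced by the intake log itself. The following is an added example (not the page's code) that builds a log entry for a request with its acknowledgment and response dates computed from the receipt date. It assumes business days exclude only weekends (holidays are not modelled) and that opt-out and limit requests are logged without an identity-verification step.

```javascript
// Added example: intake log entry with CCPA deadlines and record retention.
// Deadline figures are the ones the guide states; weekend-only business-day
// counting and the request type names are assumptions of this demo.
const DEADLINES = {
  know:    { ackBusinessDays: 10, respondCalendarDays: 45, extensionDays: 45 },
  delete:  { ackBusinessDays: 10, respondCalendarDays: 45, extensionDays: 45 },
  correct: { ackBusinessDays: 10, respondCalendarDays: 45, extensionDays: 45 },
  optOut:  { respondBusinessDays: 15 }, // not a verifiable request
  limit:   { respondBusinessDays: 15 }, // not a verifiable request
};
const RECORD_RETENTION_MONTHS = 24;

const iso = d => d.toISOString().slice(0, 10);

function addCalendarDays(date, n) {
  const d = new Date(date);
  d.setUTCDate(d.getUTCDate() + n);
  return d;
}

// Count forward n weekdays; a request received on a weekend starts counting
// from the next weekday.
function addBusinessDays(date, n) {
  const d = new Date(date);
  for (let left = n; left > 0; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) left--;
  }
  return d;
}

function logRequest(type, receivedIso, { extended = false } = {}) {
  const rule = DEADLINES[type];
  if (!rule) throw new Error(`unknown request type: ${type}`);
  const received = new Date(`${receivedIso}T00:00:00Z`);
  const entry = { type, received: receivedIso, verifyIdentity: 'ackBusinessDays' in rule };
  if (rule.respondBusinessDays) {
    entry.respondBy = iso(addBusinessDays(received, rule.respondBusinessDays));
  } else {
    entry.acknowledgeBy = iso(addBusinessDays(received, rule.ackBusinessDays));
    let due = addCalendarDays(received, rule.respondCalendarDays);
    if (extended) due = addCalendarDays(due, rule.extensionDays); // one extension only
    entry.respondBy = iso(due);
  }
  const keep = new Date(received);
  keep.setUTCMonth(keep.getUTCMonth() + RECORD_RETENTION_MONTHS);
  entry.retainUntil = iso(keep); // earliest date the record may be discarded
  return entry;
}
```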
Vendor contracts and data mapping
A store cannot finish CCPA compliance by editing text alone. The data map behind your policy determines whether the disclosures are right. You need to know which tools collect data directly from consumers, which vendors act as service providers or contractors under written contracts, which recipients are true third parties, and which disclosures may count as sale or sharing.
That means reviewing payment processors, fraud vendors, shipping tools, returns tools, support systems, customer data platforms, analytics products, affiliate tools, review software, and advertising partners. If the vendor roles are wrong in practice, the disclosures and opt-out logic will be wrong too.
What 2025 enforcement actions teach ecommerce stores
The California Privacy Protection Agency has already given stores concrete warning signs. In March 2025, the CPPA said Honda required excessive personal information for privacy requests, made authorized-agent requests difficult, used an asymmetrical interface for privacy choices, and shared personal information with ad tech companies without producing contracts containing the required terms. Honda agreed to pay a $632,500 fine and change its practices.
In May 2025, the CPPA said Todd Snyder failed to properly configure its privacy portal, did not process opt-out requests for 40 days, collected more information than necessary, and required consumers to verify identity before opting out. Todd Snyder agreed to pay a $345,178 fine and overhaul its process.
The lesson for ecommerce stores is straightforward. Broken request portals, one-sided choice screens, excessive verification steps, and weak ad tech contracting are not theoretical risks. They are already on the enforcement list.
The penalties and litigation risk
As adjusted for 2025 inflation, the CPPA can seek administrative fines of up to $2,663 per violation and up to $7,988 per intentional violation or violations involving personal information of consumers your business knows are under 16. The California Attorney General can also seek civil penalties.
The private right of action is narrower. It is tied to certain security breach claims involving nonencrypted and nonredacted personal information, or email address and password combinations, where your business failed to implement reasonable security procedures and practices. The statutory damages range that was adjusted for 2025 is $107 to $799 per consumer per incident, or actual damages if higher.
For larger businesses, the compliance load is heavier. The regulations require businesses that handle the personal information of 10,000,000 or more consumers in a calendar year to publish request metrics by July 1 each year. Additional 2026 regulations also create cybersecurity audit and risk assessment obligations for certain higher-risk businesses.
A practical 2026 checklist for store owners
A useful CCPA review for an ecommerce store starts with the operating reality of your business, not the template in the footer.
- Confirm whether the store meets a threshold directly or through a related entity
- Map every place the store collects personal information, including offline and embedded flows
- Review whether advertising and audience tools create sale or sharing obligations
- Check whether your Notice at Collection appears at or before each collection point
- Rewrite your privacy policy so it matches your real categories, sources, purposes, recipients, retention, and rights process
- Verify that opt-out links, Your Privacy Choices links, and opt-out preference signals work as intended
- Review whether any sensitive personal information uses trigger the right to limit
- Tighten service provider, contractor, and third-party contract language
- Create a clean intake and logging process for consumer requests
- Train the team that handles privacy, support, and compliance issues
Key Takeaways
- For ecommerce stores, CCPA compliance is a workflow problem as much as a policy problem.
- Sharing for cross-context behavioral advertising can trigger opt-out duties even without a traditional sale of data.
- Notice at Collection, request handling, opt-out signals, and vendor contracts all need to match the way the store really operates.
- Recent CPPA enforcement shows that broken privacy tooling and excessive verification can lead directly to fines.
Primary Sources
- California Department of Justice, California Consumer Privacy Act
- California Privacy Protection Agency, Updated Monetary Thresholds in CCPA
- California Privacy Protection Agency, Honda Settles With CPPA Over Privacy Violations
- California Privacy Protection Agency, Todd Snyder Decision and Announcement
- California Privacy Protection Agency, California Finalizes Regulations to Strengthen Consumers' Privacy
Turn this into a real document
TermsBuilder uses an attorney-built questionnaire to turn these legal issues into Terms & Conditions and Privacy Policy pages that match the way your business operates.