5 Common misconceptions about CCPA compliance (and what’s actually true)

November 18, 2025
6 min read

Much of the information online oversimplifies what the California Consumer Privacy Act (CCPA) and its follow-up amendment, the California Privacy Rights Act (CPRA), actually require. Organizations assume they are compliant, or worse, not covered by the law at all, until they take a closer look at their data flows, consent mechanisms, or vendor ecosystem and realize there is much more to CCPA compliance than they thought.

Here are five of the most common misconceptions about CCPA compliance and how businesses should really be preparing.

Misconception 1: “We’re not a California company, so CCPA doesn’t apply to us.”

The reality: CCPA compliance is tied to whose data companies collect, not where a company is located.

Maybe the biggest misconception about CCPA compliance is that it only applies to businesses physically located in California. In reality, the law is triggered by processing the personal data of California residents, regardless of where a company is headquartered.

A business based in New York or Europe can easily fall under the California Consumer Privacy Act if it serves California customers, has California visitors on its website, or collects California user data through digital channels. This remains true for CPRA compliance, which even ups the stakes due to the inclusion of do not sell/share my data requirements.

Misconception 2: “No one is actually enforcing the CCPA.”

The reality: The scope of CCPA and CPRA extends far beyond Fortune 500s and large data brokers. The threshold isn’t high: organizations that meet any one of these three criteria need to comply:

  • Exceed global gross annual revenues of $26.6M
  • Handle the data of 100,000 or more California consumers or households
  • Earn 50% or more of annual revenue from selling or sharing consumer data

The last point is where many businesses misunderstand the scope of CCPA compliance. Under CPRA, “sharing” now includes cross-context behavioral advertising, which encompasses retargeting, some analytics tools, and common ad-tech integrations.

This change from CCPA to CPRA was monumental and pulled hundreds of thousands of companies into the law’s scope. Official government surveys out of privacy-conscious countries like the United Kingdom have found that 64% of businesses with more than 250 employees share data with third parties, which likely reflects the average American company’s data sharing practices.

But even going beyond legal thresholds, one might think regulators wouldn’t concern themselves with small companies far outside the Fortune 500. That couldn’t be farther from the truth.

The California Privacy Protection Agency (CPPA), created to help enforce CCPA compliance, has hit numerous companies of under 500 employees with major enforcement actions, including Tilting Point Media, Healthline Media, and Todd Snyder, the last of which has under 250 employees.

Between that reality and the fact that the CPPA has dramatically increased its own staff as it now investigates around 135 consumer privacy complaints a week, not going out of your way to achieve CCPA and CPRA compliance means creating meaningful business risk.

Misconception 3: “Since we’re GDPR compliant, we’re automatically CCPA compliant.”

The reality: While the EU’s General Data Protection Regulation (GDPR) and CCPA share themes like transparency and consumer rights, they are not interchangeable regulatory frameworks.

Key differences include:

  • Opt-in vs. opt-out consent model
  • CCPA’s Do Not Sell or Share requirements added in the CPRA
  • 30- vs. 45-day response timelines for user privacy requests such as data access, deletion, and automated decision-making opt-outs

Even GDPR-compliant privacy programs with solid principles and activities in place for data mapping, subject request handling, and consent management will need additional California-specific protocols in place.

Much of the difference boils down to GDPR being opt-in and requiring a legal basis for processing data, whereas California is opt-out, instead protecting explicitly defined sensitive data and instituting Do Not Share/Sell requirements in the CPRA. This is the reason European companies don’t typically display “Do Not Sell/Share” links on their sites, while American companies generally do.

The nuance of each law is why companies pursuing full CCPA compliance need robust privacy programs, as treating GDPR as a one-to-one equivalent will leave significant gaps.

Misconception 4: “A cookie banner is enough to deliver CCPA compliance.”

The reality: A cookie banner is only the front-end expression of compliance. The real substance of CCPA compliance lies in whether a company’s data systems actually enforce user choices behind the scenes, a fact that has been a key theme of numerous CCPA enforcement actions.

Companies need to know what data they are collecting, how it flows through their stack, whether vendor tools continue firing after opt-outs, and, with the added CPRA compliance responsibilities, whether their ad-tech integrations operate in compliance. Many businesses discover by accident that tracking technologies still “sell” or “share” data in ways that violate the CCPA/CPRA.

This gets even more complicated when factoring in the need to honor Global Privacy Control (GPC) signals. With GPC, a user doesn’t opt out on each individual site; instead, the browser sends a signal that opts the user out across every site they visit. California regulators have made clear that GPC is a legally enforceable opt-out mechanism under CCPA and CPRA, further highlighting the importance of managing consent properly rather than just putting a cookie banner on a website.

A banner alone does nothing to deliver CCPA compliance, as the majority of requirements actually revolve around backend infrastructure, vendor governance, and automated enforcement.
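As an added example (not code from the original post or from Transcend), here is one way the backend enforcement described above can be expressed: a vendor-gating rule that treats the browser's Sec-GPC request header, its navigator.globalPrivacyControl flag, or a banner opt-out cookie as a Do Not Sell/Share opt-out, plus an audit helper that lists which tags fired anyway. The vendor inventory, the cookie name (optout_sell_share) and the context fields are assumptions for illustration.

```javascript
// Added example, not Transcend's code: gate vendor tags on opt-out signals and
// audit which tags fired despite an opt-out. Vendor list, cookie name and
// context shape are assumptions for illustration.

// Constructed vendor inventory. `sharesData` marks tools whose use counts as
// "selling/sharing" under CPRA (e.g. cross-context behavioral advertising).
const VENDORS = [
  { id: 'first-party-analytics', sharesData: false },
  { id: 'retargeting-pixel',     sharesData: true },
  { id: 'session-replay',        sharesData: true },
];

// Parse a Cookie header into a name -> value map (minimal, constructed helper).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Derive the user's opt-out state from a request/browser context:
//   secGpc       - value of the Sec-GPC request header ('1' when GPC is on)
//   navigatorGpc - navigator.globalPrivacyControl when evaluated in the browser
//   cookie       - raw Cookie header; 'optout_sell_share=1' is the assumed
//                  cookie written when the user opts out via the banner
function optOutState(ctx) {
  const gpc = ctx.secGpc === '1' || ctx.navigatorGpc === true;
  const cookieOptOut = parseCookies(ctx.cookie)['optout_sell_share'] === '1';
  return { gpc, cookieOptOut, optedOut: gpc || cookieOptOut };
}

// Vendors permitted to load for this context. An opt-out (by banner cookie or
// GPC) blocks every vendor flagged as selling/sharing; the rest may still run.
function allowedVendors(vendors, ctx) {
  const { optedOut } = optOutState(ctx);
  return vendors.filter(v => !(optedOut && v.sharesData)).map(v => v.id);
}

// Audit helper: given tag ids observed firing on a page load (e.g. from a crawl
// run with GPC enabled), return the ones that should have been suppressed.
function auditFiredTags(firedIds, vendors, ctx) {
  const allowed = new Set(allowedVendors(vendors, ctx));
  return firedIds.filter(id => !allowed.has(id));
}
```

Running auditFiredTags over tags captured from a crawl with GPC turned on is a direct check for the "tools still firing after opt-out" failure the post describes.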

Misconception 5: “We’ll be able to manage CCPA compliance in spreadsheets.”

The reality: Many companies, from early-stage startups to growing B2C brands, manage privacy requirements manually using spreadsheets or surveys because they view privacy as a cost center. However, as regulations expand and data flows become more complex, manual operations introduce significant risk.

There is more privacy-related work than ever, and the amount keeps growing: tracking data inventories, responding within strict timelines to user privacy requests (also known as data subject requests, or DSRs) for data access, deletion, and opt-outs of automated decision-making technologies, enforcing CPRA Do Not Sell/Share choices, mapping data across systems, and maintaining accurate vendor governance. Spreadsheets and an outdated view of privacy as a back-of-house function simply can’t hold up to the modern data environment.

Fortunately, privacy tools allow even small teams to run sophisticated, automated CCPA compliance programs. Automation reduces operational strain, ensures consistency, and decreases the risk of missing deadlines or miscapturing opt-outs.

Manual privacy operations and cheap lightweight tools are increasingly unsustainable as enforcement intensifies and consumer expectations rise.

How Transcend supports CCPA compliance

Transcend helps teams replace manual work with reliable, automated infrastructure built for modern privacy and data requirements.

From easy, ready-to-go cookie banner setup to powerful consent management controls like real-time website scanning and controls to reflect user consent choices across all your data systems, the platform allows companies to:

  • Automatically detect and categorize tracking technologies and data flows
  • Enforce “Do Not Sell or Share” settings across every system, not just banners
  • Honor GPC signals consistently and accurately
  • Verify and fulfill DSRs end-to-end in minutes with virtually no manual touchpoints
  • Launch branded, user-friendly consent experiences in minutes
  • Activate consented data quickly and compliantly for business initiatives

When you clear away the misconceptions around how to be CCPA and CPRA compliant, you begin to fully understand the importance of capable, proactive privacy. By bringing companies industry-leading automation, Transcend makes CCPA compliance both more comprehensive and more manageable.


By James Grieco

Senior Product Marketing Manager I, Mid-Market Segment
