SiteProof AI Blog
CCPA AI Compliance for Websites: What California Law Requires
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), imposes specific obligations on websites that collect, process, or share personal data from California residents using AI systems. If your website uses a chatbot, AI analytics, or any AI tool that touches user data — and you have California users — CCPA compliance is not optional.
Does CCPA Apply to Your Website?
CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:

- Annual gross revenue over $25 million
- Buys or sells the personal information of 100,000 or more consumers or households annually
- Derives 50% or more of annual revenue from selling personal information
The thresholds mean CCPA is primarily targeted at larger businesses. However, smaller websites should be aware:
AI Data Collection Under CCPA — What Must Be Disclosed
CCPA requires businesses to disclose in their privacy policy the categories of personal information collected and the purposes for which it is used. For AI systems on your website, this means disclosing:
| AI Feature | Data Typically Collected | CCPA Disclosure Required |
|---|---|---|
| Customer service chatbot | Name, email, conversation content, IP address | Yes — categories + purpose + retention |
| AI analytics / behavior tracking | Browsing history, device ID, session data | Yes — categories + purpose + opt-out right |
| AI recommendation engine | Purchase history, preferences, inferred interests | Yes — including inferences as a category |
| AI-powered search | Search queries, click behavior | Yes — categories + purpose |
| Third-party AI widgets | Any data the widget collects | Yes — disclose third-party collection |
CCPA specifically includes "inferences drawn from personal information" as a category of personal information. If your AI system builds user profiles or infers interests, preferences, or characteristics from behavior — that inference data must be disclosed and is subject to consumer rights.
Consumer Opt-Out Rights for AI Data Use
California consumers have the right to opt out of the sale or sharing of their personal information. For websites using AI:
Right to opt out of sale/sharing — "Do Not Sell or Share My Personal Information"
If your website shares user data with AI vendors for advertising, analytics, or model training purposes, you must provide a clear opt-out mechanism. CCPA requires a 'Do Not Sell or Share My Personal Information' link in your website footer or privacy settings.
Right to know what data AI systems have collected
California consumers can request a copy of all personal information your business has collected about them — including data processed by AI systems. You must be able to provide this upon request within 45 days.
Right to delete AI-processed personal information
Consumers can request deletion of their personal information, including data held by your AI vendors. You must pass deletion requests to your AI service providers and confirm compliance.
Right to correct inaccurate personal information
CPRA added the right to correction. If an AI system has generated inaccurate inferences about a consumer, they have the right to request correction.
CPRA and Automated Decision-Making
The California Privacy Rights Act (effective January 1, 2023) introduced specific requirements for automated decision-making that go beyond the original CCPA:
Right to opt out of automated decision-making
CPRA gives consumers the right to opt out of automated decision-making technology — including AI profiling — that produces legal or similarly significant effects. The California Privacy Protection Agency (CPPA) issued draft regulations on this right in 2024.
Right to access automated decision logic
Consumers have the right to understand the logic involved in automated decisions that significantly affect them — similar to GDPR Article 22. This includes AI-based pricing, content ranking, and eligibility decisions.
Sensitive personal information restrictions
CPRA created heightened protections for sensitive personal information, including biometric data used by AI systems. Processing sensitive data for AI training or profiling requires explicit consumer consent.
The CPPA automated decision-making regulations were in development as of mid-2025. Businesses using AI for significant consumer decisions should monitor these regulations — implementing GDPR Article 22-equivalent controls now provides a strong compliance foundation for when California regulations finalize.
CCPA AI Compliance Checklist for Websites
Determine if CCPA applies
Check whether your business meets any of the three CCPA thresholds. If yes, all obligations below apply.
Audit all AI tools for data collection
List every AI tool on your website, what personal data it collects, and whether data is shared with the vendor for purposes beyond providing the service.
Update your privacy policy
Disclose all categories of personal information collected by AI systems, the purposes for collection, whether data is sold or shared, and consumer rights.
Add 'Do Not Sell or Share' link
If any AI tool involves sale or sharing of personal information, add a 'Do Not Sell or Share My Personal Information' link to your footer and implement the opt-out mechanism.
Implement consumer rights processes
Build processes to respond to CCPA requests within 45 days: access requests, deletion requests, correction requests, and opt-out requests — including passing these to AI vendors.
Review AI vendor contracts
Ensure contracts with AI vendors include CCPA-required provisions: the vendor cannot sell or share data received from you, cannot use it for unauthorized purposes, and must comply with consumer deletion requests.
Check for Global Privacy Control (GPC)
CCPA requires businesses to honor the Global Privacy Control browser signal as an opt-out of sale/sharing. Verify your website detects and respects GPC.
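The two checklist items that have a concrete technical component are the opt-out mechanism behind the 'Do Not Sell or Share' link and honoring the Global Privacy Control signal. A browser expresses GPC in two ways: the `Sec-GPC: 1` request header, which the server sees, and the `navigator.globalPrivacyControl` boolean, which page scripts see. The following is an added example, not code from SiteProof or from the original post, showing how a site can read both signals, combine them with a stored link-based preference, and use the resulting decision to gate which AI vendor scripts are loaded. The vendor registry, the `sharesData` flag, the script URLs and the `storedPreference` values are assumptions made for the example.

```javascript
// Added example (not SiteProof's code): detect the Global Privacy Control
// signal and gate AI vendor scripts on the resulting CCPA opt-out decision.
// Vendor registry, URLs and preference values below are hypothetical.

// Server side: the browser sends "Sec-GPC: 1" when the user has enabled GPC.
// Header names are case-insensitive, so compare them lower-cased.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: supporting browsers expose navigator.globalPrivacyControl.
// Treat anything other than a strict boolean true as "no signal".
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Resolve the effective opt-out state for one visitor.
// - A current GPC signal is a valid opt-out request and wins outright; a
//   previously stored "opt-in" must not override it.
// - Otherwise the choice the user made through the "Do Not Sell or Share My
//   Personal Information" link (stored as 'opt-out' / 'opt-in', hypothetical
//   values) applies.
function resolveOptOut({ headers = {}, nav = null, storedPreference = null } = {}) {
  if (gpcFromHeaders(headers) || gpcFromNavigator(nav)) {
    return { optedOut: true, source: 'gpc' };
  }
  if (storedPreference === 'opt-out') {
    return { optedOut: true, source: 'link' };
  }
  return { optedOut: false, source: 'none' };
}

// Hypothetical registry of AI widgets on the site. sharesData marks tags whose
// loading sends personal information to a vendor for the vendor's own purposes
// (a sale/share under CPRA); a pure service-provider integration is not gated.
const VENDOR_TAGS = [
  { id: 'chatbot-vendor', sharesData: true,  src: 'https://vendor.example/chat.js' },
  { id: 'ai-analytics',   sharesData: true,  src: 'https://vendor.example/analytics.js' },
  { id: 'site-search',    sharesData: false, src: '/static/search.js' },
];

// Return the ids of the tags that may be injected for this visitor.
function tagsToLoad(optOut, tags = VENDOR_TAGS) {
  return tags
    .filter((t) => !t.sharesData || !optOut.optedOut)
    .map((t) => t.id);
}

// Stand-alone demo with constructed inputs: a request carrying Sec-GPC: 1 from
// a visitor who earlier clicked "opt in" through the link.
const demoDecision = resolveOptOut({
  headers: { 'Sec-GPC': '1', 'User-Agent': 'constructed-sample' },
  storedPreference: 'opt-in',
});
console.log(demoDecision);             // { optedOut: true, source: 'gpc' }
console.log(tagsToLoad(demoDecision)); // [ 'site-search' ]
```

On a real deployment the server-side check runs before the page is rendered so that the sale/share tags are never emitted into the HTML when the header is present; the client-side check covers cached pages and single-page apps where the header was not inspected per navigation. Persisting the GPC-derived decision as an opt-out record also gives the evidence needed when a consumer later exercises the right to know.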
Enforcement and Penalties
| Violation Type | Maximum Penalty | Enforced By |
|---|---|---|
| Unintentional violation | $2,500 per violation | California Privacy Protection Agency |
| Intentional violation | $7,500 per violation | California Privacy Protection Agency |
| Data breach involving unprotected personal data | Private right of action — $100–$750 per consumer per incident | California consumers (civil suits) |
| Violation of children's data rules (under 16) | $7,500 per intentional violation | California Privacy Protection Agency |
The per-violation structure means penalties scale with user base size. A website with 50,000 California users that intentionally violates CCPA across all users faces theoretical exposure of $375 million — though enforcement actions to date have resulted in significantly lower settlements. The CPPA has prioritized enforcement against large-scale data brokers and companies with systematic non-compliance.
For a broader view of how CCPA fits alongside GDPR and EU AI Act obligations, see our GDPR AI compliance checklist and our guide on website AI compliance audits.
Run a free automated compliance scan to check your website for CCPA, GDPR, and EU AI Act gaps — 60 seconds, no account required.
Frequently Asked Questions
Does CCPA apply to businesses outside California?
Yes. CCPA applies to any for-profit business that collects personal information from California residents and meets one of the thresholds: annual gross revenue over $25 million, buys or sells personal information of 100,000 or more consumers or households annually, or derives 50% or more of annual revenue from selling personal information. If you have California users and meet any threshold, CCPA applies regardless of where your business is located.
What counts as 'selling' data under CCPA for AI purposes?
Under CCPA, 'selling' includes sharing personal information with a third party for monetary or other valuable consideration. Sharing user data with AI vendors — including sending conversation data to an AI API — may qualify as a sale or sharing under CPRA if the vendor uses that data for its own purposes. Review your AI vendor contracts to determine whether they use your users' data for model training or other purposes.
Does CCPA require disclosure of AI use?
CCPA requires disclosure of the categories of personal information collected and the purposes for which it is used — including use by AI systems. If your chatbot collects personal information, your privacy policy must disclose this. CCPA does not have a specific 'AI disclosure' requirement like the EU AI Act, but the data collection disclosure obligations effectively require it.
What is the CPRA automated decision-making opt-out right?
The California Privacy Rights Act (CPRA), effective January 1, 2023, gives California consumers the right to opt out of automated decision-making technology, including profiling, that produces legal or similarly significant effects. The California Privacy Protection Agency (CPPA) was developing implementing regulations for this right as of 2025. Businesses using AI for significant automated decisions should monitor these regulations.
What are the CCPA penalties for AI compliance violations?
The California Privacy Protection Agency can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. The California Attorney General can also bring enforcement actions. Unlike GDPR, there is no percentage-of-revenue cap — penalties are per-violation, which can compound quickly for websites with large California user bases.