California CCPA and web scraping collided in court for the first time in 2025, and the rulings changed how serious data teams think about compliance. If you scrape California-origin data at any meaningful scale in 2026, you need to understand what CCPA actually covers, where the carve-outs are, and how enforcement is trending — because the California Privacy Protection Agency (CPPA) now has active investigative authority and issued its first enforcement actions under CPRA amendments last year.
What CCPA Actually Covers (And What It Doesn’t)
CCPA applies to for-profit businesses that collect personal information from California residents and meet any one of these thresholds: $25M+ in annual gross revenue, buying/selling personal data of 100,000+ consumers or households annually, or deriving 50%+ of revenue from selling personal data. If you’re a startup running scrapes for internal analytics, you may fall outside the statute entirely. If you’re a data broker or SaaS enrichment tool, you almost certainly don’t.
The definition of “personal information” under CCPA is broad: names, email addresses, IP addresses, browsing history, inferences drawn to create profiles, and “unique identifiers.” Scraped LinkedIn profiles, contact directories, and review datasets can all qualify if the subjects are California residents. Publicly posted data is not automatically exempt — the law focuses on the nature of the data, not where it was sourced.
The business-to-business (B2B) exemption originally carved out commercial contact data (company names, business email addresses, job titles), but that exemption expired in January 2023. In 2026, scraping B2B contact data on California residents carries the same obligations as scraping consumer data.
How CCPA Compliance Maps to a Scraping Pipeline
For a scraping operation that touches California personal data, the practical obligations break down like this:
- Data mapping: document every dataset containing California resident PII, including scraped sources, storage locations, and downstream uses.
- Privacy notice: publish a compliant privacy policy before collection begins — this applies even to data collected via automated scraping.
- Opt-out mechanism: if you sell or share data, you must honor Global Privacy Control (GPC) signals and provide a “Do Not Sell or Share My Personal Information” link.
- Data minimization: collect only what you need. Scraping full profile pages when you only use job titles creates unnecessary exposure.
- Data subject requests: implement a process to handle deletion, correction, and access requests within 45 days.
- Retention limits: establish and enforce a retention schedule — indefinitely cached scraped datasets are a liability.
The CPPA has signaled it views GPC non-compliance as a low-hanging enforcement target. Running a browser-based scraper that strips GPC headers is a pattern regulators have specifically called out.
Here’s a minimal Python snippet showing how to respect GPC signals when making requests:
import httpx
headers = {
"Sec-GPC": "1", # signal opt-out preference
"User-Agent": "Mozilla/5.0 (compatible; DataBot/1.0)",
}
resp = httpx.get("https://example.com/directory", headers=headers)
# if target returns 403 or redirect on GPC signal, honor it -- do not retry without signalThis won’t satisfy full compliance on its own, but stripping GPC signals from scraping clients is a concrete audit finding.
CCPA vs. Other Privacy Frameworks: Quick Comparison
If you’re managing multi-jurisdictional compliance, the differences between CCPA and its peers matter for how you architect your pipeline. For a broader view of how similar obligations play out across different legal systems, the Brazil LGPD and Web Scraping: 2026 Compliance Guide and the UK GDPR Post-Brexit and Web Scraping: 2026 Rules are worth reading alongside this one.
| Framework | Lawful basis required | B2B data covered | Fines (max) | Regulator |
|---|---|---|---|---|
| CCPA/CPRA | No (opt-out model) | Yes (since 2023) | $7,500/intentional violation | CPPA |
| EU GDPR | Yes (6 bases) | Yes | 4% global revenue or €20M | DPAs |
| UK GDPR | Yes (6 bases) | Yes | £17.5M or 4% revenue | ICO |
| Brazil LGPD | Yes (10 bases) | Yes | 2% Brazil revenue, up to R$50M | ANPD |
CCPA’s opt-out model (rather than an opt-in consent model) is more forgiving for data collectors, but fines per violation can stack fast at scale. A scrape of 500,000 California resident records without a compliant privacy notice is theoretically 500,000 violations.
Where Terms of Service Intersect With CCPA
CCPA compliance does not protect you from ToS-based legal action. LinkedIn v. hiQ established that scraping publicly accessible data is not a CFAA violation, but LinkedIn pursued hiQ under breach-of-contract theories tied to its ToS. These are separate legal rails. Understanding how ToS clauses are actually enforced in court is a prerequisite for any production scraping setup — the Web Scraping Terms of Service Analysis: When ToS Matters Legally (2026) breaks down the post-hiQ landscape in detail.
In practice: CCPA compliance reduces your regulatory exposure from the state. ToS compliance (or a legal opinion on ToS enforceability) reduces your civil litigation exposure from the scraped site. You need both analyses, not one or the other.
Key Risk Vectors in 2026
The enforcement patterns that have emerged under CPRA give a clearer picture of where the CPPA is actually looking:
- Data brokers: the CPPA’s Data Broker Registry now has over 600 registered entities. Non-registration is an immediate fine target.
- “Dark patterns” in opt-out flows: if your product uses scraped data and makes it difficult to submit a deletion request, that’s a CPRA violation separate from the scraping itself.
- AI training datasets: the CPPA issued guidance in late 2024 clarifying that using scraped California resident data to train commercial AI models triggers CCPA obligations. This is currently the fastest-growing enforcement area.
- Third-party data purchases: buying a scraped dataset from a vendor doesn’t insulate you. If you use the data for commercial purposes, you share responsibility for compliance.
- Cross-border transfers: California resident data transferred to non-adequate-protection jurisdictions for processing needs a contractual basis, similar to GDPR SCCs.
For teams operating across Southeast Asia and looking at how CCPA fits into a broader compliance matrix, the pillar piece ASEAN Data Protection Laws: A Web Scraping Compliance Matrix shows how California obligations layer with PDPA (Thailand/Singapore), PDPL (Philippines), and emerging frameworks.
Bottom Line
If your scraping pipeline touches California resident data and your business clears the CCPA revenue or data-volume thresholds, treat CCPA compliance as a non-optional infrastructure cost in 2026, not a legal afterthought. Start with a data map and a compliant privacy policy, implement GPC signal respect at the request layer, and register as a data broker if you sell or license scraped datasets. DRT will continue tracking CPPA enforcement actions and regulatory guidance as the AI training data rules develop through the year.