CCPA / CPRA for merch programs touching California residents

What it requires

• Notice at collection: explicit categories and purposes
• Right-to-know, right-to-delete, right-to-correct, right-to-opt-out responses within 45 days
• Do Not Sell or Share My Personal Information link in footer
• Limit-Use-of-Sensitive-Personal-Information mechanism for sensitive categories
• Service Provider / Contractor agreement with every supplier processing PI
• Data Protection Assessment for high-risk processing under CPRA
• Annual cybersecurity audit for businesses meeting threshold
• Children-under-16 opt-in (parent consent for under-13)

How it impacts merch programs

• Welcome kits and event merch sign-ups now treated as PI processing
• Suppliers must be Service Providers (or Contractors) by signed agreement
• Cross-context behavioural ad use of merch-recipient data triggers sale-or-share opt-out
• Sensitive PI (precise geolocation, race, religion) needs limit-use mechanism
• Data-subject deletion requests must propagate to all merch sub-processors
• Recipient list shared with shipping carrier needs Service Provider agreement

Documentation packet — what suppliers must provide

1. Service Provider Agreement (CCPA / CPRA-compliant)
2. Notice at collection language (recipient-form copy)
3. Privacy policy with required disclosures per Cal. Civ. Code 1798.130
4. Data inventory map per processing purpose
5. DPA addendum identifying CCPA roles
6. Cybersecurity audit report (if threshold met)
7. DPIA / risk assessment for sensitive PI processing
8. Verified data-subject request workflow log

Decision tree — when does this framework apply?

• Annual gross revenue > USD 25M, or 100 000+ CA residents PI, or 50%+ revenue from selling PI? CCPA applies
• Are you a business under CCPA? Drives obligations
• Is data shared for cross-context ads? Opt-out + Do Not Sell or Share link
• Is sensitive PI processed for non-essential purposes? Limit-use needed

Penalties for non-compliance

• USD 2 500 per unintentional violation, USD 7 500 per intentional / minors data
• Private right of action for breaches (USD 100-750 per consumer per incident)
• California Privacy Protection Agency (CPPA) enforcement actions
• Cease-and-desist + injunctive relief

How we help

• CCPA / CPRA-compliant Service Provider Agreement pre-signed
• Recipient deletion workflow with 45-day SLA + cascade to sub-processors
• Privacy-policy language aligned to merch-data processing
• California-resident segregation in our processing systems
• Sensitive-PI minimisation in standard recipient forms
• Annual cybersecurity audit shared if you meet the threshold

Related frameworks

• Gdpr Merch
• Iso 9001 14001 27001
• Fcpa Uk Bribery

Related resources

• Glossary of compliance terms
• Material catalogue
• Sustainability report 2026
• Data Processing Addendum
• Whitepapers and reports

Frequently asked questions

Are we a business under CCPA?

If you meet revenue, volume, or sale-of-PI thresholds and process CA-resident PI, yes.

Do recipient lists count as PI?

Yes: name + address + email + employer = PI under CCPA Cal. Civ. Code 1798.140(v).

Service Provider vs Contractor?

Service Provider receives PI for a business purpose; Contractor is a similar role under CPRA: both require contract terms in 1798.140.

Do we need a Do Not Sell or Share link?

If you sell or share PI for cross-context behavioural ads: yes; otherwise the link still recommended.

Children under 16?

Opt-in required for sale/share for under-16; parental consent required under-13.