Last updated 2026-07-11

TL;DR
The California Consumer Privacy Act (CCPA), amended by CPRA in 2020, gives California residents the right to know what personal data you hold, opt out of its sale or sharing, and have it deleted. For outbound callers, that means honoring opt-out requests before dialing, scrubbing purchased lead lists on demand, and keeping records that prove consent. Penalties run up to $7,500 per intentional violation.
What is the CCPA and why should outbound callers care about it?
The California Consumer Privacy Act took effect January 1, 2020. Its 2020 amendment, the California Privacy Rights Act (CPRA), strengthened enforcement and created a dedicated agency, the California Privacy Protection Agency (CPPA), to oversee compliance starting in 2023. The law sits in California Civil Code sections 1798.100 through 1798.199.100. [1]
Most compliance guides write about CCPA as a website and data-broker problem. Outbound callers get a footnote. That is a mistake. The law's core rights map straight onto how sales teams build and work call lists.
If you dial California phone numbers, you are almost certainly a "business" or a "service provider" under the statute. A business qualifies if it collects personal information from California residents and meets one of three tests: annual gross revenues over $25 million, buying or selling personal information of 100,000 or more consumers or households a year, or deriving 50% or more of annual revenue from selling personal information. [1] Small teams miss the middle one. 100,000 records is a low bar once you are buying data from a broker.
The personal information covered includes phone numbers, names, and email addresses, plus anything that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." [1] Your call list qualifies. So does the CRM record tied to it.
Does CCPA apply to your outbound calling operation?
The first question is whether you are a covered "business." CCPA uses that exact term, and the three thresholds are separate. You only need to hit one, not all three. [1]
Here is the practical breakdown for outbound teams:
| Threshold | Applies if... | Common outbound scenario |
|---|---|---|
| Revenue | Annual gross revenue over $25 million | Mid-size or larger sales org |
| Data volume | Buy, sell, or share personal info of 100,000+ CA consumers/households per year | Lead gen company, or any team running large purchased lists |
| Revenue from data | 50%+ of annual revenue from selling personal info | Data brokers, list vendors |
"Sharing" was added by CPRA and captures cross-context behavioral advertising. So if you pass lead data to affiliate partners or co-registration networks, that counts. [1]
Even if your company does not qualify as a "business," you may be a "service provider" for someone who does. Service providers carry their own obligations, including hard limits on how they can use the data they receive. If a client hands you a California lead list and you dial it on their behalf, you are a service provider, and the data can only be used for the specific purpose your contract names. [1]
Businesses regulated by the Gramm-Leach-Bliley Act (GLBA) or HIPAA get a partial exemption for data already covered under those laws. The exemption is narrow. It does not erase your other CCPA obligations. [2]
What rights do California consumers have that directly affect your call list?
Four CCPA rights bite hardest for outbound callers.
First, the right to know. A California resident can send you a verifiable request asking what personal information you have on them, where you got it, what you use it for, and whether you sold or disclosed it. [1] You have 45 days to respond, with one 45-day extension if you notify them. That means you need to trace a phone number back to its source and the chain of sharing.
Second, the right to delete. A consumer can tell you to delete their personal information, phone number included, from your records. You must delete it and tell your service providers to delete it too. Exceptions exist, but completing a transaction or contractual obligation is the only one most callers can lean on, and it is narrow. [1]
Third, the right to opt out of sale or sharing. This is the one outbound teams break without knowing it. If you sell leads to partners, share data through co-registration, or pass records to affiliate networks, a consumer can shut that off. You have 15 business days to honor the request. You cannot re-sell or re-share that person's data for 12 months without a fresh opt-in. [1]
Fourth, the right to correct. CPRA added it. Consumers can demand you fix inaccurate personal information. If someone disputes the phone number or email on file, you need a process to handle it.
None of these rights need a lawsuit to trigger. A written request does it. Businesses must offer at least two easy ways to submit them: a toll-free phone number and, if you have a website, a web form or a "Do Not Sell or Share My Personal Information" link. [9]
How does CCPA interact with TCPA for outbound calling?
The TCPA and CCPA are separate laws with separate enforcement, but they collide in practice for anyone dialing or texting. The TCPA governs how you contact people (autodialer rules, consent, time-of-day limits). CCPA governs what data you hold and what you can do with it.
The overlap is sharpest around consent records. TCPA requires prior express written consent to call or text mobile numbers using an autodialer or prerecorded voice. [3] CCPA separately requires you to show what data you collected and why. A consumer who exercises their right to know may find you got their cell number from a third-party lead vendor. If they then opt out of the sale of their data, or ask you to delete it, you can lose your TCPA consent basis too, because the source data behind that consent chain is gone.
One consumer action can strip your TCPA consent and your CCPA right to hold the record at the same time. Teams that treat these as two separate problems get caught flat-footed.
Another collision point is the Do Not Call list. CCPA does not replace state or federal DNC rules. It sits on top of them. A consumer on the federal DNC registry still holds every CCPA right, and a consumer who fires off a CCPA opt-out still needs an independent DNC check before your next call. [4]
SMS is the same story. Text message marketing needs TCPA consent, and CCPA separately governs the underlying contact record. If a mobile number came from a lead aggregator, you likely have to disclose that source in a right-to-know response, and the consumer can demand deletion.
What must your call list sourcing process look like under CCPA?
Buying leads from a broker, renting a list, or taking warm transfers from a partner all involve receiving personal information from a third party. CCPA requires a business to tell consumers, at or before the point of collection, what categories of information it collects and why. [1] When you buy a list, the original collector owns that disclosure duty. You still carry downstream duties.
If the list source never obtained proper notice and opt-in from California residents, any calls you make on that data land you in a gray zone. You inherit a consent problem you did not create. The exposure is yours, because you are the one dialing.
Here is the working checklist for purchased lists:
1. Get a data processing agreement or service provider contract with the vendor that names the lawful basis for sharing and limits your use to the agreed purpose. 2. Ask the vendor point-blank whether they have compliant California consumer notices in place and whether their data still includes people who have opted out. 3. Keep records of when you received each batch, from whom, and what disclosures were made. 4. Build a suppression workflow: when a California consumer deletes or opts out, remove them from every active list and push that suppression back to the vendor if your contract requires it.
The California Attorney General's enforcement has targeted businesses that claimed compliance but could not show it. A policy on paper is not enough. Documented workflows are what survive an investigation. [5]
What are the CCPA penalties for outbound calling violations?
The California Attorney General can impose civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation. [1] The California Privacy Protection Agency has independent authority to levy the same fines. [6]
For callers, "per violation" is the phrase that matters. A single purchased list of 50,000 California numbers, each missing a required opt-out mechanism, could in theory be 50,000 separate violations. No enforcement action to date has stacked maximum per-record penalties across a whole list. But even a modest violation rate turns expensive fast under that math.
CCPA also carries a private right of action. It is narrow. Consumers can sue only for unauthorized access, disclosure, or theft of certain categories of unencrypted or unredacted personal information. [1] Statutory damages run from $100 to $750 per consumer per incident, or actual damages, whichever is greater. This targets data breaches, not calling compliance. But if a breach exposes your call list and it holds California consumers, you face both breach liability and CCPA exposure.
The first major CCPA enforcement action, the California AG's case against retailer Sephora, ended in a $1.2 million settlement in 2022 after the company failed to honor opt-out requests and failed to disclose that it sold data. [5] That case set the tone: the AG goes after systematic failure to honor consumer rights, more than technical notice slips.
For a sense of what TCPA class settlements look like on the other side of the ledger, the Cash App TCPA class action settlement and the Credit One TCPA settlement show how quickly exposure compounds at scale.
How do you handle CCPA opt-out requests in a live calling environment?
The operational problem is speed. A consumer can submit a right to opt out online at 9 a.m., and your dialer can reach their number that same afternoon. CCPA gives you 15 business days to honor an opt-out from sale or sharing, and 45 days (plus a possible 45-day extension) to honor a deletion. Neither window helps if you are calling the person in the meantime.
Build a suppression feed that updates your dialer in real time, or as close to it as your systems allow. Treat every opt-out or deletion request as a reason to pause that record immediately, before any legal deadline. The deadline tells you how long you have to finish the downstream removal steps. It does not tell you to keep dialing in the meantime.
For teams running a cold call or cold calling workflow with outsourced dialers, this becomes a contract issue. Your service provider agreement needs to say you will pass suppression lists to the vendor and they must honor them within a set window. If your vendor keeps calling after you got the opt-out, the violation is still yours.
A few specifics on process:
- Log the date and time of every opt-out or deletion request you receive.
- Confirm receipt to the consumer inside the required window.
- Scrub the record from all active campaign lists, not only the one that prompted the request.
- Keep the suppression records. If the consumer or an investigator asks whether you honored the request, you need to show when and how.
- Push suppression back to your data source if your contract requires it, and document that you did.
Does CCPA require a privacy notice for your outbound calling business?
Yes. Covered businesses must give a privacy notice at or before the point of collection. [1] For callers who generate their own leads (web forms, inbound calls that convert to outbound follow-up, referral programs), the notice goes on the collection form or page.
For callers who only buy lists and never collect directly from California consumers, the picture is murkier. The collection duty technically falls on whoever gathered the data. But if you are a covered business, you still need a public privacy policy that discloses what categories of personal information you collected in the past 12 months, what you do with it, and how consumers exercise their rights. [1]
The required contents of a CCPA privacy notice for a calling business:
- Categories of personal information collected (phone numbers, names, purchase history if any)
- Purposes for collection (to contact people about your products or services)
- Categories of third parties you share information with (data vendors, dialer platforms)
- Consumer rights under CCPA and how to exercise them
- Whether you sell or share personal information
- Retention periods or the criteria you use to set them
If you share data with a do not call telemarketer list service or a third-party DNC scrubbing provider to check your lists, disclose that sharing or cover it under a service provider agreement.
For teams without a website, the two-method requirement is harder. The regulations say at least two methods, one of which must be a toll-free phone number. [9] A business that does all its work by phone needs to be ready to receive and log CCPA requests by phone.
How is CCPA enforcement different from TCPA enforcement?
TCPA enforcement is mostly private. Class action lawyers file for individual plaintiffs and negotiate settlements. The FCC and FTC hold enforcement authority, but most dollar exposure comes from private suits. [3]
CCPA flips that. The primary enforcers are government agencies: the California Attorney General and, since July 2023, the California Privacy Protection Agency. Consumers can sue for data breach incidents, but routine calling violations (missed opt-out requests, missing disclosures) are AG and CPPA territory. [6]
That difference matters operationally. TCPA class actions target specific campaigns and need a named plaintiff who got an illegal call. CCPA enforcement can start from a regulatory audit, a complaint from any consumer or advocacy group, or the AG's own initiative. You do not need an adversarial plaintiff to draw CCPA exposure.
The CPPA also has investigative teeth. It can demand records, audit your data practices, and issue fines without first going to court. [6] That is a different threat model than TCPA, where the first sign of trouble is usually a demand letter from a plaintiff's attorney.
Consent is where the two overlap. Defending a TCPA case, you have to show prior express written consent. Responding to a CCPA investigation, you have to show your data collection was disclosed. The records that save you in one proceeding tend to save you in the other. Good record-keeping does double duty.
What should small outbound teams actually do right now to comply?
The steps are not glamorous, but they are finite. Here is what matters most for a small team dialing California numbers.
Start with a data inventory. List every source of phone numbers and contact records: purchased lists, CRM data from past campaigns, referrals, your own web forms. For each source, note whether a proper CCPA notice went out at collection and whether you have a data processing agreement with the vendor.
Build a suppression workflow. Keep one suppression list your dialer checks before any outbound call. Every right-to-delete and right-to-opt-out request goes on it the day you get it, before any deadline clock matters. Review it weekly at a minimum.
Update your vendor contracts. Any company that sends you personal information or receives it from you needs a service provider or contractor agreement that spells out the purpose limitation and their CCPA obligations. A handshake deal does not cut it.
Post a compliant privacy notice. If you have a website, update the privacy policy to include the CCPA disclosures. If you do not have a website, set up a toll-free number consumers can call to exercise their rights, and assign someone to field and log those requests.
For a structured starting point, LeadCompliant's compliance kit includes a CCPA-aligned data audit template and a suppression workflow checklist built for outbound calling.
To line up your DNC obligations alongside CCPA, see how do I get the do not call list and mobile phone do not call list. The two tracks (CCPA and DNC) need to run together, not in separate silos.
Nobody has clean data on how often small teams get caught in CCPA enforcement. The closest signal is the AG's public enforcement record, which through 2023 hit companies with revenues in the tens of millions. But enforcement scales as the CPPA staffs up, and the complaint-driven model means any California consumer you annoy can trigger an investigation, regardless of your size.
Are there CCPA exemptions that protect some outbound calling activities?
A few exemptions exist. They are narrower than most callers hope.
Business-to-business (B2B) contacts had a partial exemption under early CCPA for personal information collected in a business context. That exemption expired January 1, 2023. CPRA killed it. If you call a business contact and collect their personal cell or email, that individual is now a "consumer" under CCPA with full rights. [7] B2B outbound teams need to update their compliance frameworks to match.
Employee data has its own limited exemption, but that covers your HR practices, not your calling.
Publicly available information sits outside CCPA's definition of personal information when it comes from government records. A business name and main line published in a state registry is not covered. But add a direct cell number sourced from a data broker, and that cell number is covered. [1]
The "service provider" carve-out does not exempt you from CCPA. It just clarifies your role. As a service provider, you are still bound by the law's limits on how you use personal data. You just are not liable as a "business" making independent decisions about consumer data.
The short version: most outbound callers touching California consumer data have no clean exemption to hide behind. Build for full coverage, and document any exemption argument you plan to make. That documentation protects you if you are wrong about how far the exemption reaches.
Frequently asked questions
Does CCPA apply to outbound cold calling, or only to online data collection?
CCPA applies to any business that collects or uses personal information about California residents, whether that collection happens online or offline. Phone numbers on a call list are personal information under the statute. If your outbound operation meets any of the three CCPA business thresholds (revenue, data volume, or share of revenue from data), the law covers your calling activities.
How long do I have to respond to a CCPA deletion request from someone on my call list?
You have 45 days to respond to a verifiable consumer deletion request. You can take one additional 45-day extension if you notify the consumer of the delay and the reason. California Civil Code section 1798.130 sets these timeframes. Practically, you should pause dialing that record the moment you receive it, before the legal clock even matters.
Can a California consumer stop me from calling them using CCPA instead of just saying do not call?
Yes, and the mechanism reaches further. A CCPA deletion request or opt-out from sale can require you to remove a number from your database entirely, more than add it to a suppression list. A standard do-not-call request stops future calls. A CCPA deletion request can erase the underlying record. Honor both. They carry different timelines and different compliance records you have to keep.
What is the CCPA penalty per violation for outbound calling compliance failures?
The California AG and the California Privacy Protection Agency can each levy civil fines of up to $2,500 per unintentional violation and up to $7,500 per intentional violation under Civil Code section 1798.155. Violations can be counted per consumer record affected, so a systematic failure across a large call list multiplies fast. There is no per-call cap that limits exposure to a single fine.
Do I need a written contract with my lead vendor to comply with CCPA?
Yes. If your lead vendor is a service provider under CCPA, you need a written contract that limits the vendor's use of the data to the services they provide you. Without that contract, the vendor could be treated as selling data rather than processing it, which changes both parties' obligations. The California AG's regulations specify what those contracts must include.
Does the CCPA B2B exemption still protect my outbound sales calls to businesses?
No. The B2B exemption in the original CCPA expired January 1, 2023, when CPRA took full effect. Business contacts you call, including employees at the companies you target, are now consumers with full CCPA rights if they are California residents. Your B2B outbound program needs the same data inventory and opt-out processes as a B2C program.
If I buy a lead list from a vendor, who is responsible for CCPA compliance on that data?
Both parties share responsibility, in different ways. The original collector owns the notice and disclosure duty at the point of collection. As the buyer, you become a covered business with your own obligations: honoring opt-out and deletion requests, holding a service provider contract with the vendor, and not using the data beyond the disclosed purpose. You cannot outsource compliance by buying from a third party.
Does CCPA require a "Do Not Sell My Personal Information" link on my website?
If you sell or share personal information and have a website, you must post a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" on your homepage. CPRA updated the link text to include sharing. If you do not sell or share personal information, you do not need the link, but you must still disclose that fact in your privacy notice.
How does CCPA affect automated dialing or prerecorded message campaigns to California numbers?
CCPA does not replace TCPA requirements for autodialer or prerecorded message campaigns. You need both TCPA prior express written consent and a CCPA-compliant data handling process. Losing CCPA standing on a record, through a deletion request, can undermine the TCPA consent chain if that consent was tied to the same data source. Treat the two compliance tracks as linked, not independent.
What records should I keep to prove CCPA compliance for my calling operation?
Keep records of every source of phone numbers and when you received them, the notice or consent obtained at collection, every opt-out or deletion request with dates and how you responded, your service provider contracts with lead vendors and dialers, and your privacy notice version history. The California AG has cited inability to demonstrate compliance as an aggravating factor in enforcement.
Does CCPA give consumers the right to know where you got their phone number?
Yes. A verifiable right-to-know request requires you to disclose the categories of sources you collected personal information from, which includes the phone number. You do not have to name the specific vendor, but you must disclose the category (for example, third-party data broker). That is why tracing data provenance from your CRM or dialer back to the original list source matters operationally.
Is there a size threshold below which small outbound teams are exempt from CCPA?
CCPA exempts businesses that fall below all three thresholds at once: under $25 million in annual gross revenue, buying or selling personal information on fewer than 100,000 California consumers or households a year, and under 50% of revenue from selling personal information. Clear even one threshold and you are covered. The 100,000-record data volume threshold is easier to hit than most small teams expect.
How does CCPA affect outbound SMS marketing to California residents?
The same rules apply. Phone numbers used for outbound SMS are personal information under CCPA. Opt-out and deletion requests cover SMS contact just as they cover voice calls. TCPA requires separate consent for SMS, and that consent can be undermined if the underlying record is deleted under CCPA. Run both TCPA consent checks and CCPA suppression checks before any SMS campaign to California numbers.
What did the first major CCPA enforcement action teach outbound callers?
The 2022 AG action against Sephora, which ended in a $1.2 million settlement, showed that the AG focuses on systemic failures: the company did not honor opt-out requests and did not disclose that it sold data. For outbound callers, the lesson is that a privacy policy alone is not enough. You need documented, operational processes for receiving and acting on consumer rights requests, and proof they worked.
Sources
- California Legislature, California Civil Code sections 1798.100-1798.199.100 (CCPA as amended by CPRA): CCPA rights (know, delete, opt-out, correct), business thresholds ($25M revenue, 100K records, 50% revenue from data), definitions of personal information, 45-day response window, $2,500/$7,500 penalty tiers, required privacy notice contents, and B2B exemption expiration
- California Attorney General, California Consumer Privacy Act (CCPA) overview and FAQs: GLBA and HIPAA partial exemptions under CCPA; AG interpretive guidance on covered businesses and service providers
- Federal Trade Commission, National Do Not Call Registry: CCPA does not replace federal or state DNC obligations; DNC rules apply independently of CCPA rights
- California Attorney General, settlement with Sephora USA Inc. (2022 CCPA enforcement action): $1.2 million Sephora settlement in 2022 for failure to honor opt-out requests and failure to disclose data selling; AG cited inability to demonstrate compliance as aggravating factor
- California Privacy Protection Agency, enforcement and rulemaking authority: CPPA has independent authority to issue fines of up to $7,500 per intentional violation, conduct audits, and investigate without a court order, effective July 2023
- California Legislature, California Privacy Rights Act (Proposition 24, 2020): CPRA amended CCPA effective January 1, 2023, eliminating B2B exemption, adding right to correct, adding sharing alongside selling as an opt-out trigger, and creating the CPPA
- California Attorney General, CCPA Regulations (11 Cal. Code Regs. sections 7000-7103): Regulations require businesses to provide at least two methods for consumers to submit requests, including a toll-free phone number, and to include all required disclosures in the privacy notice
- U.S. Department of Health and Human Services, HIPAA information: HIPAA-covered data has a partial exemption under CCPA but the exemption does not erase all CCPA obligations for covered businesses