CCPA and CIAM: California Privacy Compliance for Consumer Apps
Updated 2026-05-07 · 11 min read · By @guptadeepak
Key takeaways
- CCPA / CPRA applies to businesses serving California consumers above specific thresholds; many B2C apps qualify.
- Unlike GDPR, CCPA's default is opt-out (do-not-sell) rather than opt-in; the legal posture is different.
- Consumer rights (access, delete, correct, opt out of sale, limit sensitive data) translate to concrete CIAM features.
- CCPA layers with US state-by-state laws (Colorado, Connecticut, Virginia, Texas); implement a unified privacy posture rather than a per-state one.
- Most CIAM vendors that serve B2C in 2026 ship the building blocks; the harder problem is operational: keeping the records and surfacing the rights cleanly.
What CCPA actually demands
CCPA's enforcement landscape matured through 2023–2026 with the California Privacy Protection Agency (CPPA) issuing regulations, conducting enforcement, and publishing guidance. Combined with parallel state laws (Colorado CPA, Connecticut CTDPA, Virginia CDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Florida FDBR), the US privacy posture in 2026 is no longer "GDPR doesn't apply to us"; there is a meaningful US compliance surface even for purely domestic businesses.
Consumer rights as CIAM features
CCPA grants seven consumer rights. Five land directly on CIAM:
Right to know (access)
Consumers can request the categories and specific pieces of personal information the business has collected, used, disclosed, or sold. The CIAM exports this on demand. Self-service download from the user account satisfies; manual processes that take weeks do not.
Right to delete
Consumers can request deletion of personal information. The CIAM hard-deletes or anonymizes the record. Some retention exceptions apply (legal compliance, completion of transactions, fraud detection); document the exceptions and apply them consistently.
Right to correct
Consumers can request correction of inaccurate personal information. The CIAM ships self-service profile editing or accepts API calls.
Right to opt out of sale or sharing
The "Do Not Sell or Share" requirement. A clear opt-out mechanism (link, button, GPC signal) the consumer triggers; the business honors by disabling sale / cross-context behavioral advertising sharing. Most CMPs (OneTrust, TrustArc) integrate with the CIAM consent layer to track the opt-out state.
Right to limit use of sensitive personal information
CPRA-introduced. Sensitive PI (precise geolocation, racial/ethnic origin, religious beliefs, health, genetic data, sexual orientation, biometric identifiers, social security number) requires explicit consent and a "Limit the Use of My Sensitive Personal Information" mechanism.
The Global Privacy Control signal
Browsers (Brave, Firefox, DuckDuckGo) ship Global Privacy Control (GPC), an HTTP header that signals "do not sell or share my data." California regulations recognize GPC as a legally binding opt-out signal.
For B2C CIAM, this means: on every request, check the Sec-GPC header; if set to "1", treat the user as opted-out of sale / sharing regardless of whether they explicitly clicked the do-not-sell link. Most B2C-mature CIAM and CMPs ship GPC support in 2026; verify yours does.
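The per-request GPC check and the timestamped opt-out record it produces, as an added example that is not code from the article or from any CIAM or CMP vendor. The in-memory store, record shape, and function names are assumptions for illustration; the only fixed input is the Sec-GPC header whose value "1" is the opt-out signal.

```javascript
// Added illustration; store, record shape and function names are assumed.
// In-memory opt-out store keyed by consumer id; persist this in production.
const optOutStore = new Map();

// Sec-GPC is a valid opt-out signal only when its value is exactly "1".
// Header names match case-insensitively; "0", "true" or "" are not signals.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return typeof value === "string" && value.trim() === "1";
    }
  }
  return false;
}

function getEntry(consumerId) {
  if (!optOutStore.has(consumerId)) {
    optOutStore.set(consumerId, { optedOut: false, history: [] });
  }
  return optOutStore.get(consumerId);
}

// Record a transition only when the state actually changes, so the audit
// trail holds one timestamped entry per change with the source that caused it.
function setOptOut(consumerId, optedOut, source, now = new Date()) {
  const entry = getEntry(consumerId);
  if (entry.optedOut !== optedOut) {
    entry.optedOut = optedOut;
    entry.history.push({ ts: now.toISOString(), optedOut, source });
  }
  return entry.optedOut;
}

// Run on every request: a GPC signal opts the consumer out even if they never
// clicked the link. A request without the signal never clears an existing
// opt-out; only an explicit consumer action may revoke it.
function applyRequest(consumerId, headers, now = new Date()) {
  if (gpcSignalled(headers)) setOptOut(consumerId, true, "gpc_header", now);
  return getEntry(consumerId).optedOut;
}

// Explicit "Do Not Sell or Share" link click.
function clickDoNotSell(consumerId, now = new Date()) {
  return setOptOut(consumerId, true, "do_not_sell_link", now);
}

// Gate the ad/data pipeline must call before any cross-context sharing.
function mayShareForAdvertising(consumerId) {
  return !getEntry(consumerId).optedOut;
}
```

The history array per consumer is the "opt-out state with timestamps for each state change" record the enforcement audit trail asks for; a repeated click or a repeated GPC request adds no duplicate entry.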
Records of compliance
CCPA enforcement increasingly tests the audit trail. The records the business should keep:
- Each consumer request received, with timestamp, type (access / delete / correct / opt-out), and the verification method used.
- Each response provided, with timestamp, content, and turnaround time.
- Consent and opt-out state per consumer, with timestamps for each state change.
- Service provider contracts documenting CCPA-compliant terms with each downstream processor.
The CCPA equivalent of GDPR's "demonstrate consent" requirement is broader: demonstrate the entire compliance posture, not just consent.
Multi-state strategy
By 2026, fifteen-plus US states have CCPA-derivative privacy laws. Building separate programs per-state is unmaintainable. The strategy that works:
- Identify the strictest requirement across applicable states. California's CPRA tends to be strictest on consumer rights and opt-out mechanism; Colorado is strictest on consent for sensitive data; Connecticut requires opt-out via Universal Opt-Out Mechanism (which subsumes GPC).
- Implement to that strictest requirement uniformly across all US users. Don't try to detect state and apply different rules.
- Document the posture. When a state-specific question arrives, the answer is "we apply [strictest requirement] uniformly because it satisfies your state's requirement plus."
Vendor support snapshot
CIAM vendors that ship CCPA-grade compliance tooling (consent records, opt-out flows, GPC support, audit trail):
- SAP Customer Data Cloud: twenty years of B2C CIAM heritage, mature consent and preference center.
- Akamai Identity Cloud: Janrain-derived consent depth.
- MojoAuth: consent management included at competitive price points for mid-market B2C.
- Rownd: embedded preference center as a core product feature, suits B2C consent-heavy apps.
- Transmit Security: the Mosaic platform includes consent management at the enterprise tier.
For consumer-facing CIAM that doesn't ship deep consent natively, integrate with a CMP (OneTrust, TrustArc, Cookiebot): let the CMP own the consent state while the CIAM owns authentication, and have the two systems exchange state via webhooks or API.
Related vendors
Akamai Identity Cloud
Akamai Identity Cloud (formerly Janrain) has reached end-of-life. Akamai transitioned the product to End-of-Sale on March 7, 2024 and announced End-of-Life plans on October 31, 2024; feature freeze took effect at the end of 2024 and the complete shutdown is set for December 31, 2027. Existing customers should be planning migration now; most organizations need 12-18 months from decision to completed cutover. Do not select it for new deployments; it is included here only so existing buyers can find the migration context.
MojoAuth
MojoAuth is a B2C CIAM specialist focused on modern passwordless and enterprise-grade auth for consumer apps. Passwordless orchestration (passkeys, magic links, OTP) is well above the market median; SAML / OIDC / adaptive MFA bring enterprise-tier features into B2C pricing tiers; consent management is unusually mature. Consumer apps evaluating Auth0 alternatives at the 100k–1M MAU band should put MojoAuth on the shortlist alongside Stytch and Descope.
Rownd
Rownd is the embedded-B2C-auth-widget specialist in 2026: its drop-in Hub component delivers a complete user-account UX with passwordless, consent management, and preference center in one. The product is intentionally B2C-narrow; for B2B SaaS or enterprise workloads, look elsewhere. For consumer apps that want polished out-of-box UX with serious GDPR consent capabilities, Rownd is a credible pick at lower cost than Auth0 with comparable B2C feature depth.
SAP Customer Data Cloud
SAP Customer Data Cloud (formerly Gigya) is the right CIAM choice for existing SAP Commerce Cloud or SAP Customer Experience customers, where the customer-data-unification heritage and SAP integration depth justify the platform. Twenty years of B2C consent management and preference center expertise are uncommon outside this product. Outside SAP shops, the DX gap and very high pricing make it the wrong choice for greenfield evaluation.
Transmit Security
Transmit Security is the right CIAM choice for fintech, banking, and high-fraud-pressure B2C deployments where unified CIAM plus fraud detection plus orchestration removes the typical three-vendor stack. The Mosaic platform's combination of risk decisioning, behavioral biometrics, and passkey orchestration is among the most capable in the enterprise tier. Enterprise-only pricing and opaque commercial structure exclude mid-market evaluation; for teams below that threshold, look at Auth0 plus Authsignal or Descope.
FAQ
- Does CCPA apply to my SaaS?
- If you serve California residents and meet any of: gross annual revenue over $25M, buy/sell/share personal information of 100,000+ California consumers/households, or derive 50%+ revenue from selling/sharing California consumers' PI. Most B2C consumer apps and many B2B SaaS qualify.
- What's the difference between CCPA and GDPR?
- CCPA's default is opt-out (consumers can opt out of sale or sharing); GDPR's default is opt-in (consent required before processing for many purposes). CCPA scope is narrower (California consumers); GDPR covers EU/EEA persons. The mechanisms overlap heavily: both require subject rights, both require consent records, both require data minimization.
- Do I need a separate compliance program for CCPA, CPRA, and other state laws?
- No, you should unify. Colorado, Connecticut, Virginia, Utah, Texas, and an increasing list of US states have CCPA-derivative laws. Building separate programs per-state is unmaintainable; build a unified privacy posture that meets the strictest requirement.
- What's the 'Do Not Sell or Share' link?
- CCPA requires a clear opt-out link on the homepage and any page collecting personal information. The link triggers a flow that disables the user's data being sold or shared with third parties for cross-context behavioral advertising. Modern CMPs and B2C-mature CIAM ship this as a standard feature.
Sources
- CCPA, California Civil Code Section 1798.100 et seq.
- CPRA, proposition 24, effective January 2023
- California Privacy Protection Agency regulations
- Colorado Privacy Act, Connecticut Data Privacy Act