CCPA Compliance

Configure your forms for the California Consumer Privacy Act.

What is the CCPA?

The California Consumer Privacy Act (CCPA), amended by the CPRA in 2023, is California's consumer privacy law. It applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:

Annual gross revenue over $25 million, or
Buy, sell, or share the personal information of 100,000+ consumers/households per year, or
Derive 50%+ of annual revenue from selling or sharing consumer personal information.

Even if your business is based outside California, the CCPA applies if you collect data from California residents and meet any threshold above.

Why the CCPA does not require a consent checkbox

Unlike the GDPR, the CCPA does not require prior consent to collect personal information. The CCPA operates on an opt-out model rather than an opt-in model:

GDPR — you cannot collect data until the person says "yes" (opt-in).
CCPA — you can collect data, but the person can say "stop" at any time (opt-out).

The CCPA requires that you inform consumers about what data you collect and how you use it (via a privacy policy), and give them the right to opt out of the sale or sharing of their data. But submitting a form is not "selling" data — it's a direct collection that the consumer initiated.

This is why the FormBlade CCPA preset does not enable the consent checkbox. Adding one would be unnecessary friction for your users without a legal requirement.

Note: If you want to add a consent checkbox anyway (e.g., for extra transparency or because you also serve EU visitors), you can enable it manually after applying the CCPA preset. The preset is a starting point, not a restriction.

What the CCPA preset configures

Setting	Value	Why
Consent checkbox	Not required	The CCPA uses an opt-out model. Prior consent is not required for direct data collection.
IP anonymization	Disabled	The CCPA does not require IP anonymization. Full IPs can be useful for fraud detection and analytics.
Data retention	730 days	The CCPA requires businesses to disclose retention periods. Two years is a common, defensible timeframe for form submissions.
User-agent storage	Enabled	Browser info is not particularly sensitive under the CCPA and is useful for troubleshooting submission issues.

Set up the CCPA preset

Account level

Go to Account Settings in the sidebar.
Scroll to Compliance.
Select CCPA (California) from the dropdown.
Click Save.

Per form

Open the form in your dashboard.
Go to Settings → Compliance.
Toggle Override account defaults.
Select CCPA (California).
Click Save.

What the CCPA does require

Even without a consent checkbox, the CCPA imposes obligations that you need to handle on your own website:

Privacy policy (Section 1798.100)

Your website must have a privacy policy that discloses:

The categories of personal information you collect (e.g., identifiers, contact information).
The purposes for which you collect and use it.
How long you retain it (FormBlade's 730-day default gives you a specific number to cite).
The categories of third parties with whom you share it (e.g., FormBlade as a service provider).

Link your privacy policy from the form page or the page that contains the form. You can add the URL in the form's Privacy policy URL field in FormBlade settings.

Right to delete (Section 1798.105)

California consumers can request deletion of their personal data. You can delete individual submissions from the dashboard. If you receive a deletion request, you should:

Search for the consumer's submissions by email address or name in the dashboard.
Delete all matching submissions.
Respond to the consumer confirming deletion within 45 days.

Right to know (Section 1798.110)

Consumers can request to see what personal data you have collected about them. Export the relevant submissions as CSV from the dashboard and provide them to the consumer.

"Do Not Sell or Share" link

If you sell or share personal information with third parties (beyond service providers like FormBlade), you must provide a "Do Not Sell or Share My Personal Information" link on your website. If you only use FormBlade to collect and store submissions and do not sell the data, this link is not required — but many businesses add it proactively.

CCPA vs CPRA

The California Privacy Rights Act (CPRA) amended the CCPA effective January 2023. The key additions relevant to form data:

Sensitive personal information — the CPRA adds a new category for data like Social Security numbers, financial accounts, and precise geolocation. Standard contact form fields (name, email, message) are not considered sensitive.
Data minimization — the CPRA requires that you collect only personal information that is "reasonably necessary" for the purpose. Don't add unnecessary fields to your forms.
Retention limits — you must not retain data longer than necessary. FormBlade's automatic retention purge helps you comply.