v1.10.90-0e025b8
Skip to main content
LegalBusiness

CCPA and CPRA: What Proxy-Based Data Collection Teams Need to Know

12 min read

By Hex Proxies Engineering Team

CCPA and CPRA: What Proxy-Based Data Collection Teams Need to Know

This article is for informational purposes only and does not constitute legal advice. Consult qualified counsel for guidance specific to your situation.

California's privacy regime is the most consequential state-level data protection law in the United States. The California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020, creates rights for California consumers and obligations for businesses that collect their personal information. The CPRA took full effect on January 1, 2023 and established the California Privacy Protection Agency (CPPA), which has rule-making and enforcement authority distinct from the Attorney General's office.

For teams running proxy-based data collection, three questions matter: (1) does the statute apply to our activity, (2) what counts as a "sale" or "sharing" of personal information, and (3) how do the B2B and employee information exemptions affect scraped data?

Threshold: Who Is Covered

CCPA/CPRA applies to a "business" that does business in California, collects California consumers' personal information (directly or indirectly), and meets one of three thresholds under Cal. Civ. Code § 1798.140(d):

  1. Annual gross revenues over $25 million in the preceding calendar year;
  2. Buys, sells, or shares the personal information of 100,000 or more California consumers or households annually; or
  3. Derives 50% or more of annual revenue from selling or sharing California consumers' personal information.

A data collection operation that scrapes millions of records including California consumer data likely crosses the second threshold. The 100,000-consumer count is measured over a rolling year and there is no requirement that the consumers knew their data was collected.

Personal information, defined broadly

Section 1798.140(v) defines personal information as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The definition expressly includes publicly available information only when it is from government records, is made available by the consumer directly, or is information the consumer has not restricted. Data scraped from a consumer-facing website that the consumer did not publish themselves is not automatically outside the definition.

The 2023 CPRA regulations at 11 CCR § 7002 reinforce that the "publicly available" carve-out is narrow: data collected from government records, data the consumer manifestly made public, and widely distributed media. User profiles on social networks, which the consumer did not choose to publish but which are visible by default, are inside the statute, not outside.

"Sale" and "Sharing" After CPRA

The CCPA's original "sale" definition was famously broad and caught many transfers that were not commercial sales in any ordinary sense. The CPRA added a separate concept of "sharing," specifically targeted at cross-context behavioral advertising, while retaining the broad "sale" concept.

Under § 1798.140(ad), "sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration. The California Attorney General's 2020 final statement of reasons confirmed that "valuable consideration" is interpreted broadly and can include non-monetary benefits.

Under § 1798.140(ah), "sharing" means making personal information available to a third party for cross-context behavioral advertising, regardless of whether consideration is exchanged.

For scraped data, the implications are:

  • Scraping data for your own internal use is "collecting," not "selling" or "sharing." You still have notice obligations, but the more demanding opt-out mechanics do not attach.
  • Reselling scraped data to a third party, or licensing it, is likely a "sale" unless the transfer qualifies as a service-provider or contractor relationship under § 1798.140(ag) with a written contract containing the required restrictions.
  • Using scraped data to target ads across different businesses' digital properties is "sharing," even if no money changes hands.

The Service Provider / Contractor Exemption

If you transfer personal information to a vendor under a written contract that prohibits the vendor from retaining, using, or disclosing the information for any purpose other than providing the contracted service, and that meets the specific terms required by § 1798.140(ag)(1), the transfer is not a "sale" or "sharing."

This exemption is how scraping operations usually work in practice: a data collection vendor scrapes on behalf of a customer under a services contract, and the scraped data is delivered to the customer without becoming a sale under the statute. The contract language has to meet the specific requirements in the CPPA regulations at 11 CCR § 7051, which were finalized in 2023 and updated in 2024.

Consumer Rights

California consumers have the following rights under CPRA:

  • Right to know what personal information has been collected (§ 1798.100).
  • Right to delete personal information, subject to exceptions including for transactional necessity, security, free expression, and internal use consistent with consumer expectations (§ 1798.105).
  • Right to correct inaccurate information (§ 1798.106).
  • Right to opt out of sale or sharing (§ 1798.120).
  • Right to limit use of sensitive personal information (§ 1798.121).
  • Right to data portability (§ 1798.130(a)(5)).

A business that collects personal information from sources other than the consumer (as scraping always does) still has to honor these rights. The CPPA's 2024 enforcement advisory emphasized that businesses cannot decline a deletion request on the ground that the data came from a public source.

B2B and Employee Exemptions: Expired

A common mistake in 2026 is relying on the B2B and employee information exemptions that were in force until January 1, 2023. Those exemptions, which had excluded business contact information and employee records from most CCPA rights, sunset under CPRA. Business contact information (names, titles, email addresses, phone numbers of employees at other companies) is now fully within scope. Sales-prospecting databases built by scraping LinkedIn or similar sources are squarely covered.

Notice at Collection

Section 1798.100(a) requires a notice at or before the point of collection describing the categories of personal information collected and the purposes. The CPPA regulations at 11 CCR § 7012 clarify that businesses collecting personal information from sources other than the consumer must provide notice, with allowance for impracticable situations. Scrapers typically meet this by publishing a privacy notice at a known URL and referencing the collection practices there, similar to the GDPR Article 14 disproportionate-effort exception.

Enforcement in Practice

CPPA enforcement has been active since 2023. Notable 2023-2024 actions include the Sephora settlement (Attorney General action, $1.2 million) for failing to honor opt-out requests, a CPPA enforcement advisory on data brokers in March 2024, and the passage of SB 362, the Delete Act, which requires data brokers to honor consolidated deletion requests through a CPPA-operated mechanism beginning August 1, 2026.

The Delete Act specifically targets operations that collect personal information from public sources and compile it into saleable profiles. It imposes registration obligations (Cal. Civ. Code § 1798.99.82) and the one-stop deletion mechanism. Scraping operations that build aggregated consumer datasets for sale should assess whether they fit the data broker definition under § 1798.99.80(d), which is broader than most operators assume.

Practical Posture

  1. Map the data flow. Identify whether your scraping touches California consumer personal information, and at what volumes.
  2. Classify the processing. Collection for internal use is lower-burden than selling or sharing; identify which category each processing activity falls into.
  3. Paper the vendor relationship. If you scrape on behalf of customers, use a service-provider contract that meets 11 CCR § 7051.
  4. Publish a privacy notice that discloses collection from public sources.
  5. Build a consumer rights handling workflow. Right-to-know and deletion requests are enforceable even against data scraped from public sources.
  6. Assess data broker status under SB 362 if your operation aggregates and sells.
  7. Track the enforcement pipeline. CPPA guidance and enforcement advisories evolve quickly.

Key Citations

  • Cal. Civ. Code §§ 1798.100 - 1798.199.100 (CCPA as amended by CPRA).
  • 11 CCR §§ 7000 - 7304 (CPPA regulations).
  • SB 362 (2023) (the Delete Act), codified at Cal. Civ. Code §§ 1798.99.80 - 1798.99.89.
  • People v. Sephora USA, Inc., Alameda County Super. Ct. (2022).
  • CPPA Enforcement Division, Enforcement Advisory No. 2024-01.

Related Resources

Proxies for AI-Powered Lead Generation

Enable AI-powered lead generation systems to collect business intelligence, enrich prospect profiles, and verify contact data using residential and ISP proxies.

Proxies for Credit Risk Data Collection

Aggregate credit risk data from public company filings, court records, business registries, and financial databases using residential proxies that access sources across 150+ countries.

Proxies for Local SEO Verification

City-level geo-targeted residential proxies for verifying local search results, Google Business Profile accuracy, and local pack rankings across markets.

Residential Proxies

Rotating residential IPs from 100+ countries with city-level targeting.