
CCPA Redaction Requirements: What California Businesses Must Know

Neetusha · Founder & CEO of RedactifyAI

Buried in the California Consumer Privacy Act is a provision that most compliance teams either overlook or misunderstand. Section 1798.150 of the CCPA gives consumers the right to sue businesses for data breaches: $100 to $750 per consumer, per incident, with no cap on class size. But that same section contains a safe harbor: if the breached data was properly encrypted or redacted, the private right of action does not apply.

That single word, "redacted," turns document redaction from a best practice into a legal shield. A California business that properly redacts personal information before storing or sharing it can avoid the most expensive consequence of a data breach: a class-action lawsuit from every affected consumer.

Yet most businesses treat redaction as an afterthought, something that happens manually and inconsistently, if it happens at all. This guide covers what the CCPA actually requires, which categories of personal information trigger the obligation, how redaction fits into consumer rights requests, and what the 2026 regulatory updates mean for your compliance program.

What is CCPA redaction?

CCPA redaction is the permanent removal of personal information from documents to comply with the California Consumer Privacy Act. It applies when responding to consumer access requests, disclosing records that contain third-party data, and storing documents proactively to qualify for the Section 1798.150 safe harbor that shields businesses from class-action lawsuits after a data breach.

What does the CCPA require businesses to redact?

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), gives California residents a set of enforceable rights over their personal information. Several of these rights create direct redaction obligations for businesses.

Right to Know (Sections 1798.100 and 1798.110). Consumers can request the specific pieces of personal information a business has collected about them. When you fulfill this request, you must disclose the consumer's data, but you must also redact any personal information belonging to other individuals that appears in the same documents. Handing over a contract that contains both the requester's name and another consumer's Social Security number is a violation.

Right to Delete (Section 1798.105). Consumers can request deletion of their personal information. Where full deletion isn't possible (because the data appears in shared records, for instance), redaction of the specific consumer's identifiers from those records may be an appropriate alternative.

Right to Opt-Out (Section 1798.120). Consumers can opt out of the sale or sharing of their personal information. When a business continues processing shared documents after an opt-out, any personal information belonging to the opted-out consumer must be removed or redacted from those documents before further sharing.

Data Subject Access Requests (DSARs). The CCPA gives businesses 45 calendar days to respond to a consumer access request, with the possibility of a 45-day extension. During that window, the business must locate all responsive documents, redact third-party personal information from those documents, and deliver the results to the requesting consumer. For organizations with unstructured data (emails, contracts, scanned records, chat logs), this is where the operational burden hits hardest.

What personal information must be redacted under the CCPA?

The CCPA defines personal information broadly across 11 categories under Section 1798.140(v). Every one of these categories can appear in documents that require redaction.

  1. Identifiers. Name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number.

  2. Protected classification characteristics. Race, color, ancestry, national origin, citizenship, religion, marital status, medical condition, physical or mental disability, sex, sexual orientation, veteran or military status, genetic information.

  3. Commercial information. Records of personal property, products or services purchased, purchasing or consuming histories or tendencies.

  4. Biometric information. Physiological, biological, or behavioral characteristics including DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, voice recordings, sleep, health, or exercise data.

  5. Internet or other electronic network activity. Browsing history, search history, information regarding interaction with a website, application, or advertisement.

  6. Geolocation data. Precise physical location.

  7. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information.

  8. Professional or employment-related information. Current or past job history, performance evaluations.

  9. Non-public education information. Education records directly related to a student maintained by an educational institution, as defined by the Family Educational Rights and Privacy Act (FERPA).

  10. Inferences. Inferences drawn from any of the above to create a profile reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.

  11. Sensitive Personal Information (SPI). Added by the CPRA: Social Security numbers, driver's license or state ID numbers, passport numbers; account log-in credentials combined with required security codes; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of mail, email, and text messages (unless the business is the intended recipient); genetic data; biometric data used for identification; health information; sex life or sexual orientation data.

Any document that contains data from these categories (and that means nearly every business document) falls within the CCPA's scope when it comes to consumer access requests, third-party disclosures, or breach notification obligations.

What does NOT need to be redacted under the CCPA?

Over-redaction is a real compliance risk. Redacting too much delays DSAR responses, frustrates consumers, and can itself trigger enforcement if it prevents a consumer from receiving information they're entitled to. The CCPA does not require redaction of:

  • The requesting consumer's own information. In a DSAR response, you redact other people's personal information from the documents, not the requester's own data, which is what they asked for.
  • Aggregated or de-identified data. Information that has been de-identified under the CCPA's standard (so it cannot reasonably be linked to a specific consumer or household) falls outside the definition of personal information and does not require redaction.
  • Publicly available information. Information that a business has a reasonable basis to believe the consumer has lawfully made available to the public is excluded from the CCPA's definition of personal information under Section 1798.140(v)(2).
  • Business contact information used in a purely commercial context. An employee's business email address or work phone number used in a B2B transaction is not treated as personal information under the CCPA when it relates to their role as an employee, not as a consumer.
  • Information already provided by the requester. If a consumer provided specific information as part of their request, including it back in the response does not constitute a CCPA violation.

The practical rule: redact third-party personal information that the consumer has no right to receive. Do not redact the consumer's own information, de-identified data that has been properly processed to remove linkability, or legitimately public data.

What is the CCPA redaction safe harbor?

This is the provision that changes the risk calculus for California businesses. Section 1798.150 creates a private right of action (meaning individual consumers, not just regulators, can sue) when their "nonencrypted and nonredacted personal information" is subject to unauthorized access due to a business's failure to implement reasonable security.

The penalties are significant:

  • $100 to $750 per consumer, per incident (statutory damages), or actual damages, whichever is greater
  • No cap on class size
  • A 30-day cure period after written notice before statutory damages apply

But the safe harbor is equally significant: if the personal information was properly encrypted or redacted at the time of the breach, the private right of action under Section 1798.150 does not apply. The 2019 amendment clarified that either encryption or redaction is sufficient; both are not required simultaneously.

What this means in practice: a business that routinely redacts personal information from stored documents, removing SSNs, account numbers, and other identifiers from records that don't need them, can significantly reduce its exposure to class-action litigation under the CCPA. This isn't a get-out-of-jail-free card (the California Attorney General and the California Privacy Protection Agency can still enforce), but it eliminates the most financially devastating enforcement pathway.

For the safe harbor to hold, the redaction must be permanent and irreversible. Visual masking (placing a black box over text without removing the underlying data) does not qualify. If a plaintiff can demonstrate that the "redacted" information was recoverable through copy-paste, text extraction, or metadata inspection, the safe harbor fails.

How do CCPA redaction requirements differ from GDPR?

Organizations operating in both California and the EU often assume they can use a single compliance framework for both. While the practical redaction workflows are similar, the legal structures differ in ways that matter.

CCPA vs GDPR: redaction-relevant differences

| Dimension | CCPA / CPRA | GDPR |
|---|---|---|
| DSAR response deadline | 45 days (extendable to 90) | 30 days (extendable to 90) |
| Scope of "personal information" | Broader; includes household-level data | "Personal data"; individual-level only |
| Redaction safe harbor | Explicit: Section 1798.150 shields from private lawsuits | No equivalent statutory safe harbor |
| Private right of action | Yes; consumers can sue directly | Yes, under Article 82 |
| Third-party redaction in DSARs | Implicit: must not disclose other consumers' PI | Explicit: Article 15(4) states rights of others must not be adversely affected |
| Fees for requests | Must be free | Can charge for manifestly excessive requests |
| Enforcement body | CA Attorney General + CPPA + private lawsuits | National data protection authorities |
| Maximum regulatory fine | $7,988 per intentional violation | €20 million or 4% of global revenue |

The practical takeaway: organizations handling both CCPA and GDPR obligations can use largely the same redaction workflow for both regimes. The same documents need the same PII stripped before disclosure. The key difference is the CCPA's explicit safe harbor, an incentive to redact proactively, not just reactively in response to access requests.

What are the CCPA penalties in 2026?

The California Privacy Protection Agency (CPPA) and the state Attorney General have ramped up enforcement significantly. Penalties are adjusted for inflation, and the fines are real.

Current penalty amounts (2026):

  • Unintentional violations: up to $2,663 per violation
  • Intentional violations or violations involving minors: up to $7,988 per violation
  • Private right of action for breaches: $100–$750 per consumer per incident

Recent enforcement actions:

The largest CCPA settlement to date came in February 2026, when the California Attorney General announced a $2.75 million settlement with Disney over opt-out violations across its streaming services. Disney's opt-out mechanism only applied per-device rather than account-wide, and its webform limited sharing within Disney's own ad ecosystem while continuing disclosures to third-party ad-tech partners. Disney must now report to the AG every 60 days on compliance progress.

Other notable 2026 enforcement actions include Tractor Supply Company ($1.35 million), American Honda Motor Co. ($632,500), Todd Snyder Inc. ($345,178), and a $1.1 million fine involving student privacy violations. The CPPA's enforcement division has also pursued multiple data broker registration violations.

These numbers may look modest compared to GDPR's headline fines. But remember the private right of action. A data breach affecting 100,000 California consumers, with statutory damages of $750 each, creates potential exposure of $75 million, dwarfing any regulatory fine. The redaction safe harbor in Section 1798.150 exists precisely to address this risk.

What changed on January 1, 2026

The CPPA Board adopted significant new regulations effective January 1, 2026, expanding the CCPA's operational requirements in several areas that affect redaction workflows.

Risk assessments. Businesses must now conduct risk assessments before processing activities that present significant risks to consumer privacy. This includes selling or sharing personal information, processing sensitive personal information, and using automated decision-making technology. Assessments must be submitted to the CPPA; the first attestation deadline is April 1, 2028.

Annual cybersecurity audits. Businesses that derive 50% or more of their revenue from selling or sharing personal information, or that meet revenue thresholds and process PI of 250,000+ consumers or SPI of 50,000+ consumers, must conduct annual cybersecurity audits. Deadlines are staggered by revenue: over $100M revenue by April 1, 2028; $50M–$100M by April 1, 2029; under $50M by April 1, 2030.

Automated decision-making technology (ADMT). Businesses using ADMT for significant decisions concerning consumers must provide pre-use notices, honor opt-out requests, and give consumers access to ADMT outputs.

Expanded data access rights. Businesses must now provide access to personal information going back to January 1, 2022, not just information collected after the consumer's request. For organizations with years of accumulated documents, this dramatically increases the volume of records that may need redaction before disclosure.

These regulations make a compelling case for automating your redaction workflow rather than handling it manually. The volume of documents, the breadth of data types, and the accountability requirements (risk assessments, audit trails, cybersecurity audits) all point toward systematizing the process.

How to build a CCPA-compliant redaction workflow

A CCPA-compliant redaction process needs to address five requirements.

1. Identify all 11 categories of personal information. The CCPA's definition is broad. A single contract might contain identifiers (names, SSNs), commercial information (purchase amounts), professional information (job titles), and inferences (credit scores). Your redaction tool or process needs to catch all of them, not just the obvious ones.

2. Handle DSARs within the 45-day window. When a consumer requests their data, you need to locate all responsive documents, identify and redact third-party personal information in those documents, and deliver the response. On unstructured data (PDFs, Word documents, scanned records, emails), manual redaction at scale is not feasible within this timeline.

3. Make redactions permanent and irreversible. Visual overlays do not satisfy the CCPA. The underlying data must be removed from the document's content streams. If you're using free tools that draw black boxes without removing text, you're not meeting the standard, and the safe harbor won't protect you.

4. Maintain audit trails. The 2026 regulations require demonstrable compliance. An audit trail showing what was redacted, when, by whom, and under which legal basis is not optional: it's what proves your process works when a regulator or plaintiff's attorney asks.

5. Strip metadata. Document properties, revision history, author names, and embedded content all constitute personal information under the CCPA. Redacting visible text without cleaning metadata leaves personal information in the file that can be extracted with standard tools.
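The two recovery checks named in steps 3 and 5 (text extraction from the content streams and metadata inspection), as an added Python example that is not the page's or RedactifyAI's code: it builds two constructed sample PDFs with the standard library only, one with an overlay-only black box and one with the text actually removed, and reports what an auditor can still pull out of each. The mini-parser assumes uncompressed streams and unescaped string literals, which keeps it self-contained; real files need a full PDF parser, but the check is the same.

```python
import re

# Constructed example PII: SSN-shaped strings, which the CCPA lists both as
# identifiers and as sensitive personal information.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def build_pdf(content: bytes, author: str) -> bytes:
    """Assemble a minimal, uncompressed one-page PDF around a page content
    stream and an /Info dictionary (constructed sample, not a real file)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"endstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Author (%s) >>" % author.encode(),
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\n"
            b"startxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref))
    return bytes(out)


def residual_pii(pdf: bytes) -> list[str]:
    """Text extraction: every string literal in a content stream is what
    copy-paste sees, whatever is painted over it.  Metadata inspection:
    string values left in the /Info dictionary.  Returns the findings."""
    findings = []
    for stream in re.findall(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        for literal in re.findall(rb"\(([^)]*)\)", stream):
            for ssn in SSN_RE.findall(literal):
                findings.append("content stream: " + ssn.decode())
    info_ref = re.search(rb"/Info (\d+) 0 R", pdf)
    if info_ref:
        info = re.search(rb"\n%s 0 obj\n(.*?)\nendobj" % info_ref.group(1), pdf, re.S)
        for key, value in re.findall(rb"/(\w+) \(([^)]*)\)", info.group(1)):
            if value:  # an empty string means the field was cleared
                findings.append(f"metadata /{key.decode()}: {value.decode()}")
    return findings


TEXT = b"BT /F1 12 Tf 72 720 Td (SSN 123-45-6789) Tj ET\n"
BLACK_BOX = b"0 0 0 rg 70 715 300 16 re f\n"  # filled rectangle over the text
# Overlay-only "redaction": the text operator survives under the box and the
# author name is still in /Info.
OVERLAY_PDF = build_pdf(TEXT + BLACK_BOX, "Jane Doe")
# Real redaction: the string itself is replaced and the metadata is cleared.
REDACTED_PDF = build_pdf(b"BT /F1 12 Tf 72 720 Td ([REDACTED]) Tj ET\n", "")

if __name__ == "__main__":
    print("overlay :", residual_pii(OVERLAY_PDF))
    print("redacted:", residual_pii(REDACTED_PDF))
```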

How RedactifyAI supports CCPA compliance

RedactifyAI was designed for exactly this kind of regulatory workflow. Its AI detection engine scans documents for all 11 CCPA categories of personal information, including the sensitive personal information categories added by the CPRA. It identifies names, SSNs, financial account numbers, biometric identifiers, geolocation references, and more, then flags each detection for review before applying permanent, irreversible redaction.

For DSAR response workflows, the platform processes PDFs, Word documents, and scanned images with OCR, stripping both visible content and hidden metadata in a single pass. Every redaction is logged with timestamps and user attribution, creating the audit trail that the 2026 regulations require.

The Section 1798.150 safe harbor is only as strong as your redaction process. If a breach occurs and your "redacted" documents turn out to contain recoverable text under visual overlays, the safe harbor fails and the private right of action is back on the table. Permanent redaction (the kind that modifies the document's content streams rather than decorating them) is what the statute requires.

Test your current process against a real document. Upload a PDF to our free redaction tool and see what the AI catches that manual review missed. For full multi-document DSAR workflows, sign up free or book a demo.

Frequently asked questions

Does the CCPA require businesses to redact documents?

Not in those exact words. The CCPA requires businesses to protect personal information through reasonable security measures and to avoid disclosing third-party personal information during DSAR responses. Redaction is the primary mechanism for meeting both obligations. Section 1798.150 explicitly rewards redaction by providing a safe harbor from private lawsuits when breached data was properly redacted.

What is the CCPA redaction safe harbor?

Section 1798.150 of the CCPA allows consumers to sue businesses when non-encrypted and non-redacted personal information is breached. If the data was properly encrypted or redacted before the breach, the private right of action does not apply. This means properly redacted data shields a business from class-action litigation under the CCPA, though the Attorney General and CPPA can still pursue enforcement actions.

How is CCPA different from GDPR for redaction purposes?

The practical redaction work is similar: both require removing third-party personal information from documents before disclosure. Key differences: the CCPA provides an explicit redaction safe harbor (GDPR does not), CCPA allows 45 days to respond to access requests (GDPR allows 30), and the CCPA defines personal information more broadly to include household-level data. See our GDPR and HIPAA redaction guide for a detailed comparison.

What are the penalties for CCPA violations in 2026?

Unintentional violations carry fines up to $2,663 per violation. Intentional violations or those involving minors carry fines up to $7,988 per violation. Under the private right of action (Section 1798.150), consumers can sue for $100–$750 per person per incident for breaches involving non-redacted data. The largest settlement to date is the $2.75 million Disney case in February 2026.

What changed with the CCPA regulations effective January 1, 2026?

The CPPA Board adopted new regulations requiring risk assessments before high-risk processing activities, annual cybersecurity audits for qualifying businesses, new obligations around automated decision-making technology, and expanded data access rights back to January 1, 2022. These regulations increase the operational complexity of CCPA compliance and make automated redaction workflows more important.

Does visual masking (black boxes) satisfy CCPA redaction requirements?

No. Visual masking (placing a black rectangle over text without removing the underlying data) does not constitute redaction under the CCPA. The text remains in the document's content streams and can be recovered through copy-paste, text extraction, or metadata inspection. For the Section 1798.150 safe harbor to apply, redaction must permanently and irreversibly remove the personal information from the file.

Stop redacting documents manually

RedactifyAI detects PII automatically and redacts it permanently. Not just a black box overlay. Try it free, no credit card required.

Learn more about AI redaction software and how it compares to manual redaction tools.