CCPA and Customer Reviews: US Brand Compliance Guide
Reviews are personal information under CCPA: disclose collection, honour deletion in 45 days, and offer a one-step opt-out, or face up to $7,500 per intentional violation.
The Californian customer's data subject request landed on a Friday. The reviews team had a clock running to surface every review she had ever written, every photo she had ever uploaded, and every consent record attached to either. This runbook is the one we wrote that Friday afternoon, before the next one arrived.
CCPA (and its successor CPRA) classifies customer reviews and review-linked profile data as personal information. That classification triggers disclosure, deletion, and opt-out obligations for any brand operating in California or marketing to Californians. The penalties are real: up to $7,500 per intentional violation, and California regulators have grown steadily more active since 2024.
What CCPA covers
CCPA applies to personal information: customer names, IP addresses, profile data, photographs, videos, and any inferences drawn from them. A customer review almost always carries several of these. The net is wide: any business with California customers above certain revenue or data thresholds is in scope, whether or not it is headquartered there.
What disclosure does CCPA require for reviews?
CCPA requires a privacy notice covering the categories of personal information collected, the purposes of use, the categories of third parties the data is shared with, retention periods, and consumer rights. UGC and review platforms must appear in that notice. Most brands' privacy policies are out of date on exactly these specifics. The consent records you keep for reuse double as evidence here; the operational backbone is covered in the UGC rights and permissions guide.
Right-to-delete handling
When a California consumer requests deletion of their review or UGC, the brand must comply within 45 days. The deletion must extend to: the brand's own systems, all sub-processors (including the UGC platform), CDN caches serving the content, analytics systems that retain user-identifiable data, and any downstream syndication partners. The CDN cache step is the one most brands miss.
"Sale" definition and review aggregators
If your reviews are syndicated to third-party platforms (Google Shopping, Meta, Bazaarvoice network), that may constitute a "sale" under CCPA depending on the financial relationship. Sales trigger additional opt-out obligations. Verify with each syndication partner whether their flow qualifies, and document the determination.
How does a CCPA opt-out workflow have to work?
Brands must provide a "Do Not Sell or Share My Personal Information" link, accessible from the homepage footer. The link must lead to a one-step opt-out. Hidden, multi-step, or pre-checked consent flows are non-compliant. Recent enforcement has homed in on this UI requirement specifically.
| Obligation | What it requires | The step brands miss |
|---|---|---|
| Disclosure | List UGC/review categories in the privacy notice | Naming the UGC platform as a processor |
| Right to delete | Erase within 45 days across all systems | Purging the CDN cache and syndication copies |
| Opt-out of "sale" | One-step "Do Not Sell or Share" link in the footer | Treating syndication as a non-sale without checking |
| Recordkeeping | Verifiable consumer-request log kept two years | No durable audit trail when the regulator asks |
Penalties
Civil penalties run $2,500 per unintentional violation and $7,500 per intentional one. The California Privacy Protection Agency (CPPA) has expanded enforcement staffing significantly since 2024, and its first enforcement actions targeted UGC and ad-tech specifically. The regulator has flagged both as priority areas.
Compliance checklist
Six steps: (1) audit your privacy policy for UGC-specific disclosures, (2) build a working right-to-delete pipeline including CDN purge, (3) provide a visible Do-Not-Sell link, (4) document data sharing with each review/UGC partner, (5) train customer service on consumer rights handling, (6) log every consumer request for audit purposes. The overlap with GDPR compliance covers most of the operational work.
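As an added example (not code from the article or from Idukki), here is a minimal Python tracker for the right-to-delete pipeline in steps (2) and (6) above: it fans a request out to every target the article lists, including the CDN cache, refuses to count the request as complete until each target has a logged purge, checks the 45-day deadline, and computes the two-year retention date for the request log. The target names, ticket id, dates and evidence strings are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Every system a CCPA deletion has to reach; the CDN purge is its own target because it is the step most brands miss.
REQUIRED_TARGETS = ("brand_db", "ugc_platform", "cdn_cache", "analytics", "syndication")
CCPA_SLA_DAYS = 45          # statutory deadline, counted from receipt
LOG_RETENTION_DAYS = 730    # consumer-request log kept two years

@dataclass
class DeletionRequest:
    request_id: str                                  # constructed ticket id
    received: date
    completed: dict = field(default_factory=dict)    # target -> purge date
    audit_log: list = field(default_factory=list)    # durable, append-only

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=CCPA_SLA_DAYS)

    def record_purge(self, target: str, when_iso: str, evidence: str) -> None:
        # Unknown targets are rejected rather than silently accepted as "done".
        if target not in REQUIRED_TARGETS:
            raise ValueError(f"unknown deletion target: {target}")
        self.completed[target] = date.fromisoformat(when_iso)
        self.audit_log.append({"request": self.request_id, "target": target,
                               "date": when_iso, "evidence": evidence})

    def outstanding(self) -> list:
        return [t for t in REQUIRED_TARGETS if t not in self.completed]

    def met_sla(self) -> bool:
        # Only a request purged from *every* target by the deadline counts as done.
        return not self.outstanding() and max(self.completed.values()) <= self.deadline

    def days_left(self, today_iso: str) -> int:
        return (self.deadline - date.fromisoformat(today_iso)).days

    def log_retain_until(self) -> date:
        # Two years from the last recorded action (or receipt, if nothing done yet).
        last = max(self.completed.values(), default=self.received)
        return last + timedelta(days=LOG_RETENTION_DAYS)

def demo() -> DeletionRequest:
    # Constructed sample: received on a Friday, worked over two weeks, CDN purge still missing.
    req = DeletionRequest("DSR-EXAMPLE-001", date(2026, 3, 6))
    req.record_purge("brand_db", "2026-03-09", "reviews/photos rows deleted")
    req.record_purge("ugc_platform", "2026-03-10", "sub-processor deletion receipt")
    req.record_purge("analytics", "2026-03-11", "user-id erasure job finished")
    req.record_purge("syndication", "2026-03-17", "partner confirmed takedown")
    return req
```

Running `demo()` and then `outstanding()` shows the one target still open, which is exactly the gap an auditor would ask about.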
CCPA compliance for UGC and reviews is a baseline expectation now, not an aspiration. The regulator is active and the penalties are real. Most brands underinvest until the first complaint or audit lands, and catch-up at that point costs far more than getting it right from the start.
Sources & notes
- 1. California Privacy Protection Agency (CPPA) · CCPA/CPRA regulations, enforcement priorities and penalty schedule.
- 2. GDPR full text · Articles 6 (lawful basis), 7 (consent), 17 (right to erasure), 28 (processor obligations), 46 (transfers).
- 3. FTC Endorsement Guides · Material connection must be disclosed clearly and conspicuously. Brand is liable for endorser disclosure failures.
- 4. Bazaarvoice, 2025 Shopper Experience Index · +144% conversion / +162% RPV among UGC-engagers; +354% conversion on PDPs with reviews vs without.
More from Rohin Aggarwal