CCPA Compliant Form Builder for California Businesses (2026)


Warning: This article is for informational purposes only and is not legal advice. CCPA and CPRA obligations vary by company size, revenue, and data-handling context. Consult a qualified privacy attorney or your CCPA Service Provider for advice specific to your business.

Last reviewed: 2026-04-14.

A CCPA compliant form builder provides the technical controls California businesses need to meet California Consumer Privacy Act and California Privacy Rights Act requirements on every data-collection form. It ships HTTPS by default, explicit consent fields, separate Do Not Sell checkboxes, data minimization, data retention webhooks, and clear privacy notices. AntForms provides all of these controls on the free plan, combined with the business processes (privacy policy, DSAR workflow, data inventory) that complete CCPA compliance.

Most California businesses under $25M revenue sit outside the strict CCPA threshold but still need compliance-ready forms to close B2B deals, pass vendor reviews, and build consumer trust. A compliance-ready form builder removes the technical barrier to compliance; the business processes sit on top.

TL;DR

  • CCPA and CPRA require: privacy notice, consent, Do Not Sell opt-out, data minimization, DSAR access
  • AntForms ships HTTPS, consent fields, opt-out checkboxes, retention webhooks on the free plan
  • Penalties reach $7,500 per intentional violation; CPPA fines grew 45 percent year-over-year in 2025
  • 12-month default data retention with webhook-triggered deletion is the accepted standard
  • Free on AntForms with unlimited submissions

What CCPA and CPRA require on a form

The California Consumer Privacy Act (effective January 1, 2020) and the California Privacy Rights Act (effective January 1, 2023) together set five requirements for every form that collects personal information from California residents.

  1. Notice at collection (CCPA section 1798.100): Privacy policy link visible before or at the point of collection.
  2. Explicit consent for data collection, stated in plain language, not buried in terms of service.
  3. Separate Do Not Sell or Share checkbox for cross-context behavioral advertising and data sales, equally prominent to the consent checkbox.
  4. Data minimization (CPRA section 1798.100(c)): Only collect data reasonably necessary for the stated purpose.
  5. Right to access, correct, delete (CPRA sections 1798.100 to 1798.130): Link to a data subject access request (DSAR) form.

The California Attorney General CCPA FAQ and the California Privacy Protection Agency publish updated guidance quarterly. Sensitive personal information (SPI) under CPRA includes health, finance, precise location, race, religion, sexual orientation, and genetic data, with additional restrictions.

Penalties have grown sharply since CPRA enforcement started in 2023.

| Violation type | Penalty |
|---|---|
| Unintentional violation | $2,500 per incident |
| Intentional violation | $7,500 per incident |
| Minor violation (under 16) | $7,500 per incident |
| Breach (private right of action) | $100 to $750 per consumer |
| Failure to cure after 30-day notice | $7,500 per incident |

California Privacy Protection Agency (CPPA) enforcement actions grew 45 percent year over year in 2025, according to the IAPP 2025 enforcement tracker. The largest 2025 settlements involved non-compliant web forms (Sephora, DoorDash, others). The trend: regulators enforce on what is easiest to observe, and web forms are easy to observe.

See "Build secure GDPR compliant forms with AntForms" for the parallel GDPR requirements and "Data privacy security online forms" for technical security patterns.

The 8 form controls a CCPA compliant builder ships

A form builder cannot make a business compliant. It can provide the technical controls that remove the compliance burden from developers.

| Control | Required for CCPA | AntForms free plan |
|---|---|---|
| HTTPS on every form | Yes | Yes |
| Privacy policy link | Yes | Free footer |
| Explicit consent checkbox | Yes | Free field |
| Separate opt-out checkbox | Yes | Free field |
| Data minimization (per-field justification) | Yes | Free (documented) |
| Sensitive data warnings | Yes (CPRA) | Conditional logic |
| Data retention webhook | Yes | Free |
| DSAR access link | Yes | Free footer |

AntForms provides all 8 controls at no cost. Business processes (privacy policy content, DSAR handler, data inventory) sit on top of the form.

Step-by-step: build your CCPA compliant form in AntForms

Follow these steps to publish a CCPA compliant form in about 5 minutes.

  1. Start with a blank form. Open AntForms, click New form, pick blank.
  2. Add the privacy notice link. Footer link pointing to your privacy policy. Required on every page that collects data.
  3. Add the explicit consent checkbox. Unchecked by default (consent must be affirmative). Plain language: “I consent to AntForms collecting my name, email, and [specific fields] to [specific purpose].”
  4. Add California-specific opt-out. Separate checkbox: “Do not sell or share my personal information.” Equally prominent styling.
  5. Apply data minimization. Only collect fields essential to the purpose. Document justification for each field in your data inventory.
  6. Add sensitive data warning. Conditional notice when health, finance, or demographic fields appear.
  7. Configure data retention. Webhook to your retention tool with a 12-month deletion trigger. See the AntForms Google Sheets integration for simple retention via timestamped sheets.
  8. Add the DSAR link. Footer link: “California residents can request data access, correction, or deletion here.”
  9. Verify HTTPS. AntForms serves every form over HTTPS. Check the embed page has no HTTP resources that create mixed-content warnings.
  10. Document in privacy inventory. Add the form to your data inventory with purpose, fields, retention period, and third-party sharing. Required for any CCPA audit.
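
The form-level controls from the steps above can be verified on the published page before it goes live. The following is an added example, not AntForms code or part of the original article: a Python check that scans a form's HTML for an unchecked consent box, a separate opt-out checkbox, privacy policy and DSAR links, and resources loaded over plain HTTP. The field names `consent` and `do_not_sell`, the expected link wording, and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample with three defects: pre-checked consent, no opt-out
# checkbox, and a script loaded over plain HTTP (mixed content).
SAMPLE = """<form action="https://forms.example/submit" method="post">
  <input type="checkbox" name="consent" checked> I consent to ...
  <script src="http://cdn.example/widget.js"></script>
  <a href="https://example.com/privacy">Privacy Policy</a>
  <a href="https://example.com/dsar">Request data access or deletion</a>
</form>"""

class FormScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.checkboxes = {}   # field name -> True if pre-checked
        self.insecure = []     # (tag, url) loaded or posted over HTTP
        self.links = []        # visible text of each <a>
        self._in_link = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.checkboxes[a.get("name") or ""] = "checked" in a
        if tag == "a":         # navigation links are not mixed content
            self._in_link = True
            self.links.append("")
            return
        for key in ("src", "href", "action"):
            if (a.get(key) or "").lower().startswith("http://"):
                self.insecure.append((tag, a[key]))
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False
    def handle_data(self, data):
        if self._in_link:
            self.links[-1] += data

def audit(html, consent="consent", opt_out="do_not_sell"):
    # Field names and link wording are assumptions; adjust to your form.
    scan = FormScan()
    scan.feed(html)
    text = " | ".join(scan.links).lower()
    checks = [
        ("no privacy policy link", "privacy policy" not in text),
        ("no consent checkbox", consent not in scan.checkboxes),
        ("consent checkbox is pre-checked", scan.checkboxes.get(consent, False)),
        ("no separate opt-out checkbox", opt_out not in scan.checkboxes),
        ("no DSAR link", "request data access" not in text),
    ]
    findings = [msg for msg, failed in checks if failed]
    return findings + [f"HTTP resource in <{t}>: {u}" for t, u in scan.insecure]
```

`audit(SAMPLE)` returns one finding per defect; an empty list means every check passed. It inspects markup only, so the retention webhook and data inventory steps still need separate verification.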

Real-world CCPA use cases for forms

These five scenarios show how California businesses apply the controls in practice.

  • B2B SaaS lead form. CCPA applies because prospects are California residents. Simple consent plus DSAR link handles the 95 percent case. Related: demo request form template saas 2026.
  • Ecommerce checkout with upsell. Checkout captures payment data (not CCPA-sensitive) plus optional email marketing (CCPA-sensitive). Separate opt-in for marketing.
  • Healthcare fitness app onboarding. Not HIPAA-regulated (no PHI) but CCPA-sensitive (health category). Conditional SPI warning when fitness goals are disclosed.
  • Financial services intake. CPRA sensitive category. Explicit consent for each data use (credit check, identity verification, marketing). See creating secure privacy-first forms legal tips 2026.
  • Children’s education platform. Under-16 users require verifiable parental consent. California fines are 3x higher for minors. Use a dedicated workflow with ID verification. Related: privacy by design forms marketing.

Common CCPA mistakes on forms

Six mistakes account for most CCPA enforcement actions. Each has a form-level fix.

  • Pre-checked consent boxes. CCPA consent must be affirmative. Pre-checking fails the test.
  • Consent buried in terms of service. Must be separate, prominent, plain language.
  • Single consent for multiple uses. Collecting email for order fulfillment does not imply consent to marketing. Separate checkboxes per use.
  • No Do Not Sell option. If you share data with ad networks (Google Analytics, Facebook Pixel, Meta Ads), you owe a Do Not Sell option.
  • Missing SPI warning. Collecting sensitive categories without a conditional warning violates CPRA section 1798.121.
  • No documented retention period. CCPA requires businesses to state retention timelines or the criteria used to determine them.

Limitations to know

AntForms provides technical controls for CCPA. Business processes sit on top and cannot be provided by any form builder.

  • Privacy policy content. A form builder does not write your privacy policy. Use a privacy policy generator (Termly, iubenda) or hire a privacy lawyer.
  • DSAR workflow handling. Someone must process access, correction, and deletion requests within 45 days. AntForms captures the request; a human processes it.
  • Vendor data processing agreements (DPAs). CCPA requires contracts with service providers. Sign a DPA with any vendor handling personal data, including form builders.
  • HIPAA for medical intake. AntForms does not sign BAAs. For HIPAA data, use a HIPAA-compliant platform with a signed BAA.
  • CPPA audit preparation. A form builder does not prepare audit responses. Maintain your own data inventory, consent logs, and DSAR response records.

Key takeaways

  • CCPA and CPRA require 5 controls on every form: notice, consent, opt-out, minimization, DSAR access.
  • AntForms ships 8 technical controls (HTTPS, consent, opt-out, retention webhook, DSAR link, SPI warnings, data minimization, privacy notice) on the free plan.
  • Penalties reach $7,500 per intentional violation; CPPA enforcement actions grew 45 percent year-over-year in 2025.
  • Consent must be affirmative (unchecked by default), separate, and in plain language.
  • Do Not Sell or Share checkbox is required separately from general consent for businesses sharing data with ad networks or selling data.
  • Sensitive personal information (CPRA) triggers additional warnings and use restrictions.
  • 12-month default data retention with webhook-triggered deletion is the accepted standard.
  • For HIPAA medical intake, use a HIPAA-compliant builder with a signed BAA; AntForms serves non-PHI health content.
