The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is one of the most comprehensive state-level privacy laws in the United States. The CCPA took effect on January 1, 2020, and the CPRA amendments became operative on January 1, 2023. CCPA gives California residents substantial rights over their personal information and imposes obligations on businesses that collect or process that data.
Who CCPA applies to
CCPA applies to for-profit businesses that collect California consumers’ personal information and meet any of the following thresholds:
| Threshold | Criteria |
|---|---|
| Annual revenue | Gross annual revenue exceeding $25 million (the figure is adjusted for inflation by regulation) |
| Data volume | Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households (the pre-CPRA threshold of 50,000 consumers, households, or devices no longer applies) |
| Revenue from data | Derives 50% or more of annual revenue from selling or sharing California consumers’ personal information |
CCPA applies based on where the consumer resides, not where your business is located. A company in New York with California customers must comply if it meets the thresholds.
Who is a “consumer”?
Under CCPA, a “consumer” is any California resident—defined as a natural person who is in California for other than a temporary or transitory purpose, or who is domiciled in California but currently outside the state temporarily.
Key definitions
CCPA uses specific terminology that differs from GDPR and other privacy frameworks:
| Term | Definition |
|---|---|
| Personal information | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Broader than many definitions: it includes IP addresses, browsing history, and inferences drawn from other data. |
| Sale | Selling, renting, releasing, disclosing, disseminating, making available, or transferring personal information to a third party for monetary or other valuable consideration. |
| Share | Disclosing or making personal information available to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. Added by CPRA. |
| Service provider | An entity that processes personal information on behalf of a business pursuant to a written contract that prohibits retaining, using, or disclosing the information for purposes other than performing the contracted services. |
| Contractor | An entity to which a business makes personal information available for a business purpose under a written contract, rather than one that processes data on the business’s behalf; subject to contractual restrictions equivalent to a service provider’s. Added by CPRA to close perceived loopholes. |
| Business | A for-profit entity that collects consumers’ personal information, determines the purposes and means of processing it, and meets one of the CCPA thresholds. |
The “sale” definition is broader than cash transactions. Sharing data with an advertising partner in exchange for services can constitute a sale under CCPA.
Consumer rights
CCPA grants California consumers specific rights over their personal information:
Right to know
Consumers can request that a business disclose:
- The categories of personal information collected
- The sources from which information was collected
- The business or commercial purpose for collection or sale
- The categories of third parties with whom information is shared
- The specific pieces of personal information collected about them
Right to delete
Consumers can request deletion of their personal information, with limited exceptions for legal obligations, completing transactions, security purposes, and certain internal uses.
Right to correct
Added by CPRA, consumers can request correction of inaccurate personal information that a business maintains about them.
Right to opt-out of sale/sharing
Consumers can direct businesses not to sell or share their personal information. Businesses must provide a clear “Do Not Sell or Share My Personal Information” link on their website, and the CPRA regulations also require them to honor opt-out preference signals sent by the consumer’s browser or device (such as Global Privacy Control) as a valid opt-out request.
Right to limit use of sensitive personal information
Added by CPRA, consumers can limit a business’s use of sensitive personal information (such as Social Security numbers, financial account numbers, precise geolocation, or racial or ethnic origin) to purposes necessary for providing the requested goods or services. Businesses that use sensitive personal information beyond those purposes must provide a “Limit the Use of My Sensitive Personal Information” link.
Right to non-discrimination
Businesses cannot discriminate against consumers who exercise their CCPA rights through:
- Denying goods or services
- Charging different prices
- Providing different quality of goods or services
- Suggesting that exercising rights will result in any of the above
Business obligations
Businesses subject to CCPA must fulfill several requirements:
Privacy notices
Provide a privacy policy that discloses:
- Categories of personal information collected in the past 12 months
- Purposes for each category
- Categories of sources and third parties
- Consumer rights and how to exercise them
- Whether information is sold or shared, with opt-out instructions
Responding to consumer requests
- Provide at least two designated methods for submitting requests, including a toll-free telephone number; a business with a website must also accept requests through it. A business that operates exclusively online and has a direct relationship with the consumer need only provide an email address.
- Verify the identity of consumers making requests, using a level of verification proportionate to the sensitivity of the data and the risk of harm from an unauthorized request
- Confirm receipt of a request to know, delete, or correct within 10 business days, and respond within 45 calendar days (extendable by an additional 45 days with notice to the consumer)
- Provide information free of charge; a business is not required to fulfill more than two requests to know from the same consumer within a 12-month period
Service provider contracts
Maintain written contracts with service providers and contractors that:
- Specify the limited business purposes for which the information is processed
- Prohibit selling or sharing the information
- Prohibit retaining, using, or disclosing the information outside the direct business relationship, or combining it with personal information obtained elsewhere
- Require the same level of privacy protection as required by CCPA
- Require the provider to notify the business if it can no longer meet its obligations
- Grant the business the right to take reasonable steps to ensure compliance and to stop and remediate unauthorized use
Training
Ensure that personnel handling consumer inquiries about privacy practices are informed of CCPA requirements.
Record keeping
Every business must keep records of consumer requests and how it responded to them for at least 24 months. Businesses that know or reasonably should know they buy, sell, or share the personal information of 10 million or more consumers in a calendar year must additionally compile annual metrics (requests received, complied with in whole or in part, and denied, plus the median or mean response time) and publish them in their privacy policy.
Sensitive personal information
CPRA created a special category of “sensitive personal information” with additional protections:
- Social Security, driver’s license, state ID, or passport numbers
- Account log-in credentials (username with password or security questions)
- Financial account, debit card, or credit card numbers with access codes
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, union membership
- Contents of mail, email, or text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information for identification purposes
- Health information
- Sex life or sexual orientation information
Consumers can limit the use of sensitive personal information to what is necessary to perform the services or provide the goods reasonably expected.
Enforcement and penalties
CCPA is enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General:
| Violation type | Penalty |
|---|---|
| Intentional violations, or violations involving personal information of consumers under 16 | Up to $7,500 per violation |
| Other violations | Up to $2,500 per violation |
| Data breaches | Private right of action with statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater |
Penalties are assessed per violation, meaning each affected consumer or each instance of non-compliance can be a separate violation. This can result in substantial aggregate penalties for widespread issues.
CCPA’s private right of action is narrow: consumers can sue directly only for data breaches in which their non-encrypted and non-redacted personal information (as defined in California’s breach notification statute), or an email address together with a password or security question, is exposed because the business failed to implement and maintain reasonable security procedures and practices. Violations of every other CCPA provision are enforced only by the CPPA and the Attorney General. CPRA also removed the 30-day cure period that the original CCPA granted before enforcement.
CCPA vs. GDPR
While both laws protect consumer privacy, they differ in significant ways:
| Aspect | CCPA | GDPR |
|---|---|---|
| Scope | For-profit businesses meeting thresholds that handle California consumers’ personal information | Any organization processing the personal data of individuals in the EU/EEA, regardless of where the organization is established |
| Approach | Opt-out model (processing is permitted by default; consumers must request restrictions) | Opt-in model (a lawful basis is required before processing) |
| Personal data definition | Includes household and device data | Focuses on identified or identifiable natural persons |
| Enforcement | State agency (CPPA) and Attorney General | National Data Protection Authorities |
| Private right of action | Limited to data breaches | Available: data subjects may seek a judicial remedy and compensation for damage caused by a violation |
| Penalties | Per-violation penalties with no revenue cap | Up to 4% of global annual turnover or €20 million, whichever is higher |