CCPA • 10 min read • January 10, 2025

Understanding CCPA: What California's Privacy Law Means for Your Business

Everything you need to know about the California Consumer Privacy Act. Who it applies to, what rights it grants, and how to achieve compliance.

California has always been a bit different when it comes to privacy laws. While the rest of the United States has largely taken a hands-off approach to data protection, California has consistently pushed ahead with consumer privacy rights. The California Consumer Privacy Act, or CCPA, is the most significant example of this trend.

Passed in 2018 and effective since January 2020, CCPA gave California residents unprecedented control over their personal information. It's often compared to Europe's GDPR, though there are important differences. And with the California Privacy Rights Act (CPRA) amendments taking effect, the law has only gotten stronger.

Who Does CCPA Apply To?

Unlike GDPR, which applies to almost any organization processing EU residents' data, CCPA has specific thresholds. The law applies to for-profit businesses that do business in California AND meet one of these criteria:

  • Annual gross revenue exceeding $25 million
  • Buying, selling, or sharing personal information of 100,000 or more California residents, households, or devices annually
  • Deriving 50% or more of annual revenue from selling or sharing California residents' personal information

That first threshold sounds high, but the second one catches many businesses off guard. If you have 100,000 unique visitors from California per year and you're using analytics or advertising that involves data sharing, you might meet that threshold without realizing it.

There are also some exemptions. Nonprofits are generally excluded. So are businesses covered by certain sector-specific regulations like HIPAA for healthcare data. But these exemptions are narrower than many people assume.

What Counts as Personal Information?

CCPA uses a broad definition of personal information—anything that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

This includes the obvious stuff like names and email addresses, but also:

  • IP addresses
  • Browsing history
  • Search history
  • Purchasing history
  • Geolocation data
  • Biometric information
  • Professional or employment information
  • Education information
  • Inferences drawn from any of the above

That last category—inferences—is particularly broad. If you're using data to make predictions about someone's preferences, characteristics, or behavior, those predictions themselves become personal information under CCPA.

The Consumer Rights You Need to Know

CCPA grants California residents several specific rights. If you're subject to the law, you need to be prepared to honor these.

Right to Know

Consumers can request that you disclose what personal information you've collected about them, where it came from, why you collected it, and who you've shared it with. You have 45 days to respond to these requests, with a possible 45-day extension if you notify the consumer.

This isn't just about providing a data dump. You need to explain your data practices in a meaningful way.

Right to Delete

Consumers can request that you delete their personal information. You must also direct any service providers you've shared the data with to delete it as well.

There are exceptions. You can retain data if it's necessary to complete a transaction, detect security incidents, comply with legal obligations, or for certain internal uses. But you can't just refuse because deletion is inconvenient.

Right to Opt-Out of Sale

If you "sell" personal information, consumers have the right to opt out. This is where CCPA gets tricky, because "sale" is defined very broadly. It includes not just traditional data sales for money, but also sharing data for other valuable consideration.

This means that common practices like sharing data with advertising networks might constitute "sales" under CCPA, even if no money changes hands directly. If you're participating in targeted advertising ecosystems, you probably need a "Do Not Sell My Personal Information" link on your website.

Right to Non-Discrimination

You cannot treat consumers differently because they exercised their CCPA rights. You can't charge them more, provide inferior service, or deny them goods because they opted out of data sales or requested deletion.

There is one nuance here: if consumer data is directly tied to a service benefit, you can offer financial incentives for providing data, as long as they're reasonably related to the value of the data and clearly disclosed.

What CPRA Changed

The California Privacy Rights Act, passed in 2020 and fully effective since 2023, amended and expanded CCPA significantly. Some key changes:

New Rights

Right to Correct: Consumers can now request correction of inaccurate personal information.

Right to Limit Use of Sensitive Personal Information: Consumers can direct businesses to limit the use of sensitive data (like precise geolocation, race, health information) to what's necessary for providing the service.

"Sharing" Alongside "Selling"

CPRA added "sharing" as a distinct concept from "selling." Sharing means transferring personal information for cross-context behavioral advertising, even without monetary exchange. This closed a loophole where some businesses argued their advertising data flows weren't "sales."

Enforcement Agency

CPRA established the California Privacy Protection Agency (CPPA), a dedicated enforcement body. Previously, CCPA was enforced solely by the Attorney General's office. This new agency has more resources and is expected to be more active in enforcement.

Expanded Liability

CPRA extended the private right of action (the ability of consumers to sue directly) to certain data breaches involving email data, in addition to the categories of personal information originally covered.

Compliance Requirements

If CCPA applies to your business, here's what you need to have in place:

Privacy Policy Updates

Your privacy policy must include specific CCPA disclosures: categories of personal information collected in the past 12 months, the purposes for collection, categories of sources, categories of third parties with whom you share data, and specific pieces of information collected.

You also need to explain each consumer right and how to exercise it.

Consumer Request Procedures

You need at least two methods for consumers to submit requests—typically a toll-free phone number and a website form. For online-only businesses, email can work, but having a dedicated form is recommended.

You must verify the identity of consumers making requests. The verification level should match the sensitivity of the request—deletion requests typically require more robust verification than access requests.

"Do Not Sell or Share" Link

If you sell or share personal information for cross-context behavioral advertising, you need a clear link on your homepage titled "Do Not Sell or Share My Personal Information." Consumers clicking this link must be able to opt out without creating an account.

Training

Anyone who handles consumer inquiries needs to know about CCPA rights and how to direct consumers to exercise them. The law specifically requires training for customer service personnel.

Data Inventory

While not explicitly required, you practically need to know what data you have, where it comes from, where it goes, and why you have it. You can't respond to consumer requests accurately without this information.

Penalties for Non-Compliance

CCPA violations can result in civil penalties up to $2,500 per unintentional violation and $7,500 per intentional violation. These are per-violation penalties, so they can add up quickly if you have systematic compliance failures.

Consumers can also sue directly for certain data breaches—specifically, unauthorized access resulting from a failure to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.

When you're talking about breaches affecting thousands of consumers, those statutory damages can become substantial.

CCPA vs. GDPR: Key Differences

If you're already GDPR compliant, you have a head start on CCPA, but there are some important differences:

Scope: GDPR applies to virtually any organization processing EU residents' data, with no revenue or volume threshold. CCPA applies only to businesses that meet its specific thresholds.

Consent vs. Opt-Out: GDPR often requires affirmative consent before processing. CCPA generally allows processing but requires opt-out mechanisms for sales.

Sale of Data: CCPA's focus on data "sales" is unique. GDPR doesn't have this same concept.

Private Right of Action: CCPA allows consumers to sue for certain breaches. GDPR enforcement is primarily through regulatory authorities.

Practical Steps for Businesses

If you're just starting CCPA compliance, here's a roadmap:

  1. Determine if CCPA applies to you. Calculate your California exposure against the thresholds.
  2. Map your data. Understand what personal information you collect, from where, and who you share it with.
  3. Assess your data sales. This is often the trickiest part. Review your advertising and data-sharing relationships.
  4. Update your privacy policy. Add the required CCPA disclosures.
  5. Implement consumer request mechanisms. Build out the processes for receiving and responding to rights requests.
  6. Add opt-out mechanisms. If you're selling or sharing data, implement the required links and processes.
  7. Train your team. Make sure everyone who interacts with consumers knows about CCPA.
  8. Review contracts. Ensure your service provider agreements include appropriate data protection terms.

CCPA compliance isn't a one-time project. Consumer expectations are evolving, enforcement is ramping up, and more states are passing similar laws. Building a solid privacy foundation now will serve you well as the regulatory landscape continues to shift.

Legal Disclaimer

This article is for informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction and change over time. Consult with a qualified attorney for advice specific to your situation.
