California Privacy Law

    What is CCPA?

    Understanding California's Consumer Privacy Act: rights, requirements, and compliance

    Updated: January 2025 | 7 min read

    CCPA Definition

    The California Consumer Privacy Act (CCPA) is a state-level data privacy law that went into effect on January 1, 2020. It gives California residents new rights over their personal information and imposes obligations on businesses that collect consumer data.

    The California Privacy Rights Act (CPRA), approved by voters in November 2020 and in force since January 1, 2023, amended and expanded the CCPA. It strengthened consumer rights and created the California Privacy Protection Agency (CPPA) to enforce the law alongside the Attorney General.

    Key Fact:

    CCPA is often called "GDPR for California" but has significant differences in scope, rights, and enforcement.

    Who Must Comply with CCPA?

    CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one of these criteria:

    1. Annual gross revenues exceeding $25 million
    2. Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year
    3. Derives 50% or more of annual revenue from selling or sharing consumers' personal information

    Important: Even businesses outside California must comply if they collect data from California residents and meet the thresholds above.

    Consumer Rights Under CCPA

    CCPA grants California residents six fundamental privacy rights:

    Right to Know

    Request disclosure of personal information collected, used, or sold

    Right to Delete

    Request deletion of personal information held by businesses

    Right to Opt-Out

    Opt-out of the sale or sharing of personal information

    Right to Non-Discrimination

    Equal service and pricing regardless of exercising rights

    Right to Correct

    Request correction of inaccurate personal information

    Right to Portability

    Receive personal information in a portable format

    What is Personal Information Under CCPA?

    CCPA defines personal information broadly as information that identifies, relates to, or could reasonably be linked to a California consumer or household. This includes:

    • Identifiers (name, email, IP address)
    • Commercial information (purchase history)
    • Biometric data
    • Internet activity (browsing history)
    • Geolocation data
    • Professional information
    • Education information
    • Inferences about preferences
    • Sensitive personal information
    • Audio, electronic, visual, thermal, olfactory, or similar information

    CCPA Compliance Requirements

    Businesses subject to CCPA must:

    1. Provide Privacy Notice

    Disclose what categories of personal information are collected, sources, purposes, and whether it's sold or shared.

    • A notice at collection must be given at or before the point where personal information is collected
    • The privacy policy must be reviewed and updated at least once every 12 months
    • Disclosures must cover the business's practices over the preceding 12 months

    2. Honor Consumer Requests

    Respond to consumer requests for access, deletion, correction, and opt-out within specified timeframes.

    • Verify the requester's identity before disclosing, correcting, or deleting data; opt-out requests must not be gated on verification
    • Confirm receipt within 10 business days and respond within 45 calendar days (extendable once by a further 45 days, 90 in total); honor opt-out requests within 15 business days
    • Offer at least two methods to submit requests, including a toll-free number unless the business operates exclusively online and has a direct relationship with the consumer

    3. Provide "Do Not Sell or Share" Link

    If you sell or share personal information, you must provide a clear "Do Not Sell or Share My Personal Information" link on your homepage.

    4. Train Employees

    Train employees who handle consumer inquiries about CCPA requirements and how to respond to requests.

    5. Implement Reasonable Security

    Maintain reasonable security procedures to protect consumer personal information from unauthorized access.

    CCPA Penalties and Enforcement

    Civil Penalties

    Up to $2,500 per violation

    For unintentional violations of CCPA requirements

    Intentional Violations

    Up to $7,500 per violation

    For intentional violations, and for violations involving the personal information of consumers under 16. The CPRA removed the original 30-day cure period, so regulators are no longer required to offer a chance to cure before seeking penalties.

    Private Right of Action

    $100-$750 per consumer per incident

    Consumers can sue for statutory damages (or actual damages, if greater) when their nonencrypted and nonredacted personal information is exposed in a breach caused by a failure to maintain reasonable security. Because the right of action is limited to unencrypted, unredacted data, encryption at rest and field-level redaction directly reduce breach-litigation exposure, not just breach impact.

    CCPA vs GDPR: Key Differences

    Aspect             CCPA                                  GDPR
    Scope              California residents                  EU/EEA residents
    Consent            Opt-out model                         Opt-in model (explicit consent)
    Right to Delete    More exceptions allowed               Broader right to erasure
    Max Penalty        $7,500 per violation                  €20M or 4% of global annual turnover, whichever is higher
    Enforcement        California Attorney General + CPPA    Data protection authorities

    Steps to CCPA Compliance

    1. Assess applicability: Determine if your business meets CCPA thresholds
    2. Data inventory: Map what personal information you collect and where it flows
    3. Update privacy policy: Add CCPA-required disclosures
    4. Add opt-out mechanism: Implement the "Do Not Sell or Share My Personal Information" link if you sell or share personal information
    5. Create request portal: Set up process for consumers to submit requests
    6. Implement verification: Establish procedures to verify consumer identity
    7. Train staff: Educate employees on CCPA requirements and procedures
    8. Review contracts: Update service provider and vendor agreements
    9. Monitor compliance: Regularly audit processes and update as needed

    Generate Your CCPA-Compliant Privacy Policy

    PolicyForge automatically includes CCPA-required disclosures in your privacy policy. No legal expertise required.
