Overview
The California Consumer Privacy Act (CCPA) is a state-level data privacy law enacted in California, effective January 1, 2020. It grants California residents greater control over their personal information and imposes data protection requirements on businesses that collect it.
CCPA is often compared to the GDPR, but it focuses more on consumer rights and transparency than on detailed security requirements.
Key Objectives
- Increase transparency around data collection and sharing
- Empower California residents with rights over their personal data
- Require businesses to disclose how personal information is used and shared
- Provide a framework for enforcement and private legal action in case of certain data breaches
Consumer Rights
Under CCPA, California residents have the right to:
- Know what personal data is being collected and why
- Access their personal data
- Delete their personal data
- Opt out of the sale of personal data
- Not be discriminated against for exercising their CCPA rights
Applicability
CCPA applies to for-profit businesses that collect personal information from California residents and meet any of the following thresholds:
- Gross revenue over $25 million
- Buy/sell/share personal data of 100,000+ consumers or households
- Earn 50% or more of annual revenue from selling personal information
Business Obligations
- Provide clear and accessible privacy notices at or before data collection
- Implement processes for consumers to submit data access and deletion requests
- Include a “Do Not Sell My Personal Information” link on websites, if applicable
- Respond to requests within 45 days
- Train employees handling CCPA requests on compliance procedures
Enforcement and Penalties
- Enforced by the California Attorney General and California Privacy Protection Agency (CPPA)
- Fines up to $7,500 for intentional violations
- Individuals can sue for certain data breaches involving unencrypted personal data
CPRA Update
The California Privacy Rights Act (CPRA), effective January 1, 2023, amends and expands CCPA. It adds new rights, defines sensitive personal information, and establishes a dedicated enforcement agency (CPPA).
Summary
CCPA is a cornerstone U.S. data privacy law. Even companies outside California should consider compliance if they collect California resident data.
- Enhances consumer control over personal data
- Emphasizes transparency and accountability
- Serves as a model for other state privacy laws in the U.S.