The California Consumer Privacy Act (CCPA) is a data privacy law that gives California residents specific rights over their personal information. Since taking effect in January 2020, CCPA has become one of the most significant privacy regulations in the United States.
What Does CCPA Stand For?
CCPA stands for California Consumer Privacy Act. It was passed in 2018 and became enforceable in 2020. The law was later amended by the California Privacy Rights Act (CPRA), which strengthened certain provisions starting in 2023.
While CCPA focuses on California residents, its effects extend to businesses across the country and internationally if they meet certain criteria.
Who Does the CCPA Apply To?
CCPA applies to for-profit businesses that meet at least one of the following thresholds:
- Annual gross revenues exceeding $25 million
- Buying, selling, or sharing personal information of 100,000 or more California residents, households, or devices annually
- Deriving 50% or more of annual revenues from selling or sharing California residents’ personal information
Businesses that do not meet any of these thresholds are generally not subject to CCPA, though they may still choose to adopt privacy measures as a matter of good practice.
What Is Personal Information Under CCPA?
CCPA defines personal information broadly as information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household.
Examples include:
- Names, addresses, and phone numbers
- Email addresses and account names
- Social Security numbers and driver’s license numbers
- Purchase history and browsing history
- Geolocation data
- Biometric information
- Professional or employment information
- Inferences drawn from any of the above
Unlike some definitions of personal information, CCPA's definition extends to household-level data, not just individual data.
Consumer Rights Under CCPA
California residents have several rights under CCPA:
Right to Know: Consumers can request disclosure of what personal information a business has collected, the sources of that information, the purposes for collection, and the categories of third parties with whom it was shared.
Right to Delete: Consumers can request deletion of their personal information, subject to certain exceptions.
Right to Opt-Out: Consumers can direct businesses not to sell or share their personal information. This is often implemented through “Do Not Sell My Personal Information” links.
Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights by charging different prices or providing different service levels.
CCPA Compliance Requirements
Businesses subject to CCPA must implement several measures:
Privacy Policy: A clear privacy policy must describe data collection practices, consumer rights, and how to exercise those rights.
Consumer Request Processes: Businesses must establish methods for consumers to submit requests and respond within specific timeframes.
Opt-Out Mechanisms: A clear and conspicuous link allowing consumers to opt out of the sale of their personal information must be provided.
Data Inventory: Understanding what personal information is collected, where it comes from, and where it goes supports compliance obligations.
Employee Training: Staff handling consumer inquiries must understand CCPA requirements.
CCPA and Website Cookies
While CCPA does not require consent before placing cookies (unlike GDPR), it does require disclosure about data collection practices. If a website sells or shares personal information collected through cookies with third parties, the opt-out right applies.
The definition of “sale” under CCPA is broad and can include sharing data with advertising partners even without monetary exchange.
FAQ
What is the CCPA in simple terms?
CCPA is California’s privacy law giving residents rights to know what data businesses collect, delete that data, and opt out of its sale.
Why was the CCPA introduced?
CCPA was introduced to give California consumers control over personal information collected by businesses and increase transparency about data practices.
What is a CCPA violation?
Violations include failing to honor consumer requests, not providing required disclosures, or discriminating against consumers exercising their rights. Penalties can reach $7,500 per intentional violation.
What is the role of CCPA in data security?
CCPA requires businesses to implement reasonable security measures. Consumers can pursue private legal action if a data breach results from inadequate security.
What does CCPA require businesses to do?
Businesses must provide privacy notices, honor consumer rights requests, offer opt-out mechanisms, and maintain data handling practices that support compliance.
What is the definition of personal information under CCPA?
Personal information is any data identifying, relating to, or reasonably linkable to a California consumer or household, including identifiers, commercial information, and inferences.
Does CCPA apply to businesses outside California?
CCPA applies to businesses meeting revenue or data thresholds regardless of location, if they collect personal information from California residents.