California Consumer Privacy Act
The CCPA is California's first comprehensive consumer privacy law, granting residents rights to know, delete, and opt out of the sale of their personal information. It applies to larger for-profit businesses and is enforced by the California Attorney General.
The California Consumer Privacy Act (CCPA) is a state privacy law that gives California residents new rights over their personal information. It was signed in 2018 and took effect on January 1, 2020, with enforcement beginning July 1, 2020. The CCPA was the first comprehensive consumer privacy law in the United States and set a template that many other states followed.
The law focuses on transparency and consumer control. It requires businesses to tell consumers what personal information they collect and why, and it lets consumers limit how that information is sold or shared. The California Attorney General issued implementing regulations that detail notice and request-handling obligations.
Who It Applies To
The CCPA applies to for-profit businesses that collect personal information from California residents and that meet one of three thresholds: annual gross revenue over USD 25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenue from selling personal information. It covers personal information broadly, including identifiers, internet activity, geolocation, and inferences. Certain data covered by HIPAA, GLBA, and other laws is exempt.
Key Requirements
Consumers have the right to know what personal information is collected and how it is used and shared, the right to delete personal information, the right to opt out of the sale of personal information, and the right to non-discrimination for exercising their rights. Businesses must post a privacy policy describing collection and consumer rights. They must provide at least two methods for submitting requests and must respond within 45 days, extendable once. Businesses that sell personal information must post a clear "Do Not Sell My Personal Information" link. Special protections apply to minors: opt-in consent is required to sell the data of consumers under 16.
Penalties for Non-Compliance
The California Attorney General can seek civil penalties of up to USD 2,500 per violation and USD 7,500 per intentional violation. The CCPA also created a limited private right of action for certain data breaches involving non-encrypted, non-redacted personal information, with statutory damages between USD 100 and USD 750 per consumer per incident, or actual damages if greater.
How to Comply
Map the personal information you collect, the sources, the business purposes, and the third parties you share it with. Update your privacy policy to disclose categories, purposes, and consumer rights. Build verifiable request channels for access and deletion and meet the 45-day deadline. Add a "Do Not Sell" mechanism if you sell data, and honor opt-out signals. Apply heightened consent rules for minors. Train staff who handle requests and keep records of how requests are processed. Note that the CCPA was significantly amended by the CPRA, which added new rights and a dedicated enforcement agency.