California Consumer Privacy Act (CCPA)
The CCPA is California's landmark privacy law granting consumers rights over their personal data and imposing obligations on businesses that collect it.
The California Consumer Privacy Act (CCPA), effective January 1, 2020, and later amended by the California Privacy Rights Act (CPRA) in 2023, is the most comprehensive state-level privacy law in the United States. It grants California residents specific rights over their personal information and imposes obligations on businesses that collect, sell, or share that data. The law applies to for-profit entities doing business in California that meet revenue thresholds of $25 million, handle data of 100,000 or more consumers or households, or derive 50% or more of revenue from selling or sharing personal information.
CCPA grants consumers the right to know what personal information is collected and how it is used, the right to delete personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising these rights. CPRA added the right to correct inaccurate information and the right to limit use of sensitive personal information. Businesses must provide clear privacy notices, honor consumer requests within 45 days, implement reasonable security measures, and maintain records of requests for 24 months. The California Privacy Protection Agency (CPPA) enforces the law alongside the state Attorney General. Businesses must also conduct regular risk assessments for high-risk processing activities.
CCPA violations can result in civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a private right of action for data breaches resulting from a business's failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident. Because the CCPA serves as the de facto national privacy standard, compliance is essential for any business with California customers. It has influenced privacy legislation in over a dozen other states.
Written by CDA Editorial