CCPA & CPRA: Understanding California’s Data Privacy Laws

The California Consumer Privacy Act (CCPA) is a groundbreaking privacy law that gives California residents greater control over their personal information. Passed in 2018 and enforceable since 2020, it was the first comprehensive state-level privacy law in America. Whether you’re a consumer concerned about your data or a business handling California residents’ information, understanding the CCPA is essential. This guide breaks down the core principles to help you understand this pivotal law.

The Birth and Evolution of CCPA

The CCPA emerged from growing public concern over how companies were collecting and using personal data without clear transparency or consent.

In 2017, a proposal was introduced to give Californians stronger privacy rights through a public vote. Before it could reach the ballot, California lawmakers stepped in, recognizing the strong demand for data protection.

On June 28, 2018, the California Consumer Privacy Act was passed and signed into law, making it the first comprehensive state-level privacy law in the United States. Its purpose was clear and direct: to give people visibility into how their data is used and real control over it.

The CPRA Era Begins

In November 2020, as businesses were still adapting to the CCPA, California voters approved Proposition 24, known as the California Privacy Rights Act (CPRA). This was not a new law replacing the CCPA; it was a stronger version built on it.

The CPRA became fully effective on January 1, 2023. It raised the bar for data protection in several ways and brought important changes:

  • Stronger protection for children: Businesses must obtain verifiable parental consent before collecting or selling personal data of children under 13, and affirmative consent from the minor if the child is between 13 and 16.
  • New agency for enforcement: A dedicated privacy regulator was established in 2023 to enforce the CCPA and CPRA, with full authority to investigate violations, issue regulations, and impose penalties.
  • Enhanced penalties: Fines for violations involving the personal data of children under 16 were significantly increased, reflecting a stricter approach to protecting minors.
  • Expanded consumer rights: The CPRA added new rights, including the right to correct inaccurate personal information and the right to limit the use of sensitive personal data.

Understanding CCPA's Core Concepts

What Is “Personal Information”?

Before looking at rights and obligations, it’s important to understand what the CCPA actually protects.

Under the CCPA, personal information includes any information that identifies, relates to, describes, or can reasonably be linked directly or indirectly to a consumer or a household.

This definition is deliberately broad. It covers:

  • Obvious identifiers: Names, postal addresses, email addresses, phone numbers, Social Security numbers
  • Online identifiers: IP addresses, cookies, device identifiers, browsing and search history
  • Location data: GPS coordinates and precise geolocation information
  • Commercial information: Purchase history, products or services viewed or bought
  • Biometric and genetic data: Fingerprints, facial recognition data, DNA information
  • Inferences: Profiles or conclusions drawn from personal data about a person’s preferences, behavior, financial situation, or health

Importantly, these protections apply not only to individuals but also to households. If a business collects data that reflects the collective behavior of people living together, that information is protected under the law.

Important Exemptions to Know

While the scope of personal information is wide, the CCPA does exclude certain types of data:

  • Publicly Available Information: Data lawfully available from federal, state, or local government records.
  • De-identified and Pseudonymized Data: Information that cannot be reasonably linked back to an individual or household.
  • Certain Medical Information: Information governed by other medical privacy laws like HIPAA.

It is also important to note that earlier exemptions for employment and business-to-business data expired on January 1, 2023. As a result, employees, job applicants, and business contacts are now entitled to privacy rights under the CCPA.

Data Subject Rights Under the CCPA

At the core of the CCPA are the rights granted to data subjects. These rights give California residents meaningful control over how their personal information is collected, used, and shared.

  1. The Right to Know: A data subject has the right to request details of the personal information a business has collected, including the specific data held, its sources, the purpose of collection, and the categories of third parties with whom it is shared.
  2. The Right to Delete: A data subject may request deletion of personal information, subject to limited exceptions such as completing a requested transaction, meeting legal obligations, ensuring security, or fixing system errors.
  3. The Right to Correct: If personal information held by a business is inaccurate, the data subject has the right to request its correction, helping ensure data accuracy and fairness.
  4. The Right to Opt-Out: A data subject can direct a business to stop selling or sharing personal information. Under the CPRA, “sharing” includes disclosure for targeted advertising, and businesses must provide a clear and accessible opt-out mechanism.
  5. The Right to Limit Use: Data subjects can restrict how sensitive personal information, such as Social Security numbers, precise geolocation, racial or ethnic origin, or health data, is used, limiting processing to specific and necessary purposes.
  6. The Right to Non-Discrimination: A business may not deny services, charge different prices, or reduce service quality because a data subject chooses to exercise their CCPA rights.

Who Falls Under the Scope of the CCPA?

Not every business is covered by the CCPA. The law applies to for-profit businesses that do business in California AND meet at least one of these thresholds:

  1. Annual gross revenue over $25 million, OR
  2. Buy, sell, or share personal information of 100,000+ California residents or households, OR
  3. Derive 50%+ of annual revenue from selling or sharing Californians’ personal information.

Businesses that operate entirely outside California and do not collect personal data of California residents are not subject to the CCPA. In addition, non-profit organizations, government bodies, and certain entities already regulated under other privacy laws, such as HIPAA, are generally exempt.

What Businesses Need to Do Under CCPA

If your business handles personal data from California residents, compliance with the CCPA is essential. Here’s what you need to focus on:

  • Provide clear Privacy Notices: Clearly inform your customers what data you collect, why you collect it, and how they can exercise their rights. Make sure your notice is simple and easy to understand.
  • Respect Consumer Rights: Respond promptly when someone asks to know, correct, or delete their personal information, or to opt out of its sale or sharing. You must act within 45 days, with an option to extend by 45 more days for complex requests, and always verify the requester’s identity.
  • Implement Security Measures: Implement reasonable security practices to prevent unauthorized access, use, or disclosure of personal information.
  • Manage Third-Party Relationships: If you work with contractors or service providers who handle personal data, ensure they use it only for approved purposes and meet the same security standards. You remain responsible for any misuse.
  • Train Your Team: Employees who handle consumer data should understand CCPA requirements, consumer rights, and data security best practices. Regular training is key.
  • Keep Records: Maintain documentation of what data you collect, where it comes from, how it’s used, and who it’s shared with. Proper records help demonstrate compliance if you’re ever audited.

Penalties and Enforcement

Failing to comply with the CCPA carries serious consequences for businesses that do not protect consumer data. Enforcement used to rest solely with the California Attorney General, but now the California Privacy Protection Agency (CPPA) serves as the dedicated regulator, with full powers to investigate, issue regulations, and enforce the law. Violations carry significant penalties:

  • Up to $2,500 per unintentional violation.
  • Up to $7,500 per intentional violation.

These penalties are assessed “per violation,” meaning that a business that fails to respond properly to 1,000 consumer requests can quickly face significant fines.

In addition to regulatory action, consumers have a private right of action in cases of data breaches caused by inadequate security measures. In such cases, affected individuals may seek damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is higher. In large-scale breaches, this can lead to serious financial exposure.

Conclusion

The CCPA and CPRA have redefined how Americans control their personal data. Consumers can see what’s collected, request deletion, and stop its sale, with the CPPA ensuring these rights are enforced.

California’s privacy model is inspiring similar laws nationwide, showing that data protection is quickly becoming a standard expectation. For businesses, compliance not only avoids penalties but also builds trust and strengthens customer relationships. The CCPA marks a new era where data belongs to the people, and understanding these principles is key to responsible and successful business in the digital age.


PrivacyPulse | 2026 All Rights Reserved