California Consumer Privacy Act

Passed in 2018, the California Consumer Privacy Act (CCPA) was the first privacy law of its kind in the US. It established landmark data rights for California (CA) residents and created new requirements for any business that sells to and/or processes personal data from California consumers.

Consumer rights provided by the CCPA

Right to be informed - California consumers have the right to know:

  • What data and categories of data a business is collecting on them
  • How that data is being collected
  • How it’s being used both by the business and any third parties

Right of access - Consumers have the right to request access to the personal data a business has collected about them.

Right to rectification - If a consumer believes their CCPA rights have been violated, they have the right to bring their complaints to the Attorney General.

Right to erasure and right to be forgotten - Businesses must delete a consumer's data upon request, as long as the consumer's identity can be verified. In addition, the business must direct any vendors and other service providers to do the same.

Right to restrict process - Consumers have the right to tell a business “Do not sell my personal information.” Not only that, but the business must provide an easily accessible page on their website that enables the consumer to make this request.

Right to data portability - After receiving a data request, businesses must provide the consumer’s information in an easily transmittable format.

Right to object - California consumers have the right to object to the use and sale of their data at any time.

Who does the CCPA apply to?

The CCPA applies to businesses that:

  • Process data for 50,000 or more CA residents OR
  • Have a gross revenue over $25 million OR
  • Derive 50% or more of annual revenue from selling or sharing CA residents' personal data

The CCPA also covers subsidiaries, meaning California based companies can’t exempt themselves by storing consumer data in an offshore subsidiary or storage site.

It also applies to California residents browsing an out-of-state website. So, if people from California visit your website, your company must respect the rights outlined by the CCPA for those visitors—even if your organization is based outside of CA.

In 2020, the CCPA was amended by the California Privacy Rights Act (CPRA). The CPRA changed the CCPA in a variety of ways, but one of the most significant was an increase in the data processing threshold—from 50,000 to 100,000.

Read more about the differences between the CCPA and CPRA.