What is CCPA?
The California Consumer Privacy Act (CCPA) is a state-level privacy law that gives California residents significant rights over their personal information collected by businesses. Signed into law in June 2018 and effective from January 2020, CCPA was the first comprehensive consumer privacy law in the United States and fundamentally changed how businesses collect, use and sell personal data.
CCPA was significantly strengthened by the California Privacy Rights Act (CPRA), which was passed by California voters in November 2020 and became fully effective on January 1, 2023. The CPRA created the California Privacy Protection Agency (CPPA) — the first dedicated privacy enforcement agency in the US — and added new rights, stricter requirements and expanded protections for sensitive personal information.
Why Was CCPA Created?
By 2018 California residents had grown increasingly concerned about how technology companies were collecting and monetising their personal data — often without meaningful transparency or consent. A ballot initiative threatened to put an even stricter law directly to voters, which prompted the California legislature to act quickly and pass CCPA as a compromise. The law was drafted, passed and signed in just seven days in June 2018.
CCPA drew heavily on GDPR concepts but was tailored to the US legal and business environment — focusing on consumer rights and business obligations rather than a legal basis for processing model. Since its passage CCPA/CPRA has influenced privacy legislation across the US, with over a dozen states passing their own privacy laws modelled in part on California’s approach.
| Attribute | Detail |
|---|---|
| Enacted by | State of California |
| Original effective date | January 1, 2020 (CCPA) |
| CPRA effective date | January 1, 2023 (CPRA amendments fully effective) |
| Mandatory or voluntary | Mandatory — for businesses meeting threshold criteria |
| Enforcement agency | California Privacy Protection Agency (CPPA) + California Attorney General |
| Maximum penalty | $2,500 per unintentional violation · $7,500 per intentional violation · $100–$750 per consumer per incident for data breaches |
| Official resource | oag.ca.gov/privacy/ccpa |
Who Does CCPA/CPRA Apply To?
CCPA applies to for-profit businesses that do business in California AND meet at least one of three threshold criteria. Non-profits and government agencies are generally exempt.
| Threshold | Criteria |
|---|---|
| Revenue threshold | Annual gross revenues exceeding $25 million |
| Data volume threshold | Buys, sells, receives or shares for commercial purposes the personal information of 100,000 or more consumers or households annually (raised from 50,000 by CPRA) |
| Revenue from data threshold | Derives 50% or more of annual revenues from selling or sharing consumers’ personal information |
Importantly, CCPA applies to any business meeting these thresholds that does business in California — regardless of where the business is located. A company headquartered in New York, London or Singapore must comply if it meets the thresholds and processes data of California residents.
Consumer Rights Under CCPA/CPRA
CCPA grants California consumers a set of rights over their personal information. The CPRA added three new rights and strengthened existing ones.
| Right | Description | Added by |
|---|---|---|
| Right to know | Consumers can request disclosure of what personal information is collected, used, shared or sold about them | CCPA |
| Right to delete | Consumers can request deletion of their personal information collected by the business and its service providers | CCPA |
| Right to opt-out of sale or sharing | Consumers can opt out of the sale or sharing of their personal information to third parties — businesses must display a “Do Not Sell or Share My Personal Information” link | CCPA / CPRA |
| Right to non-discrimination | Businesses cannot discriminate against consumers for exercising their privacy rights — no denying goods, charging different prices or providing different quality of service | CCPA |
| Right to correct | Consumers can request correction of inaccurate personal information held by a business | CPRA |
| Right to limit use of sensitive personal information | Consumers can direct businesses to limit their use and disclosure of sensitive personal information to only what is necessary to provide services | CPRA |
| Right to opt-out of automated decision-making | Consumers have the right to opt out of automated decision-making technology including profiling that produces legal or similarly significant effects | CPRA |
Sensitive Personal Information Under CPRA
The CPRA introduced a new category of sensitive personal information (SPI) that requires heightened protection and gives consumers the right to limit its use.
| Category | Examples |
|---|---|
| Government identifiers | Social security numbers, passport numbers, driving licence numbers, tax identification numbers |
| Financial account data | Account log-in credentials, financial account numbers with required security codes |
| Precise geolocation | Location within a radius of 1,850 feet (approximately one city block) |
| Racial or ethnic origin | Data revealing racial or ethnic origin |
| Religious or philosophical beliefs | Data revealing religious or philosophical beliefs or union membership |
| Mail, email and text message contents | Contents of mail, email or text messages unless the business is the intended recipient |
| Genetic data | Genetic data for uniquely identifying an individual |
| Biometric data | Biometric information processed for unique identification |
| Health data | Personal information collected and analysed concerning health |
| Sexual orientation or sex life | Personal information concerning an individual’s sex life or sexual orientation |
Key Business Obligations Under CCPA/CPRA
| Obligation | Requirement |
|---|---|
| Privacy policy | Comprehensive privacy policy disclosing categories of personal information collected, purposes, retention periods and consumer rights — updated annually |
| Notice at collection | At or before the point of collection, inform consumers of the categories of personal information collected and the purposes for use |
| Do Not Sell or Share link | Prominent link on homepage allowing consumers to opt out of sale or sharing of their personal information |
| Consumer request handling | Two or more methods for submitting requests — including a toll-free number. Respond within 45 days (extendable to 90 days). |
| Data minimisation | Personal information collected must be reasonably necessary and proportionate to the disclosed purpose — no secondary use without notice |
| Retention limits | Personal information must not be retained longer than reasonably necessary for the disclosed purpose — retention periods must be disclosed |
| Service provider contracts | Written contracts with service providers restricting their use of personal information to specified purposes |
| Security requirements | Reasonable security measures appropriate to the nature of the personal information — failure triggers private right of action for data breaches |
| Risk assessments (CPRA) | Risk assessments required before processing activities that present significant risk to consumers — submitted to the CPPA on request |
| Opt-in for minors | Businesses must not sell or share personal information of consumers under 16 without opt-in consent — parental consent required for under 13 |
CCPA vs GDPR — Key Differences
| Area | CCPA/CPRA | GDPR |
|---|---|---|
| Jurisdiction | California residents | EU/EEA residents |
| Approach | Opt-out model — data can be collected by default, consumers opt out | Opt-in model — requires lawful basis before processing |
| Who it applies to | For-profit businesses meeting thresholds | Any organisation processing EU resident data |
| Maximum fine | $7,500 per intentional violation | €20 million or 4% of global turnover |
| Private right of action | Yes — for data breaches ($100–$750 per consumer) | Yes — through supervisory authority complaints |
| DPO requirement | No equivalent requirement | Required in certain circumstances |
Securitora Assessment
CCPA/CPRA is the most important US privacy law currently in effect and has set the template for privacy legislation across the United States. For any business serving California consumers — which effectively means any significant US or global business — compliance is non-negotiable. The opt-out model makes initial compliance simpler than GDPR, but the CPRA’s new data minimisation and retention requirements, combined with mandatory risk assessments, are pushing CCPA closer to GDPR-level rigour. Organisations that have already implemented GDPR compliance will find CCPA relatively straightforward — the concepts are similar, the mechanisms differ.
| Attribute | Detail |
|---|---|
| Recommended for | Any for-profit business doing business in California that meets the threshold criteria |
| Difficulty to implement | Medium — opt-out model is simpler than GDPR but data mapping and request handling require operational investment |
| Best used with | GDPR · ISO 27701 (Privacy Information Management) · NIST Privacy Framework |
| Official resource | oag.ca.gov/privacy/ccpa |