Key aspects of the California Consumer Privacy Act (CCPA), including consumer rights, compliance requirements, and recent updates.
Highlights
Key consumer rights under the CCPA include the right to know, delete, opt out of the sale of personal information, and be free from discrimination for exercising these rights.
Covered businesses must implement reasonable security practices, provide required public notices, honor consumer rights requests, and ensure non-discrimination in their practices.
California became the first U.S. state with a comprehensive consumer privacy law when the California Consumer Privacy Act of 2018 (CCPA) took effect on Jan. 1, 2020. It also became the first state to establish a separate agency devoted exclusively to protecting privacy after voters approved the California Privacy Rights Act of 2020 (CPRA).
The CCPA grants California residents new rights regarding their personal information. It imposes data protection duties on certain entities conducting business in California. Given the CCPA’s expansiveness and broad reach, it’s critical for entities in California and around the world that collect and process California residents’ personal information to understand the law.
What does the CCPA protect?
The CCPA provides personal information rights and protections for consumers, who are broadly defined as any California residents who are either:
- In California for other than a temporary or transitory purpose
- Living in California but currently out of state for a temporary or transitory purpose
In addition to consumers of household goods and services, the CCPA’s definition of consumers includes California-based:
- Employees, job candidates, independent contractors, and other workforce members
- Contacts from business customers or vendors
The CCPA defines personal information more broadly than California’s other laws. It includes any information that directly or indirectly:
- Identifies, relates to, or describes a particular consumer or household
- Is reasonably capable of being associated with or linked to a particular consumer or household
The CCPA protects data even if it does not relate to an individual because it covers households and devices, and it protects information connected to a unique identifier instead of a person’s name.
Who must comply with the California Consumer Privacy Act?
For-profit entities must comply with the CCPA if they:
- Collect a consumer’s personal information and determine the purposes and means of processing; and
- Do business in California and meet one of these thresholds:
  - Annual gross revenue that exceeds $25 million (adjusted for inflation);
  - Annually buy, share, or sell the personal information of more than 100,000 consumers or households; or
  - Derive 50% or more of annual revenues from selling or sharing consumers’ personal information
There are many exceptions to the CCPA. For example, entities do not have to comply if:
- Every aspect of the commercial conduct takes place wholly outside of California
- The sale of personal information is part of a merger or acquisition
- There are legal or conflicts-of-laws issues
The CCPA does not apply to non-profit and public entities, which are covered by other laws.
Consumer rights under the California Consumer Privacy Act
The CCPA grants consumers several rights, including the right to:
- Know how a business collects, uses, and shares their personal information
- Delete personal information the business holds about them, with some exceptions
- Opt out of the sale and sharing of personal information to third parties
- Be free of discrimination for exercising their CCPA rights
Business obligations under the California Consumer Privacy Act
To meet its CCPA obligations, a covered business should:
- Protect personal information by implementing reasonable security practices and procedures
- Make all required CCPA public notice disclosures, including:
  - Notices at collection;
  - A privacy policy that includes comprehensive information about consumers’ CCPA rights and how to exercise them;
  - A notice of the right to opt out; and
  - Financial incentive notices, if offered
- Honor consumers’ CCPA rights and establish internal procedures to receive, verify, and respond to consumer rights requests
- Review all price, service, or quality differences relating to the collection, retention, or sale of personal information to ensure non-discrimination
- Comply with employee training and record-keeping requirements
- Review service provider and third-party personal information data sharing contracts for alignment with the CCPA’s requirements
CCPA enforcement
Both the California Privacy Protection Agency (CPPA) and the California Attorney General (CAG) have the authority to enforce the CCPA. The agency enforces the CCPA through administrative proceedings, cease-and-desist orders, and administrative fines. The CAG has the power to investigate violations and seek civil penalties and injunctions.
The agency and CAG may seek civil penalties up to either:
- $2,500 per violation
- $7,500 per intentional violation or for violations involving minors under 16
CCPA private right of action
The CCPA extends California’s data breach laws by creating a private right of action for unauthorized access, theft, or disclosure of certain non-encrypted and non-redacted personal information due to a business failing to implement reasonable security procedures. The data breach liability section defines personal information more narrowly than the general CCPA definition.
In a CCPA private action, consumers may seek either statutory damages between $100 and $750 for each California resident and incident, or actual damages, whichever is greater. Before filing a lawsuit, a consumer must provide the business with written notice and a 30-day period to correct the violations.
California Privacy Rights Act of 2020 (CPRA) and other updates
Californians voted to expand the CCPA by passing Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The new regulations went into effect in March 2023.
The CPRA, among other changes:
- Expanded the CCPA’s personal information protection rights and business obligations, particularly around sensitive information like precise geolocation data.
- Provided transparency around automated decision making.
- Created a dedicated privacy protection agency in California, the California Privacy Protection Agency, to implement and enforce the law and educate the public.
Three new measures to amend the CCPA took effect on Jan. 1, 2025. These expanded the definitions of personal information to include “neural data,” metadata, and information from artificial intelligence (AI) systems, and require businesses to which information is transferred to honor consumers’ opt-out preferences.
Looking ahead
As the California Privacy Protection Agency evolves, it is focusing on goals laid out in its 2024-2027 Strategic Plan.