The California Consumer Privacy Act (CCPA) — Legal glossary

Marjorie Richter J.D.  

· 6 minute read

Key aspects of the California Consumer Privacy Act (CCPA), including consumer rights, compliance requirements, and recent updates.

California law · California Consumer Privacy Acts

Highlights

The California Consumer Privacy Act (CCPA) protects personal information of California residents, defined broadly to include individuals, households, employees, job candidates, and business contacts.

Key consumer rights under the CCPA include the right to know, delete, opt out of the sale of personal information, and be free from discrimination for exercising these rights.

Covered businesses must implement reasonable security practices, provide required public notices, honor consumer rights requests, and ensure non-discrimination in their practices.

California became the first U.S. state with a comprehensive consumer privacy law when the California Consumer Privacy Act of 2018 (CCPA) took effect on Jan. 1, 2020. It also became the first state to establish a separate agency devoted exclusively to protecting privacy after voters approved the California Privacy Rights Act of 2020 (CPRA).

The CCPA grants California residents new rights regarding their personal information. It imposes data protection duties on certain entities conducting business in California. Given the CCPA’s expansiveness and broad reach, it’s critical for entities in California and around the world that collect and process California residents’ personal information to understand the law.

What does the CCPA protect?

The CCPA provides personal information rights and protections for consumers, who are broadly defined as any California residents who are either:

  • In California for other than a temporary or transitory purpose
  • Living in California but currently out of state for a temporary or transitory purpose

In addition to consumers of household goods and services, the CCPA’s definition of consumers includes California-based:

  • Employees, job candidates, independent contractors, and other workforce members
  • Contacts from business customers or vendors

The CCPA defines personal information more broadly than California’s other laws. It includes any information that directly or indirectly:

  • Identifies, relates to, or describes a particular consumer or household
  • Is reasonably capable of being associated with or linked to a particular consumer or household

The CCPA protects data even if it does not relate to an individual because it covers households and devices, and it protects information connected to a unique identifier instead of a person’s name.

Who must comply with the California Consumer Privacy Act?

For-profit entities must comply with the CCPA if they:

  1. Collect a consumer’s personal information and determine the purposes and means of processing; and
  2. Do business in California and meet one of these thresholds:
    • Annual gross revenue that exceeds $25 million (adjusted for inflation);
    • Annually buy, share, or sell the personal information of more than 100,000 consumers or households; or
    • Derive 50% or more of annual revenues from selling or sharing consumers’ personal information

There are many exceptions to the CCPA. For example, entities do not have to comply if:

  • Every aspect of the commercial conduct takes place wholly outside of California
  • The sale of personal information is part of a merger or acquisition
  • There are legal or conflicts-of-laws issues

The CCPA does not apply to non-profit and public entities, which are covered by other laws.

Consumer rights under the California Consumer Privacy Act

The CCPA grants consumers several rights, including the right to:

  • Know how a business collects, uses, and shares their personal information
  • Delete personal information the business holds about them, with some exceptions
  • Opt out of the sale and sharing of personal information to third parties
  • Be free of discrimination for exercising their CCPA rights

Business obligations under the California Consumer Privacy Act

To meet its CCPA obligations, a covered business should:

  1. Protect personal information by implementing reasonable security practices and procedures
  2. Make all required CCPA public notice disclosures, including:
    • Notices at collection;
    • A privacy policy that includes comprehensive information about consumers’ CCPA rights and how to exercise them;
    • A notice of the right to opt out; and
    • Financial incentive notices, if offered
  3. Honor consumers’ CCPA rights and establish internal procedures to receive, verify, and respond to consumer rights requests
  4. Review all price, service, or quality differences relating to the collection, retention, or sale of personal information to ensure non-discrimination
  5. Comply with employee training and record-keeping requirements
  6. Review service provider and third-party personal information data sharing contracts for alignment with the CCPA’s requirements

CCPA enforcement

Both the California Privacy Protection Agency (CPPA) and the California Attorney General (CAG) have the authority to enforce the CCPA. The agency enforces the CCPA through administrative proceedings, cease-and-desist orders, and administrative fines. The CAG has the power to investigate violations and seek civil penalties and injunctions.

The agency and CAG may seek civil penalties up to either:

  • $2,500 per violation
  • $7,500 per intentional violation or for violations involving minors under 16

CCPA private right of action

The CCPA extends California’s data breach laws by creating a private right of action for unauthorized access, theft, or disclosure of certain non-encrypted and non-redacted personal information due to a business failing to implement reasonable security procedures. The data breach liability section defines personal information more narrowly than the general CCPA definition.

In a CCPA private action, consumers may seek either statutory damages between $100 and $750 for each California resident and incident, or actual damages, whichever is greater. Before filing a lawsuit, a consumer must provide the business with written notice and a 30-day period to correct the violations.

California Privacy Rights Act of 2020 (CPRA) and other updates

Californians voted to expand the CCPA by passing Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The new regulations went into effect in March 2023.

The CPRA, among other changes:

  • Expanded the CCPA’s personal information protection rights and business obligations, particularly around sensitive information like precise geolocation data.
  • Provided transparency around automated decision making.
  • Created a dedicated privacy protection agency in California, the California Privacy Protection Agency, to implement and enforce the law and educate the public.

Three new measures to amend the CCPA took effect on Jan. 1, 2025. These expanded the definitions of personal information to include “neural data,” metadata, and information from artificial intelligence (AI) systems, and require businesses to which information is transferred to honor consumers’ opt-out preferences.

Looking ahead

As the California Privacy Protection Agency evolves, it is focusing on goals laid out in its 2024-2027 Strategic Plan.

For a more complete treatment of this issue, please read the Practical Law Practice Note, Understanding the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), one of more than 65,000 resources available through Practical Law and Practical Law Connect.

 
