CCPA

CCPA gives California residents rights over their personal data. Learn who must comply, what consumer rights require operationally, and how it differs from GDPR.

What is CCPA?

CCPA stands for the California Consumer Privacy Act, a state privacy law that took effect on January 1, 2020. It gives California residents specific rights over their personal information and places corresponding obligations on businesses that collect, process, or sell that data. The California Privacy Rights Act (CPRA), which amended and strengthened CCPA effective January 1, 2023, is now the operative framework. When practitioners say "CCPA compliance," they typically mean CPRA-amended CCPA.

The law applies regardless of where the business is headquartered. A New York company, a Texas company, a company based anywhere in the world: if it meets the thresholds and processes California residents' data, CCPA applies.

That's the first thing most organisations get wrong. They assume state laws are local problems. California has 39 million residents and a GDP larger than most nations. The practical reach is enormous.

Who CCPA applies to

CCPA applies to for-profit businesses that collect California consumers' personal information and meet at least one of three thresholds.

- Annual gross revenue exceeding $25 million.
- Processing the personal information of 100,000 or more California consumers or households per year.
- Deriving 50% or more of annual revenue from selling or sharing California consumers' personal information.

That revenue threshold catches most mid-market and enterprise companies. The processing threshold catches many companies that wouldn't otherwise think of themselves as large data processors: a SaaS company with 100,000 California user accounts hits the threshold whether or not those users pay a cent.

Businesses that don't meet any threshold are exempt. But the thresholds are low enough that most companies of meaningful scale need to assess their position carefully.

What CCPA defines as personal information

This is where CCPA catches organisations off guard. The definition is broader than most internal data inventories are built to capture.

CCPA defines personal information as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Three words do the heavy lifting: "reasonably capable of being associated." Not just direct identifiers. Not just data that currently identifies someone. Data that could be linked to a person, given available information.

That definition pulls in behavioural data, browsing history, purchase history, location data, and inferences drawn from any of the above to create profiles. Household-level data is explicitly included, which GDPR doesn't cover. IP addresses, device identifiers, and cookie data are personal information under CCPA when they can be associated with a consumer.

So a company that believes its analytics data is anonymous because it doesn't include names may still be handling CCPA-covered personal information if that data could reasonably be linked back to individuals.

The consumer rights CCPA creates

CCPA grants California residents five categories of rights that businesses must operationally support.

Right to know

Consumers can request disclosure of what personal information a business has collected about them, the sources, the business purposes, the third parties it was shared with, and the specific pieces of information held. Businesses have 45 days to respond.

Right to delete

Consumers can request deletion of personal information a business has collected. The business must comply and must direct service providers to do the same. Exceptions exist for data necessary to complete transactions, detect security incidents, comply with legal obligations, and a few others.

Right to opt-out of sale or sharing

Consumers can direct a business to stop selling or sharing their personal information with third parties. Businesses must provide a "Do Not Sell or Share My Personal Information" link on their homepage. This right operates continuously, not as a one-time consent event.

Right to correct

Consumers can request correction of inaccurate personal information. Businesses must take reasonable steps to correct it and direct service providers to do the same.

Right to limit use of sensitive personal information

CPRA added a category of sensitive personal information with heightened protection: social security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data used for identification, health information, and data about sexual orientation. Consumers can limit how businesses use this sensitive subset.

Each right creates an operational requirement. The right to know requires knowing what data you have and where it lives. The right to delete requires finding every copy across every system and deleting it. The right to opt-out requires tracking data sharing in real time. None of these are fulfillable without a current, comprehensive data inventory.

How CCPA differs from GDPR

Both laws protect consumer privacy. The operational differences matter for companies building multi-jurisdictional compliance programmes.

Consent model

GDPR requires a lawful basis for processing, with consent as one option. CCPA doesn't require consent to collect or process personal information. It requires notice and gives consumers the right to opt out after the fact. That's a fundamental architectural difference. GDPR is consent-first by default in many contexts. CCPA is notice-and-opt-out.

Household data

CCPA explicitly covers household-level data. GDPR focuses on natural persons. A household's purchase history, household location patterns, or household income estimates fall under CCPA's scope in ways they don't clearly fall under GDPR's.

Sale of personal information

CCPA's right to opt out of "sale or sharing" has no direct GDPR equivalent. The sale concept captures data sharing arrangements where value is exchanged, even non-monetary value, which catches some business practices that organisations hadn't previously considered regulated.

Enforcement

GDPR is enforced by government regulatory bodies with fines up to €20 million or 4% of global turnover. CCPA is enforced by the California Attorney General and the California Privacy Protection Agency (CPPA), with fines of $2,500 per unintentional violation and $7,500 per intentional violation. The per-violation structure means scale matters: 50,000 non-compliant records can produce substantial aggregate exposure.

What CCPA operationally requires from data security

Two compliance obligations drive the most operational work for data security teams.

Consumer rights fulfilment at scale

A right-to-know request requires surfacing every piece of personal information held about a specific California consumer across all systems: CRM, analytics, data warehouse, backup, SaaS integrations, and any development environment that received a data copy. A right-to-delete request requires finding all of those locations and deleting from each. Without a continuously maintained, comprehensive data inventory, both obligations are either incomplete or operationally unsustainable at volume.

Data breach notification

CCPA has a private right of action for consumers whose unencrypted or non-redacted personal information is subject to a breach resulting from a business's failure to implement reasonable security procedures. Unlike GDPR's regulatory fine structure, CCPA allows consumers to sue directly, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Class action exposure makes data breach risk under CCPA a financial risk that boards understand immediately.

The reasonable security requirement creates the same evidence standard as HIPAA and GDPR: being able to demonstrate, after an incident, that appropriate controls were in place. Continuous monitoring, access controls, and immutable audit trails are the evidence base.

Frequently asked questions

What is CCPA?

CCPA is the California Consumer Privacy Act, a state privacy law giving California residents rights over their personal information including the right to know what is collected, the right to delete it, and the right to opt out of its sale or sharing. Amended by CPRA effective January 2023, it applies to for-profit businesses meeting specific revenue or data processing thresholds that handle California consumers' personal information.

Who does CCPA apply to?

For-profit businesses that collect California consumers' personal information and meet at least one threshold: annual gross revenues over $25 million, processing personal information of 100,000 or more California consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing California consumers' personal information.

What counts as personal information under CCPA?

CCPA defines personal information broadly as any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household. This includes direct identifiers like names and emails, as well as browsing history, purchase history, location data, IP addresses, device identifiers, and inferences drawn from any of the above to create consumer profiles.

What is the difference between CCPA and GDPR?

Both protect consumer privacy but differ in consent model, scope, and enforcement. CCPA uses a notice-and-opt-out model; GDPR requires a lawful basis for processing including consent in many contexts. CCPA covers household-level data; GDPR focuses on natural persons. CCPA has a specific right to opt out of "sale or sharing" with no direct GDPR equivalent. Enforcement differs: GDPR uses regulatory fines; CCPA has both regulatory fines and a private right of action for data breaches.

What are CCPA penalties?

$2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General and the California Privacy Protection Agency. CCPA also provides a private right of action for consumers affected by data breaches resulting from inadequate security, with statutory damages of $100 to $750 per consumer per incident.

Published May 1, 2026