What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA), the latest data privacy law in the Golden State, went into effect on January 1st, 2020. Some have compared it to the UK’s GDPR (General Data Protection Regulation), and they’re not far off – like the GDPR, the CCPA is intended to protect individuals’ private data by making data collection and usage more transparent between consumers and companies.

What is the CCPA?

The CCPA is a California law that aims to give Californian consumers ownership over personal data that is collected by businesses. Even before this act, California had the strongest data privacy rights in the US, and the CCPA adds new rights to Californians’ arsenal:

The right to know

Californians have the right to know what data a business collects and why, as well as any personal data they use, share, or sell.

To comply, organizations must:

  • Notify consumers up front about what information is being collected and stored;
  • Inform customers of how the business uses this information, including what external companies use or buy this data;
  • Create processes that customers can use to request the data you have about them and ensure that your business can respond to these requests;
  • Verify the identity of persons requesting their information.

The right to delete

Have you ever wished you could delete something from the internet? If you’re a California resident, you can! Businesses must now delete information about you if you ask them to (within reason) – including information the business has given to any third-party enterprises.

Your business can comply by:

  • Developing a procedure to quickly locate and delete personal data about a person;
  • Simplifying your method of safely disposing of customer information when requested to do so;
  • Ensuring you can appropriately audit your records to find all personal data, including any external companies you’ve shared information with.

The right to opt out

If your business shares or sells personal data, consumers have the right to withdraw consent from having their data sold. Make sure you’re meeting CCPA requirements by:

  • Ensuring that any consumers under 16 opt in to sharing and selling their data, and that a parent or guardian of children under 13 consents on their behalf;
  • Giving customers an easy out: provide a clear “how-to” to opt out of data sharing;
  • Responding to requests within 45 days.

As part of all these rights, Californians are also protected from discrimination for choosing to view or limit data a business has collected about them, or for choosing to opt out of data re-selling.

Who does the CCPA apply to?

If your organization collects California residents’ information, it’s possible that you must adhere to the CCPA, even if your business is not physically located in California. The law outlines three points that determine whether the CCPA applies to a business:

  • If gross annual revenue is over $25 million;
  • If the business buys, sells, or in other ways receives personal information of more than 50,000 consumers, households, or devices;
  • If 50 percent or more of the business’ annual revenue is derived from selling consumers’ personal information.

Whether just one or all three of the requirements above apply to your business, you must comply with CCPA. However, any information already covered by federal or California privacy laws, like HIPAA or the Gramm-Leach-Bliley Act (GLBA) is exempt.

What personal information is covered by the CCPA?

The CCPA has one of the broadest definitions of personal information, which includes any:

  • Personally, identifiable information, including name, birthdate, address, and any state or federally issued identification numbers.
  • Biometric information.
  • Protected classes a person falls into.
  • Information about a person’s location, education, property ownership, and employment.
  • Internet activity.
  • Audio, electronic, visual, thermal, or olfactory information.

Are there penalties associated with the CCPA?

Yes! Starting July 1, 2020, the Attorney General of California will begin to enforce action under the CCPA. Both individuals and regulators can contest how companies manage personal data and follow the CCPA.


The CCPA is designed to protect consumers and gives them several options for contesting how businesses use their data. CCPA allows for class action lawsuits for damages in the case of a data breach – a first among consumer data privacy laws like the GDPR and PIPEDA. Even without a data breach, consumers may sue companies if the CCPA guidelines are violated.

Further, if consumers can’t easily figure out how to request or delete their data or opt out of data sharing, they can sue businesses for not adhering to the law.


If a regulator notifies your business of a CCPA violation, you have 30 days to comply with the law. After 30 days, your business can incur fines of up to $7,500 per record for any violation: up to $2,500 per unintentional violation, and up to $7,500 per intentional violation.

In the case of unauthorized access, including data breaches or other any lack of proper security practices, businesses are liable for damages or penalties of $100 to $750 per consumer per incident, whichever is greater.

The bright side

Insecure handling of personal data and high profile data breaches have led to an increase in the exposure of personal records in the US – and the public has taken note. By taking proactive steps to safeguard your customers’ data, you’re helping to build a better rapport with your current and future customers.

Plus, you’ll be ready when other states start to implement similar laws.