CA CCPA
What is the CCPA?
Signed into law in 2018 and effective January 1, 2020, the California Consumer Privacy Act (CCPA) grants California residents a set of privacy rights designed to give individuals more control over their personal information and more transparency about how their data is used and sold. The CCPA has been amended several times since its passage, most notably by the California Privacy Rights Act (CPRA) in November 2020. The CPRA amendments took effect January 1, 2023.
Consumer rights under the CCPA, as amended, now include:
- The right to know what personal data is being collected and how it is used or shared
- The right to delete personal data
- The right to opt out of the sale or sharing of personal data to third parties
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of sensitive personal information
- The right to non-discrimination for exercising any of these rights.
The CCPA applies to most for-profit businesses that deal with consumers in the state of California.
How does it apply to businesses?
The CCPA applies to for-profit businesses that collect consumers' personal information, do business in California, and meet any one of the following thresholds:
- Have gross annual revenue of $26.625 million or more (adjusted for inflation as of January 1, 2025)
- Buy, sell, or share the personal information of 100,000 or more California residents or households
- Derive 50% or more of their annual revenue from selling or sharing California residents' personal information.
Such businesses must provide detailed and prominent explanations of their privacy practices and must respond to consumer requests to exercise their rights. Non-profit organizations and government agencies are not subject to the CCPA.
The law covers most personal information, including name, social security number, browsing history, purchasing records, geolocation data, and other information related to private preferences established through online activities. It does not cover publicly available information from government records. The CPRA also introduced a category of sensitive personal information, including social security numbers, financial account details, precise geolocation, and biometric data, which is subject to additional protections.
How is the CCPA applied?
Businesses must provide at least two methods for consumers to submit requests, and organizations that operate a website are expected to be clear about how to submit a request. (A common method is through a dedicated email address or web form.) After a request to know has been submitted, the organization has 45 days to respond, with a possible extension to 90 days if it notifies the consumer.
Requests to delete information follow the same deadlines. If a consumer is within their rights under the CCPA, a request should typically be granted. The most common reason a request would be denied is if the organization cannot verify the identity of the requester, though other exemptions do exist within the legislation.
The right to opt out of the sale and sharing of personal information is handled differently. Organizations that sell or share consumer data are required to post a clear "Do Not Sell or Share My Personal Information" link on their websites and must not require a consumer to create an account to make this request. Businesses must also honor the Global Privacy Control (GPC) browser signal as a valid opt-out request.
What is the right to non-discrimination?
The right to non-discrimination under the CCPA states that an organization cannot deny a consumer access to goods and services because the consumer exercised their rights. Unless the sale of a consumer's data is a necessary component of the service, the organization is obligated to serve the consumer. Organizations may offer financial incentives in exchange for participation in data collection programs, but only if the incentive is reasonably related to the value of the personal information provided.
Resources
Explore our latest resource – DataGrail's Official Guide to CCPA – to stay up-to-date on all things California privacy.
OAG CA - https://oag.ca.gov/privacy/ccpa