This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
header image


California Consumer Privacy Act (CCPA)

Passed June 28, 2018
Effective Date January 1, 2020
Who it applies to
  • Businesses that make $25M+ annual gross revenues, or
  • Businesses that buy, receive, sell, share data of 50,000+ consumers, households, devices, or
  • Businesses that derive 50%+ annual revenues from selling data.
  • Exempt entities include nonprofits, government agencies, and insurance institutions, agents, and support organization
Penalties $2,500 per violation, and up to $7,500 per intentional violation or violation involving children

What’s notable about it:

California was the first comprehensive privacy law in the US. Before the CCPA, U.S. privacy laws only targeted specific industries like health, finance, and education.

With a unique right to “limit the use and disclosure of sensitive personal information” and complex rules on “disclosing personal information for business purposes,” the CCPA looks very different from other state privacy laws. CCPA gives consumers the right to opt out of the monetization of their data. If personal data is shared for contextual advertising, it counts as a sale: consumers have the right to opt out of the “selling” or “sharing” of their data. This covers disclosing personal information to a third party for almost any reason—including advertising, analytics, and other commercial uses.

We’ve already seen enforcement by California’s Attorney General, who is now joined by the state’s own privacy regulator, the California Privacy Protection Agency (CPPA), which has an annual budget of $10M to hire staff, enforce the law, and drive awareness. CCPA also grants residents a limited right to take a company to court over data privacy violations (also known as a “private right of action”). And, in December 2023, it signaled its intent to broadly regulate AI, implementing significant consumer rights to opt out of and access information about businesses’ use of such technology.

California extends rights to Employee, Job Applicant, and B2B Data. Unlike other states, California’s definition of a “consumer” does not exclude people acting in an employment or commercial context. This means you must afford your employees, contractors, job applicants, and business partners the same rights as your customers.
The Strict Spectrum

Less Strict