What Is the California Consumer Privacy Act (CCPA)?

5 min. read

The California Consumer Privacy Act (CCPA) is a data privacy law enacted in California in 2018, which went into effect on January 1, 2020. The CCPA aims to enhance privacy rights and consumer protection for residents of California. It grants California consumers the right to know what personal information businesses collect about them, how the data is used, and with whom it is shared.

Under the CCPA, consumers have several rights, including the right to access their personal information, the right to request the deletion of their data, the right to opt-out of the sale of their personal information, and the right to nondiscrimination for exercising their CCPA rights.

Organizations subject to the CCPA must comply with these consumer rights and implement appropriate security measures to protect personal data. The CCPA applies to for-profit businesses that collect consumers' personal information, do business in California, and meet certain revenue or data processing thresholds.

California Consumer Privacy Act (CCPA) Explained

The California Consumer Privacy Act (CCPA) is a privacy law that came into effect in 2020. It solidifies consumers' rights to data privacy and creates new obligations for businesses that handle personal data. The CCPA applies if a organization collects personal information from California residents and meets one of the following criteria:

  • Generates over $25M in gross annual revenue
  • Buys or sells personal information from more than 50,000 Californians
  • Creates over 50% of its revenue from selling personal information of California residents

In other words, the CCPA applies to organizations with established revenues or whose business model is built on sharing personal information (as would often be the case in AdTech, for example).

Under the CCPA, organizations must protect the rights of consumers to:

  • Know what personal information the business is collecting
  • Request that the business deletes any of their personal information
  • Opt out of their personal information being collected or sold

Under the CCPA, organizations need to provide clear notice and obtain explicit permission to collect sensitive data, and implement reasonable measures to protect consumer data. Each violation can cost the business up to $7,500 if intentional, or $2,500 for each unintentional violation. Companies can also be liable in civil suits if they suffer a data breach due to insufficient cybersecurity measures.

The CCPA applies when personal information is being stored or processed using a public cloud. Organizations that store personal information of California residents in their cloud accounts are responsible for compliance — e.g., executing disclosure and deletion requests. In order to comply, companies have to be aware of every cloud data store that contains data which might be subject to a CCPA request. DSPM tools can help identify these data stores.

How Does the CCPA Define Personal Information?

Under the California Consumer Privacy Act (CCPA), personal information is defined as any data that identifies, relates to, describes, or can be reasonably linked to a specific California consumer or household. The CCPA provides a broad interpretation of personal information, encompassing various types of data that could be used to identify or associate with an individual.

  • Identifiers: Name, alias, signature, postal address, email address, Social Security number, driver's license number, and passport number.
  • Unique Personal Identifiers: Device identifiers, cookies, IP addresses, and other online tracking technologies.
  • Commercial Information: Records of personal property, products or services purchased or considered, and purchasing or consuming histories or tendencies.
  • Biometric Data: Face, fingerprint, or voice recordings, used to identify an individual uniquely.
  • Geolocation Data, which can pinpoint an individual's physical location.
  • Internet or Other Electronic Network Activity Information: Browsing history, search history, and data on interaction with websites, applications, or advertisements.
  • Professional or Employment-Related Information: Job title, work history, and employer details.
  • Education Information: Student records maintained by an educational institution or party acting on its behalf.

Under the CCPA, even inferences drawn from personal information to create a profile reflecting the consumer's preferences, characteristics, psychological trends, behavior, or attitudes are regulated. The CCPA's extensive definition of personal information underscores the need for businesses to thoroughly review their data collection, storage, and processing practices to ensure compliance with the regulation.


The CCPA and the European Union's General Data Protection Regulation (GDPR) are both data protection laws, but they have different scopes, applicability, requirements, and definitions related to protected information.

Jurisdiction Applies to for-profit businesses that collect California residents' personal information, do business in California, and meet certain revenue or data processing thresholds. Applies to organizations processing personal data of individuals within the European Union (EU), regardless of the organization's location.
Personal Data / Personal Information Covers personal information, which is information that identifies, relates to, describes, or can be reasonably linked to a specific California consumer or household. Covers personal data, which is any information relating to an identified or identifiable individual.
Consumer Rights Rights include access, deletion, and the right to opt-out of the sale of personal information. Additionally, the CCPA prohibits discrimination against consumers who exercise their rights under the law. Rights include access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection to processing, and the right not to be subject to automated decision-making.
Consent and Opt-Out Doesn't have a general consent requirement but mandates the option to opt-out of the sale of personal information, indicated by a "Do Not Sell My Personal Information" link on the business's website. Requires explicit consent from individuals for processing their data and provides the right to withdraw consent at any time.
Data Protection Officer (DPO) Does not have a specific DPO requirement. Requires organizations to appoint a DPO in certain cases, such as when processing large-scale personal data or engaging in regular and systematic monitoring of individuals.
Fines and Penalties Non-compliance can result in fines of up to $2,500 per violation or $7,500 per intentional violation, with additional penalties for data breaches based on individual claims ($100-$750 per consumer, per incident). Non-compliance can result in fines of up to 4% of annual global turnover or €20 million (whichever is greater) for the most severe infringements.

Table 1: Key differences between CCPA and GDPR

Organizations subject to both CCPA and GDPR regulations must carefully address the specific requirements of each law to ensure compliance.

Container Firewall FAQs

Privacy policies are legally binding documents that outline how an organization collects, processes, stores, shares, and protects personal data. These policies inform users about the types of data collected, the purpose of data collection, data retention periods, and the rights of data subjects. Privacy policies also detail the organization's compliance with data protection laws and regulations, such as GDPR, CCPA, and HIPAA. By providing transparency and establishing user trust, privacy policies play a critical role in ensuring responsible data management practices and legal compliance.

A data owner is a stakeholder responsible for the classification, protection, use, and quality of a dataset. Data owners need to consider the interests of the people in the organization who are using the data, as well as those of the data subject (i.e., the individual whose data is being processed). In the context of the GDPR, data subjects are legally viewed as the ultimate owners of their own personal data — giving them the right to request a copy of the data, or its deletion.

The concept of data ownership may be challenging for some in the organization, as there could be different interests at play with regards to a specific dataset or data initiative. However, identifying data owners helps to ensure accountability, define policies, create trusted data, and eliminate redundancies in data management. The data owner doesn't necessarily have to be the person who created the data or the department that uses it most frequently.

Data processing describes the actions required to transform raw data into meaningful information — collecting, structuring, and analyzing the data — as well as interpreting the results to uncover patterns and draw meaningful conclusions. This is typically done using specialized software tools that can perform computational operations on large amounts of data quickly (such as relational databases). The ability to effectively process data while controlling compute overhead is key to most data initiatives, including analytics, machine learning, and cybersecurity.
The CCPA primarily applies to for-profit businesses that meet the criteria regarding revenue, data collection, or data sales. Not-for-profit organizations aren’t generally subject to the CCPA requirements. It’s essential, however, for not-for-profit organizations to review their data collection and processing practices and consult with legal experts to ensure they’re not inadvertently falling under the scope of the CCPA or other data privacy regulations.