The first of its kind in the United States, the CCPA is a landmark law securing new privacy rights for Californian consumers. It is widely considered a game-changer for data privacy in the U.S., much like the GDPR was in Europe.
It was notably amended by the California Privacy Rights Act (CPRA), approved by voters as Proposition 24 in November 2020. The CPRA amendments took effect on January 1, 2023, with a statutory enforcement date of July 1, 2023; enforcement of the California Privacy Protection Agency's implementing regulations began on March 29, 2024, after litigation over the timeline.
What are the CCPA requirements, and who needs to achieve CCPA compliance? From the consumer side, what changes regarding California residents' personal information? And, from the business side, how can companies protect themselves against a CCPA violation?
Carry on reading for a crash course in all you need to know.
Note: For more information on data privacy in the United States, check out our dedicated article, which includes a comprehensive map and tracker:
{{us-map-link}}
What is the CCPA?
The California Consumer Privacy Act (CCPA) was enacted to give Californians greater transparency and control over their personal information. The bill (AB 375) passed both houses of the California legislature unanimously in June 2018, as a compromise that led the sponsors of a pending ballot initiative to withdraw it, and the law became effective on January 1, 2020. The first of its kind in the United States, this landmark law secures new privacy rights for California consumers.
Businesses must disclose specific categories of personal information they collect and the associated purposes for such collection.
According to the Standardized Regulatory Impact Assessment conducted by Berkeley Economic Advising and Research, LLC, the CCPA regulations will protect more than $12 billion worth of personal information used for advertising each year in California.
From a company perspective, the regulation pushes enterprises to make their data practices transparent and to protect personal information, including sensitive information, against data breaches. 75% of consumers say they won't purchase from a company they don't trust with their data (Harris poll for IBM, 2018). The benefits of a redefined data strategy are threefold: regulatory, ethical, and monetary.
Put simply, transparent personal data collection need not come at the cost of annual revenue.
CCPA timeline and implementation
Here are the key dates for the CCPA and its CPRA amendments:
- January 1, 2020: The CCPA took effect
- July 1, 2020: Attorney General enforcement of the CCPA began
- November 3, 2020: Voters approved Proposition 24, the CPRA
- January 1, 2023: The CPRA amendments took effect; for information collected on or after January 1, 2022, consumers may now request disclosures reaching back beyond the original 12-month look-back period
- July 1, 2023: Statutory enforcement date for the CPRA amendments
- March 29, 2024: Enforcement of the CPPA's first set of regulations began, following litigation over the timeline
- Ongoing: The CPPA continues to issue new regulations and guidance
How does the CCPA give consumers control over their data?
What do we mean when we talk about “CCPA rights”? There are two main ways in which CCPA changes the game for the end user.
- The “CCPA request”: Under the CCPA, California residents are entitled to ask a business what personal information it has collected about them, the purposes of that collection, and the categories of third parties the information has been sold to or shared with, as well as to receive the specific pieces of personal information held about them. Because the business must verify that the requester is who they claim to be before disclosing anything, this is known as a verifiable consumer request.
- The right to sue: The CCPA also gives consumers a private right of action, but only for data breaches. A consumer may sue when their nonencrypted and nonredacted personal information is exposed as a result of the business's failure to implement and maintain reasonable security procedures; other CCPA violations are enforced by the regulators, not through private lawsuits.
Key Provisions of the CCPA
The original CCPA establishes six fundamental rights for consumers, empowering them with greater control over their personal information:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is being sold or shared, and to whom.
- The right to access their personal information.
- The right to delete their personal information.
- The right to opt out of the sale of their personal information.
- The right to non-discrimination for exercising their privacy rights.
With the introduction of the CPRA, two additional rights were added:
- The right to correct inaccuracies in their personal information.
- The right to limit the use and disclosure of their sensitive personal information.
These provisions ensure that consumers have comprehensive control over their data, from knowing what is collected to correcting and limiting its use.
What categories of personal information are affected by CCPA?
Under the scope of the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Therefore, we’re not just talking about personal data such as names and addresses or other general contact information/online contact details. The CPRA added a narrower category, “sensitive personal information,” which the statute defines as including:
- Social security, driver's license, state identification card, or passport number
- Account log-in, financial account, or debit or credit card number, in combination with any required security or access code, password, or credentials allowing access to the account
- Precise geolocation
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- The contents of mail, email, and text messages, unless the business is the intended recipient of the communication
- Genetic data
- Biometric information processed for the purpose of uniquely identifying a consumer
- Personal information collected and analyzed concerning a consumer's health
- Personal information collected and analyzed concerning a consumer's sex life or sexual orientation
Ultimately, the CCPA text left few stones unturned. The broad definition of personal information, plus this list of sensitive categories, gives consumers rights over personal data and customer data of almost every type a business is likely to hold. Not only does the definition encompass data often collected for marketing and advertising purposes, it also underpins the law's data breach provisions. The CCPA is designed to be all-encompassing.
To learn more about the varying definitions of sensitive personal information under the different U.S. state laws, check out our article on the topic:
{{sensitive-personal-information-us}}
What are the obligations for businesses under the CCPA?
So, we now know why the CCPA came into being and what kind of data it concerns. But what exactly are the CCPA requirements for organizations? What constitutes reasonable security procedures?
Under the statute and the CPPA's implementing regulations, businesses that want to remain compliant with California law must pay specific attention to the following:
- Implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal information
- Conducting regular cybersecurity audits and risk assessments where the regulations require them
- Following CCPA data minimization principles:
  - Collect only data necessary for specific, disclosed purposes
  - Process personal information only for those disclosed purposes, or purposes compatible with them
  - Retain data only for as long as reasonably necessary for those purposes
  - Implement technical safeguards that enforce these limits
- Providing clear notice of retention periods (or the criteria used to set them) for each category of personal information
- Implementing mechanisms to honor opt-out preference signals such as Global Privacy Control
- Including a "Do Not Sell or Share My Personal Information" link and, where sensitive personal information is used beyond the permitted purposes, a "Limit the Use of My Sensitive Personal Information" link
- Conducting risk assessments for high-risk processing activities
- Maintaining detailed records of consumer requests and how they were handled
- Including the required disclosures where automated decision-making technology is used
Who is required to comply with CCPA?
We’re here to answer the question on everyone’s lips: “Do I have to comply with the CCPA?”.
Every company should be working to value consumer data rights from both a reputational and ethical standpoint. However, not every company is required to comply with the CCPA.
The CCPA applies to for-profit businesses that do business in California, collect California consumers' personal information, and meet at least one of the following thresholds. There is no official "CCPA certification"; a business that meets a threshold simply has to comply:
- Annual gross revenue over $25 million (the statute indexes this figure to inflation every two years, so the effective threshold is now higher)
- Alone or in combination, annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households
- Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information
Exemptions under the CCPA apply mostly to data rather than to whole companies. Personal information already regulated by the following laws falls outside the CCPA, but a covered institution's other data (for example, website analytics or marketing data) does not:
- Financial data covered by the Gramm-Leach-Bliley Act
- Consumer report data covered by the Fair Credit Reporting Act
- Protected health information covered by HIPAA, and medical information covered by California's Confidentiality of Medical Information Act
Those are the rules. However, with 93% of consumers reporting that they would switch to a company prioritizing consumer data privacy (Data Privacy Feedback Loop 2020), there’s a clear reputational, ethical (and financial) incentive for every company to get on board.
What are the risks of CCPA non-compliance? (CCPA enforcement and penalties)
Two entities now handle enforcement of California privacy law:
- California Privacy Protection Agency (CPPA) - primary enforcement authority
- The California Attorney General
Penalties for CCPA non-compliance can include:
- Administrative fines or civil penalties of up to $2,500 per violation
- Up to $7,500 per intentional violation, or per violation involving the personal information of consumers under 16
- A private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100-$750 per consumer per incident, or actual damages if greater
Enforcement of the CPPA's regulations began on March 29, 2024. The CPRA removed the automatic 30-day notice-and-cure period that the original CCPA gave businesses before a regulator could act; whether to allow time to cure is now at the regulator's discretion. Consumers bringing a data breach claim for statutory damages must still give the business 30 days' written notice, but implementing reasonable security after a breach does not count as curing it.
What are consumer rights under the CCPA?
Those are the obligations companies must meet. But how do they translate into consumer CCPA rights?
Under current California privacy law, consumers have the following rights:
- The right to know what personal information is collected, used, shared, or sold, and with whom
- The right to delete personal information (subject to a number of exceptions)
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information
- The right to limit the use and disclosure of sensitive personal information
- The right to opt out of certain uses of automated decision-making technology, as set out in the CPPA's regulations
- The right to data portability (receiving a copy of their data in a readily usable format)
- The right to non-discrimination for exercising privacy rights
Right to Non-Discrimination
The CCPA includes a strong non-discrimination clause to protect consumers who exercise their privacy rights. Businesses are prohibited from denying goods or services, charging different prices, or providing a different level or quality based on consumer exercising their CCPA rights.
However, there are some nuances. If a consumer refuses to provide personal information or requests its deletion or cessation of sale, the business may be unable to complete certain transactions. Despite this, businesses can still offer promotions, discounts, and other deals in exchange for collecting, retaining, or selling personal information, provided that the financial incentive is reasonably related to the value of the personal information.
By understanding and adhering to these provisions, businesses can remain compliant with the CCPA while respecting consumer rights and maintaining trust.
Are there cookie consent requirements in the CCPA?
What is the CCPA's stance on cookies? The fundamental purpose of the CCPA is to make companies more transparent in collecting and using consumer data, and cookies and similar trackers that feed advertising partners will usually count as "sharing" personal information. Therefore, if your website uses cookies, you must inform visitors and give them a way to say no. Under current California law, businesses must:
- Provide a clear notice at collection covering the tracking technologies used and the purposes they serve
- Honor opt-out preference signals such as Global Privacy Control as a valid request to opt out of the sale and sharing of personal information
- Offer "Do Not Sell or Share My Personal Information" opt-out methods beyond the cookie banner itself
- Ensure third parties receiving data through trackers respect the consumer's privacy choices
- Maintain records of consumer choices for compliance purposes
- Include the required disclosures where automated decision-making technology is used for profiling
To comply with CCPA requirements on cookies and consent collection, organizations are advised to adopt a Consent Management Platform (CMP). Check out ours at Didomi:
{{learn-more-about-our-cmp-solution}}
Is there an easy way to comply with CCPA?
We’re coming to the end of our CCPA crash course. But, we’re now reaching the most important part.
It’s all very well knowing the CCPA requirements, but how can companies implement them effectively and reliably at every point of data collection and classification? How can organizations manage their data without affecting annual gross revenue?
CCPA compliance should not be a matter of guesswork, certainly not if you want to avoid data breaches and enforcement actions. Is there an easy way to comply with the CCPA? Yes. This is where Didomi steps in.
Didomi allows companies to show exemplary compliance and reduce legal risk by collecting consent across every touchpoint. It’s about building a reputation as an exemplary organization & never being associated with rogue data practices. Our consent and preference management solutions allow companies to comply with CCPA regulations, allowing them to:
- Build real-time, customer-friendly interfaces to inform their users about the data collected and allowing them to personalize their consent choices and preferences;
- Effectively collect, store, manage and provide proof of user consent across digital assets and physical data collection points;
- Prove the robustness of their data practices to users and regulators thanks to a clear data inventory that allows for CCPA consumer requests.
Organizations must understand the implications of cookies and respect consent, paying particular attention to how they collect, store, and deploy personal data through their web trackers and mobile apps.
It’s not a question of no longer collecting data. It’s a question of collecting data in a way that ensures consumer data rights and builds user trust.
Contact Didomi with any CCPA compliance queries or for more information on our solutions. We’ll ensure you achieve CCPA compliance. Additionally, explore our consumer resources on CCPA to help you understand your rights and protections under this law.
{{talk-to-an-expert}}
Frequently asked questions (FAQ)
What is the CCPA, and how does it differ from the CPRA?
The CCPA is a California privacy law granting consumers rights over their personal data. The CPRA, effective January 1, 2023, amended the CCPA to add rights such as correcting personal information and limiting sensitive data use.
Who needs to comply with the CCPA?
Businesses must comply if they meet one or more of these criteria:
- Annual gross revenue exceeds $25 million (indexed to inflation).
- Buy, sell, or share the personal information of 100,000 or more California consumers or households annually.
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information.
What rights do California consumers have under the CCPA?
Consumers have the right to:
- Know what personal data is collected.
- Delete their personal data.
- Correct inaccuracies in their personal data.
- Opt out of the sale or sharing of their data.
- Limit the use of sensitive personal information.
- Not be discriminated against for exercising these rights.
What is Global Privacy Control (GPC), and how does it relate to CCPA compliance?
GPC is a browser-based signal allowing users to automatically opt out of the sale or sharing of their personal data. Under the CCPA, businesses are required to honor GPC signals.
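The opt-out preference signal mentioned in the obligations and cookie sections above and in this FAQ answer is a concrete mechanism, so here is an added example of how a site honors it. This is example code written for this article, not Didomi's product code and not part of the original page. What it relies on from the GPC specification: a browser with the signal enabled sends the request header `Sec-GPC: 1`, exposes `navigator.globalPrivacyControl === true` to page scripts, and a site may publish `/.well-known/gpc.json` to state that it honors the signal. The request and response shapes, the preference store, the `X-Privacy-Opt-Out` header and all function names are assumptions made for the example.

```javascript
// Added example (not Didomi's code, not from the original article): detecting and
// honoring the Global Privacy Control (GPC) opt-out preference signal.
//
// GPC specification: an enabled browser sends "Sec-GPC: 1" and exposes
// navigator.globalPrivacyControl === true; a site can publish /.well-known/gpc.json.
// CPPA regulations: the signal is a valid request to opt out of sale/sharing, and when
// it conflicts with a stored business-specific setting that allows sale, the business
// must still process the opt-out (it may then tell the consumer about the conflict and
// ask whether they want to opt back in).
// The request/response shapes, the preference store, the internal response header and
// all function names below are assumptions made for this example.

const DEFAULT_PREFS = { saleOrSharing: 'allowed' };

// The header is only ever sent with the value "1"; header names are case-insensitive.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Work out the effective sale/sharing status for one request. The signal always wins
// over a stored "allowed" preference; that case is flagged so the UI can show the
// re-consent prompt the regulations permit.
function resolveOptOut(headers, storedPrefs = DEFAULT_PREFS) {
  if (!hasGpcSignal(headers)) {
    return { saleOrSharing: storedPrefs.saleOrSharing, source: 'stored', conflict: false };
  }
  return {
    saleOrSharing: 'opted-out',
    source: 'gpc',
    conflict: storedPrefs.saleOrSharing === 'allowed',
  };
}

// Connect/Express-style middleware. `prefStore` is any Map-like object keyed by the
// identifier the site uses for the consumer (assumed to be req.userId here). On an
// opt-out the stored preference is updated and an internal response header is set so
// downstream tag code and server-side partners can suppress sale/sharing.
function gpcMiddleware(prefStore) {
  return function (req, res, next) {
    const stored = prefStore.get(req.userId) || DEFAULT_PREFS;
    const decision = resolveOptOut(req.headers, stored);
    req.privacy = decision;
    if (decision.saleOrSharing === 'opted-out') {
      prefStore.set(req.userId, { saleOrSharing: 'opted-out' });
      res.setHeader('X-Privacy-Opt-Out', '1'); // internal header name, assumed
    }
    next();
  };
}

// Client-side counterpart: gate any tag that would sell or share data on the navigator
// property. `nav` is passed in so the function can be exercised outside a browser.
function mayLoadSaleOrShareTags(nav, storedPrefs = DEFAULT_PREFS) {
  if (nav && nav.globalPrivacyControl === true) return false;
  return storedPrefs.saleOrSharing === 'allowed';
}

// Body for GET /.well-known/gpc.json, which tells browsers and auditors that the site
// abides by GPC. `lastUpdate` is the ISO date the policy was last changed.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Stand-alone demo with a constructed request carrying the signal.
const demoStore = new Map([['user-42', { saleOrSharing: 'allowed' }]]);
const demoRes = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
gpcMiddleware(demoStore)(
  { userId: 'user-42', headers: { 'sec-gpc': '1', 'user-agent': 'demo' } },
  demoRes,
  () => console.log('decision:', demoStore.get('user-42'), demoRes.headers)
);
```

Two design points worth noting: the stored preference is overwritten on the server rather than merely consulted per request, because the regulations treat the signal as a request to opt out that persists, not as a per-page flag; and the client-side check is kept separate because the header is only visible to the server while the navigator property is only visible to page scripts, so a site that loads tags client-side needs both.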
What are the penalties for non-compliance with the CCPA?
Penalties include:
- Up to $2,500 per violation.
- Up to $7,500 per intentional violation or per violation involving the personal information of consumers under 16.
- Statutory damages of $100-$750 per consumer per incident (or actual damages, if greater) in private actions over data breaches caused by a failure to maintain reasonable security.
Are there specific rules for cookies under the CCPA?
Yes. Businesses must:
- Provide clear notice at collection about cookie and tracker usage and its purposes.
- Honor Global Privacy Control (GPC) signals as opt-outs of sale and sharing.
- Offer opt-out methods beyond the cookie banner itself.
- Ensure third parties receiving data through trackers respect consumer preferences.
How can businesses simplify CCPA compliance?
Companies can use Consent Management Platforms (CMPs), like Didomi, to:
- Manage consent effectively.
- Provide transparent privacy notices.
- Maintain detailed compliance records.