What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act, or CCPA, is legislation in force in the state of California in the United States that safeguards privacy and enhances consumer protection within the state. The California Consumer Privacy Act regulations apply to any business or entity that collects consumer data and meets a few criteria.

The CCPA allows residents of California to learn whether their data is being sold and why it is collected, and to request that businesses delete the personal information they have collected. As long as the business entity is active in California, it has to follow these rules irrespective of its physical presence in the state.
Key Takeaways
- The California Consumer Privacy Act is a framework designed to legally protect the personal information of the residents of the state of California and to enhance their rights with respect to how their personal information is used.
- These rules apply to companies with an active business within the state irrespective of their physical presence in California.
- Each violation involving a customer's data can attract a penalty of up to $7,500 if the company is found guilty. However, for these rules to be applicable, companies must meet specific criteria.
California Consumer Privacy Act Explained
The California Consumer Privacy Act provides consumers within the state of California greater control over how businesses use their personal information. The law came into enforcement on the 28th of June, 2018.
The CCPA was drafted to ensure that consumers are aware of whether their personal information is used by businesses or any other entity that operates with a for-profit motive. The California Consumer Privacy Act of 2018 also lets residents of the state find out whether their personal information is sold or disclosed to third parties.
The act also makes sure that the consumer retains the right to say no to any entity selling their data for business gains. Consumers within California can also request that an entity delete their personal information.
Now, a common question at this point is whether a company can operate out of another state and make hefty gains by selling data. Right? The answer is a big fat no. Any business that has an active presence in California is required to follow these rules, regardless of its physical presence within the state.
A business must follow the CCPA regulations if it has a gross revenue of over $25 million in a year, if it purchases, sells, or receives the personal data of 100,000 or more customers, or if it earns more than half of its revenue within a year by selling consumers' personal information.
Rights and Protections For Consumers
The rights and protections for consumers under the California Consumer Privacy Act are discussed below.
- Consumers residing in California have the right to know the details of how their personal information is used. That is, when a business collects their personal information, the consumer has the right to know how it is being used or shared.
- They have the right to request that companies delete their personal information, barring a few situations.
- They have the non-negotiable right to exercise their CCPA rights without any discrimination.
- The CCPA gives residents of the state the right to choose not to be a part of the sharing or selling of their personal information.
- After the approval of Proposition 24, consumers also have the right to correct erroneous or inaccurate information that any entity has recorded about them.
- Consumers also possess the right to limit the disclosure and use of personal information of a sensitive nature.
Companies Subject To CCPA
Irrespective of its physical presence within California, a company is subject to California Consumer Privacy Act regulations if it meets at least one of the parameters below:
- It generates an annual revenue above $25 million;
- It generates more than 50% of its annual revenue by selling the personal information of consumers; or
- It purchases, sells, or receives the personal data of at least 100,000 households or consumers.
It is important to note that these rules apply to all companies whose services or products are actively being used in the state. They do not have to be physically present within the state.
Responsibilities Of Companies Subject To The CCPA
Companies subject to the California Consumer Privacy Act of 2018 must follow a set of requirements. They include, but are not limited to, the points below.
- Companies must create a privacy policy that informs customers about their data collection processes and data sharing strategies.
- They must ensure that consumers have the option to opt out of the collection of their personal information.
- These companies are required to promptly acknowledge requests from consumers regarding access to or deletion of their data.
- They must first verify the identity of consumers who request access to their data, to make sure the data is not illegally acquired by someone else.
- The companies are required to keep records of data requests for a minimum of 24 months.
Compliance Strategies
Incorporating the following strategies can help ensure that California Consumer Privacy Act compliance is foolproof.
- The foremost step is to check and verify whether the CCPA rules apply to the business based on the essential criteria.
- If the rules do not apply to a particular company, it can continue as usual. However, if the rules do apply, the company must identify "personal" information and take active steps to protect it.
- The company must make sure that it has a data retention policy that helps it comply with the access-to-information aspect of the act. The CCPA gives the consumer the right to know how their information is being used or sold.
- Involving teams across the company in drawing up a compliance plan allows all individuals within the organization to understand their accountability in this regard.
- A compliance hack that a lot of companies use is to treat every customer as if they were a California resident, as it saves high costs and time. Maintaining separate security systems is not cost-efficient and requires different teams to work on them.
- Companies must regularly conduct security and privacy framework audits to make sure they are up to date with the latest amendments or regulations.
Exceptions
Data is exempt under the CCPA if it meets the following requirements:
- The sale of the consumer's personal information, in part or in whole, is within the state of California.
- The consumer's information was collected when they were not a resident of California.
- No information collected while the consumer is a resident of the state is sold.
To take advantage of these exemptions under the California Consumer Privacy Act of 2018, a company must build systems that can determine the whereabouts of a consumer, that is, when and whether they are within or outside California.
Penalties
Violations of the CCPA can attract civil penalties. These penalties can be charged up to $7,500 for every intentional violation. For all other violations, the maximum penalty per violation is $2,500.
While these amounts can look like minor punishment for something as serious as a privacy breach, it is vital to understand that they can add up to large sums in no time. Each customer's personal data breach counts as a single violation. So, if a company breaches the data of 100 customers, that is considered 100 violations, and the company could have to pay up to $75,000 in fines.
California Consumer Privacy Act vs. GDPR
The differences between CCPA and GDPR are discussed below.
CCPA
- California Consumer Privacy Act compliance requires business entities operating within the state of California to adhere to a set of rules regarding the sharing, receiving, and selling of personal information of the residents of the state.
- Thresholds regarding annual revenue, the quantity of data acquired, what is done with the data, and the consumer's geographical location dictate whether the company has to adhere to these rules.
- The consumer has the right to access their data, correct faulty data, and delete data if they are no longer comfortable with the company sharing or selling it.
- The company can be fined up to $7,500 per violation if found guilty of intentional violations of the CCPA laws.
GDPR
- GDPR refers to a set of regulations that any member country of the European Union can incorporate into its national laws.
- These rules apply to companies whose products or services are actively circulated within any EU member country, irrespective of their physical presence within the EU.
- The consumer has the right to rectify, erase, or restrict the use of the data acquired by a business.
- A violation of the GDPR could result in a fine of about 4% of annual turnover or 20 million euros.