Skip to main content

California Consumer Privacy Act

What Is the California Consumer Privacy Act? 

The California Consumer Privacy Act of 2018, or CCPA, is a California data privacy law. This California law gives consumers in the state more control over how their personal data is collected and used by businesses. 

Under the CCPA, Californians have a right to:

  • Know what data businesses collect about them and how it’s used/shared. 
  • Delete data collected about them (with some exceptions).
  • Opt out of the sharing/sale of their personal information to third parties. 
  • Not be discriminated against for exercising their rights under the CCPA.
  • Correct inaccurate information that a business has about them.
  • Limit how businesses use/disclose the sensitive personal information collected about them.

Passed by the California legislature in 2018, the CCPA came into effect on January 1, 2020. 

In 2023, the CCPA was amended by Proposition 24 or the California Privacy Rights Act (CPRA). The CPRA introduced more requirements for businesses (like limited data retention) and consumer privacy rights (including the last two points in the list above). 

California voters approved the amendment in November 2020, and it took effect on January 1, 2023. It applies to consumer data collected on or after January 1, 2022. 

Under the CCPA, consumers also have the right to know that their personal data is being collected (with a privacy notice either before or during data collection), what data is being collected, and what the business intends to do with that data. 

Third-party definition 

The California Consumer Privacy Act (CCPA) is a state-level privacy law for California, which comes into effect in 2020. The law, which is the first state-level privacy law passed in the US, applies to all businesses that collect personal data from Californians. The CCPA mirrors the requirements of the GDPR in many ways, such as establishing the right of users to access personal data and request deletion. – Progress

Who Does the CCPA Apply to?

The CCPA applies to all California residents, i.e., natural persons residing in the state. 

What Businesses Are Subject to the CCPA?

The CCPA applies to for-profit businesses trading within California that meet certain conditions/thresholds, for example, have annual gross revenues of $25+ million. 

Data brokers are also subject to the CCPA, meaning they have to make it clear how consumers can submit requests under the law. 

That said, in 2023, a new law, Delete Act (Senate Bill 362), was passed in California, amending how existing laws in the state of California regulate data brokers and giving Californians the right to delete all personal data collected by brokers registered with the state with a single click from 2026 onward. 

Definition of Personal Information Under the CCPA

Consumers’ personal information is any data that identifies or relates to you or could be linked to you/your household. For example, information such as names, email addresses, internet browsing history, and inferences from other personal information

Sensitive personal information of consumers is defined as a subset of personal information. It includes data like government identifiers (for example, social security number, passport number, or driver’s license number), precise geolocation data, genetic data, biometric information processed for consumer identification, religious or philosophical beliefs, and sexual orientation, among others. 

Publicly available information (like government records) is not treated as personal information under the CCPA. Certain types of additional information, like certain health information and aggregate/de-identified information (data that can’t be linked to a particular consumer), are also not treated as personal information. 

Right to Opt-Out 

Under the CCPA, businesses must have a “Do Not Sell My Personal Information” link on their homepage or some other web page link on their website. 

If you can’t find this link on a business’s website, review its privacy policy (which will also list the business’s privacy practices in general) to see if it sells/shares your data and if the opt-out link is included there.  

If you cannot find a way to send an opt-out request, you can report the business to the Attorney General’s office

Businesses cannot ask you to create an account to opt-out of the sale of your personal information, nor should they request you to verify your identity (although they are permitted to ask basic questions to determine which personal data is linked to you).

For minors, the “right to opt-in” applies instead. Consumers between 13 and 16 years of age must give businesses authorization to sell their personal information. For children under the age of 13, parents/guardians must authorize the sale of personal information. 

Right to Know 

You can request a business to let you know what information they have collected/used/sold/shared about you and why through a designated method, like a toll-free telephone number, email address, or online form.

If you can’t find a business’ methods, check its online privacy policy. 

You can ask the business to know the categories of personal information it collects about you as well as specific pieces of personal information, the categories of sources from which the information came from, why this information was collected, the categories of third parties with whom this data was shared, the categories of information the business disclosed to third parties. 

Right to Delete

You can ask a business and its service providers to delete your personal information through a designated method, which should be outlined in its privacy policy. 

Right to Correct

If a business has inaccurate information about you, you can request that it correct it through a designated method, which should be outlined in its privacy policy. 

Right to Limit

You can ask a business to use your sensitive personal information only in limited cases, such as providing services. 

Denied Requests 

If a business denies your request, you can send it a follow-up and ask why. 

Under the CCPA, some exceptions allow a business to refuse consumer requests, like if they can’t verify your request or if the information is exempt from the CCPA.

Suing a Business Under the CCPA

Consumers can only sue a business under the CCPA if their non redacted or non encrypted personal information was stolen in a data security breach due to the business reasonably failing to protect it appropriately. 

Note that there are specifications as to what personal information had to be stolen for you to be able to sue the business that experienced a data breach. 

Otherwise, consumers can file a complaint with the California Attorney General’s office or the California Privacy Protection Agency, which can take action against non-compliant businesses.