Skip to main content


What Is the CCPA? 

The CCPA stands for California Consumer Privacy Act. This California data privacy law gives consumers in the state more rights about how businesses collect and use their data. 

The CCPA was amended by the California Privacy Rights Act (CPRA), passed by California voters in 2020. 

The CCPA outlines consumer privacy rights for Californians, including the right to know what information a business has collected about them, the right to correct any inaccurate data, and the right to delete their personal information (with some exceptions). Californians can also opt out of information sharing and selling and limit how their sensitive information is used and disclosed.

    The CCPA applies to for-profit businesses that meet certain conditions and thresholds, for example, have annual gross revenues of more than $25 million. It also applies to data brokers – companies that collect, aggregate, and sell your information to third parties. The CCPA does not typically apply to government agencies and nonprofits. 

    Some have called The CCPA “California GDPR” after the European General Data Protection Regulation. However, while there are some similarities between the two laws, they are also vastly different. 

    Third-party definition

    The California Consumer Protection Act (CCPA) was signed into law on June 28, 2018, making it the first state-level privacy law in the US. The CCPA applies to businesses that collect California residents’ personal information. Later, in 2020, California passed the California Privacy Rights Act (CPRA), which amends the CCPA by adding additional protections, obligations, and clarifications. – Osano

    CCPA Consumer Rights

    The CCPA outlines the following consumer privacy rights for Californians: 

    • Right to know. You can request a business to tell you the specific pieces/categories of personal information they’ve collected about you, the categories of sources for that information, how they’re using that information, what categories of third parties they disclose that information to, and what categories of information they disclose/sell to third parties. 
    • Right to delete. You can request a business to delete the personal information they’ve collected from you and tell their service providers to delete it. Note that there are some exceptions to this right. 
    • Right to opt out of the sale/sharing. You can request a business to stop selling or sharing your personal data through a “do not sell my personal information” link on their homepage, some other web page, or a privacy policy. Businesses have to honor consumer requests to opt-out of the sale of their personal information and can’t share/sell it until you opt-in again. 
    • Right to correct. You can request a business to amend inaccurate information they have on you.
    • Right to limit the use and disclosure of sensitive information. You can request businesses to use your sensitive personal information, like your Social Security number, for limited reasons. 

    Definition of Personal Information Under the CCPA

    Under the CCPA, a consumer’s personal information includes (but is not limited to) name, email address, telephone number, IP address, Social Security number, geolocation data, driver’s license number, biometric information, commercial information like products/services bought, and inferences from other personal data. 

    Sensitive personal information is government identifiers, debit/credit card numbers, precise geolocation, genetic data, and sexual orientation, among others. 

    Publicly available information and certain kinds of additional information (like certain medical information or aggregate/de-identified consumer information) are not considered personal information under this California law. 

    CCPA and Consumer Discrimination  

    A business can’t discriminate against consumers in the state of California who exercise their rights under the CCPA. In other words, they can’t charge different prices for products, deny products/services, or provide a different level of quality. 

    However, businesses can give consumers discounts and deals for collecting, keeping, and selling personal data, but only if the financial incentive they provide is of reasonably similar value to your personal information. 

    CCPA Violations and Consumer Rights 

    The CCPA’s private right of action lets consumers bring a private legal case against a company under specific circumstances. 

    If your non-redacted/non-encrypted personal information is stolen in a data breach because a business failed to protect it through reasonable security measures, you might be able to sue it. However, there are specifications as to what data had to be stolen. 

    It is up to the California Attorney General or the California Privacy Protection Agency to investigate other violations.