California Consumer Privacy Act (CCPA)
Stands for: California Consumer Privacy Act
The California state law (in force since 2020, expanded by the CPRA in 2023) granting consumers rights over the personal information businesses collect about them.
Definition
The **California Consumer Privacy Act (CCPA)** was enacted in 2018 and took effect on 1 January 2020, codified at California Civil Code sections 1798.100 et seq. It was substantially expanded by the California Privacy Rights Act (CPRA, Proposition 24, 2020), which fully took effect on 1 January 2023 and created the California Privacy Protection Agency (CPPA) as a dedicated regulator.

CCPA/CPRA gives California residents the right to know what personal information a business collects, the right to delete, the right to correct, the right to opt out of sale or sharing for cross-context behavioural advertising, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising any of those rights.

A business is in scope if it does business in California and meets one of three thresholds: it has annual gross revenue over 25 million USD, it buys or sells the personal information of 100,000 or more California consumers or households per year, or it derives 50 percent or more of annual revenue from selling or sharing personal information.
When you'll encounter it
You will encounter CCPA when your website or product reaches California consumers and you cross any of the three thresholds. Practical artefacts include the Do Not Sell or Share My Personal Information link, an opt-out signal handler (Global Privacy Control / GPC), a privacy notice with the 12 prescribed disclosures, and a verified consumer-request workflow.
FAQ
How does CCPA differ from GDPR?
CCPA is opt-out for sale and sharing, whereas GDPR generally requires an opt-in lawful basis. CCPA's definition of sale is broader than the everyday meaning and includes most sharing for monetary or other valuable consideration. CCPA also has narrower extraterritorial reach, covering California consumers rather than all of the United States.
What is the GPC signal?
Global Privacy Control is a browser-level header (Sec-GPC: 1) that the CPPA recognises as a valid universal opt-out signal. Businesses must honour it for California consumers. Several other state privacy laws now recognise GPC as well, making it the de facto US opt-out mechanism.
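A server-side handler for the signal described above, as an added example that is not part of the original page: it reads `Sec-GPC` from a request's headers, accepts only the exact value `1`, and uses the result to decide which third-party tags may load. The function names, the stored-preference record and the tag list are assumptions made for illustration.

```javascript
// Added example, not code from the original page. All names and data shapes are hypothetical.

// Collect a header's values, matching the name case-insensitively.
// `headers` is a plain object whose values are strings or arrays of strings.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const out = [];
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() !== wanted) continue;
    for (const v of Array.isArray(value) ? value : [value]) out.push(String(v).trim());
  }
  return out;
}

// Treat the signal as present only when every Sec-GPC value is exactly "1".
// "0", "true", an empty string or a merged "1, 0" all count as no signal.
function hasGpcSignal(headers) {
  const values = headerValues(headers, "Sec-GPC");
  return values.length > 0 && values.every((v) => v === "1");
}

// Combine the signal with a stored opt-out (hypothetical consent record).
// Design choice of this example: the signal is honoured on every request,
// without trying to work out where the visitor lives.
function saleSharingDecision(headers, storedPreference) {
  if (hasGpcSignal(headers)) return { allowSaleOrSharing: false, reason: "gpc-signal" };
  if (storedPreference && storedPreference.optedOut) {
    return { allowSaleOrSharing: false, reason: "stored-opt-out" };
  }
  return { allowSaleOrSharing: true, reason: "no-opt-out" };
}

// Keep only the third-party tags that may load under the decision.
// A tag marked `sellsOrShares` is dropped when sale/sharing is not allowed.
function tagsToLoad(decision, tags) {
  return tags.filter((t) => decision.allowSaleOrSharing || !t.sellsOrShares).map((t) => t.name);
}

// Constructed sample input.
const SAMPLE_TAGS = [
  { name: "first-party-analytics", sellsOrShares: false },
  { name: "ad-network-pixel", sellsOrShares: true },
];
const sampleHeaders = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
console.log(tagsToLoad(saleSharingDecision(sampleHeaders, null), SAMPLE_TAGS));
```

Logging the `reason` value alongside each decision gives an audit trail showing that the opt-out was applied because of the browser signal rather than a stored preference.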
Are there fines under CCPA?
Yes. Civil penalties can reach 7,500 USD per intentional violation and 2,500 USD per unintentional violation, plus a private right of action for certain data breaches that allows statutory damages between 100 and 750 USD per consumer per incident. The CPPA can pursue administrative enforcement directly without referral to the Attorney General.
References
- California Civil Code sections 1798.100 et seq. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5
- California Privacy Protection Agency (CPPA) https://cppa.ca.gov/
- California Office of the Attorney General CCPA portal https://oag.ca.gov/privacy/ccpa