California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a privacy law that grants California residents greater control over how businesses collect, use, and share their personal information. Enacted in 2018 and effective as of January 1, 2020, the CCPA marked a major shift in U.S. privacy regulation.


The law was introduced in response to growing concerns about large-scale data collection, lack of transparency, and increasing data breaches in the digital economy. It provides consumers with enforceable rights over their personal data and imposes obligations on businesses to handle that data responsibly.


The CCPA has since been expanded by the California Privacy Rights Act (CPRA), which enhances consumer protections and strengthens compliance requirements.

Scope and Applicability

The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following criteria:


  • Generate more than $25 million in annual gross revenue; or

  • Buy, receive, sell, or share the personal information of 100,000 or more consumers or households annually; or

  • Derive 50% or more of their annual revenue from selling or sharing personal information.


The law applies regardless of where the business is located, provided it meets these thresholds and processes the personal data of California residents.


CCPA obligations also extend to:

  • Service providers

  • Contractors

  • Third parties that process personal data on behalf of a business.

Definition of Personal Information

Under the CCPA, personal information is broadly defined as any information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household.


Examples include:

  • Names and contact details

  • Email addresses

  • IP addresses

  • Device identifiers

  • Geolocation data

  • Purchase history

  • Internet activity (e.g., browsing behavior)

  • Financial information


This broad definition reflects the realities of modern digital tracking and data collection.

Key Consumer Rights Under the CCPA

The CCPA grants California residents several important rights over their personal information.


1. Right to Know

Consumers have the right to request that businesses disclose:


  • Categories of personal information collected

  • Specific pieces of personal information held

  • Sources of the data

  • Business or commercial purposes for collection

  • Categories of third parties with whom data is shared


2. Right to Delete

Consumers can request that businesses delete personal information collected from them, subject to certain legal exceptions.


Businesses must also instruct service providers and contractors to delete the data where applicable.


3. Right to Opt-Out of Sale and Sharing

Consumers have the right to opt out of:


  • The sale of their personal information

  • The sharing of personal information for cross-context behavioral advertising


Businesses must provide a clear and accessible “Do Not Sell or Share My Personal Information” mechanism.


4. Right to Non-Discrimination

Businesses may not discriminate against consumers for exercising their CCPA rights. This includes:


  • Charging different prices

  • Denying goods or services

  • Providing a lower level of service


However, certain financial incentive programs are permitted if they are transparently disclosed and compliant.


5. Additional Rights Introduced by CPRA

The California Privacy Rights Act (CPRA), which amends the CCPA, introduces additional rights, including:


  • The right to correct inaccurate personal information

  • The right to limit the use and disclosure of sensitive personal information


These enhancements significantly expand the original scope of the CCPA.

Business Obligations Under the CCPA

Organizations subject to the CCPA must implement several key compliance measures.


1. Notice at Collection

Businesses must provide notice at or before collecting personal information, including:


  • Categories of data collected

  • Purposes for collection

  • Whether the data will be sold or shared


This is typically provided through a “notice at collection” and a privacy policy.


2. Privacy Policy Requirements

Businesses must maintain a clear, accessible, and up-to-date privacy policy that includes:


  • Description of consumer rights

  • Instructions on how to exercise those rights

  • Categories of personal information collected, used, sold, or shared

  • Retention practices or criteria used to determine retention


Privacy policies must be reviewed and updated at least every 12 months.


3. Consumer Request Handling

Businesses must establish processes to:


  • Receive and verify consumer requests

  • Respond within 45 days (with limited extensions)

  • Deliver requested data securely

Organizations must also maintain records of requests and responses, particularly if handling large volumes of data.


4. Methods for Submitting Requests

Businesses must provide at least two methods for consumers to submit requests, such as:


  • A web form

  • A toll-free telephone number


If the business operates online, it must include a clear opt-out link for selling or sharing personal information.


5. Data Security Requirements

Businesses must implement reasonable security procedures and practices appropriate to the nature of the data. This includes protecting:


  • Web applications

  • APIs

  • Databases

  • Client-side applications and browser environments

  • Third-party integrations


Failure to implement adequate security measures may result in liability, especially in the event of a data breach.


6. Third-Party and Service Provider Management

Businesses must establish contracts with:


  • Service providers

  • Contractors

  • Third parties


These contracts must restrict how personal information is:


  • Used

  • Retained

  • Disclosed


Businesses remain responsible for ensuring that third parties process data in compliance with the law.


7. Recordkeeping and Accountability

Businesses handling large volumes of personal data must:


  • Maintain records of consumer requests and responses for at least 24 months

  • Be able to demonstrate compliance with the CCPA


This supports regulatory audits and enforcement actions.

Technical and Security Considerations

CCPA compliance requires organizations to address modern security risks across the entire data ecosystem.


Personal information may be exposed through:



Organizations must implement comprehensive application security strategies to protect personal data throughout its lifecycle—from collection to storage and processing.

Relationship Between CCPA and CPRA

The California Privacy Rights Act (CPRA), effective January 1, 2023, significantly expands the CCPA by:


  • Introducing Sensitive Personal Information protections

  • Expanding opt-out rights to include data sharing

  • Adding the right to correct personal information

  • Strengthening data minimization and retention requirements

  • Creating the California Privacy Protection Agency (CPPA)

  • Enhancing enforcement and compliance obligations


Together, the CCPA and CPRA form a more comprehensive privacy framework for California.

Conclusion

The California Consumer Privacy Act (CCPA) represents a foundational shift in U.S. privacy law, empowering consumers and holding businesses accountable for how personal data is handled.


With the enhancements introduced by CPRA, organizations must adopt comprehensive legal, operational, and technical measures to ensure compliance.


By implementing strong privacy and security practices, businesses can not only meet regulatory requirements but also build trust, improve resilience, and responsibly manage personal data in the modern digital landscape.

How Jscrambler can help you

Gain visibility and control of all code running on the client-side.
