What is CCPA/CPRA? California Privacy Law Explained

CCPA (California Consumer Privacy Act)

The California Consumer Privacy Act, as amended by the CPRA, is a comprehensive US state privacy law that grants California residents rights over their personal information, including the right to know, delete, opt out of sale, and non-discrimination. It applies to businesses meeting revenue, data volume, or data sale thresholds.

CCPA

CPRA

California

US privacy

consumer rights

Why It Matters

The CCPA (as amended by the CPRA in 2023) is the most comprehensive privacy law in the United States and has inspired similar legislation in over a dozen other states. Unlike GDPR, which applies based on the data subject's location, CCPA applies based on the business's relationship with California consumers. With California's economy being the 5th largest in the world, most large businesses must comply.

Consumer Rights

California residents have the right to:

Right to know — what personal information a business collects, uses, and shares
Right to delete — request deletion of personal information
Right to opt out — of the sale or sharing of personal information
Right to correct — inaccurate personal information (added by CPRA)
Right to limit — use and disclosure of sensitive personal information (added by CPRA)
Right to non-discrimination — businesses cannot deny services or charge more for exercising rights
Right to data portability — receive personal information in a portable format

Who Must Comply

Businesses that meet any one of these thresholds:

Annual gross revenue exceeding $25 million
Buy, sell, or share personal information of 100,000+ consumers or households per year
Derive 50% or more of annual revenue from selling or sharing consumer personal information

CCPA vs GDPR

Aspect	CCPA/CPRA	GDPR
Scope	Businesses meeting thresholds + California consumers	Any organization processing EU data
Legal basis	Opt-out model (process until consumer says stop)	Opt-in model (need legal basis before processing)
Consent	Required for minors; opt-out for adults	Required as one of six legal bases
Sensitive data	Right to limit use	Processing generally prohibited without explicit consent
Enforcement	CPPA + private right of action for breaches	National DPAs
Penalties	$2,500–$7,500 per violation	Up to €20M or 4% of turnover

Penalties

$2,500 per unintentional violation
$7,500 per intentional violation or violations involving minors
Private right of action for data breaches: $100–$750 per consumer per incident
Enforced by the California Privacy Protection Agency (CPPA) since July 2023

Key Regulation

California Civil Code §§ 1798.100–1798.199.100 — CCPA/CPRA text
CPRA — California Privacy Rights Act (amended CCPA, effective January 2023)
CPPA regulations — implementing rules by the enforcement agency

CCPA (California Consumer Privacy Act)

Why It Matters

Consumer Rights

Who Must Comply

CCPA vs GDPR

Penalties

Key Regulation

GDPR (General Data Protection Regulation)

Personal Data

Consent (GDPR)

Right to Erasure (Right to Be Forgotten)

Data Minimization

Want to learn more?

CCPA (California Consumer Privacy Act)

Why It Matters

Consumer Rights

Who Must Comply

CCPA vs GDPR

Penalties

Key Regulation

GDPR (General Data Protection Regulation)

Personal Data

Consent (GDPR)

Right to Erasure (Right to Be Forgotten)

Data Minimization

Want to learn more?