Why It Matters
The CCPA (as amended by the CPRA in 2023) is the most comprehensive privacy law in the United States and has inspired similar legislation in over a dozen other states. Unlike GDPR, which applies based on the data subject's location, CCPA applies based on the business's relationship with California consumers. With California's economy being the 5th largest in the world, most large businesses must comply.
Consumer Rights
California residents have the right to:
- Right to know — what personal information a business collects, uses, and shares
- Right to delete — request deletion of personal information
- Right to opt out — of the sale or sharing of personal information
- Right to correct — inaccurate personal information (added by CPRA)
- Right to limit — use and disclosure of sensitive personal information (added by CPRA)
- Right to non-discrimination — businesses cannot deny services or charge more for exercising rights
- Right to data portability — receive personal information in a portable format
Who Must Comply
Businesses that meet any one of these thresholds:
- Annual gross revenue exceeding $25 million
- Buy, sell, or share personal information of 100,000+ consumers or households per year
- Derive 50% or more of annual revenue from selling or sharing consumer personal information
CCPA vs GDPR
| Aspect | CCPA/CPRA | GDPR |
|---|---|---|
| Scope | Businesses meeting thresholds + California consumers | Any organization processing EU data |
| Legal basis | Opt-out model (process until consumer says stop) | Opt-in model (need legal basis before processing) |
| Consent | Required for minors; opt-out for adults | Required as one of six legal bases |
| Sensitive data | Right to limit use | Processing generally prohibited without explicit consent |
| Enforcement | CPPA + private right of action for breaches | National DPAs |
| Penalties | $2,500–$7,500 per violation | Up to €20M or 4% of turnover |
Penalties
- $2,500 per unintentional violation
- $7,500 per intentional violation or violations involving minors
- Private right of action for data breaches: $100–$750 per consumer per incident
- Enforced by the California Privacy Protection Agency (CPPA) since July 2023
Key Regulation
- California Civil Code §§ 1798.100–1798.199.100 — CCPA/CPRA text
- CPRA — California Privacy Rights Act (amended CCPA, effective January 2023)
- CPPA regulations — implementing rules by the enforcement agency