For any business needing to comply with data privacy laws, the California Consumer Privacy Act (CCPA) cannot be ignored.
After becoming the first state to enshrine privacy as an inalienable right in its constitution in 1972, California led the nation again on January 1, 2020, when the CCPA took effect as the first comprehensive state consumer data-privacy law, giving residents enforceable rights over their personal information.
But what does the CCPA demand, and how do its provisions impact your business? We’ll cover all this and more in the following guide.
What Is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a law within the state of California that protects and enforces consumer privacy rights for state residents. It grants them greater control over their personal data and regulates how businesses collect and use it.
The law took effect on January 1, 2020, and businesses must be compliant to avoid consequences such as hefty fines, legal action, and reputational damage.
Consumer data is a valuable tool for modern businesses, particularly for marketers who use it to understand customer needs, personalize and target marketing efforts, and make data-driven decisions. But with this comes a great deal of responsibility, including obligations to handle consumers’ personal information ethically and transparently.
Laws such as the CCPA provide essential guidelines for businesses, helping them to build trust with consumers by ensuring responsible data practices.
Is the CCPA Different from the CPRA?
The California Privacy Rights Act (CPRA) amended and expanded the CCPA. Voters passed it in November 2020, but most of its provisions did not take effect until January 1, 2023. Essentially, it built on the CCPA to strengthen privacy protections and make compliance more rigorous, introducing enhancements such as:
- Expanded definitions: The CPRA introduced “sensitive personal information” (SPI) as a separate category requiring additional protections and expanded the definition of “sharing” data.
- New privacy rights for consumers: It added the right to correct inaccurate PI and the right to limit the use or disclosure of sensitive information.
- Stronger business obligations: The amendment requires businesses to minimize data collection, limit retention, and use personal information only for the purposes they disclosed. It also expanded opt-out rights to cover “sharing” for cross-context behavioral advertising and directed the new agency to issue regulations on opt-out rights for automated decision-making technology.
- Tougher enforcement: The law established the California Privacy Protection Agency (CPPA) to enforce California privacy regulations in addition to the Attorney General.
Who Falls Under the CCPA’s Protection?
As mentioned, the CCPA protects the residents of California, who are known as consumers under the law. But who exactly counts as a consumer? The term is defined as:
- An individual currently in the state for a purpose that is not temporary or transitory
- A person who is domiciled in California but temporarily outside of the state, for instance, while on a vacation or business trip
A common misconception is that someone is protected simply because they are physically located in the state when their data is collected, but this is not the case. Individuals must meet the above definition of a California resident.
So, to put it simply, the CCPA protects the personal information of Californian residents only, even when they are temporarily outside of the state.
Understanding Which Businesses the CCPA Applies to
Must your company comply with the CCPA? It all depends on what kind of data you collect and how your organization operates. The law applies to for-profit businesses that do business in California and collect personal information from the state’s residents. In addition to this broad criterion, an applicable business must meet at least one of the following thresholds:
- Have gross annual revenue of over $25 million (adjusted for inflation; $25,625,000 as of January 1, 2023)
- Buy, sell, or share the personal information of 100,000 or more California residents or households per year
- Derive 50% or more of annual revenue from selling or sharing California residents’ personal information
But a business doesn’t strictly have to be located within California for the CCPA to apply to it. It’s enough to merely do business in the state (including offering goods or services to California residents or monitoring their behavior online) and meet at least one of the conditions listed above.
Furthermore, if your business shares common branding, such as a name, service mark, or trademark, with another company that meets any of the criteria above, it must also comply with the CCPA.
This significantly broadens the law’s reach, especially when it comes to ecommerce, digital services, and online advertisers.
What Is Personal Information, as Defined Under the CCPA?
You may already have a general idea of what is meant by “personal data,” but this phrase can be interpreted in different ways by various people. So, to provide clarity and consistent enforcement, the CCPA’s definition of the term is clear.
Personal information (or personal data) is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
To demonstrate, here are some specific examples of personal information provided by CCPA guidelines:
- Identifiers: Real name, alias, postal address, email address, phone number, passport number, etc.
- Biometric information: Fingerprints, facial recognition data, voice recordings, retina scans, etc.
- Geolocation data: Precise physical location
- Internet activity: Browser or search history, and interactions with a website or application
- Educational or professional information: Job history, employer details, etc.
- Financial details: Bank account information, credit or debit card numbers, etc.
Use of cookies is also an area of concern, as cookie values are classed as unique identifiers and therefore fall under the category of personal information protected by the CCPA. This covers first-party cookies (set by the website you are visiting) and third-party cookies (set by external platforms such as ad networks and embedded widgets) alike, and it applies whether a cookie is deleted when the browser closes (a session cookie) or persists with an expiry date (a persistent cookie).
Learn more about what the CCPA has to say on this matter in our guide to CCPA cookie consent.
Key Rights and Protections Provided by the CCPA
The CCPA protects users’ data privacy by providing them with a set of specific rights when it comes to the collection, storage, and handling of their personal information. These rights include the ability to question how their data is being used and request corrections or changes.
The law specifically outlines that consumers have the right to:
- Opt out of the sale or sharing of their personal information with third parties
- Restrict how their personal information is used or disclosed
- Ask for their personal data to be deleted, with some exceptions depending on context
- Access the PI that a business holds about them, along with the reasons it was collected and the categories of third parties with whom it has been shared (right to know)
- Request corrections to any personal information that’s inaccurate or incomplete
- Be treated fairly and not face discrimination for choosing to exercise any of these rights
CCPA vs GDPR: What’s the Difference?
The General Data Protection Regulation (GDPR) is the EU’s answer to protecting personal data. It was adopted in 2016 and has applied since May 25, 2018.
In many ways, the two regimes are very similar, with both aiming to safeguard people’s personal information. Both give individuals the right to know what data is held about them, to access it, to have it corrected if it is inaccurate, to have it deleted on request, and to receive it in a portable format. Both also restrict certain processing at the individual’s request: the GDPR through its rights to object and to restrict processing, the CCPA through opt-outs from sale and sharing and limits on the use of sensitive personal information. And both regimes require that affected individuals be notified of a data breach, the GDPR directly and California through its separate breach-notification statute, which the CCPA’s private right of action builds on.
Though their overarching aim is much the same, they have many notable differences, particularly in their scope, terminology, and enforcement.
So, how does the GDPR compare to the CCPA?
| | CCPA | GDPR |
|---|---|---|
| Applies to | Businesses handling the personal data of California residents | Organizations processing the data of individuals in the EU, regardless of where the organization is located |
| Protected individuals | California residents (consumers) | All individuals in the EU (data subjects) |
| Scope | For-profit businesses meeting specific revenue or data thresholds | Any entity (public or private) that processes personal data |
| Legal basis for processing | No legal basis required; focuses on notice and opt-outs | Requires a lawful basis (e.g. consent, contract, legal obligation) |
| Individual rights | Right to know/confirm, access, correct, delete, portability, opt out of sale/sharing, limit sensitive data processing, opt out of automated decision-making/profiling | Right to be informed, access, rectification, erasure, restrict processing, portability, object, rights associated with automated decision-making/profiling |
| Opt-in vs opt-out | Mainly opt-out (e.g. sale or sharing of personal data) | Mainly opt-in (e.g. consent must be given explicitly) |
| Enforcement body | California Attorney General and California Privacy Protection Agency (CPPA) | National data protection authorities (e.g. the CNIL in France or the Data Protection Commission in Ireland) |
| Penalties | Up to $2,500 per violation; up to $7,500 per intentional violation or violation involving a minor’s data | Up to €20 million or 4% of global annual turnover, whichever is higher |
How to Comply With the CCPA: Strategies and Guidance
Map and Classify Your Data
Step one is always to know exactly what data you’re currently collecting and using as well as where it’s being stored. This includes both external information from consumers outside of the company and internal data from employees or job applicants within.
Once you have a clear idea of how you’re currently handling personal information, you can begin to assess whether your practices align with CCPA requirements, identify any gaps, and take steps to organize and catalog the data for better access and protection.
Update Your Privacy Policy
A key part of CCPA compliance involves transparency, and that starts with your privacy policy. This document should outline how you stay compliant with the CCPA, including:
- What CCPA rights consumers have and how to exercise them
- An annually updated list of the categories of personal information you collect, sell, or disclose, including your cookie usage
- The sources from which you collect personal data
- Your purposes for collecting, selling, or sharing personal information
- Categories of third parties to whom you disclose personal information
This document helps you build trust with your consumers and stay accountable.
Inform Consumers About Data Collection
Businesses should notify consumers at or, even better, before the point of data collection, letting them know what personal information is being gathered and for what purpose. Whether you’re collecting data via a website form, app, or in-person interaction, this “notice at collection” ensures that consumers can make informed choices about their own information.
Establish a Process for Handling Consumer Requests
Because many of the CCPA’s protections include giving consumers the right to access and change their data, businesses must have an effective and timely process in place to handle these requests. This means ensuring that internal teams are trained to respond promptly and appropriately and to track and document each request in order to demonstrate accountability if needed.
Manage Consent
Under the CCPA, you have to honor consumers’ requests to opt out of the sale or sharing of their data and limit the use of their sensitive personal information. That means you need to manage consent.
When a consumer submits an opt-out request, the CPPA regulations require you to act on it as soon as feasibly possible and no later than 15 business days after receiving it. In many digital environments it won’t be possible to adjust the trackers and tags associated with one individual by hand, or to reclaim data that has already been shared with an external party. Consent management platforms (CMPs) let you automatically honor consumers’ preferences in line with the CCPA and other global privacy laws.
Crucially, they also help you honor universal opt-out preference signals such as the Global Privacy Control (GPC). Browsers and browser extensions send these signals so consumers don’t have to interact with a banner on every site they visit, but your website must be able to detect and process them to comply with California law, which treats a valid opt-out preference signal as an opt-out request.
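As an added illustration of what “accept and process those signals” means on the server (this is example code, not Osano’s or any CMP vendor’s implementation), the block below reads the `Sec-GPC: 1` request header defined by the GPC specification, combines it with an opt-out cookie and a stored preference, and uses the result to gate the tags that sell or share personal information. It implements the precedence rule from the CPPA regulations that a GPC signal is honored even when it conflicts with an earlier opt-in, while recording the conflict so the page can tell the consumer. The cookie name `ccpa_opt_out`, the tag list, and the sample requests are constructed for the example.

```javascript
// Added example (not Osano's or a CMP vendor's code): server-side handling of an
// opt-out of sale/sharing that combines the Global Privacy Control (GPC) signal
// with a stored preference, then gates third-party tags on the result.
// The cookie name, tag list and sample requests below are hypothetical.

const OPT_OUT_COOKIE = "ccpa_opt_out"; // hypothetical first-party cookie set by our own "Do Not Sell or Share" link

// Tags the site would normally load; the flag marks those that sell or share
// personal information (ad networks, retargeting). Constructed for this example.
const TAGS = [
  { name: "first-party-analytics", sharesPersonalInfo: false },
  { name: "ad-network-pixel", sharesPersonalInfo: true },
  { name: "retargeting-tag", sharesPersonalInfo: true },
];

// Lower-case header names so lookups work whether or not the framework normalised them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Minimal Cookie-header parser, enough for "a=1; b=2".
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// The GPC spec's request header is "Sec-GPC: 1"; any other value is not an opt-out signal.
function hasGpcSignal(headers) {
  const v = normalizeHeaders(headers)["sec-gpc"];
  return typeof v === "string" && v.trim() === "1";
}

// Decide whether this request must be treated as opted out of sale/sharing.
// storedPreference is what our own records say: "opt-out", "opt-in", or null.
// Rule: a GPC signal is itself a valid opt-out request and overrides an earlier
// opt-in; the conflict is reported so the page can notify the consumer.
function resolveOptOut(headers, storedPreference = null) {
  const h = normalizeHeaders(headers);
  if (hasGpcSignal(h)) {
    return { optedOut: true, source: "gpc", conflict: storedPreference === "opt-in" };
  }
  if (parseCookies(h["cookie"])[OPT_OUT_COOKIE] === "1") {
    return { optedOut: true, source: "cookie", conflict: false };
  }
  if (storedPreference === "opt-out") {
    return { optedOut: true, source: "stored", conflict: false };
  }
  return { optedOut: false, source: "none", conflict: false };
}

// For an opted-out visitor, only tags that do not sell/share may load.
function tagsToLoad(decision, tags = TAGS) {
  return tags.filter((t) => !(decision.optedOut && t.sharesPersonalInfo)).map((t) => t.name);
}

// Constructed sample requests, as a web framework would present their headers.
const SAMPLE_REQUESTS = {
  gpcBrowser: { "Sec-GPC": "1", Cookie: "session=abc" },       // GPC on, user previously opted in
  optOutCookie: { cookie: `session=abc; ${OPT_OUT_COOKIE}=1` }, // clicked our opt-out link earlier
  plain: { cookie: "session=abc" },                              // no signal, no preference
};

// Run every sample through the decision and return what each would load.
function demo() {
  const results = {};
  for (const [label, headers] of Object.entries(SAMPLE_REQUESTS)) {
    const stored = label === "gpcBrowser" ? "opt-in" : null;
    const decision = resolveOptOut(headers, stored);
    results[label] = { ...decision, tags: tagsToLoad(decision) };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The same signal is exposed to page scripts as `navigator.globalPrivacyControl` (true when the user has turned GPC on), so a client-side tag manager can apply the same gate before it injects any sharing tag; the server-side check above matters because it also covers requests that never run your JavaScript.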
Adopt a Data Minimization Approach
Compliance is a lot easier if you limit the amount of PI collected in the first place to only what’s needed. By developing and adopting a data minimization strategy, you reduce the risk of misuse, privacy breaches, and unnecessary storage costs. Carefully evaluate which information is essential for your business objectives, and avoid collecting anything beyond that.
Additionally, implement retention policies to delete data once it’s no longer needed. Not only does this align with the CCPA’s requirements, but it also builds trust by showing that you respect and protect consumer privacy.
Train Your Teams
It takes the collective effort of all employees, not just a designated officer, to ensure that your business meets CCPA requirements. So, a key aspect of achieving compliance is making sure every team member understands the obligations under the law and how these impact their day-to-day activities.
Building this awareness shouldn’t be a one-off exercise; Instead, foster an ongoing culture of data privacy by offering regular updates through dedicated training sessions, internal comms, and accessible resources, such as webinars. These enable staff to uphold best practices as the CCPA regulations evolve.
Stay Informed on Regulation Updates
Laws and regulations often undergo changes and amendments, and the CCPA is no exception. As a result, it’s essential to stay on the ball when it comes to developments so you don’t risk accidental non-compliance in the future.
Make sure your team keeps a close eye on updates, maybe tasking someone specific with this responsibility, and consider subscribing to regulatory alerts to ensure your approach stays proactive and up to date.
CCPA Enforcement: What are the Penalties for Not Complying?
Failing to comply with the CCPA has some serious consequences. Not only can it significantly damage your reputation as a business, it can come with some hefty fines. Whether through accidental oversight or intentional misuse of personal information, companies that don’t follow the law face enforcement action from regulatory bodies and, in some cases, legal claims from consumers.
The California Attorney General and, since the CPRA, the California Privacy Protection Agency (CPPA) can seek fines of up to $2,500 per violation or $7,500 per intentional violation (or per violation involving the data of a minor). Importantly, each affected consumer may be counted as a separate violation, so fines can quickly reach the six- or seven-figure range.
Consumers also have a private right of action when certain categories of nonencrypted and nonredacted personal information are exposed in a data breach caused by a failure to maintain reasonable security. In these cases, they can claim statutory damages of $100 to $750 per consumer per incident, or actual damages if those are greater.
In the past, companies were afforded a 30-day “cure period” to fix their violation and avoid the fines. However, this is no longer a guaranteed right since the introduction of the CPRA. Now, the CPPA and Attorney General can take immediate action.
But penalties don’t only come in the form of fines. Unfortunately, non-compliance can erode consumer trust and cause the most damage to your brand’s credibility.
Want to defend yourself? The best way is a proactive, well-documented compliance strategy that demonstrates your commitment to protecting people’s PI.
Want more advice on how to stay on top of your CCPA obligation? Discover our CCPA compliance checklist
CCPA Compliance, Handled
Navigating the CCPA doesn’t have to be complicated. Osano makes compliance simple with tools that automate your privacy compliance processes, including consent management, data mapping, DSAR workflows, privacy impact assessments, and more.
Osano helps you build consumer trust while staying on the right side of the law. Think of us as your privacy partner—always in your corner and always up to speed.
Ready to make compliance easy?
Try Osano today and take the stress out of CCPA compliance.