What Is CCPA? California Privacy Laws and How They Protect Consumers

Find out how California privacy laws protect consumers and what businesses must do to comply.

The California Consumer Privacy Act (CCPA) protects California residents and their data when provided to companies. The legislation is a set of individual rights and business obligations to protect personal data. Signed into law in 2018, the CCPA went into effect on January 1, 2020.

Californians also approved a ballot measure, the California Privacy Rights Act (CPRA), that expands the CCPA with further protections for consumers.

If you live in California or collect data from California residents for your business, here’s what you need to know about the CCPA and how to comply.



What is CCPA?

Like the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) seeks to protect consumers’ personal data while giving businesses a set of standards to follow to ensure they are also working to protect the data they collect.

The CCPA protects individuals in California by giving them the following rights:

  • The right to know about the personal information collected by businesses
  • The right to delete personal information collected
  • The right to opt out of personal information being sold
  • The right to opt in to the sale of personal information
  • The right not to be discriminated against for opting out
  • The right to initiate a private cause of action for data breaches

The CCPA applies to businesses, as well as service providers or third parties that interact with the personal data of California consumers. The CPRA also adds contractors to the list of entities that need to comply. 

"Since its enactment, the scope of the CCPA’s consumer rights — particularly regarding 'sale' and 'sharing' of data — has broadened significantly," explains Liscah Isaboke, Managing Attorney at Isaboke Law Firm. "Regulators now view many common digital marketing activities (e.g., cross-context behavioral advertising) as a form of 'data sharing' requiring clear opt-out mechanisms."

Companies that don’t comply with the CCPA may be fined civil penalties up to $7,500 per intentional violation or $2,500 per unintentional violation. Companies do have 30 days to fix any alleged violation.

Consumers who directly sue a company for a data breach may be entitled to statutory damages, which are damages with pre-established amounts set by statute, up to $750 per incident or actual damages, whichever is greater.

What is the California Privacy Rights Act (CPRA)?

California voters passed the CPRA, an amendment to the CCPA intended to further protect consumers.

The CPRA adds two consumer rights to the CCPA:

  1. The right to correct inaccurate information
  2. The right to limit the use and disclosure of personal information

The CPRA also introduced a new category of personal data, known as sensitive personal information (SPI). As Isaboke further explains, "The CPRA introduced the concept of SPI, which includes geolocation, racial or ethnic origin, health data, and more. Mishandling SPI, such as collecting it without purpose limitation or failing to honor opt-out requests, can result in heightened regulatory scrutiny and enhanced statutory penalties, especially if minors’ SPI is involved."

Under the CPRA, sensitive personal information includes:

  • “Social Security, driver’s license numbers, state identification card, and passport numbers;
  • financial account, debit card, or credit card numbers in combination with required security or access codes, passwords, or credentials allowing access to an account;
  • account login in combination with required security or access codes, passwords, or credentials, allowing access to the account;
  • precise geolocation (i.e., information used or intended to be used to locate a consumer within a geographic area equal to or less than approximately 1/8 square mile);
  • information about racial or ethnic origin, religious beliefs, philosophical beliefs, or union membership;
  • contents of consumers’ mail, emails, or text messages, unless the business is the intended recipient of that information; and
  • genetic data;
  • the processing of biometric information for the purpose of uniquely identifying a consumer; and
  • information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation.”[1]

Personal data can include IP addresses

The CCPA includes IP addresses in the protected categories of personal information, but only if the IP address “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[2]

CPRA and dark patterns

One of the primary objectives of the CPRA is to limit the use of dark patterns that mislead consumers. "CPPA regulations prohibit interfaces that impair user autonomy — such as pre-checked boxes, confusing toggles, or excessive steps to opt out," explains William J. Roberts, a partner at Day Pitney LLP and Adjunct Professor of data privacy law at the University of Connecticut School of Law. "Regulators use consumer behavior analysis and design audits to assess compliance."

Dark patterns are a way of using the user interface or design to influence consumer behavior. Essentially, dark patterns are unethical UX tactics designed to deceive consumers into taking an action that benefits the business.

"[In 2024], the CPPA issued an enforcement advisory opinion on dark patterns," adds John Pavolotsky, a partner at Stoel Rives with a focus on data privacy and information security. "For example, requiring the consumer to unnecessarily wait on a webpage as the business processes the CCPA request may be in violation."

There are several different tactics considered dark patterns that can mislead consumers into opting for unknown products or services. One of those techniques is confirmshaming, which happens when a company offers you a discount or some other incentive in exchange for opting in.

Another common dark pattern is when a company requires you to input personal information to continue to its website. Requiring an email address or other personal information to access the website is called forced continuity. Another example is needing your credit card information for a free trial.

Companies employ various dark patterns to collect customers' personal information. The CCPA and CPRA limit these types of data collection to further protect consumers' data.

Businesses that sell consumer data must include a "Do Not Sell" link

If a business sells personal information, it must include a clear and obvious “Do Not Sell My Personal Information” link on its website. 

As Isaboke explains, "Many SMBs mistakenly assume that if they don't 'sell' data in the traditional sense, the law doesn’t apply to them. But under the CCPA (and even more so under CPRA), 'sharing' data for behavioral advertising or using certain analytics tools may still trigger compliance obligations. Businesses under the 100,000-consumer threshold can still fall within the CCPA’s scope if they engage in targeted marketing."

Clicking the "Do Not Sell" link should allow consumers to submit an opt-out request. Failure to include this clearly visible link can result in civil penalties.

What are CCPA regulations?

The CCPA is based on protecting consumers’ personal information. It defines personal information as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[3]

To ensure compliance with the CPRA and CCPA, businesses must understand the types of consumer data they collect. It is also crucial for a business to understand its privacy and cookie policies to ensure that both meet the necessary standards.

Once a business understands the data it collects, it should also examine how that information is transmitted and stored, as well as determine who has access to the data. "Privacy notices are not one-size-fits-all," Pavolotsky emphasizes. "Additionally, these notices need to be revisited at least annually. But, getting the notice right is only part of the compliance requirement. Equally important is ensuring that if a business sells or shares personal information, the opt outs function as intended, CCPA requests are honored, and so on. [...] Unless a privacy notice covers all collection and use of personal information from California consumers, who are not only online customers and visitors, but also offline customers and visitors, employees, contractors, and others, there will need to be additional notices for those individuals."

Finally, a business should document its processes for responding to consumer requests for information and its plan for handling a data breach.

California consumers who believe their data privacy has been jeopardized can submit a complaint to the California Attorney General’s office.

CCPA and data brokers

Data brokers are also covered by the CCPA. Data brokers collect personal information and sell that data to other companies. Data brokers and people search sites aggregate public records to create digital profiles of you that they can share or sell.

The CCPA requires these data brokers to register with the Attorney General. The Attorney General publishes a database of brokers to help consumers exercise their rights under the CCPA. Residents can find contact information for the data brokers on the California Data Broker Registry.

Isaboke advises that "[b]usinesses should maintain data maps of what’s collected, how it’s used, and where it’s shared." Additionally, businesses need "records of consumer requests and response timelines, training logs for staff handling data, vendor contracts with CCPA-specific data processing terms, and version history of privacy policies and notices."

Who needs to comply with California data privacy law?

These privacy regulations apply only to California residents. The CCPA defines a California resident as a person, not a business or corporation, who resides in the state of California. Residents who are temporarily out of the state are also protected.

The CCPA regulations apply to any for-profit companies that do business in California and meet any of the following criteria:

  • “Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.”[4]

How to comply with the CCPA

For businesses to comply with the CCPA, they must protect the rights of consumers outlined in the CCPA. To do so, businesses must have a website privacy policy that complies with CCPA standards and is updated at least annually. 

It's also essential to have a cookie policy that explains how your website uses its users' personal data.

Businesses must notify consumers at or before the time of data collection about the types of data that will be collected and how it will be used. Companies also need to be prepared to disclose, at the request of a consumer, the following information:

  • Specific types of personal information that have been collected
  • Sources where personal data was obtained
  • Purpose of collecting the data
  • Third parties who may have had access to the data

The CCPA also requires businesses to provide a history of all personal data collected for a given consumer. Additionally, consumers should have the option to request the removal of their personal information from a business's database.

If a consumer does not want their personal information stored or used in a specific way, businesses are prohibited from discriminating against them by providing different services, changing prices, or restricting access to goods or services.

Experts weigh in on the most common ways businesses fail to comply with regulations. Ankit Gupta, Principal Security Engineer and privacy strategist, outlines common pitfalls businesses must avoid: "Frequent missteps include cookie banners that fail to honor Global Privacy Control (GPC) signals, ambiguous language regarding data sharing, or notices lacking SPI disclosures. Many businesses also forget to link to the opt-out request page in their notices, or they group it with other preferences, undermining its visibility." 

Roberts adds, "Failing to provide clear, conspicuous links for 'Do Not Sell or Share My Personal Information' is another major issue."
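As an added illustration of the first misstep Gupta names, honoring the Global Privacy Control (GPC) signal, here is example code written for this discussion; it is not from the article or any vendor's product. The GPC specification defines the `Sec-GPC: 1` request header, the `navigator.globalPrivacyControl` property and the `/.well-known/gpc.json` file; the function names, the stored-preference shape and the re-consent rule are assumptions, and header names are assumed lower-cased as Node.js delivers them.

```javascript
// Resolve a California consumer's sale/share opt-out from the GPC signal.
// Only the exact value "1" is a signal; anything else is "no signal", and
// the absence of a signal is never treated as consent to sell or share.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"];
  return value !== undefined && String(value).trim() === "1";
}

// Same check for browser-side code, taking a navigator-like object so it
// can be exercised outside a browser.
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Effective sale/share preference for this request. Rules (assumption,
// modelled on the CPRA regulations' handling of opt-out preference signals):
//  - a GPC signal is an opt-out and is honored immediately;
//  - a recorded opt-out stays in force even when a later request lacks the
//    signal (the signal disappearing is not consent);
//  - only an explicit, recorded consent given after the signal
//    (storedPreference.consentedAfterSignal) re-enables sale/share.
function resolveSaleSharePreference(headers, storedPreference = {}) {
  if (hasGpcSignal(headers)) {
    return { optedOut: true, source: "gpc" };
  }
  if (storedPreference.optedOut && !storedPreference.consentedAfterSignal) {
    return { optedOut: true, source: "stored" };
  }
  return { optedOut: false, source: "none" };
}

// Gate for any downstream transfer that counts as a "sale" or "share",
// e.g. handing identifiers to a cross-context behavioral advertising vendor.
function mayShareForAdvertising(headers, storedPreference) {
  return !resolveSaleSharePreference(headers, storedPreference).optedOut;
}

// Audit record for the opt-out, so the business can show when the request
// was received and acted on (the fields are an assumption).
function recordOptOut(consumerId, source, receivedAt) {
  return { consumerId, source, receivedAt, honoredAt: receivedAt, method: "gpc" };
}

// Body of /.well-known/gpc.json, announcing that the site honors GPC.
// The lastUpdate value is a constructed date.
function gpcWellKnown() {
  return { gpc: true, lastUpdate: "2025-01-01" };
}

// Constructed sample requests, not real traffic.
const sampleRequests = [
  { name: "browser with GPC on", headers: { "sec-gpc": "1" } },
  { name: "no signal", headers: {} },
  { name: "malformed value", headers: { "sec-gpc": "true" } },
];

for (const req of sampleRequests) {
  const pref = resolveSaleSharePreference(req.headers);
  console.log(req.name, "-> optedOut:", pref.optedOut, "(" + pref.source + ")");
}
```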


What happens if you don’t comply with CCPA?

The Attorney General of California is tasked with enforcing the CCPA. According to the Attorney General’s website, “Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California.”[5]

Pavolotsky advises that "failing to accurately disclose what sensitive personal information will be collected or how it will be used could expose a business to a CCPA violation claim. [...] All things being equal, a regulator may be more apt to investigate companies that process sensitive personal information.”

Individual consumers can only sue a company under the CCPA if a data breach has occurred.

Roberts elaborates: "The CCPA includes a limited private right of action — but only for breaches involving nonencrypted, nonredacted personal information. Plaintiffs must demonstrate failure to implement reasonable security and actual harm, both of which are legal hurdles. Most cases to date have been dismissed or settled early due to these high thresholds."

If an individual sues based on a data breach, they can sue for actual monetary damages suffered or statutory damages of $750 per incident.

If a consumer wishes to sue, they must first provide the company with a written notice specifying which sections of the CCPA were allegedly violated. They must give the company 30 days to fix the problem and respond with a written statement that the violation has been cured and that no further violations will occur.

To sue a company for a data breach, specific types of information must have been stolen, including your first and last name, as well as any of the following:

  • “Your Social Security number
  • Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
  • Your financial account number, credit card number, or debit card number, if combined with any required security code, access code, or password that would allow someone access to your account
  • Your medical or health insurance information
  • Your fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes)”[6]

To sue for damages resulting from the data breach, the personal information must have been stolen in a non-encrypted and non-redacted form.

As part of the CCPA, the California Privacy Protection Agency was established to help enforce the CCPA and has the authority to do so.

CCPA vs. GDPR

The General Data Protection Regulation and the California Consumer Privacy Act share many commonalities. They both protect consumers' personal data and regulate how businesses use and protect that data.

The GDPR applies to all European Union countries and any company providing goods or services to individuals in the European Union. The CCPA applies to all residents of California and any company that provides goods or services to California residents.

The GDPR regulates businesses of all sizes as long as they do business with anyone in the European Union. The CCPA only applies to companies of a certain size or revenue metric. It also does not apply to non-profits or government entities.

The enforcement of the two regulations also differs. Until 2021, California's Attorney General was responsible for upholding the state's CCPA regulations. Now, the California Privacy Protection Agency helps implement and enforce the CCPA. Each country in the EU has its own data protection authority to investigate GDPR complaints and impose fines on companies.

Learn more about the differences between the GDPR and the CCPA on the All About Cookies homepage.

Is GDPR compliance a safe baseline for CCPA?

According to Pavolotsky, "GDPR is a good starting point, [but] a business, a defined term under the CCPA, should map the requirements under the CCPA and the regulations under it to its current practices. Based on that gap analysis, a compliance plan can be prepared and implemented." This means that businesses can't solely rely on the GDPR and need a separate framework. 

"U.S.-based companies need a U.S.-centric privacy framework layered atop GDPR to fully meet CCPA obligations," added Isaboke. 

Other digital privacy and security experts agree, with Gupta elaborating: "The GDPR provides a robust framework, particularly for data subject rights and consent. However, the CCPA and CPRA differ in terminology, scope (with a focus on “sale/share”), and SPI-specific rights. For complete compliance, companies should map GDPR efforts to CCPA/CPRA requirements and address gaps through a U.S.-specific privacy program."

FAQs

What does CCPA stand for?

CCPA stands for the California Consumer Privacy Act. The act protects the personal data of California residents and includes regulations for how businesses should handle and protect customer data. It was signed into law in 2018 and went into effect at the beginning of 2020.

Does CCPA apply to all US states?

No, but consumers who live and shop outside of California can still benefit from the protections. Technically, the CCPA protects residents of California and applies to for-profit businesses that do business in California and meet certain criteria. The CCPA applies to businesses, along with service providers or third parties that interact with the personal data of California consumers. To meet these compliance requirements, websites implement privacy and cookie policies that all consumers (not just California residents) benefit from.

Who is exempt from CCPA?

Non-profit companies, government entities, and companies with less than $25 million in annual gross revenue are exempt from CCPA.

Does CCPA apply to small businesses?

The CCPA applies to companies that do business with residents of California and meet one of these requirements:

  • “Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.”[7]

Bottom line

The California Consumer Privacy Act and the California Privacy Rights Act work in tandem to help California residents protect their private data. The CCPA grants consumers six rights to help them understand how their personal data is being used, requires consumers to opt in to any sale of their data, and provides additional protections.

The CPRA adds further protections, allowing consumers to correct inaccurate information and to limit the use or disclosure of sensitive personal information.

If your business is unsure whether it complies, you should audit the current data being collected, ensure that customers have all the rights protected by the CCPA, and create a plan for addressing any potential data breaches. Data privacy compliance companies, such as Termly, can help ensure your website meets the relevant regulations.

Meet the experts

Author Details
Andrew Strom Adams is a writer focused on online privacy and digital security. He writes on various topics to help individuals protect themselves on the internet. Andrew has worked in legal marketing, technology, and startups. He has more than 12 years of experience in marketing and communications. He holds an M.B.A. from Westminster College and a B.A. in journalism from Oklahoma Baptist University. When he’s not writing, he’s playing with his two kids or watching reality TV.
Kate is an Editor at All About Cookies. She has a decade of digital publishing experience and a background in EdTech. As a digital security expert, she leverages her passion for helping people to create authentic, well-researched content on a wide-range of digital privacy and security topics.

Citations

[1] California Consumer Privacy Laws

[2][3] Consumer Privacy Act, Section 1798.140. Definitions

[4][5][6][7] California Consumer Privacy Act (CCPA)