What is CCPA?

The California Consumer Privacy Act (CCPA) is a state-based data privacy law controlling how organizations handle personal information (PI) of California residents. It came into effect on January 1, 2020, marking the first comprehensive modern data privacy law in the U.S. The California Privacy Rights Act (CPRA), which took effect on January 1, 2023, expands and modifies the CCPA.

The CCPA applies to for-profit businesses worldwide that process information of over 50,000 California residents annually, have gross annual revenue exceeding $25 million, or derive over 50% of their revenue from selling California residents’ personal information. The act grants Californians several rights over their data and outlines specific website requirements for compliance. Non-compliance can lead to significant fines.

Key Takeaways:

  1. Applicability and Scope:
    • The CCPA applies globally to for-profit businesses processing personal information of more than 50,000 California residents, earning over $25 million annually, or deriving more than half their revenue from selling resident data.
  2. Consumer Rights:
    • California residents have the right to opt out of data sales, request access to collected data, request data deletion, be notified, and be free from discrimination for exercising these rights.
  3. Compliance Requirements:
    • Businesses must update privacy policies, provide a “Do Not Sell Or Share My Personal Information” link, obtain opt-in consent from minors under 16, and inform users about data collection and its purposes.
  4. Personal Data Definition:
    • Personal data includes direct identifiers (e.g., names, social security numbers), unique identifiers (e.g., cookies, IP addresses), biometric data, geolocation, internet activity, and sensitive information like health and financial data.
  5. CPRA Enhancements:
    • The CPRA includes data sharing, expands consumer rights (e.g., right to correction, limit use of sensitive data), and creates the California Privacy Protection Agency (CPPA) for oversight. It applies to businesses processing or sharing information of over 100,000 residents and emphasizes responsible cookie data management.

When does CCPA apply?

The CCPA applies to for-profit businesses worldwide if they:

  • Process personal information of more than 50,000 California residents annually
  • Have annual gross revenue over $25 million
  • Earn more than 50% of their annual revenue from selling personal information of California residents

The CCPA defines “sale” of personal information as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information for monetary or other valuable consideration.

Under the CCPA, California residents (consumers) have the right to:

  • Opt out of having their data sold
  • Request disclosure of collected data (right of access)
  • Request deletion of collected data
  • Be notified and not be discriminated against for exercising their rights

Non-compliance can lead to fines: $7,500 per violation and $750 per affected user in civil damages.

How to make your website CCPA-compliant?

If your business meets any CCPA thresholds and has a website, you need to:

  • Inform users at or before data collection about what types of personal information are collected and why
  • Feature a “Do Not Sell My Personal Information” link for users to opt out of third-party data sales. (Post-CPRA, this must read “Do Not Sell Or Share My Personal Information.”)
  • Get opt-in consent before selling or disclosing personal information of minors under 16. For minors under 13, a parent or guardian must consent.
  • Update your privacy policy to detail consumer rights and how they can exercise them, and include an annually updated list of collected, sold, and/or disclosed personal information categories
  • Provide, free of charge, records of personal information collected in the past 12 months if requested by a consumer. This includes sources, commercial purposes, and third-party sharing categories.
  • Not discriminate against consumers who exercise their rights to opt out, request disclosure, correction, or deletion.

What is personal data?

Personal data, as defined by CCPA, is any information that identifies, relates to, describes, or can be associated with a particular consumer or household. This includes:

  • Direct identifiers like real name, postal address, or social security numbers
  • Unique identifiers like cookies, IP addresses, or account names
  • Biometric data like face and voice recordings
  • Geolocation data like location history
  • Internet activity like browsing history, search history, and interaction data
  • Sensitive information like health data, personal characteristics, behaviors, religious or political beliefs, sexual preferences, and employment and education data

Personal information also includes data that can identify an individual or household by inference. Aggregate and anonymous data are exempt unless they can be re-identified.

What does the CCPA say about cookies?

Cookies and other tracking technologies are unique identifiers under the CCPA’s definition of personal information. They are commonly used on websites to collect personal information. First-party cookies collect anonymous data for essential website functions and are deleted when the browser is closed. Third-party cookies often collect personal information, which can be kept for up to 100 years.

Data collected via cookies on your website can be considered personal information under the CCPA. Even anonymized analytics data can identify individuals when combined with other data.

What changed for businesses and residents of California on January 1, 2023?

With the CPRA, for-profit organizations must comply if they:

  • Have annual gross revenue over $25 million
  • Earn more than 50% of their annual revenue from selling or sharing personal information of California residents

The CPRA also increases the threshold to processing and/or sharing personal information of over 100,000 California residents or households. It covers B2B data and creates the California Privacy Protection Agency (CPPA) for oversight and enforcement. The CPRA extends the CCPA’s coverage to data sharing and expands consumer rights, adding new rights to correct data, limit the use of sensitive personal information, request information on automated decision-making, and opt out of such processes.

Businesses must handle cookie-collected data responsibly. Consumers can request disclosure, correction, or deletion of data collected in the last 12 months. Your organization must know and manage what data is collected through your website, its purpose, and third-party sharing.

Our Consent Management Platform (CMP) helps you maintain compliance with GDPR, CCPA, CPRA, and other regulations. The CMP scans your website for cookies and tracking technologies, informing you and your users about collected personal information and its use. It also provides the necessary “Do Not Sell Or Share My Personal Information” link and opt-in/out banners for minors under 16.
