California Consumer Privacy Act

California Consumer Privacy Act (CCPA) is a state-wide law regulating companies that use Californians’ data. CCPA law applies to any for-profit business which falls under one or all of the following categories:

  • The entity collects data from 50,000 California residents,
  • It has a gross annual revenue of $25 million, and
  • The organization earns 50% of its profits from selling the personal info of Californians.

Under the CCPA compliance, Californians have the following rights:

  • Right to opt out from getting their data sold,
  • Right of disclosure to data collected,
  • Right to request deletion,
  • Right to be notified, and
  • Right to equal services and prices.

If a business fails to comply with CCPA compliance, it can result in fines, i.e., $7500 per violation and $750 per affected customer.

However, there have been several changes in CCPA law since January 2023. First, the law tweaked the first threshold, i.e., the business should now collect data from a minimum of 100,000 residents.

Secondly, the B2B data is also governed under CCPA, and a new oversight body, CPRA, has been established, which deals with sharing data. Furthermore, the rights of customers have been improved and modified. In addition to the existing laws, the customers now have the right to:

  • Correction of inaccurate data collected,
  • Limit the use of data categorized as sensitive,
  • Request information on automated decision-making.

California Consumer Privacy Act


  • Who does California Consumer Privacy Act apply?

    CCPA currently applies to any for-profit enterprises in California that:

    • Collects, shares, or sells personal data of California consumers
    • Has gross revenues exceeding $25 million or
    • Holds personal information of 50,000+ households, customers, or devices.
  • Does the CCPA apply to businesses outside of California?

    Yes, the CCPA applies to businesses outside of California only if they collect or sell personal information of California residents, conduct business in the State, and meet at least one of the following:

    • Gross annual revenue exceeds $25 million
    • Commercially trades personal information 50,000+ CA residents.
  • Which states follow CCPA?

    California is the gold standard for state privacy laws since the State has recently formulated the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA). Colorado and Virginia also have created comprehensive privacy laws, which will be enforced in 2023.

  • What are the rules of CCPA?

    The CCPA requires business to include consumers’ privacy rights information and the procedures to exercise the rights in their privacy policies. Some rights include:

    • Right to Know
    • Right to Non-Discrimination
    • Right to Opt-Out of Sale
    • Right to Delete
  • What does California's CCPA provide to California consumers?

    This law provides comprehensive privacy rights for California consumers, which primarily include:

    • The right to know how a business collects, uses and shares personal info
    • The right to delete personal information collected; exceptions exist.
  • What is the difference between GDPR and CCPA?

    The GDPR is an EU law enacted in May 2018, and it’s uniformly binding all 27 member states. Essentially, the GDPR law oversees how websites and different corporations handle personal data, including emails, browser history, and location data of EU visitors.

    On the other hand, CCPA is a state-wide privacy law in the US, empowering Californians with new rights to handle their data collected by third-party websites.

    Secondly, GDPR focuses on creating a privacy-by-default framework in the EU, whereas CCPA law is about developing transparency and granting rights to Californians.

  • Which businesses are exempt from the CCPA data privacy law?

    There are few business organizations exempt from the CCPA law even if they collect the personal data of Californians and meet the CCPA criteria. They include:

    – Nonprofits: Exempted because they don’t fall under the prescribed definition of business.

    – Government agencies: They are exempt because such organizations inadvertently require personal information for investigations and lawful matters. The parties exempted under this category include the federal, state, and local agencies’ bodies.

    – Insurance institutions: CCPA exempts insurance institutions and their agents because they are governed by other laws, which, in this case, California’s Insurance Information and Privacy Protection Act (IIPPA).


  • Is GDPR or CCPA more strict?

    The GDPR is stricter since it requires users to give their consent before collecting their data. In contrast, CCPA requires consent only for data disclosure or selling to third parties.