What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is the first modern and comprehensive state-level data privacy law in the United States. It took effect on January 1, 2020 and governs the collection, processing, and selling of California residents’ personal information.
The CCPA empowers California residents (referenced as “consumers” under the law) with several rights regarding their personal information.
- Right to know: Consumers can request information about the collection, use, and sharing of their personal data by businesses.
- Right to delete: Consumers can ask businesses to delete their personal information, with certain exceptions.
- Right to opt out: Consumers can opt out of the sale to or sharing of their personal information with third parties.
- Right to nondiscrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights.
- Right to correct: Consumers can ask businesses to correct inaccurate or incomplete information about them.
- Right to limit: Consumers can request to limit the use of sensitive personal information collected from/about them, such as Social Security Number or financial account information, for restricted purposes.
The CCPA regulation took effect January 1, 2020, though enforcement by the California Attorney General’s office did not start until July 1 of that year. The CCPA regulation specifies practical and technical aspects of how to achieve compliance.
What is the California Privacy Rights Act (CPRA)?
On November 3, 2020, the California Privacy Rights Act (CPRA), which amended and expanded the CCPA, was passed into law in a general election.
The CPRA expanded the rights of California residents, created additional business requirements and compliance thresholds, and established the California Privacy Protection Agency (CPPA) to take over enforcement and other functions from the Attorney General.
The CPRA took full effect on January 1, 2023 and was supposed to become enforceable on July 1, 2023, though applicable to data collected and shared from January 2022. However, due to legal challenges, enforcement did not begin until February 2024.
What is personal information under the CCPA? Examples and definition
Personal information is the crux of the CCPA’s regulatory function, as it was enacted to protect consumers’ personal information and regulate the collection, use, and sharing of it.
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Categories of personal information, for example, as outlined in in CCPA privacy policies, include:
- direct identifiers (names, addresses, IP addresses, email, Social Security numbers, etc.)
- sensitive information, i.e. that which could enable particular harm to a person if it was misused, thus requiring certain restrictions and special handling (age, ethnicity, religion, political affiliation, health and healthcare, gender, sexual orientation, etc.)
- commercial information (credit card history, transaction details, payment info, etc.)
- geolocation data, if used for the purposes of identifying someone
- professional, employment, or education information
- inferences from any of above for the purpose of profiling
Information that is made lawfully available from federal, state, or local government records, information that is made publicly available (e.g. by a person’s online activities), or information that is deidentified or aggregated, is not considered personal information under the law.
Purposes of collecting personal information
Common purposes why businesses may collect personal information include:
- to operate, manage and maintain the business
- to process transactions and provide the consumer with a product or service
- for product development based on customer feedback and usage data
- to personalize user experience on websites or apps based on preferences and behaviors
- for marketing and advertising to target specific customer segments
- website analytics
- to comply with legal and regulatory requirements
Who must comply with the CCPA?
A for-profit entity that does business in California and handles personal information of California residents must comply with the CCPA if it meets any one of the following criteria:
- gross annual revenue of over USD 25 million
- buys, sells, or shares the personal information of 100,000 or more California residents or households
- derives 50 percent or more of their annual revenue from selling California residents’ personal information.
Companies that meet any of these conditions must comply with the CCPA, even if the business is not located in California. It only matters if the people whose data is being processed are located in that state.
The CCPA/CPRA also apply to data brokers, defined by the California Civil Code as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
Businesses that are required to comply with the CCPA must notify consumers about data that is collected, how, for what purposes, and who may have access to it. They must also notify consumers about their rights and how they can exercise them via a privacy policy or privacy notice. Typically this is a page on a website.
CCPA privacy notices requirements
There are two types of privacy notices required under the CCPA: a ”notice at collection” and a ”privacy policy”.
The notice at collection requires you to inform consumers, at or before the point of collection of personal information, about:
- categories of personal information, including sensitive personal information, that you will collect
- purpose(s) for which you will collect or use the personal information
- how long you will keep each category of personal information
If you sell consumers’ personal information, your notice at collection must include a link to a web page that enables consumers to exercise their right to opt out of sale, sharing, targeted advertising, or profiling. The link must use the specific words “Do Not Sell or Share My Personal Information”. In most cases it is not required to obtain prior consent before collecting and processing personal information, though there are exceptions.
The notice at collection must also link to your privacy policy, which provides more detail about how you collect and use consumers’ personal information (including sale or sharing), consumers’ rights, and how to exercise them.
Personal information from consumers online is often collected through the use of tracking technologies such as cookies. A cookie banner can be used to fulfill the notice at collection requirements by providing clear information about cookie usage and opt-out options, and directing users to the full CCPA privacy notice or policy for more details.
Achieve compliance with Cookiebot CMP – implement CCPA-specific settings on your cookie banner
CCPA privacy policy requirements
If you collect or process data from European Union (EU) residents, your website may already have a privacy policy, which is also a requirement of other international data privacy laws like the EU’s General Data Protection Regulation (GDPR), which preceded and influenced the CCPA.
However, the CCPA has specific requirements for what your privacy policy must include. To achieve CCPA compliance, you’ll need to amend and update your privacy policy to reflect California law or publish a separate privacy policy for the processing of personal information belonging to California residents.
Let’s look at the CCPA’s privacy policy requirements.
1. Easy for consumers to access
Companies must provide a clear and prominent link to your privacy policy on the website, and the link must include the word “privacy” in it. “Privacy Policy”, “California Privacy Policy”, or “California Privacy Rights” are all acceptable under the CCPA.
The privacy policy should be accessible and legible regardless of the device consumers using, including smartphones, tablets, and desktop computers. It should also be reasonably accessible to consumers with disabilities.
2. Include information about consumer rights
The privacy policy must inform consumers about their rights under the CCPA and how they can exercise these rights.
Some rights, such as the right to delete, correct, or access information, require provision of two methods by which consumers can exercise their rights, which the privacy policy must communicate. An exception to this requirement is businesses that operate exclusively online, which only need to provide an email address for submitting these requests.
The “Do Not Sell or Share My Personal Information” link should also be included in the privacy policy to enable consumers to opt out of the sale of their personal information. Businesses that process sensitive personal information have to implement a link reading “Limit the Use of My Sensitive Personal Information” or comparable as long as it enables consumers to opt out or limit disclosure of their sensitive personal information.
3. Inform consumers about how you use their personal information
A CCPA privacy policy must provide details about your personal information handling and privacy practices, including:
- categories of personal information collected in the last 12 months
- categories of sources from where personal information is collected
- specific purposes for which personal information is used
Companies that disclose, sell or share personal information must also inform consumers about:
- categories of personal information disclosed, sold, or shared in the last 12 months
- to whom the personal information was disclosed, sold, or shared
- specific purposes for which the disclosure, sale, or sharing was done
- whether the company has actual knowledge of the sale or sharing of personal information of minor consumers under the age of 16 years
Personal data of children (minors) does require prior consent from a parent or legal guardian before collection or processing. If consent is declined, the request cannot be made again for 12 months.
Selling has a broad definition in the CCPA that includes disclosure and sharing personal information “for monetary or other valuable consideration“. Categories of personal information that companies disclosed to third parties, e.g. through third-party cookies on the website, should, therefore, be included in the privacy policy even if the company did not make money from sharing the personal information.
4. Update every 12 months
The CCPA requires companies to review and update their privacy policy every 12 months so that consumers are made aware if the business starts collecting new categories of personal information, or if it starts collecting personal information with a different purpose than before.
If there are changes to how you handle consumers’ personal information in the interim, it is good practice (though not legally required) to update your privacy policy at the time of the change so that it always reflects the current state of your privacy practices.
Your CCPA privacy policy should also include the date on which it was last updated.
5. Easy to understand
Write the privacy policy in clear, straightforward language that anyone can understand without requiring specialized legal knowledge. Ensure that it’s easy for consumers to navigate, using clear headings and subheadings to organize the information effectively.
If the website caters to a multilingual audience, the company must provide the privacy policy in all the languages offered on the site.
CCPA vs GDPR privacy policy requirements
The GDPR, one of the world’s most stringent privacy laws, requires businesses to have a privacy policy regarding the processing of personal data of EU residents. Both the GDPR and CCPA require that privacy policies be written in simple language that is easy for anyone to understand without requiring technical or legal knowledge. However, there are also several differences between their requirements.
| CCPA | GDPR | |
|---|---|---|
| Content | Requires disclosures of:
| Requires disclosures of:
|
| Consent and opt-out or withdrawal | As the law incorporates an opt-out model for the sale of personal information, it requires a link to a web page for consumers to exercise this right, with the specific words “Do Not Sell or Share My Personal Information” linked. | The privacy policy must explain how users can give or reject consent for collection and processing of their personal information at a granular level, and can change or withdraw consent for any processing based on consent. |
| Updating frequency | Stipulates that privacy policies must be updated at least once every 12 months. | Does not specify a mandatory update frequency but requires that information be kept up to date and accurate. User consent should also be refreshed regularly, e.g. every 12 months, or if processing conditions change. |
| Transparency and detailing | Focuses on informing consumers about the business’s data collection practices and consumer rights. | Requires more detailed explanations, including specifics about data transfer to third countries and the safeguards in place. |
CCPA privacy policy checklist
Here is a CCPA privacy policy checklist of what you must include in order to achieve compliance with California’s data privacy law.
Your CCPA privacy policy must:
- be prominently linked to on your website, with the word “privacy” included in the link
- include detailed information about CCPA consumer rights and how to exercise them
- include a link titled “Do Not Sell or Share My Personal Information” that goes to a web page where consumers can opt out of the sale of their personal information
- include a link titled “Limit the Use of My Sensitive Personal Information” if the company processes sensitive personal information, enabling consumers to opt out or restrict processing of it
- provide a list of all categories of personal information collected in the last 12 months
- specify categories of sources from where personal information is collected
- disclose the specific purposes for which personal information is used
- detail categories of personal information disclosed, sold, or shared in the last 12 months, including recipients and purposes
- be updated at least every 12 months to reflect any new data collection or usage purposes and include the last update date within the policy
- be written in clear, straightforward language accessible to all readers
- available in all languages available in the website
Privacy policy tips for CCPA compliance
Here are some steps your business can take to comply with the CCPA privacy policy requirements.
- Audit and map out all data collection activities to understand what personal information is being collected, used, and shared, including through cookies.
- Display a notice at the point of collection, using a cookie banner with straightforward text, that informs consumers about collection, use, and sharing of personal information.
- Ensure your privacy policy is updated to include CCPA-required information, such as descriptions of consumer rights and how to exercise them, every 12 months.
- Establish a straightforward and easily accessible process for consumers to exercise their CCPA rights, including requests to access, delete, or opt out of the sale of their personal information, and share this in the privacy policy.
- Develop a procedure to verify the identity of individuals making requests related to their personal information to prevent unauthorized access or deletion.
- Regularly review and update data protection practices to ensure ongoing compliance with the CCPA, CPRA, and any future amendments or regulations
- Use a consent management platform (CMP) like Cookiebot CMP to streamline the process of managing user consents and preferences in line with CCPA requirements, for transparent and user-friendly consent experiences.
Learn more about all the steps you can take to achieve CCPA compliance beyond the privacy policy
FAQ
The California Consumer Privacy Act (CCPA) is a data privacy law that governs the personal information of California residents and how businesses are allowed to collect, share and sell it. The CCPA empowers California residents with a set of rights over their own personal information, such as the right to opt out of third-party data sales and the right to have collected personal information deleted. The CCPA also sets out specific rules for which businesses must comply and how businesses are allowed to handle the personal information of California residents.
A CCPA-compliant privacy policy must inform consumers of what categories of personal information the business collects, including the specific purposes of collection and sources for each category of personal information. A CCPA privacy policy must also inform consumers of what categories of personal information the business has sold to or shared with third parties in the last 12 months. A CCPA privacy policy must be updated annually and be easily accessible from the website’s front page.
A for-profit business that collects personal information of California residents and meets at least one of the three following thresholds must create a CCPA privacy policy:
- has an annual gross revenue exceeding USD 25 million
- derives 50% or more of its annual revenues from selling the personal information of California residents
- buys, receives, sells or shares the personal information of 100,000 or more California residents annually.
A company doesn’t have to be based in California to be liable under the CCPA. If a company in Texas or Europe meets any of the three thresholds above, it must meet CCPA requirements for compliance.
Yes, the CCPA is designed to protect the privacy rights of California residents specifically. It applies to businesses that collect personal information from residents of California, regardless of where the business itself is located. It is likely that more specific definitions of “California resident” will come with the establishment of case law around the CCPA, e.g. is a college student who resides in California only part of the year a resident?
The CCPA empowers California residents with the following rights:
- the right to opt out of having their personal information shared with or sold to third parties
- the right to know about the collection, sharing and selling of their personal information
- the right to have already collected data deleted
- the right to equal services and prices regardless of whether they choose to exercise any of these rights (anti-discrimination)
- the right of have inaccurate information about them corrected
- the right to limit the use of their sensitive personal data collected
The penalty for not having a CCPA/CPRA privacy policy can result in penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. These fines can escalate rapidly, as each individual consumer’s rights violation constitutes a separate violation. Additionally, failure to comply with the privacy policy requirements, such as maintaining a CCPA/CPRA-compliant privacy policy and responding to consumer requests, can also result in penalties.