What is the CCPA? Overview and compliance requirements for the California Consumer Privacy Act

California was one of the first states in the United States to enshrine privacy as an “inalienable right” of all people when it amended its constitution in 1972.

On January 1, 2020, California became the first state to enact a data privacy law to empower its residents with ownership over their personal information and change the way businesses handle this personal information.

We look at the California privacy law, what it means for your business and website, and steps you can take to achieve and maintain compliance.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is the first comprehensive modern data privacy law in the United States, and came into effect January 1, 2020.

The California Privacy Rights Act (CPRA) amended and expanded the CCPA, enhancing consumer privacy rights for the state’s residents, tightening requirements for businesses that collect and share personal information, and creating a new government agency to enforce California’s privacy laws.

The CPRA took effect on January 1, 2023, and enforcement began in February 2024 after a legal challenge delayed the original enforcement date of July 2023. 

Who does the CCPA protect?

The CCPA, as amended by the CPRA, protects the state’s nearly 40 million residents, known as consumers under the law.

A consumer is a natural person who is either:

• in the state for other than a temporary or transitory purpose 

or 

• domiciled in the state, but temporarily outside of the state, such as on vacation or business trip

It is not enough to simply be located in the state when having one’s data collected — individuals must meet the definition of California resident under the law. Those who are simply passing through, visiting on vacation, or in the state to complete a particular transaction or perform a particular contract are considered to be in the state for temporary or transitory purposes and are not protected by the CCPA/CPRA. This definition is likely to evolve over time, particularly based on case law resulting from lawsuits relating to alleged violations.

The CCPA/CPRA protects the personal information of California residents even when they are temporarily outside the state.

Who does the CCPA apply to?

The CCPA/CPRA applies to for-profit businesses that operate in California and collect the personal information of its residents, if they meet at least one of the following thresholds:

• buy, sell, or share the personal information of more than 100,000 consumers or households annually
• have a gross annual revenue exceeding USD 26,625,000
• derive 50 percent or more of their annual revenue from selling consumers’ personal information

The CCPA/CPRA has extraterritorial application, meaning that a business located in another US state, or even outside the US, must comply with the law if it meets one of these conditions.

Additionally, if your business shares common brandingwith a company that meets one of the above mentioned thresholds, your business will be subject to CCPA compliance. Common branding means that a business shares a name, service mark, or trademark with another business.

Interestingly, a number of more recently passed state-level privacy laws in the US do not include the revenue-only threshold.

What is personal information under the CCPA laws?

The CCPA/CPRA law defines personal information (known as personal data under some laws) as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information under the CCPA/CPRA includes:

• direct identifiers, such as real name, alias, postal address, email address
• unique identifiers, such as cookies, IP addresses, beacons, pixel tags
• biometric data, such as face, retina, fingerprints, and voice recordings
• precise geolocation data used to accurately identify a person within a radius of 1850 feet (563 meters)
• internet activity, such as browsing history, search history, data on interaction with a web page or app
• sensitive personal information, such as Social Security number, racial or ethnic origin, citizenship or immigration status, genetic data, financial information

Personal information also includes data that by inference can lead to the identification of an individual or a household.

Aggregate and anonymous data is exempt from the CCPA/CPRA, unless it is in any way re-identifiable. 

What does the CCPA say about cookies?

Cookies and other website tracking technologies are classified as unique identifiers that form part of the CCPA’s definition of personal information. Cookies are one of the most commonly used technologies for websites to collect personal information on end users.

First-party cookies, set by the website itself, often collect anonymous data for core website functions. They are deleted once a user closes the browser. Third-party cookies, like those set by tech companies, ad networks, and social media platforms, often collect a lot of personal — and sometimes sensitive — information on consumers.

Data collected on your website through cookies can ultimately be considered personal information under the CCPA/CPRA. This information might not in itself constitute personal information, e.g. anonymized analytics data, but it can become personally identifying by inference or in combination with other data, for the purpose of identifying and connecting devices, creating profiles, or serving personalized ads.

What are the CCPA’s consumer rights?

The CCPA/CPRA sets up a legal framework whereby California residents can claim ownership of their data. It also requires organizations that do business in California to provide users with easy ways of exercising their CCPA rights.

The CCPA/CPRA empowers consumers with the following rights:

• right to opt out of having their data sold to or shared with third parties
• right to limit the use and disclosure of their sensitive personal information
• right to know and access personal informationcollected about them, including that collected through cookies, purposes of processing, and to whom the personal information is disclosed
• right to correct inaccurate or incomplete personal information
• right to request deletion of personal information collected from them, with exceptions
• right to know what personal information is sold or shared, and to whom
• right not to be discriminated against if they choose to exercise their rights under the law

Organizations that meet any of the CCPA/CPRA compliance thresholds are liable for personal information collected on California residents via their website’s cookies, if the information is sold or shared. With the CPRA, consumers are now also able to opt out of collection and use of their data for targeted advertising or profiling purposes.

CCPA obligations for businesses

If your business meets any of the three CCPA/CPRA thresholds, you are required to comply with the obligations under the law.

CCPA rules and requirements for consent

The CCPA/CPRA operates under an opt-out consent model, meaning that in most cases, you don’t need to obtain prior consent from users before collecting their personal data through cookies or other tracking technologies. However, there is an exception for personal data belonging to minors under age 13.

If your website has visitors or customers who are minors under the age of 16, you are required to obtain their opt-in (consent) before you can sell or disclose their personal information to third parties. If the minor is under the age of 13, a parent or legal guardian must consent for them.

The California privacy law grants consumers the right to opt out of the sale or sharing of their personal information, and to limit the use or disclosure of sensitive personal information.

CCPA compliance with the rights to opt out and limit

If your business sells or shares consumers’ personal information, your website must feature a link titled “Do Not Sell Or Share My Personal Information,” which consumers can use to make an opt-out request. (“Or Share” was added when the CPRA came into effect.) If such a request is received, you are prohibited from selling or sharing the consumer’s personal information, and must cease those activities if they are already in progress.

Similarly introduced with the CPRA, if your business uses or discloses consumers’ sensitive personal information, your website must feature a link titled “Limit The Use Of My Sensitive Personal Information,” which consumers can use to limit its use or disclosure.

You may use a single link for both purposes if consumers can exercise their right to both — to opt out of sale/sharing/targeted advertising/profiling and limit the use/disclosure of sensitive information — effectively from one link.

The law defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”

Your business must respect universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, that consumers may use to set their consent preferences once, typically via their browser settings or a browser plugin, which are then communicated automatically across various websites and online services.

CCPA notice at collection

Your website must inform users at or before the point of data collection about the categories of personal information that it collects, including any sensitive personal information, for what purposes, and whether you sell or share consumers’ personal information.

If you sell or share personal information, you must include a “Do Not Sell Or Share My Personal Information” link in the notice at collection.

The notice at collection must also link to your business’s privacy policy.

CCPA privacy policy

Your business must publish a privacy policy that includes: 

• description of consumers’ rights and how to exercise them
• annually updated list of the categories of personal information that your business collects, sells, and/or discloses
• categories of sources from which your business collects personal information
• business or commercial purpose for collecting, selling, or sharing personal information
• categories of third parties to whom your business discloses personal information

Your privacy policy may contain a section detailing your website’s use of cookies and other trackers, or you can create a separate cookie policy with this information.

Businesses usually link to their privacy policy where consumers can easily find it on their website, often in the footer at the bottom of the page, or from a consent banner.

CCPA compliance with consumer requests for rights to know, correct, and delete

Consumer rights requests under the California privacy law must be verifiable before your business has to provide the information. Your business must make available two or more methods for consumers to submit requests and must disclose the required information, correct inaccurate personal information, or delete consumers’ personal information within 45 days of receiving the verifiable request. An extension of 45 days may be taken when reasonably necessary and you must inform the consumer of the extension within the first 45-day period.

You may not require Californian consumers to create a new account to make a request, but they can be required to use an existing account to verify their identity.

The CCPA/CPRA prohibits discrimination against consumers based on their choice to exercise their rights. This means that if a consumer chooses to opt out of the selling of their data to third parties, or if they request their data deleted, you cannot charge different prices for services, provide different levels or quality of services, or deny service.

However, the CCPA does authorize businesses to offer financial incentives, e.g. different prices and quality of service, for the collection, sale, or deletion of personal information, if the differences are reasonably related to the value provided to the business by the consumer’s data.

CCPA obligation of data minimization

Under the CCPA/CPRA, businesses must collect, use, store, and share consumers’ personal information only to the extent necessary to fulfill the original purpose for which the information was collected, or for another compatible purpose. You may not process consumers’ personal information in ways that conflict with these original purposes.

This principle of data minimization also applies when collecting data through cookies and other tracking technologies. You may only use tracking cookies to collect data that is necessary for the specified purposes and must ensure that consumers are informed about the use of such technologies in your cookie policy.

CCPA enforcement and penalties

The enforcement of the CCPA/CPRA lies with two entities: the California Attorney General and the California Privacy Protection Agency (CPPA), the government agency established under the CPRA. This is unique to California, as most other states’ data privacy laws empower the Attorney General of the state with full enforcement authority.

Importantly, while the CPPA has enforcement authority, it cannot limit the Attorney General’s authority and must stay any actions or investigations if the Attorney General requests it. Businesses cannot be penalized by both the CPPA and the Attorney General for the same violation.

The penalties for noncompliance with the CCPA/CPRA can be substantial: 

• up to USD 2,663 for each unintentional violation
• up to USD 7,988 for intentional violations 

If a business commits multiple CCPA/CPRA violations, the fines can accumulate quickly, leading to significant financial repercussions.

The California privacy law also grants consumers the right to to take legal action against businesses in the event of a data breach. Consumers can seek statutory damages ranging from USD 107 to USD 799 per incident or the actual damages incurred, whichever amount is greater, or injunctive relief. California is the only state that grants consumers this private right of action.

Consumers must give businesses 30 days to cure any violations stemming from a data breach before they can take legal action. When the CCPA first went into effect, the 30-day cure period also applied to actions brought by the Attorney General/CPPA. This has now sunset.

How to be CCPA compliant

Here is a non-exhaustive CCPA compliance checklist for your business and its website that covers the central points of the CCPA requirements.

• Feature “Do Not Sell Or Share My Personal Information” and “Limit The Use Of My Sensitive Personal Information” links on your website that consumers can use to opt out of third-party data sales/sharing and use/disclosure of sensitive personal information.
• Provide a notice at or before the point of collection informing consumers of the categories of personal information (including sensitive personal information) your business collects, for what purposes, and whether it shares or sells the personal information.
• Respond to opt-out requests within 15 days of receipt, including stopping further sale/sharing of data and notifying all parties to whom you have sold the personal information in the previous 90 days.
• Obtain opt-in consent from minors age 13 to 16 and from parents or legal guardians of minors under the age of 13 before selling or sharing their personal information.
• Provide consumers with records of the personal information collected in the past 12 months free of charge (including sources, commercial purposes, and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion. This is for a reasonable number of requests by a consumer annually, and excessive requests can be denied.
• Respond within 45 days of receiving a verifiable request for disclosure or deletion with information on how the request will be processed.
• Establish at least two methods for consumers to exercise their rights, such as a toll-free phone number, email address, or web form.
• Only offer financial incentives (e.g. different prices, rates, and quality) for goods and services if the differences are reasonably related to the value that the consumer’s data brings to the business.
• Refrain from discriminating against consumers who choose to exercise their rights under the law, particularly opting out of data collection and processing.

You must also publish a CCPA privacy policy that includes:

• description of CCPA consumer rights and how to exercise these rights
• annually updated list of the categories of personal information that you collect, sell, or disclose, including through the use of cookies
• categories of sources from which you collect personal information 
• business or commercial purposes for which you collect, sell, or share personal information 
• categories of third parties to whom you disclose personal information

CCPA compliance with Cookiebot CMP

Cookiebot CMP automatically scans your website, finds all cookies and similar tracking technologies in use, and can automatically block them if users opt out. This enables compliance with both the CCPA and the European Union’s General Data Protection Regulation (GDPR).

Cookies, especially those from third parties embedded through plugins, can harvest personal information such as names, physical addresses, IP addresses, and location data, but also sensitive personal data such as religious convictions, political opinions, and/or sexual orientation.

The CCPA requires that businesses enable California residents to opt out of having their personal information sold to third parties, as well as disclosing what data has already been collected and deleting it, if consumers request it.

Cookiebot CMP enables compliance with the CCPA with a specific configuration that detects whether a user is from California, and then displays the required “Do Not Sell Or Share My Personal Information” link on the website’s cookie banner.

You can also fulfill the CCPA/CPRA requirement to inform users about personal information processing at or before the point of data collection by using a cookie banner or cookie notice to display your notice at collection.

California privacy law and the GDPR

When comparing the CCPA/CPRA to the GDPR, it becomes clear that though there are similar intentions and provisions, the two data privacy laws are very different.

GDPR vs. CCPA: Who is protected

Where the GDPR protects anyone in the European Union/European Economic Area (EU/EEA), the CCPA only protects California residents.

It is not enough to be located in the state at the time of collection or processing. According to the CCPA/CPRA laws, you must have a permanent residency in the state in order to be protected.

GDPR vs. CCPA: Consent requirements

The GDPR grants the user the right of consent, meaning that their data cannot be used until the user gives their consentto do so. Prior consentis required by the GDPR, including cookie consent.

Under the CCPA, a business does not need prior consentto handle personal information, nor does a website need to obtain user consent to sell consumers’ data to third parties, with the exception of minors’ data.

GDPR vs. CCPA: Compliance thresholds

The CCPA/CPRA contains specific thresholds that a for-profit business must meet for the law to apply, based on annual revenue, volume of personal information handled, or percentage of revenue from sale of personal data.

The GDPR contains no such threshold and applies to any entity that processes the personal data of individuals located in the EU/EEA. This includes nonprofits and government agencies, which are exempt from CCPA/CPRA compliance.

GDPR vs. CCPA: Legal bases

The GDPR permits the collection of personal data only if one of six legal bases applies, namely explicit consent, to perform a contract, legal obligation, to protect vital interests, in the public interest, or legitimate interest.

The CCPA/CPRA does not require any specific legal basis for collecting personal information.

GDPR vs. CCPA: Fines

GDPR fines are substantial and are among the highest penalties for data protection violations globally. They can reach up to 2 percent of annual turnover or EU 10 million, whichever is higher, for certain violations; and up to 4 percent of annual turnover or EU 20 million, whichever is higher, for more serious violations.

In contrast, CCPA/CPRA fines are up to USD 2,663 per unintentional violation and USD 7,988 per intentional violation, and statutory damages for data breach. However, each individual’s personal information counts as a separate violation, and CCPA civil penalties can quickly add up. Additionally, statutory damages ranging from USD 107 to USD 799, or actual damages suffered, may be applicable in cases of data breaches.

FAQs

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.