By Edward Kost on Sunday, 02 April 2023
Category: Compliance

What is the CCPA? Definition and Compliance Guidelines for 2023

The California Consumer Privacy Act of 2018 (CCPA) was signed into law in June 2018 and took effect on January 1st, 2020, in response to growing instances of businesses compromising consumer privacy through poor data handling practices or data breaches.

The CCPA gives Californian consumers greater transparency into how their sensitive personal information is handled. California was the first state to implement such strong data collection and handling laws, and its data security framework will likely become a blueprint for all other states.

Under the CCPA, California residents have a right to:

As part of California's broader privacy law movement, this landmark law mirrors the consumer data protection posture outlined in the European Union's General Data Protection Regulation (GDPR) and Canada's proposed Bill C-11. CCPA regulations also offer Californian businesses guidance on adhering to this law.

In November 2020, the California Privacy Rights Act (CPRA) was passed as an amendment to the CCPA, adding many additional consumer privacy rights. The terms CCPA and CPRA are often used interchangeably, as both refer to the same body of privacy regulations.

Similar data privacy laws are either under consideration or already in force in Nebraska, New York, and Washington. This article examines how this law could impact businesses and how your organization can become CCPA-compliant.

Important: The provisions of the CCPA have been amended and expanded in the California Privacy Rights Act (CPRA). To learn about the CPRA, read this post.

Who Must Comply with the California Consumer Privacy Act?

The CCPA applies to for-profit businesses that have business operations in California and meet any of the following criteria:

  1. Gross annual revenue of $25 million or more.
  2. Process the personal information of over 50,000 Californian residents, households, or devices (including buying, receiving, or selling such data).
  3. Derive at least 50% of their annual gross revenue from the sale of California residents' personal data.


CCPA compliance is not limited to businesses physically located in California.


Any business located outside of California must still comply with CCPA regulations if it:


The CCPA does not apply to non-profit organizations.


How Does the CCPA Define Personal Data?

How this law is enforced depends on the CCPA's classification of personal data. Under the CCPA, a consumer's personal information includes any data that identifies, connects to, or relates to an individual and/or their household.


This includes the following categories of personal information:



How Does the CCPA Differ From the GDPR?

The CCPA has a broader classification of personal data compared to the European Union's (EU) GDPR.

Unlike the GDPR, the CCPA extends its privacy protections to households as well as individuals. Any data that identifies an individual or a household may fall under CCPA regulation.

Another difference between the two regulations is that the GDPR applies to any organization that holds an inventory of EU citizens' personal data, whereas CCPA compliance is only expected of businesses that meet any of the CCPA's three thresholds.


Learn more about the GDPR here.


CCPA and the Current California Data Breach Notification Law

The CCPA does not change the existing data breach notification obligations under Section 1798.82 of California law, meaning the CCPA itself does not require organizations to report data breaches. However, under the current California Data Breach Notification Law, businesses and state agencies must still notify California residents whenever an unauthorized party gains access to their unencrypted personal data in a data breach. Businesses can submit data breach notifications via this online portal.

Businesses suffering a breach impacting more than 500 California residents must submit a sample copy of the breach notifications to the California Attorney General. This notification must exclude any personal information identifiers.

The CPRA also established the California Privacy Protection Agency (CPPA) to help the California Attorney General enforce the notification laws.

California residents have the right to access all data breach notification submissions via this search engine.

How Should Businesses Respond?

In response to this provision, businesses should:



Under the CCPA, consumers have the right to request the deletion of all personal data collected about them.

In most situations, businesses must immediately comply with these requests. However, exceptions apply for the following scenarios:

How Should Businesses Respond?

In response to this provision, businesses should:


The CCPA empowers consumers to opt out of the sale of their personal data at any time.

Before any customer PII is sold, businesses must give impacted consumers ample notice of their intention to sell, along with instructions on how to opt out of having their data included in the sale.

Any third-party service provider that has purchased consumer data cannot resell that data unless the impacted consumers are given clear notice and an opportunity to opt out of the sale.

How Should Businesses Respond?

In response to this provision, businesses should:

Should a consumer or website visitor elect to exercise the rights outlined in the CCPA, the business receiving the request must not:

Penalties for Non-Compliance

Organizations have up to 45 days to respond to consumer requests under the CCPA.

If these requests are not actioned within 30 days, the offending business may be charged a maximum penalty of $7,500 per violation.

Consumers impacted by the unauthorized handling of their data, as outlined in the CCPA, can exercise a private right of action entitling them to $750 in recovery damages per violation.
