What Is CCPA? A Complete Guide to the California Consumer Privacy Act

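The California Consumer Privacy Act (CCPA) is one of the most comprehensive data privacy laws in the United States. If your business collects personal information from California residents, understanding CCPA is essential. This guide covers who the law applies to, the rights it gives consumers, what counts as personal information, the obligations it places on businesses, the penalties for violations, and what the CPRA changed.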

What Does CCPA Stand For?

CCPA stands for the California Consumer Privacy Act. It was signed into law on June 28, 2018, and went into effect on January 1, 2020. The law was later amended by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023, expanding consumer protections and creating the California Privacy Protection Agency (CPPA).

Who Does CCPA Apply To?

The CCPA applies to for-profit businesses that collect personal information from California residents and meet any one of these thresholds:

  • Annual gross revenue exceeding $25 million
  • Buy, sell, or share the personal information of 100,000 or more California consumers, households, or devices per year
  • Derive 50% or more of annual revenue from selling or sharing consumers' personal information

Importantly, your business does not need to be located in California. If you collect data from California residents and meet any of the above criteria, you are subject to CCPA.

What Rights Does CCPA Give Consumers?

The CCPA grants California residents several important rights over their personal information:

  • Right to Know: Consumers can request details about what personal information a business has collected, used, shared, or sold about them.
  • Right to Delete: Consumers can request that a business delete their personal information, with some exceptions.
  • Right to Opt-Out: Consumers can direct a business to stop selling or sharing their personal information.
  • Right to Non-Discrimination: Businesses cannot penalize consumers for exercising their CCPA rights.
  • Right to Correct: Consumers can request that a business correct inaccurate personal information (added by CPRA).
  • Right to Limit Use of Sensitive Information: Consumers can limit how a business uses their sensitive personal information (added by CPRA).

What Is Considered "Personal Information" Under CCPA?

The CCPA defines personal information broadly. It includes any information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. Examples include:

  • Name, email address, phone number, and mailing address
  • Social Security number, driver's license number, and passport number
  • Purchase history and browsing history
  • Geolocation data and IP addresses
  • Biometric data such as fingerprints and facial recognition
  • Professional or employment-related information
  • Inferences drawn from the above to create consumer profiles

Key Business Obligations Under CCPA

  • Provide a clear "Do Not Sell or Share My Personal Information" link on your website
  • Respond to verifiable consumer requests within 45 days
  • Disclose data collection practices in your privacy policy
  • Maintain records of consumer requests for at least 24 months
  • Implement reasonable security measures to protect personal information
  • Update your privacy policy at least annually
  • Train the employees who handle consumer inquiries on CCPA requirements

Penalties for Violating CCPA

The California Attorney General can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a private right of action for data breaches resulting from a business's failure to maintain reasonable security, with statutory damages of $100–$750 per consumer per incident.

CCPA vs CPRA: What Changed?

The California Privacy Rights Act (CPRA) amended the CCPA and went into effect on January 1, 2023. Key changes include:

  • Created the California Privacy Protection Agency (CPPA) for enforcement
  • Added the right to correct inaccurate personal information
  • Added the right to limit use of sensitive personal information
  • Introduced "sharing" as a regulated activity alongside "selling"
  • Expanded data minimization requirements
  • Added requirements for data processing agreements with service providers

How to Comply with CCPA

Getting compliant with CCPA involves several steps: auditing your data practices, updating your privacy policy, implementing consumer request processes, and adding required opt-out mechanisms to your website. For a detailed walkthrough, see our CCPA Compliance Checklist.

Simplify CCPA Compliance with OptOutWidget

OptOutWidget provides an embeddable opt-out widget that makes it easy to add CCPA-compliant opt-out functionality to your website. Our dashboard tracks consumer requests, manages response deadlines, and helps you stay compliant without the complexity.