California Consumer Privacy Act

The California Consumer Privacy Act (CCPA), enacted in 2018 and taking effect on January 1, 2020, gives consumers in California additional rights and protections regarding how businesses may use their personal information.

I. CCPA Scope

Material scope. The CCPA, also called AB375, applies to a “business.” A “business” for the purposes of the CCPA satisfies at least one of the following thresholds :

  • Annual gross revenue in excess of 25 million

  • Buy or sells the personal information of 50,000 or more consumers or households

  • Earns more than half of its annual revenue from selling consumers' personal information

CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

A lengthy list of examples is provided, which could potentially make the Californian definition even broader than GDPR. Examples include real name, alias, postal address , Internet Protocol address, email address, account name.

Territorial scope. The CCPA applies to certain organisations who ‘do business in the State of California’ regardless of where they are located. This is limited to businesses that process the personal data of Californian residents. The Act defines a “consumer” as “a natural person who is resident" as defined in the California Code of regulations. Unlike the GDPR, the bill exempt employee data in most instances.

II. Consumers' Rights

Right to information. A business must tell the consumer that it collects personal information about them either before or as that information is collected.

It must also tell the consumer the types of third parties it shares your personal information with, but it's up to the consumer to ask for this information. This is a part of CCPA that some criticise, like Professor Jennifer King from Stanford University, saying that the CCPA falls short on the protection of people : it belongs to the consumer to take action on their own, this information is not given by default.

Right to opt-out. Businesses must give the consumer ways to opt out of having their personal information sold to third parties. Businesses must put a link to their opt-out page on their homepage.

Right of access. Businesses must offer ways to request a copy of the personal information they have collected about the consumer, and must provide it free of charge within 45 days.

Right to portability. The CCPA provides that Californian residents that exercise their right of access must receive the data “by mail or electronically and if provided electronically, the information shall be in a portable (...) in a readily usable format that allows the consumer to transit this information to another entity without hindrance”.

Right to request deletion. A consumer shall be able to request the deletion of his personal information to any business. There are also exceptions to this right.

Right to an equal service. The CCPA prohibits businesses from discriminating against consumers by denying goods or services, providing a different level or quality of goods or services based upon a consumer’s exercise of any CCPA rights.

This provision is likely the most misunderstood section of the CCPA. A business may offer financial incentives for the collection and sale of data, but only with the consumer’s prior opt-in consent which can be withdrawn at any time, and where the price or difference is directly related to the value of the consumer’s personal information.

III. Sanctions

Governmental Enforcement. Violations of the CCPA are subject to enforcement by the California attorney general’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided.

Consumer Enforcement. In addition, private plaintiffs may bring a civil action against a business in the event of a data security breach that results in unauthorised access and exfiltration, theft, or disclosure of the individual’s personal information. The statute allows for recovery of up to $750 per consumer per incident.

- Hadrien Rose


  • (1) PRESTON BUKATY, "The California Consumer Privacy Act (CCPA): An implementation guide", IT Governance Publishing

  • (2) Natasha Singer, "What Does California’s New Data Privacy Law Mean? Nobody Agrees", The New York Times, December 14, 2019

  • (3) Daphne Leprince-Ringuet, "We are ready, says Facebook as California prepares for new privacy law", ZDNet, December 16, 2019

  • (4) Mark Bridges, "CCPA – CALIFORNIAN CONSUMER PRIVACY ACT: 5 KEY IMPACTS", Data protection network, July 2019

  • (5) Emily Bruemmer, "Consumer Rights Under the CCPA, Part 1: What Are They?", Davis Wright Tremaine LLP, 07.10.19

  • (6) Geoffroy De Cooman, "What is CCPA and why should it matter to you?", Proxyclick, Septembre 29, 2019

  • (7) Maria Korolov, "California Consumer Privacy Act (CCPA) : What you need to know to be compliant", October 4, 2019

  • (8) Sara Morrison, "Califonia's new privacy law, explained", VoxMedia, December 30, 2019