Privacy Essentials: The California Consumer Privacy Act (CCPA)
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.
Over the last several years, we’ve started to peek behind the curtain of Big Data – and most people are not pleased with what they see. Few are comfortable with the idea that their private information can be sold. And even if consumers are not aware of how their data is being used, they are at least aware their data is being collected.
Enacted in 2018, the California Consumer Privacy Act (CCPA) is one of the most robust and broad privacy laws in the United States. Although similar to the European Union’s General Data Protection Regulation, the CCPA is a separate framework that imposes (in some cases) additional obligations. The law officially took effect on January 1, 2020, with full compliance expected by July 2020.
Consumer Rights Under the CCPA
The CCPA grants California consumers four rights:
- The right to know what personal information is collected, used, shared, or sold
- The right to access their data and able to request for a company to delete it
- The right to opt-out of having their data sold
- Freedom from discrimination in terms of price or services if they exert one of the other privacy rights
Are All Businesses Subject to the CCPA?
A business must comply with the CCPA if it meets one or more of the following criteria:
- Gross annual revenues of more than $25 million
- 50% or more of yearly revenue derives from selling consumers’ personal information
- It buys, sells, or receives the personal information of 50,000 or more consumers, households or devices
Draft regulations released in October 2019 outline additional obligations for entities that handle the personal information of more than 4 million consumers.
What Obligations Do Businesses Have Under the CCPA?
Businesses subject to the CCPA have obligations in six categories:
- Notice
- Procedures
- Response
- Verification
- Disclosure
- Record-keeping
Under the CCPA, companies have a responsibility to provide notice to customers before or at the time their data is collected. They must have procedures in place to respond to consumer requests regarding their personal information. When consumers exert their CCPA rights, businesses have to verify their identity – even if they do not have a password-protected account.
The draft regulations also require businesses to disclose any financial incentives related to the retention or sale of consumers’ personal information, as well as how they calculate the value of the data. Finally, they must maintain records of consumer requests and the responses for two years to demonstrate compliance.
What Does All This Mean For Attorneys?
Although most law practices will not fall under the purview of the CCPA, this privacy law is worth brushing up on. It will certainly not be the last state law to take on data privacy, and federal legislation is likely on the horizon. The CCPA may generate significant litigation in the wake of data breaches, opening up a whole new world of cases for those inclined to take them on. From social media to e-commerce, consumers are already exerting their rights over their data – and there’s no putting the lid back on that box.
Stay Up-to-Date With How the Law Affects Your Life
Enter your email address to subscribe:

Enter your email address to subscribe:
Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.