California privacy law

The CCPA, or California Consumer Privacy Act, is a state regulation specifically designed to safeguard the personal data of California residents, granting consumers more control over how businesses collect and process their sensitive information.

Jonathan Joseph

Head of Solutions

The California Consumer Privacy Act (CCPA)

The CCPA applies to for-profit organizations operating in California that collect, store, share, or sell sensitive personal data of consumers and meet one of the following criteria:

Annual gross revenue of over $25 million
Access to the personal information of over 50,000 California consumers, households, or devices
Earnings of more than half of the company's revenue from the sales of consumers' personal information

It is also important to note that CCPA compliance rules apply to entities that share common branding with a company covered by the regulation. Understanding CCPA requirements helps companies ensure that their practices meet the latest requirements based on their operations and alignment with the data privacy act.

Keep reading: Who does the CCPA apply to?

CCPA Regulations

The CCPA provides businesses with guidelines on improving data governance practices to meet the standards set by the act. The CCPA highlights four rights that organizations must provide to consumers/data subjects:

The right to know

Consumers have the right to request information about the personal information a company processes. The information disclosed should include the type of data, specific details involved, the purpose of data processing, and details of third parties involved in data sharing.

The right to delete

Consumers have the right to request the deletion of their collected personal data. Some exemptions to this request exist, such as business security practices and medical information. Keep reading: Understanding the CCPA right to deletion.

The right to opt-out

Consumers have the right to instruct companies to stop selling or sharing their personal data. California's Attorney General approved a uniform opt-out button that businesses can display on their websites to promote this right. The image also includes alternative text: "California Consumer Privacy Act (CCPA) Opt-Out Icon," complying with user accessibility standards.

The right to non-discrimination

The CCPA provides consumers with the right to protect themselves against any discrimination resulting from invoking their data privacy rights. Businesses cannot deny consumers' decisions to invoke other rights in the regulation unless special circumstances apply.

Companies covered by the CCPA must inform consumers of these rights and provide clear guidance for enforcing them. Specifically, CCPA-covered businesses must prominently display a "Do Not Sell My Personal Information" notice, a privacy policy, and a toll-free hotline for handling consumer requests.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) superseded the CCPA on January 1, 2023, and expands upon CCPA regulations. It applies to businesses that process personal data for activities like targeted advertising.

The CPRA covers a wide range of revisions that provide consumers with greater control over their personal data. It includes the mandatory use of opt-out preference signals and introduces streamlined consumer request handling. The California state government created the CPRA to ensure comprehensive protection of California residents' privacy rights.

CCPA vs CPRA

The CPRA extends CCPA laws to cover joint ventures and partnerships (i.e., companies with less than 40% interest in a business) within California. Both CCPA and CPRA include the rights to know, delete, opt-out, and non-discrimination. The CPRA introduces two additional consumer rights:

The right to correct

Consumers have the right to request corrections to inaccuracies within collected personal information.

The right to limit

The CPRA empowers consumers with the right to limit a company's use of sensitive personal information collected from them. CPRA regulations identify data as sensitive personal information if it includes government ID, geolocation, health records, biometric data, private communication, union membership, racial and ethnic background, or sexual orientation. Limiting the use of sensitive personal information requires companies to inform consumers about how they intend to use the data and how long they will retain it.

The CPRA also has different requirements from the CCPA, applying to businesses that:

Have access to the personal information of over 100,000 California consumers, households, or devices
Earn at least 50% of their annual revenue from selling or sharing the personal information of California residents

California Privacy Protection Agency

The state of California established the California Privacy Protection Agency (CPPA) as a separate regulatory body to oversee the enforcement of the CPRA. The CPPA functions through a five-member board and staff to provide optimal support to California citizens in protecting their privacy rights.

CPPA members uphold the standards outlined in the CPRA through practices such as conducting hearings for non-compliance, issuing new rules as situations evolve (e.g., defining precise geolocation and ensuring the user-friendliness of opt-out mechanisms), and imposing fines for violations, ranging from $2,500 to $7,500 per charge.

The CPPA actively fulfills its duty, as seen in high-profile cases like the one with cosmetic giant Sephora. Sephora received a $1.2 million fine for unauthorized sharing of consumers' sensitive personal information, including location details and purchase details, with third-party companies. The ruling also mandated that Sephora needed to disclose its sale of personal information, conduct regular website reviews, and submit reports to the California Attorney General for a few years.

Keeping up with California privacy regulations

While transitioning from CCPA to CPRA may seem overwhelming, there is still time to make the necessary adjustments for compliance. A Superior Court of California judge has delayed the enforcement of CPRA regulations, providing a one-year enforcement leeway.

Ketch is a Data Permissioning platform that helps companies achieve a state of permissioned data across their data ecosystem, complying with data collection and usage requirements in regulations like CCPA/CPRA and GDPR. With sustainable compliance, a “clicks-not-code” interface, and easy implementation, Ketch helps teams achieve immediate compliance. Request a demo with Ketch to discover how you can get started today.