The California Consumer Privacy Act (CCPA): What You Need to Know

Before you assume that the CCPA will not affect you because your business is not located in California, know that companies both inside and outside of California will be affected by its requirements.

Do I need to be CCPA Compliant?

The California Consumer Privacy Act (CCPA) will apply to businesses worldwide if they, or an entity they control, or that controls them, receive personal information from California residents, either directly or indirectly, and meet one or more of the following criteria:

CCPA at a glance:

  • CCPA law passed June 2018 (following the footsteps)
  • CCPA did go into effect on Jan 1. 2020

What does the California Consumer Privacy Act do?

1. Gives You Ownership

Protect your right to tell a business not to share or sell your personal information.

2. Gives You Control

Gain control over the personal information that is collected about you.

3. Gives You Security

Hold businesses responsible for safeguarding you personal information.

Comparing Privacy Laws: CCPA vs. GDPR

What to know about CCPA

  • The State of California passed the California Consumer Privacy Act (now known as the CCPA) on June 28, 2018.
  • Slated to go into effect January 1, 2020, the CCPA is set to be the toughest privacy law in the United States.
  • The CCPA broadly expands the rights of consumers and requires businesses within scope to be significantly more transparent about how they collect, use, and disclose personal information.
  • All in scope businesses will need to enhance their data management practices, expand their individual rights processes, and update their privacy policies by the January 1, 2020 deadline.
  • Under the CCPA, businesses are subject to civil action by the California Attorney General’s Office and can face penalties of up to $7,500 per intentional violation or $2,500  per unintentional violation.
  • The CCPA also provides a private right of action to California residents where their personal information is subject to unauthorized access, theft, or disclosure.
  • If the California Attorney General’s Office declined to bring an action, residents could bring a private action, where businesses would face paying between $100 to $750 per resident or incident (regardless of whether actual damages are shown).
  • The CCPA will apply to businesses worldwide if they, or an entity they control or that controls them, receive personal information from California residents, either directly or indirectly, and meet one or more of the following criteria:

    – Annual revenue exceeds US $25 million
    – The entity annually receives, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households

    50% or more of its annual revenue is derived from the sale of personal information about California residents

    **Notably, “Personal Information” and “Sale” are given expansive definitions under the CCPA, which greatly increase the scope of businesses to which CCPA will apply.


ata Portability

  • If the specific data elements of personal information are provided to the requestor electronically, to the extent technically feasible, they must be provided in a readily transferable electronic format.


  • Individuals may request to have their personal information deleted.

Disclosures about Sharing /Sale

  • Individuals may request an accounting of the disclosures, including sale, of personal information made to third parties; this significantly expands upon the existing California “Shine the Light” law.

Opt Out

  • Individuals may object to the sale of personal information about them

Opt In.

  • Minors or their guardian must affirmatively authorize the sale of the minor’s personal information.

Non-Discrimination and Financial Incentives

  • Businesses may not discriminate against consumers for opting out of the sale of their personal information.
  • Businesses may not deny products or services or offer differential pricing or rates, unless directly related to the value of the data to the consumer.
  • Business may offer and enter into fair and transparent financial incentive programs for the collection, sale, and disclosure of personal information with informed consent of consumers.


  • The online privacy policy or other web-based notice must disclose the categories of data collected, sources from which data is collected, purposes for which the data is used, categories of third  parties with whom data is shared, information about individual  rights and how to exercise them, as well as the data collected, sold, or disclosed within the prior 12 months.


  • Specific communications and training obligations for responsible personnel.

Failure To Meet Compliance Standards Can Result in Fines