CCPA / CPRA — California Consumer Privacy Act / California Privacy Rights Act
CCPA (2020) and CPRA (2023) form California's comprehensive consumer data privacy law, granting residents rights over their personal information.
Summary
The California Consumer Privacy Act (CCPA) took effect on 1 January 2020 and is the most comprehensive data privacy law in the US. It was expanded by the California Privacy Rights Act (CPRA), effective from 1 January 2023, which among other things established the California Privacy Protection Agency (CPPA) as an independent data protection authority.
- Right to know: Consumers can find out what data is collected about them and for what purpose.
- Right to deletion: Request deletion of personal information.
- Right to opt out: Opt out of the sale or sharing of personal information.
- Sensitive personal information: CPRA introduces a new category of sensitive data with enhanced protections.
History
The CCPA was passed in June 2018 and took effect on 1 January 2020, after initiative sponsor Alastair Mactaggart threatened to put a stricter measure on the ballot. It was immediately regarded as the strictest data privacy legislation in the US. In November 2020, 56% of Californians voted for Proposition 24 (CPRA), which significantly expanded the CCPA. CPRA provisions became fully applicable from 1 January 2023, and the CPPA began enforcement in 2023.
Scope
CCPA/CPRA applies to for-profit businesses that do business in California or process data of California residents and meet at least one of the following criteria: (1) annual gross revenues over USD 25 million; (2) buy, receive, sell, or share personal information of 100,000 or more consumers or households; (3) derive more than 50% of annual revenues from selling consumer personal information. The law protects California residents regardless of where the business is located.
Key Requirements
- Privacy notice: Clear disclosure of categories of data collected and purposes of use.
- Consumer rights: Right to know, delete, correct, data portability, opt out of sale/sharing, limit use of sensitive personal information.
- "Do Not Sell or Share": Easily accessible opt-out mechanism on the website.
- Response timelines: Response to consumer requests within 45 days.
- Data processing agreements: Contracts with service providers.
- Risk assessments: CPRA requires businesses to conduct annual privacy risk assessments for high-risk processing.
- Fines: Up to USD 2,500 per unintentional violation, USD 7,500 per intentional violation.
Related Frameworks
Corrections & Errata
CCPA is the US equivalent of GDPR — baseline cross-reference was missing. lgpd↔gdpr and appi↔gdpr already existed.
Full details on the errata page →1 update:
- CCPA: New regulations effective January 1, 2026 missing from key_dates