The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the leading US state privacy law. It gives California consumers rights over their personal information and imposes obligations on businesses. It is enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General.
Who must comply
For-profit businesses that do business in California and handle California residents' personal information, and that meet at least one threshold: annual gross revenue above the statutory limit (adjusted periodically for inflation); buying, selling or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing personal information. The law is extraterritorial: a business outside California, or outside the US, is covered if it meets these criteria.
Consumer rights
| Right | What it allows |
|---|---|
| Know / access | What personal information is collected, used, shared or sold |
| Delete | Request deletion of personal information |
| Correct | Correct inaccurate personal information (CPRA) |
| Opt-out | Opt out of the sale or sharing of personal information |
| Limit | Limit use of sensitive personal information (CPRA) |
| Non-discrimination | Not be discriminated against for exercising rights |
Business obligations
- Provide privacy notices and a "Do Not Sell or Share My Personal Information" mechanism, and honour browser-based opt-out preference signals such as Global Privacy Control as required by the CPPA regulations.
- Honour consumer requests within statutory timelines (generally 45 days, extendable once by a further 45 days where reasonably necessary, with notice to the consumer).
- Implement reasonable security; apply data minimisation and purpose limitation (CPRA).
- Manage service-provider/contractor and third-party contracts.
- Conduct risk assessments and cybersecurity audits for high-risk processing (as required by CPPA rules).
Penalties
- Administrative fines per violation, with a higher tier for intentional violations and for violations involving the personal information of minors, enforced by the CPPA and the Attorney General.
- A private right of action for certain data breaches: unauthorised access to, or theft or disclosure of, nonencrypted and nonredacted personal information caused by a failure to implement and maintain reasonable security. Statutory damages are available per consumer per incident, so encryption at rest and documented security controls directly limit exposure.
Need help with CCPA / CPRA?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to being compliant, with a scoped, guided programme.
