What is the CCPA?
The CCPA (California Consumer Privacy Act) is a California law aimed at guaranteeing residents’ privacy rights and consumer protections. The CCPA regulates the collection, processing, and sale or trade of personal information. The Act applies to companies that handle California residents’ private data.
The California Consumer Privacy Act was the first comprehensive state data privacy law in the US, and it was heavily influenced by the EU General Data Protection Regulation (GDPR). In November 2020, California voters approved the California Privacy Rights Act (CPRA), which amends and expands the CCPA; most of the CPRA’s provisions took effect on January 1, 2023.
How does the California Consumer Privacy Act compare to other state privacy laws?
Because the CCPA was the first such law in the US, it is the benchmark against which the other state privacy laws are usually measured. Later statutes, like those in Virginia, Utah, and Colorado, had the opportunity to build on and refine what the CCPA started. Here are some of the key differences:
The CCPA applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenues of more than $25 million; buying, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices annually; or deriving 50% or more of annual revenue from selling California consumers’ personal information. (The CPRA raised the second threshold to 100,000 consumers or households and dropped the device count.)
In contrast, the Virginia Consumer Data Protection Act (VCDPA) applies to businesses that process the personal information of at least 100,000 Virginia consumers or that process the personal information of at least 25,000 consumers and derive more than 50% of their revenue from the sale of personal information.
The Colorado Privacy Act (CPA) applies to businesses that conduct business in Colorado, collect personal data from Colorado residents, and either (1) control or process the personal data of 100,000 or more consumers per year, or (2) derive revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The Utah Consumer Privacy Act (UCPA) applies to controllers and processors that conduct business in Utah or target products or services to Utah residents, have annual revenue of $25 million or more, and either (1) control or process the personal data of 100,000 or more consumers in a calendar year, or (2) derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The CCPA grants California residents several rights, including the right to know what personal information is being collected about them, the right to request that their personal information be deleted, and the right to opt out of the sale (and, under the CPRA, the sharing) of their personal information.
Similarly, the VCDPA grants Virginia residents the right to access their personal data, correct inaccuracies, delete data, and obtain a copy of their data. The CPA grants Colorado residents the right to opt out of the processing of their personal data for targeted advertising, profiling, or the sale of their data, and the right to access, correct, or delete their personal data.
The UCPA grants Utah residents the right to access or delete their personal data, obtain a copy of it, and opt out of the processing of their data for targeted advertising or the sale of their data. Unlike the other three laws, the UCPA does not grant a right to correct.
Personal and sensitive information
Most US state data privacy laws single out a subcategory of personal information, usually called sensitive personal information or sensitive data, for stricter treatment. What falls into that subcategory, and what the stricter treatment consists of, differs from law to law.
The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. This includes, but is not limited to, names, addresses, email addresses, Social Security numbers, and IP addresses. Sensitive personal information is a special type of personal information introduced by the CPRA. It includes, among other things, a consumer’s Social Security, driver’s license, or passport number; account log-in or financial account credentials; precise geolocation; racial or ethnic origin, religious beliefs, and union membership; genetic and biometric data; health information; and sex life or sexual orientation.
The VCDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person, which covers names, addresses, email addresses, and IP addresses. Its sensitive data category covers data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed to identify a person, personal data collected from a known child, and precise geolocation data.
The CPA likewise defines personal data as information that is linked or reasonably linkable to an identified or identifiable individual, which again covers names, addresses, email addresses, and IP addresses. Sensitive data under the CPA is personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data processed to uniquely identify an individual; and personal data from a known child. Unlike the CCPA, it does not treat government identification numbers or financial account details as sensitive data.
The UCPA uses the same linked-or-reasonably-linkable definition of personal data. Its sensitive data category covers data revealing racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status; medical history, mental or physical health condition, or medical treatment or diagnosis; genetic or biometric data processed to identify a specific individual; and specific geolocation data.
All four laws define personal information or personal data as information that identifies, or can reasonably be linked to, a particular individual; only the CCPA extends the definition to households. The concrete examples the laws give (names, addresses, email addresses, IP addresses, government identifiers) overlap heavily, so the definitions of personal data are not where the practical differences lie.
The real differences are in what counts as sensitive. All four laws treat data revealing racial or ethnic origin, religious beliefs, health, and sexual orientation, and biometric or genetic data used to identify a person, as sensitive. The CCPA (as amended by the CPRA), the VCDPA, and the UCPA add precise geolocation; the VCDPA, CPA, and UCPA add citizenship or immigration status; and only the CCPA treats Social Security, driver’s license, and passport numbers and financial account credentials as sensitive personal information. The consequences also differ: the VCDPA and CPA require consent before processing sensitive data, the UCPA requires notice and an opportunity to opt out, and the CCPA gives consumers a right to limit how sensitive personal information is used and disclosed.
The CCPA carves out exemptions for some categories of personal information. Most of these are data-level rather than entity-level: the exemption attaches to information that is already regulated by another state or federal law, not to everything the business does. Examples include:
- Consumer report information handled by data brokers and credit reporting agencies under the FCRA (Fair Credit Reporting Act)
- Nonpublic personal information that banks and other financial institutions collect subject to the Gramm-Leach-Bliley Act (this exemption does not extend to the CCPA’s data breach private right of action)
- Protected health information held by healthcare providers and medical insurers covered by HIPAA
A business covered by one of these laws still falls under the CCPA for any personal information outside the exempted scope, such as marketing data or website analytics.
There are many other differences between the CCPA and other data privacy laws throughout the United States. See US data privacy laws for a brief overview.
What rights did the California Consumer Privacy Act guarantee?
The CCPA codified the following rights for California consumers:
- The right to know
- The right to delete
- The right to opt out
- The right to opt in
- The right to nondiscriminatory treatment
- The private right of action
The CPRA added two more rights:
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of sensitive personal information
The right to know refers to the right of California consumers to request what personal information a business has collected about them, the categories of sources it came from, the business purpose for collecting it, and the categories of third parties to whom it was sold or shared, if any.
The right to delete gives consumers a mechanism to have personal data held by a company deleted. When a consumer requests the deletion of their personal information, the CCPA (and CPRA) requires the business to honor that request and to direct its service providers to delete the data as well, subject to statutory exceptions (for example, information needed to complete a transaction the consumer requested or to comply with a legal obligation).
The right to opt out of the sale of personal information means that a business that sells consumers’ personal information (and, under the CPRA, shares it for cross-context behavioral advertising) must stop when asked. In practice this means providing a “Do Not Sell or Share My Personal Information” link and, under the CCPA regulations, honoring opt-out preference signals such as Global Privacy Control sent by the consumer’s browser.
The right to opt in protects minors: a business may not sell or share the personal information of a consumer it knows is under 16 unless the consumer (if aged 13 to 15) or a parent or guardian (if under 13) has affirmatively opted in.
The right to non-discriminatory treatment protects California consumers who exercise any of their CCPA rights. A business may not retaliate by denying goods or services, charging different prices, or providing a different level of quality because a consumer exercised a right.
The private right of action gives California consumers the right to sue a business bound by the CCPA for statutory damages ($100 to $750 per consumer per incident, or actual damages if greater) when nonencrypted and nonredacted personal information is exposed in a data breach caused by the business’s failure to implement reasonable security procedures. The underlying duty to maintain reasonable security predates the CCPA (California Civil Code § 1798.81.5); what the CCPA added is the statutory-damages remedy.
The right to correct lets California residents require a business to fix inaccurate personal information it holds about them, while the right to limit lets them restrict a business’s use and disclosure of their sensitive personal information to what is necessary to provide the goods or services they requested.
More privacy law resources
- Colorado Privacy Act
- California Privacy Rights Act (CPRA)
- Utah Consumer Privacy Act (UCPA)
- Connecticut Data Privacy Act (CTDPA)
- New York SHIELD Act
- Health Insurance Portability and Accountability Act (HIPAA)
What is CCPA?
The CCPA is a statute in the US state of California. It was passed in 2018, took effect on January 1, 2020, and was the first comprehensive data privacy law in the US. It was amended and expanded by the CPRA (California Privacy Rights Act), approved by voters in November 2020, which also created the California Privacy Protection Agency to administer and enforce the law.
What does CCPA stand for?
CCPA stands for California Consumer Privacy Act. This piece of data privacy legislation has since been amended by the California Privacy Rights Act (CPRA), which has been in effect since January 1, 2023. The CCPA was the first comprehensive data privacy law in the US; the CPRA is now one of several such state laws.
What is sensitive personal information under the CCPA?
Personal information includes a range of identifying information like your full name, aliases, postal address, any unique personal identifiers, online identifiers like an IP address, your email addresses, account names, Social Security numbers, driver’s license numbers, and passport numbers.
Sensitive personal information is a subset of personal information. Under the CPRA it includes government identifiers such as Social Security, driver’s license, and passport numbers; account log-in or financial account credentials; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, and union membership; the contents of mail, email, and text messages; genetic data; biometric data processed to identify a person; health information; and sex life or sexual orientation. Browsing history and other electronic network activity information are personal information but are not on the sensitive list.
Sensitive personal information is subject to greater protections under the CCPA, chiefly the right to limit its use and disclosure. Both the category and that right were introduced by the CPRA; before it, the CCPA treated all personal information alike. How sensitive information is defined and handled varies across state data privacy laws.