Skip to main content
About Us

California Consumer Privacy Act (CCPA)

TL; DR

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. It is an important legislation aimed at protecting the personal data of Californians and trying to give them more control over this data. In some aspects, it is the American version of the General Data Protection Regulation (GDPR). And like the GDPR, its effects go far beyond its own borders, its applicability not being conditioned by the territory.

What is CCPA?

The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, gives California consumers additional rights and protections about how companies can use their personal information. The CCPA imposes many obligations on companies, similar to those imposed by the General Data Protection Regulation (GDPR) adopted by the European Union (EU). However, the CCPA is a little more leniant and focuses more on the potential sale of personal data.

Based on legislation introduced in the summer of 2018, California's new privacy law gives consumers the right to ask a company to disclose details about the personal information it collects about the consumer.

California Consumer Rights

Specifically, the draft law no. 3752 of the California Assembly has the following consumer privacy rights:

  • Californians’ right to know what personal data is being collected about them.
  • Californians’ right to know if their personal information is being sold or disclosed and to whom.
  • Californians’ right to say no to the sale of personal data.
  • Californians’ right to access their personal data.
  • Californians’ right to equal prices and services, even if they exercise their privacy rights.

Who is affected

The CCPA applies to any company that deals with the personal data of California citizens, regardless where they operate from. This is especially important for any websites that Californians may access and inadvertently leave their personal data on (e.g. IP, location etc.).

However, CCPA is considered more leniant as it is applied only to specific companies and it mostly excludes small businesses. The ones targeted are companies:

  • that have gross annual revenues of over $ 25 million;
  • that buys, collect or sell personal information of 50,000 or more consumers or households;
  • that earn more than half of their annual revenue from the sale of consumers' personal information.

Organizations must implement and maintain reasonable security procedures and practices in the protection of consumer data.