The United States does not yet have a single federal data protection law. To date, an increasing number of states have passed their own laws and/or updated existing ones, and bills have been introduced, are in progress, or have failed in many others.
There are a number of other long standing privacy laws that target specific types of information or human demographics in the US, like the Health Insurance Portability and Accountability Act (HIPAA) for health and the Children’s Online Privacy Protection Act (COPPA) for children’s safety. This does not make it easy to keep track of all or achieve compliance for all relevant regulations that address personal data.
The first and most influential state-level consumer privacy law passed in the United States is the California Consumer Privacy Act (CCPA). It takes some influence from the European Union’s General Data Protection Regulation (GDPR) and has, in turn, influenced privacy bills drafted by other states, including the Virginia Consumer Data Protection Act (VCDPA).
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a US state-level consumer privacy law that was passed in 2018 and came into effect on January 1, 2020. It applies exclusively to residents of California, known as ”consumers” under the law, and regulates the protection of their personal information.
It’s worth noting, however, that California is the most populous US state, with a population of over 39 million people, as well as having the world’s fifth largest economy, and a number of the world’s largest and most influential tech companies are headquartered there. So the state has an outsized influence on many fronts.
A consumer under the law is a natural person who is a resident of California, however identified, including by means of a unique identifier. A “resident” means:
- every individual who is in the State for other than a temporary or transitory purpose
and
- every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose
The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023, and granted additional rights to consumers and established the California Privacy Protection Agency (CPPA), among other things. Enforcement of the CPRA began in February 2024 after a legal challenge. Enforcement had been scheduled to begin on July 1, 2023.
Definitions under the California Consumer Privacy Act (CCPA) data privacy law
The CCPA, as amended by the CPRA, defines several terms that cover the data it protects and data processing activities. Unlike most other data privacy laws, California does not use the terms “controller” or “processor”.
Personal information under the CCPA/CPRA
The CCPA/CPRA law defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA/CPRA’s definition of personal information is wide ranging, and examples under the law include, among other things:
- IP address, real name, alias, postal address, Social Security number, and email address
- biometric information that can establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, as well as sleep, health, or exercise data that contain identifying information
- electronic activity information, such as browsing history or interactions with online ads
- professional or employment-related information
Personal information is known as personal data under many international and other state-level data privacy laws in the US.
Sensitive personal information under the CCPA/CPRA
Sensitive personal information is that which can cause harm to a consumer if misused, and includes, among other things:
- driver’s license, state ID card, passport, or Social Security number
- precise geolocation data that can accurately identify a person within a radius of 1850 feet (563 meters)
- racial or ethnic origin
- debit card or credit card number in combination with any required password or credentials that provide access to the account
- genetic data
- contents of a consumer’s postal mail, email, and text messages
Unique identifier under the CCPA/CPRA
The CCPA/CPRA law defines a unique identifier or “unique personal identifier” as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.”
The law specifies that a family means a custodial parent or guardian and any children under 18 years of age who are in their custody.
Examples of unique identifiers are:
- device identifier
- IP address
- cookies, beacons, pixel tags, mobile ad identifiers, or similar technology
- customer number, unique pseudonym, or user alias
Consent under the CCPA/CPRA
The law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.“
The following does not constitute valid consent under the CCPA/CPRA:
- acceptance of a general or broad terms of use or similar document
- hovering over, muting, pausing, or closing a piece of content
- agreement obtained through dark patterns
Sale under the CCPA/CPRA
The law defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”
A business is not considered to have sold information when:
- a consumer uses or directs the business to intentionally disclose or interact with third parties
- the business uses or shares an identifier for the consumer, for the purpose of informing others that the consumer has opted out of the sale of or limited the use of their personal information
- the business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business
Who must comply with the California Consumer Privacy Act (CCPA)?
The CCPA/CPRA law applies to for profit businesses that operate in California and collect the personal information of the state’s residents, if they meet any one the following thresholds:
- annual gross revenues exceeding USD 25 million for the previous calendar year
- receive, buy, sell, or share personal information of 100,000 or more consumers or households
- earn more than half of their annual revenue from the sale of consumers’ personal information
Interestingly, more recently passed privacy laws in other states have abandoned the revenue-only compliance threshold. Whether or not the company is headquartered in or has an office in California is not relevant to compliance. All companies that meet the threshold must meet CCPA/CPRA obligations if they are doing business with California residents, regardless of where in the world they are based.
What are consumers’ rights under the California Consumer Privacy Act (CCPA) laws?
The CCPA, as amended by the CPRA, grants consumers several rights to enable them to protect their personal information and control how it’s used.
- Right to delete: consumers can request businesses to delete their personal information that was collected from the consumer.
- Right to correct: consumers can request a business to correct any incomplete or inaccurate personal information that it holds.
- Right to know and access: consumers have a right to know and access the categories of personal information the business holds about them, the purposes for collecting the information, where the business obtained the information from, categories of third parties who receive the information, and the specific personal information the business has collected about the consumer.
- Right to know regarding sale or disclosure: consumers have the right to know what categories of personal information the business holds; the categories of personal information sold, shared, or disclosed; and the categories of third parties to whom it is sold, shared, or disclosed.
- Right to opt out: consumers have the right to opt out of the sale or sharing of their personal information.
- Right to limit: consumers have the right to limit the use or disclosure of their sensitive personal information.
- Right of nondiscrimination: consumers have the right not to be discriminated against for exercising any of their rights under the law.
In addition to these rights that are explicitly stated in the CCPA/CPRA, consumers also have the right to data portability. Where a consumer has exercised their right to know and access personal information, businesses must present the consumer’s specific personal information in a “structured, commonly used, machine-readable format.”
Obligations under the California Consumer Privacy Act (CCPA) Rules
Businesses have specific CCPA/CPRA obligations to protect consumers’ personal data, ensuring transparency and accountability in their data handling practices.
Notices required under the CCPA/CPRA
The CCPA/CPRA requires businesses to provide two distinct notices to consumers: a notice at collection and a privacy policy.
A notice at collection must be displayed to consumers at or before the point where the business collects their personal information. This notice must clearly list:
- categories of personal information collected, including sensitive personal information, if any
- purposes for which personal information will be used, including sensitive personal information, if any
- whether personal information or sensitive personal information is sold or shared
- how long the business will retain the personal information and sensitive personal information
- If the business sells or shares personal information, the notice must include a link with the specific words “Do Not Sell Or Share My Personal Information”, enabling consumers to easily opt out of such transactions.
The notice at collection should contain a link to the business’s privacy policy.
The CCPA privacy policy must include:
- a description of consumers’ privacy rights and how to exercise them
- categories of personal information collected, sold, or shared in the preceding 12 months
- categories of sources from which personal information is collected
- business or commercial purpose for collecting, selling, or sharing personal information
- categories of third parties to whom personal information is disclosed
Businesses commonly make their privacy policy accessible on their websites, typically found via a link in the footer so that consumers can easily find and review the privacy policy.
Consent requirements under the CCPA/CPRA
In most cases, the CCPA/CPRA does not require explicit consent from consumers for the collection, use, or sharing of their personal information. It operates on an opt-out model, where consumers are assumed to consent to data use unless they choose to opt out. There is an exception for the personal information belonging to minors:
- For minors aged 13 to 16, businesses must obtain explicit, opt-in consent from the minor before selling or sharing their personal information
- For minors under 13 years of age, businesses must obtain explicit consent from a parent or guardian before collecting or selling their data
Consumers have the right to opt out of the sale and several other uses of their personal information and to limit the use or disclosure of sensitive personal information.
Opt-out requests under the CCPA/CPRA
Businesses must provide options for consumers to opt out of:
- sale or sharing of their personal information (and targeted advertising and profiling under the CPRA)
- use or disclosure of their sensitive personal information for unauthorized purposes
The law mandates specific ways for businesses to provide consumers with opt-out options.
- Through a clear and conspicuous link on the business’s homepage titled “Do Not Sell Or Share My Personal Information,” which directs consumers to a page from which they can opt out of the sale or sharing of their personal information.
- Through a clear and conspicuous link titled “Limit The Use Of My Sensitive Personal Information,” which enables consumers to limit the use or disclosure of their sensitive personal information.
- If a business prefers, it can use a single link that combines both functions, as long as it effectively enables consumers to opt out of both, the sale, sharing, targeted advertising, or profiling from their personal information, and limiting the use or disclosure of their sensitive personal information.
Businesses must also respect universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, through which consumers can set their consent preferences once and communicate them automatically across various websites and online services.
Consumer requests for right to know, correct, and delete
Consumers have the right to request information about the personal data collected about them, as well as to correct inaccuracies or to delete that data.
The law requires businesses to provide at least two designated methods for consumers to submit their requests, which must include a toll-free telephone number. For businesses that operate exclusively online and have a direct relationship with consumers, an email address is sufficient.
If a business maintains a website, it should enable consumers to submit requests for information, correction, and deletion directly through the site.
Consumers can request data that was collected up to 12 months prior to the date of their request. Businesses have 45 days from the date of the request to disclose the requested information, and they may seek an extension of an additional 45 days under certain circumstances
While businesses may require consumers to login to an existing account to verify identity and submit a request, they cannot require consumers to create a new account for this purpose.
Contracts under the CCPA/CPRA
Businesses that collect consumers’ personal information sometimes sell or share consumers’ personal information with a third party, or disclose the personal information to a service provider or contractor for business purposes.
The CCPA/CPRA requires businesses to enter into agreements with these third parties, service providers, or contractors. The agreement must outline that:
- the personal information is sold, shared, or disclosed only for limited and specific purposes
- the third party, service provider, or contractor must comply with the CCPA/CPRA obligations applicable to them
- the third party, service provider, or contractor must provide the level of data privacy protection required by the law
- the business is entitled to take “reasonable and appropriate steps” to ensure that any third party, service provider, or contractor uses the personal information shared in a way that aligns with the business’s CCPA/CPRA obligations
- the third party, service provider, or contractor must inform the business if it cannot meet its legal obligations
- the business has the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of personal information, after providing notice
Contracts with service providers and contractors must also prohibit them from:
- selling or sharing personal information
- retaining, using, or disclosing personal information for any purpose other than that specific in the contract
- combining the personal information received from the business with personal information received by any other means, except for purposes exempted under the law
Data security under the CCPA/CPRA
Businesses that collect consumers’ personal information are obligated to safeguard the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. The CCPA/CPRA requires businesses to implement “reasonable security procedures and practices” for this purpose.
Data minimization under the CCPA/CPRA
Under the CCPA/CPRA, businesses can collect, use, store, and share consumers’ personal information only to the extent needed to achieve the original purpose for collecting the information, or for another compatible purpose. The personal information must not be processed in ways that conflict with the original purposes.
This requirement is a key aspect of data minimization, which means that companies must limit their handling of personal data to what is essential for the intended purposes.
The CPPA, in its Enforcement Advisory No. 2024-1, has highlighted the various CCPA regulations that reflect the principle of data minimization by prohibiting businesses from requiring consumers to share additional information “beyond what is necessary.”
Enforcement and penalties under the California Consumer Privacy Act (CCPA)
The CCPA/CPRA has certain unique characteristics when it comes to enforcing the state’s consumer privacy law.
Unlike most states, where the Attorney General has sole enforcement authority, California permits both the Attorney General and CPPA to enforce the law. However, the CPPA cannot limit the Attorney General’s authority and must stay an administrative action or investigation when requested. A business cannot be penalized by both the Attorney General and the CPPA.
Violations of the CCPA/CPRA attract civil penalties of up to:
- USD 2,500 per non-intentional violation
- USD 7,500 per intentional violation and violation involving the personal information of minors
The CCPA/CPRA is also the only consumer privacy law in the US that grants consumers a private right of action, although it is limited to specific situations. Consumers can sue businesses in the event of a data breach or personal security information breach, which occurred because the business failed to implement reasonable security measures to protect the personal information and that results in non-encrypted or non-redacted data being stolen.
Consumers must give businesses 30 days to cure the violation in the event of a data breach before they can bring an action against the business. Of note is that when the CCPA came into effect, the Attorney General also provided a 30-day cure period; however, that has now sunset.
Consumers can bring an action:
- to recover damages between USD 100 and USD 750 per incident, or actual damages suffered, whichever is greater
- for injunctive or declaratory relief
If a consumer believes their rights, other than those arising out of a data breach, have been violated, they may file a complaint with the Attorney General or the CPPA.
GDPR vs. CCPA: a summary
The EU’s General Data Protection Regulation (GDPR) and the CCPA/CPRA are landmark regulations when it comes to protecting data privacy.
The GDPR is considered one of the most stringent data protection regulations worldwide, and has influenced many other regulations, such as Brazil’s General Data Protection Law (LGPD) and the CCPA.
The CCPA was the first state-level consumer privacy law passed in the US and has many unique provisions, such as dual enforcement and private right of action.
We look at the two regulations side by side to examine some of the similarities and differences.
| CCPA | GDPR | |
|---|---|---|
| Scope and applicability | Applies to for-profit businesses that collect personal information from California residents and either: – have annual gross revenues exceeding USD 25 million for the previous calendar year – receive, buy, or sell personal information of 100,000 or more consumers or households – earn more than half of their annual revenue from the sale of consumers’ personal information It applies to any business that meets these conditions, regardless of where the business is located (extraterritoriality). | Applies to any entity that processes the personal data of individuals located in the EU/EEA and either: – offers them goods and services – monitors their behavior Like the CCPA, it applies regardless of where the business is located (extraterritoriality). The GDPR applies to non-profit organizations and government agencies as well as for-profit businesses. |
| What it protects | Personal information of California residents, known as consumers, even if they are temporarily outside the state. Personal information includes that which can be linked to a consumer or a household. | Personal data of individuals located in the EU territory, known as data subjects. Applies to individuals only and does not extend to households. |
| Consent | Operates on an opt-out consent model and doesn’t require prior consent to collect and process data in most cases. Consumers can opt out of the use of their data in specific cases. | Operates on an opt-in consent model, meaning that organizations cannot collect or process data unless the user gives their explicit consent. |
| Legal bases | There are no specific legal bases for collecting personal information. | Personal data can only be collected if there is a legal basis: – consent – to perform a contract – legal obligation – to protect vital interests – in the public interest – legitimate interest |
| Enforcement authority | California Attorney General and California Privacy Protection Agency (CPPA). | Data Protection Authorities (DPA) of the EU Member States. |
| Private right of action | Consumers can directly sue businesses only in the event of a data breach caused by a failure to take security measures, in specific circumstances. | Data subjects can lodge complaints with the DPA in their state and receive compensation if they have suffered material or non-material damage. |
| Civil penalties | Up to USD 2,500 per non-intentional violation and USD 7,500 per intentional violation, and statutory damages for data breach. | Up to 2 percent of annual turnover or EU 10 million, whichever is higher, for certain violations. Up to 4 percent of annual turnover or EU 20 million, whichever is higher, for more serious violations. |
What does the CCPA/CPRA mean for companies’ websites?
If a business meets one of the CCPA/CPRA thresholds and has an online property, it must take several steps to meet CCPA/CPRA obligations.
- The website must present visitors with a notice at collection that lists the categories and purposes of the personal data collected, whether personal information is sold or shared, and how long the business will retain the personal information.
- The website must include a privacy policy that informs consumers of their privacy rights and how to exercise them, as well as the business’ privacy practices in more detail.
- If the business sells or shares personal data, it must present a link titled “Do Not Sell Or Share My Personal Information” to enable users to opt out of the sale of their personal data. It must also present a link titled “Limit The Use of My Sensitive Personal Information” to enable users to opt out of the use of their sensitive personal information.
- For personal information of minors, businesses must obtain explicit consent from the consumer (between 13 and 16 years) or their parent or guardian (when the minor is below 13 years) before their personal information can be shared or sold.
Businesses can use a consent management platform (CMP) like Usercentrics CMP to achieve CCPA compliance.
A CMP enables websites to display cookie consent banners with straightforward links or buttons that enable users to opt out of data processing. It can also handle cookies and other tracking technologies, blocking their use when a consumer exercises their right to opt out.
CMPs also help websites provide clear information to users about the types of data being collected, the purposes for collection, and the third parties that may receive this data, in accordance with the CCPA/CPRA and other data privacy laws.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
