Skip to Main Content
Main Menu

California Consumer Privacy Act (CCPA)

California’s comprehensive privacy law creates data privacy rights for Californians and data protection obligations for organizations. If your organization collects personal data from consumers, employees, or customers, it’s crucial to understand and adhere to these obligations to avoid fines/penalties.

Are you subject to the CCPA?

The CCPA applies to any organization and vendor who does business in California and meets any one of the following criteria.

Answering “yes” to any of the three questions below impacts your organization.

Does my company generate over $25 million annual gross revenue?

Does my company processes data of over 100,000 California consumers, households, or devices?

Does my company derive 50% of annual gross revenue from the sale or share of personal information?

    Obligations & rights under the CCPA

    This data privacy and protection law requires organizations to ensure consent mechanisms are in place (e.g. GPC Signal, Do Not Sell/Share opt-out links), notice requirements, and vendor management requirements while providing Californians with the ability to exercise six individual rights.

    Consents & opt-outs

    The CCPA outlines several consent and opt-outs requirements. Such as parental or guardian consent to share data from minors under 13 years old, and affirmative consent from minors between 13 and 16 years old. A company’s website homepage must require a “Do Not Sell or Share My Personal information” link. An organization must also include opt-outs for targeted advertising, sales, and the right to limit use of and disclosure of sensitive personal information. Universal opt-outs requests must also include Global Privacy Control signal (GPC).

    Data subject rights & requests

    Businesses must be able to fulfill and address requests within 45 days. Data subject requests include the request to know what personal information has been collected, request to delete any personal information collected, request to opt out of the sale of their personal information, request to correct inaccurate personal information, and the request to limit use and disclosure of sensitive personal information.

    Policies & notices

    Privacy policies must be regularly updated every 12 months with required information and be easily accessible, with alternative formats for accessibility clearly called out.

    Vendor management

    Under the CCPA, businesses must perform regular reviews of third-party vendors and have contracts in place to ensure continued compliance. Includes annual cybersecurity audit and risk assessments.


    Guide to Data Inventory and Mapping for GDPR & CCPA Compliance

    One of the most important steps to design and build a data privacy program is to create a data inventory of all of the business processes within an organization.


    • What is the California Privacy Rights Act (CPRA) and how is it related to the California Consumer Privacy Act (CCPA)?

      The CPRA is an amendment to the CCPA law that adds additional consumer privacy rights and obligations for businesses. It also established the agency (California Privacy Protection Agency) to implement and enforce the law, while educating the public on their rights and obligations under the law. The CPRA amendments to the CCPA went into effect on January 1, 2023.

    • Who has privacy rights under the CCPA?

      The CCPA provides privacy rights to California residents including residents who are employees or job applicants, and contacts for business customers, vendors, or independent contractors.

    • What is personal information and sensitive personal information under the CCPA?

      Personal information is information that identifies, relates to, or could reasonably be linked to a particular consumer of a household. Examples include a first and last name, email address, geolocation data, fingerprints, and internet browsing history.

      Sensitive personal information includes examples like social security number, driver’s license number, precise location, genetic data, biometric information, racial or ethnic origin, information about a consumer’s health, religious beliefs, and citizenship or immigration status. Under CCPA, consumers have the right to limit a business’s use and disclosure of their sensitive personal information.

    The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

    Back to Top