California Consumer Privacy Act (CCPA)

    United States of America (USA)

    California Consumer Privacy Act (CCPA)

    A comprehensive privacy law in California. Gives California residents a set of new rights with respect to the personal information businesses collect or sell about them.

    Last Updated: July 30, 2019

  • General

    The California Consumer Privacy Act of 2018 (CCPA) gives California residents (i.e. consumers) a set of new rights with respect to the personal information businesses collect or sell about them.

    The CCPA applies to businesses, which are defined as for-profit organizations that collect personal information about residents in California, determine the purpose and means of the processing, do business in the State of California, and that meet one or more of (i) annual gross revenues in excess of twenty-five million dollars ($25,000,000), (ii) alone or in combination, annually buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives fifty percent or more of its annual revenues from selling consumers’ personal information. More details about the CCPA application including exceptions where the Act does not apply can be found under the OneTrust CCPA Handbook.

    Personal information under the CCPA is defined very broadly as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

    • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
    • Characteristics of protected classifications under California or federal law.
    • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
    • Biometric information.
    • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
    • Geolocation data.
    • Audio, electronic, visual, thermal, olfactory, or similar information.
    • Professional or employment-related information.
    • Education information.
    • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

    The CCPA will not come into effect before 1 January 2020.  During this period, there are to be expected some changes because the law sets forth regulations to be passed. At a minimum, we can expect some corrections to be made during the next legislative process. The first set of (mostly technical) corrections was contained in the California SB 1121 Bill, published by the California legislature on September 24, 2018 to amend the CCPA.

    While SB 1121 does not change the original operative date of 1 January 2020, it clarifies that it is taking effect immediately to prevent the enactment of conflicting local laws regarding the collection and sale of personal information. One other noticeable change the bill contains is that it delays the timeline for enforcement. The Bill extends by six months the deadline for the California Attorney General (AG) to draft and adopt the law’s implementing regulations (from 1 January 2020 to 1 July 2020). It also delays the AG’s ability to bring enforcement actions under the CCPA until six moths after the passing of the final regulations or 1 July 2020, whichever happens first.

    In addition to SB 1121, the 2019 California legislative session has seen the introduction of several new amendments to the CCPA. You can learn more about these amendments by visiting our CCPA Amendments Tracker.

  • Lawfulness, Fairness and Nondiscrimination

    Although the Lawfulness principle is not expressly set out in the CCPA, it is an underlying requirement for the companies to process personal data in accordance with the law.

    The CCPA explicitly outlines the prohibition for a business from discriminating against a consumer because the consumer exercised any of the consumer’s rights under the CCPA. The Act also outlines several examples of more subtle discrimination that are all forbidden, for example suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services [1798.125].

    The Act does not specifically concern itself with legal bases for personal data processing, but it establishes a ‘business purpose’ which is understood as the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes provided that the use shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected [1798.140]. Furthermore, while the CCPA does not stipulate preconditions for a valid consent, it focuses on right to opt-out and a right to deletion that can be built on previous consent.

  • Transparency and Free Access

    As a general rule, businesses must honor consumer requests under the CCPA free of charge. A business may charge a reasonable fee for requests that are manifestly unfounded or excessive (in particular because they are repetitive). The business must then take into account the administrative costs or refuse to act on the request and notify the consumer of the reason for refusing the request. In such case, businesses are responsible for demonstrating the excessive or unfounded character of the request [1798.145(g)(3)].

    Related Resources


  • Purpose Specification, Use Limitation and Suitability

    Businesses should follow the principle of purpose limitation, which consists of collecting personal information for one specific purpose, except if prior notice is given to the consumer [1798.100(b)].

    Additionally, data recipients are prohibited from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including for a commercial purpose [1798.140(w)(2)(A)(ii)].

  • Data Minimisation, Storage Limitation and Accuracy

    Businesses should follow the principle of data minimisation, which consists of not collecting more personal information than needed for a particular purpose [1798.100(b)].

  • Privacy by Design

    Businesses are responsible for ensuring that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA are informed of all requirements and how to direct consumers to exercise their rights [1798.130 (a) (6), and 1798.135 (a) (3)].

  • Consumer Rights

    The CCPA establishes new rights for consumers that the businesses have to honor and that, as a result, closely correspond with new obligations of businesses. These rights include:

    1. the right to be informed with regards to personal data collection;
    2. the right to request information;
    3. the right to opt-out of consumer’s personal information sale by a business to third parties;
    4. the right of deletion of personal data (exceptions apply);
    5. the right not to be discriminated against by a business for exercise of the consumer rights; and
    6. direct right of action in case of breach involving nonencrypted or nonredacted personal information that is not cured by business within 30-day period.
  • Vendor Management

    The CCPA prescribes for a written contract between a business and a vendor receiving consumer’s personal information. In the contract, a vendor must certify to adhere to contractual obligations of processing the personal information. A business shall not be liable if the vendor uses it in violation of the restrictions set forth in the contract, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.


  • Enforcement

    Direct right of action for consumers

    Any consumer whose nonencrypted or nonredacted personal information, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

    • To recover damages (*In an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.)
    • Injunctive or declaratory relief
    • Any other relief the court deems proper


    Limitation for action based on statutory damages on individual or class-wide basis: Business’ 30-day cure period

    Before filing action for individual statutory damages or class-wide statutory damages, a consumer must notify the business of the alleged violation. If the business cures the alleged violation within 30 days and provides the consumer with an express written statement that the violations have been cured and that no other violations will occur, consumer cannot initiate any action. If the business breaches the express written statement, the consumer may initiate an action seeking statutory damages for each breach of the statement and any other violation of the CCPA that occurred after the written statement.

    However, no notice from the consumer is required for action seeking actual pecuniary damages suffered as a result of the alleged violation of the Act.

    Injunction and Civil Penalties

    Upon notification of alleged violations of the CCPA by a business, the business has a 30-day period to cure the violations. If it fails to do so, it is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or up to $7,500 for each intentional violation to be assessed and recovered in a civil action brought by the Attorney General.


  • Regulations to be Adopted by the Attorney General

    The CCPA sets forth that the Attorney General, on or before 1 July 2020, is to solicit broad public participation and adopt regulations to further the purposes of the Act. It provides a non-exhaustive list of what those regulations should cover.

    Some notable ones include:

    • Establishing rules and procedures for the following:
      • To facilitate and govern the submission of a request by a consumer to opt out of the sale of personal information
      • To govern business compliance with a consumer’s opt-out request
      • The development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information
    • Establishing rules and procedures to govern a business’ determination that a request for information received by a consumer is a verifiable request, including:
      • treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request, and
      • providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’ authentication of the consumer’s identity


Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.