What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) is a privacy law that gives California residents more control over how businesses collect and use their personal information. Today, the CCPA law is one of the most important privacy frameworks in the United States.
At its core, the law is about transparency and choice, and gives people the right to ask businesses:
- What personal data they collect
- Why they collect it
- Who they share it with
- Whether it can be deleted
The law was signed in 2018 and came into effect in 2020. It applies to many businesses that collect data from people in California, even if those businesses are based somewhere else.
It was one of the first major privacy laws of its kind in the United States, often referred to as the California CCPA, and helped change how businesses think about consumer data.
In 2020, California voters approved an update to the law, the California Privacy Rights Act (CPRA). This strengthened the original law and introduced additional privacy protections.
Together, the CCPA and CPRA now form California’s main privacy framework. You might also see this referred to more broadly as the California Privacy Act.
In this in-depth guide, we’ll walk through what these laws cover, who they apply to, and what they mean in practice. For a shorter overview, take a look at our CCPA explainer post.
How the CPRA expanded the CCPA
The California Privacy Rights Act builds on the original California Consumer Privacy Act and strengthens it in a few crucial ways.
It introduced new consumer rights, added stronger protections for sensitive personal information, and created a dedicated privacy regulator.
Because of these changes, many businesses now refer to the framework as CCPA/CPRA. Here’s a quick look at how the two compare.
Key differences between CCPA and CPRA
| Area | CCPA | CPRA |
|---|---|---|
| Effective timeline | 2020 | Expanded rules starting in 2023 |
| Enforcement | California Attorney General | California Privacy Protection Agency and Attorney General |
| Consumer rights | Access, deletion, opt out | Adds correction and limits on sensitive data |
| Sensitive personal information | Not clearly defined | New category with stronger protections |
Note: the CPRA did not replace the original law. It expanded it and added more protections for consumers. For a detailed breakdown of how the two laws differ in practice, this guide to CCPA vs CPRA is a good place to start.
What counts as personal information under the California Consumer Privacy Act?
Under the California Consumer Privacy Act, personal information includes any data that identifies, relates to, or could reasonably be linked to a person or household.
Examples include:
| Category | Example |
|---|---|
| Identifiers | Name, email address, phone number |
| Online identifiers | IP address, device ID |
| Internet activity | Browsing history, search history |
| Location data | GPS or location tracking |
| Commercial data | Purchase history |
The CPRA also introduced a new category called sensitive personal information. Consumers have additional rights over this type of data, which includes:
- Social Security numbers
- Financial account details
- Precise location data
- Health information
- Racial or ethnic origin
Note: If it can’t reasonably be linked back to an individual, it’s generally not considered personal information.
Consumer rights under the California Consumer Privacy Act and CPRA
The CCPA gives California residents several rights over their personal data.
These rights are designed to give people more visibility and more control over how their information is used.
Right to know
Consumers can ask what personal information a business has collected about them, how it is used, and who it is shared with.
Right to delete
Consumers can ask businesses to delete personal information collected about them, although some exceptions apply.
Right to opt out of data sales or sharing
Consumers can tell a business to stop selling or sharing their personal information with third parties.
Right to correct inaccurate information
The CPRA introduced the right to request corrections if a business holds inaccurate personal data.
Right to limit the use of sensitive personal information
Consumers can also limit how businesses use sensitive personal information.
Right to non-discrimination
Businesses cannot penalize consumers for exercising their privacy rights.
How consumers exercise these rights
Consumers usually exercise these rights by submitting a request directly to the business.
Businesses typically provide ways to do this through:
- Online request forms
- Support email addresses
- Toll-free phone numbers
They also need to verify who is making the request and respond within the timeframes set by law.
Does the CCPA apply to your business?
The CCPA applies to your business if it operates in California and meets at least one of the following conditions:
- Earns more than 25 million dollars in annual revenue
- Processes personal data from 100,000 or more California residents or households per year
- Generates 50% or more of its revenue from selling personal data
Even if a company is based outside the state, it may still need to comply if it collects personal data from California residents.
The California Privacy Protection Agency
The California Privacy Protection Agency (CPPA) was created by the CPRA to oversee and enforce the state’s privacy laws.
The agency can:
- Investigate privacy violations
- Issue regulations and guidance
- Conduct audits
- Enforce penalties
In practice, that means privacy enforcement in California now has a dedicated regulator.
CCPA compliance checklist for businesses
If your business falls under the CCPA, compliance usually involves a few practical steps. If you want a more detailed walkthrough, this CCPA compliance guide breaks the process down step by step.
Map the personal data you collect
Start by identifying what personal information your business collects, where it comes from, and how it is used.
Update your privacy policy
Your privacy policy should clearly explain what data you collect, why you collect it, and how consumers can exercise their rights. If you’re updating your notice for Californian users, this guide to creating a CCPA privacy policy can help.
Provide consumer request mechanisms
Consumers need a clear way to submit requests to access, delete, or opt out of data sharing.
Review vendor relationships
If third parties process personal data on your behalf, your contracts should reflect the relevant privacy obligations.
Train employees
Teams that handle customer data or respond to privacy requests should understand the law and know how to respond.
Monitor compliance regularly
Privacy rules change often, so it is worth reviewing your setup regularly.
Frequently asked questions about penalties and enforcement
Who enforces the CCPA and CPRA?
The CCPA and CPRA can be enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA).
The Attorney General handled enforcement when the CCPA first came into effect.
The CPRA later introduced the CPPA, which now plays a central role in enforcing California privacy law and investigating potential violations.
What happens if a business does not comply?
If a business fails to meet its obligations under the law, it can face regulatory action, financial penalties, and, in some cases, legal claims from consumers.
Civil penalties can reach:
- $2,500 per violation
- $7,500 per intentional violation
That can add up quickly, especially when large volumes of user data are involved.
Can consumers sue businesses under the CCPA?
In some cases, yes.
The CCPA includes a private right of action for certain data breaches. This means consumers may be able to take legal action if their personal information is exposed because a business failed to implement reasonable security measures.
Has the law already been enforced in practice?
Yes. California regulators have already taken action against businesses that failed to meet privacy requirements.
Enforcement has focused on issues such as:
- Missing or incomplete privacy disclosures
- Failure to provide clear opt-out options
- Poor handling of consumer rights requests
- Non-compliant cookie and tracking practices
What are the real risks beyond fines?
For many businesses, the bigger risk is losing trust.
If customers feel their personal data is being collected without transparency or handled carelessly, that can affect brand reputation, customer loyalty, conversion rates, and long-term growth.
Employee and B2B data: special considerations
Privacy compliance doesn’t stop with customers and website visitors.
The CCPA and CPRA can also affect how businesses handle data related to employees, job applicants, contractors, and business contacts.
Does CCPA/CPRA apply to employee data?
In many cases, yes.
When the CCPA first took effect, some employee and HR-related data were temporarily exempt from certain parts of the law. Over time, that has changed.
Under the CPRA, many of those exemptions have expired, meaning employee-related personal data is now more clearly within scope.
This can include information collected during:
- Hiring and recruitment
- Onboarding
- Payroll and HR processes
- Performance management
- Internal communications
If your business collects personal information from employees or job applicants in California, that data may now fall under the same broader privacy framework.
What about B2B data?
Business-to-business data was also treated differently under the original CCPA for a period of time, but those exemptions didn’t last forever.
Today, many businesses need to think more carefully about how they collect and manage data from suppliers, partners, contractors, business contacts, leads, and sales prospects.
If your business handles contact details or personal information in a professional context, that doesn’t automatically place it outside the law.
What does this mean for HR and internal teams?
It means privacy compliance needs to go beyond the marketing team or website setup. HR and people operations teams should consider what employee data is being collected, where it is stored, who has access to it, how long it is kept, and how employees can exercise their rights where applicable.
This is especially important for businesses using multiple internal tools or third-party HR systems.
CCPA/CPRA vs GDPR: how California compares to Europe
If your business operates internationally, there’s a good chance you’ve also come across the General Data Protection Regulation (GDPR), but where and how do the CCPA and GDPR differ?
The GDPR is the European Union’s main privacy law, and while it shares some goals with the CCPA and CPRA, the two frameworks are not the same.
Both are designed to give people more control over their personal data, but they take different approaches to rights, consent, and business obligations.
CCPA/CPRA vs GDPR
| Area | CCPA/CPRA | GDPR |
|---|---|---|
| Geographic scope | Applies to certain businesses handling data from California residents | Applies to organizations handling data from people in the EU |
| Main approach | Focuses on transparency and consumer control | Focuses on lawful processing and consent |
| Consumer rights | Access, deletion, opt-out, correction, limit sensitive data use | Access, deletion, correction, portability, restriction, objection |
| Consent requirements | Often based on opt-out, especially around sale or sharing | Often requires prior consent before processing |
| Sensitive data | Special protections under CPRA | Special category data has stricter rules |
| Enforcement | CPPA and California Attorney General | National data protection authorities across the EU |
| Potential fines | Lower than GDPR, but still significant | Can be much higher depending on the violation |
| Data Protection Officer | Not generally required | May be required in some cases |
Which law is stricter?
In general, the GDPR is broader and more demanding when it comes to legal basis, consent, and documentation.
The CCPA and CPRA, on the other hand, focus more heavily on transparency, user rights, and control over the sale or sharing of personal data.
While the GDPR is often seen as stricter overall, California’s privacy framework still imposes significant obligations on businesses.
What does this mean for international businesses?
If your business serves users in both California and Europe, you may need to comply with both frameworks.
That usually means putting processes in place to support clear privacy notices, valid consent where needed, rights request handling, vendor oversight, and ongoing legal updates.
For many businesses, the challenge is in building a privacy setup that works across different rules without becoming difficult to manage internally. This is where having the right digital tools in place can make a real difference.
This is where iubenda can help. Instead of managing privacy requirements manually across different tools, businesses use iubenda to generate and maintain privacy documents, manage consent, and support user rights requests in one place.
Final thoughts on the CCPA and CPRA
The California Consumer Privacy Act and the California Privacy Rights Act have raised the bar for how businesses handle personal data.
For businesses, the takeaway is clear: privacy can no longer be treated as a one-off legal task. It needs to be built into how data is collected, managed, and communicated over time.
The good news is that compliance becomes much more manageable once the basics are in place, from clear privacy disclosures to simple processes for handling user rights and keeping documents up to date. iubenda can help by bringing those moving parts together in one place, automated and with room to grow. Create a new project to get a free website compliance report.
Privacy laws will continue to evolve, but the underlying expectation is unlikely to change: businesses should be transparent, responsible, and clear about how they use personal data.