The CCPA Explained

Clients Rate Lawyers on our Platform 4.9/5 Stars
based on 4,036 reviews

Jump to Section

Need help with a Privacy Policy?

Post Project Now

Post Your Project (It's Free)

Get Bids to Compare

 Hire Your Lawyer

What Is the CCPA?

The CCPA, more officially known as the California Consumer Privacy Act or AB 375, is a state-wide data privacy law in California. It is the first law of its kind in the U.S.

ContractsCounsel CCPA

Image via Unsplash by rupixen

The CCPA regulates how businesses worldwide can handle personal information, or PI, of California residents. Though the CCPA was passed by the California state legislature in 2018, it first came into effect on January 1, 2020. The law became enforceable on July 1, 2020.

Who Does the CCPA Affect?

The CCPA is similar to the General Data Protection Regulation, or GDPR, in the European Union. As with the GDPR, the CCPA deals with consumers' data privacy rights. The law forces many organizations to protect the privacy rights of their consumers.

The CCPA specifically covers consumers who are California residents. However, businesses around the world must comply with CCPA regulations if they have consumers from California. Businesses do not need to be based in California to fall under the law. Companies do not even need to have a physical presence in California or in the United States to fall under this law if they meet certain requirements.

Requirements for Businesses

Not all businesses must comply with the regulations in the CCPA. The CCPA applies if a company fits in one or more of the following categories:

  • The business buys, sells, or receives personal information of 50,000 or more devices, consumers, or households.
  • The business derives half or more of its revenue from selling personal information of consumers.
  • The business has a gross annual revenue that exceeds $25 million.

Under the CCPA, businesses that handle personal information for more than four million consumers have additional obligations as well.


Volume 0%

A later amendment exempts insurance institutions, agents, and organizations that already fall under similar regulation of the Insurance Information and Privacy Protection Act, or IIPPA, in California.

Additionally, the following businesses are exempt from the CCPA as they are covered under federal data security laws already:

Protections for Consumers

The CCPA allows any California consumer to:

  • Demand to see all information a company has saved about them.
  • Demand to see a full list of all third parties a company shares their data with.
  • Sue companies in cases when privacy guidelines are violated, and consumers can sue companies even if no breach occurs.

California residents, or consumers, have the right to:

  • Opt out of having data sold to third parties.
  • Request disclosure of data that has already been collected.
  • Request that data collected be deleted.
  • Be notified and receive equal prices and services — companies cannot discriminate against consumers based on a consumer's choice to exercise these rights.

What Happens When a Company Is Not in Compliance With the CCPA?

Once regulators notify a business of a violation, the company has 30 days to comply with the law. If the issue is not resolved in that time, businesses are subject to a fine per record.

Fines may be between $100 and $750 per consumer per alleged violation, or the actual damages — whichever amount is greater.

Consumers also have the right to sue businesses if they believe their privacy rights were violated. The CCPA allows for class action lawsuits as well.

Data the CCPA Covers

The CCPA covers personal information. Examples of what the law considers personal information includes:

  • Biometric information.
  • Geolocation data.
  • Characteristics of protected classifications under federal or California law.
  • Identifiers, including:
    • Driver's license number
    • Social Security number
    • Passport number
    • Account name
    • Postal address
    • Email address
    • Online identifier IP address
    • Real name
    • Alias
  • Commercial information, including:
    • Products purchased, obtained, or considered
    • Services purchased, obtained, or considered
    • Records of personal property
  • Purchasing/consuming histories/tendencies.
  • Internet/electronic network activity such as:
    • Browsing history
    • Search history
    • Information about the consumer's interaction with applications, advertisements, or websites
  • Education information, as defined in the Family Education Rights and Privacy Act (FERPA) as not publicly available PII, or personally identifiable information.
  • Audio, electronic, olfactory, thermal, visual, or similar information.

The CCPA also covers inferences drawn from the above information to create a consumer profile reflecting things such as a consumer's:

  • Abilities
  • Aptitudes
  • Attitudes
  • Behavior
  • Characteristics
  • Intelligence
  • Predispositions
  • Preferences
  • Psychological trends

Key Provisions of the CCPA

The CCPA stipulates that companies covered by the law must allow consumers to choose not to have data shared with third parties. In practical terms, that means companies now must be able to separate data they collect following their users' privacy choices.

Companies are not required to report breaches under this law. Additionally, before fines are possible, a consumer must file a complaint.

Enforcement of the CCPA

In addition to granting Californians the right to sue businesses that do not take reasonable precautions to prevent data breaches, the CCPA can be enforced. The Office of the Attorney General of California has the power to enforce the CCPA. However, the state has limited enforcement capabilities, as there are not enough resources to ensure that all companies comply with the law at the same time that they manage non-compliance cases.

What Must a Business Do to Be In Compliance With the CCPA?

If your business falls under the CCPA, you are required to:

  • Allow consumers to deal with their personal data in the business's storage in the following ways:
    • Choosing to opt-out
    • Choosing to read the data
    • Choosing to delete the data
  • Disclose financial incentives for your business to sell or retain a consumer's personal data as well as how you value the data.
  • Respond to requests from consumers within specific timeframes.
  • Verify the identity of any consumer who requests to read/delete their information; this is the case even if the consumer has a password-protected account.
  • Keep records of access requests and how your business responded for 24 months.

You must ensure that your company's website:

  • Includes a "Do Not Sell My Personal Information" link so that users may opt out of third-party data sales.
  • Informs users about categories of personal information collected (and for what purposes) at or before the point of data collection.
  • Obtains opt-in/consent before selling or disclosing personal information of minors under the age of 16; parents or legal guardians must opt in for minors under 13.
  • Updates its privacy policy to include:
    • A description of consumer's rights
    • An explanation of how to exercise rights
    • A list, updated annually, of personal information categories the company collects/sells/discloses
  • Shows consumer privacy settings that signal the choice to opt out.

If your company gets a verifiable request from a consumer requesting disclosure of personal information your business has collected, you must provide records of personal information that have been collected in the past 12 months. You must do this free of charge. These records include:

  • Categories of third parties that have received the records
  • Commercial purposes
  • Sources

Your company must not discriminate based on a consumer's decision to exercise the right to:

  • Opt out
  • Request disclosure
  • Request deletion

The CCPA laws are now in effect, and will change the way businesses deal with data across the country. As almost all bigger businesses have some customers based in California, the CCPA has tremendous implications for data privacy laws. For more help with privacy policies and contracts, contact us .

How ContractsCounsel Works
Hiring a lawyer on ContractsCounsel is easy, transparent and affordable.
1. Post a Free Project
Complete our 4-step process to provide info on what you need done.
2. Get Bids to Review
Receive flat-fee bids from lawyers in our marketplace to compare.
3. Start Your Project
Securely pay to start working with the lawyer you select.

Meet some of our Lawyers

Sarah K. on ContractsCounsel
View Sarah
5.0 (13)
Member Since:
June 21, 2021

Sarah K.

General Counsel (Commercial, Tech & IP Focus)
Free Consultation
Get Free Proposal
New York, New York
11 Yrs Experience
Licensed in NY
New York University School of Law

Seasoned attorney with over 10 years of experience in legal leadership across business functionalities. Specialization in tech, product, IP, data and commercial but well versed in all transactional and operational advisory matters.

Michael K. on ContractsCounsel
View Michael
5.0 (35)
Member Since:
June 28, 2021

Michael K.

Associate Counsel
Free Consultation
Get Free Proposal
Miami, FL
5 Yrs Experience
Licensed in FL
St. Thomas University School of Law

A business-oriented, proactive, and problem-solving corporate lawyer with in-house counsel experience, ensuring the legality of commercial transactions and contracts. Michael is adept in reviewing, drafting, negotiating, and generally overseeing policies, procedures, handbooks, corporate documents, and more importantly, contracts. He has a proven track record of helping lead domestic and international companies by ensuring they are functioning in complete compliance with local and international rules and regulations.

Roman V. on ContractsCounsel
View Roman
5.0 (1)
Member Since:
July 9, 2021

Roman V.

Trademark Attorney
Free Consultation
Get Free Proposal
Milwaukee, WI
9 Yrs Experience
Licensed in MD
Marquette University Law School

I'm an experienced trademark attorney and enjoy helping clients protect and grow their brand names through trademark registration and enforcement. I've worked with a wide variety of clients in different industries, including e-commerce, software as a service (SaaS), and consumer goods, to register trademarks for product names, logos, and slogans, both in the US and abroad.

Justin A. on ContractsCounsel
View Justin
5.0 (8)
Member Since:
July 7, 2021

Justin A.

Free Consultation
Get Free Proposal
Seattle, WA
6 Yrs Experience
Licensed in NY, WA
The University of Chicago Law School

I am an entrepreneurial lawyer in the Seattle area dedicated to helping clients build and plan for the future. I earned my law degree from the University of Chicago and worked in a top global law firm. But I found advising real people on legal issues far more rewarding. Reach out to discuss how we can work together!

Max M. on ContractsCounsel
View Max
4.9 (17)
Member Since:
July 12, 2021

Max M.

Business Attorney
Free Consultation
Get Free Proposal
Baltimore, Maryland
16 Yrs Experience
Licensed in MD
Georgetown University Law Center

Results oriented business attorney focusing on the health care sector. Formerly worked in Biglaw doing large multi-million dollar mergers and acquisitions, financing, and outside corporate counsel. I brought my skillset to the small firm market, provide the highest level of professionalism and sophistication to smaller and startup companies.

Joshua C. on ContractsCounsel
View Joshua
Member Since:
June 28, 2021

Joshua C.

Free Consultation
Get Free Proposal
Ashland, MA
7 Yrs Experience
Licensed in CA, MA
UCLA School of Law

Attorney Joshua K. S. Cali is a respected business, estate planning, and real estate attorney based in Ashland serving Middlesex County and other nearby areas. Joshua graduated summa cum laude from Bentley University in Waltham, MA, and from UCLA School of Law in Los Angeles. Before starting his own firm, Joshua practiced estate planning for high net worth clients at a boutique law firm in San Diego, CA.

Erin F. on ContractsCounsel
View Erin
Member Since:
June 28, 2021
Drew B. on ContractsCounsel
View Drew
Member Since:
June 30, 2021

Drew B.

Managing Member
Free Consultation
Get Free Proposal
Cleveland, Ohio
25 Yrs Experience
Licensed in MO, OH
Saint Louis University

Drew is an entrepreneurial business attorney with over twenty years of corporate, compliance and litigation experience. Drew currently has his own firm where he focuses on providing outsourced general counsel and compliance services (including mergers & acquisitions, collections, capital raising, real estate, business litigation, commercial contracts and employment matters). Drew has deep experience counseling clients in healthcare, medical device, pharmaceuticals, information technology, manufacturing, and services.

Daniel R. on ContractsCounsel
View Daniel
Member Since:
July 1, 2021

Daniel R.

Managing Attorney
Free Consultation
Get Free Proposal
10 Yrs Experience
Licensed in IL
Gonzaga School of Law

Daniel is an experienced corporate attorney and works closely with corporations, privately held companies, high-net worth individuals, family offices, start-ups and entrepreneurs. Daniel graduated from the Gonzaga University School of Law and is licensed to practice law in Illinois.

Jaroslaw P. on ContractsCounsel
View Jaroslaw
Member Since:
July 20, 2021

Jaroslaw P.

Free Consultation
Get Free Proposal
Warsaw, Poland
16 Yrs Experience
Licensed in AK
Wroclaw University - Law

Attorney - I graduated in Law from the University of Wroclaw and in Economics from the Scottish University of Aberdeen; My legal interests include, in particular: contracts, intellectual property, and corporate law, as well as transactional / regulatory advisory along with related risk management (M&A); The industries with which I have worked most often are: IT, real estate and construction, professional sport, industrial chemistry and medicine, oil & gas, energy, and financial services; I possess many years of experiences working with international entities for which I have prepared and negotiated contracts, as well as (due diligence) reports, analyses, litigation documents, and presentations; Apart from law firms, I have also worked for investment banks and big 4 - thanks to that I also gained financial, technological, and consulting experiences; I shall be described by: accuracy, openness, honesty, concreteness, a broad approach to the problem, and ... a lack of bad manners, along with a good sense of humour :)

Find the best lawyer for your project

Browse Lawyers Now

Want to speak to someone?

Get in touch below and we will schedule a time to connect!

Request a call