What You Should Know About the California Consumer Privacy Act

What are California’s privacy laws? Learn everything you need to know about the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

By , Attorney

Some businesses, like Facebook, collect data you voluntarily supply, like your age, employer, relationship status, and where you live. They also track the other places you visit online and what apps you use. The companies then use all that information to sell advertisements.

These practices sound relatively harmless. But in 2018, details emerged about a political data firm, Cambridge Analytica, improperly collecting and using the personal data of millions of Facebook users. After that incident, the way Facebook and other businesses treat users' personal information came under increased scrutiny.

To address this issue, California passed the California Consumer Privacy Act (CCPA), which went into effect in 2020. This law gives consumers in California basic privacy rights concerning how businesses use their personal information. The California Privacy Rights Act (CPRA), effective January 1, 2023, amends the CCPA and provides additional privacy protections for consumers.

What Is the California Consumer Privacy Act (CCPA)?

The CCPA (Cal. Civ. Code § 1798.100 and following) is the first comprehensive consumer privacy law in the United States. The law is patterned after the European Union's General Data Protection Regulation, the primary law in Europe regulating how companies must handle EU citizens' private data and personal information.

The CCPA gives consumers in California fundamental privacy rights concerning how businesses collect and sell their personal information. This law went into effect on January 1, 2020.

What Is the California Privacy Rights Act (CPRA)?

The CPRA, a ballot initiative, is an amendment to the CCPA. The CPRA expands the protections under the CCPA and is sometimes called "CCPA 2.0."

The CPRA passed in November 2020, with most of its provisions becoming effective on January 1, 2023.

Consumer Rights Under the CCPA and CPRA

California consumers have the following rights under the CCPA, as amended by the CPRA.

1. The right to know what personal information a business collects and how it's used.

Under the CCPA, you have the right to know the categories of personal information collected and how the business will use that information. You also have the right to request specific information from a business that collects personal information about you, including:

  • the categories of personal information it has collected about you
  • the categories of sources from which the personal information is collected
  • the business or commercial purpose for collecting, selling, or sharing personal information
  • the categories of third parties to whom the business discloses personal information, and
  • the specific pieces of personal information it has collected about you. (Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115.)

The CPRA modified and expanded consumers' rights under the CCPA. For example, under the CPRA, the business must provide information about the categories of personal information "shared" with third parties. ("Shared," in this context, means providing personal information to a third party for the purposes of targeted advertising.) (Cal. Civ. Code § 1798.140.)

2. The right to request the deletion of your personal information.

You may request that a business delete your personal information. The company must erase your data upon receipt of your request, subject to certain exceptions.

A business doesn't have to erase your information under certain circumstances, like if the information is necessary to complete the transaction for which the personal information was collected or if it's needed to perform a contract between you and the business. (Cal. Civ. Code § 1798.105.)

The CPRA provides several new exceptions or clarifications to the deletion requirement. For example, businesses aren't required to delete household data or personal information that applies to a student's grades or test scores. (Cal. Civ. Code § 1798.145.)

3. The right to opt out of having your personal information sold to a third party.

Under the original CCPA, you got the right to opt out of the sale of your personal information. The CPRA expands this opt-out right to include both the sale and sharing of personal information.

A business has to provide a "Do Not Sell or Share My Personal Information" link on its internet homepage. This link must take you to a page that enables you to opt out of the sale or sharing of your personal information. (Cal. Civ. Code § 1798.120, § 1798.135.)

Also, a business generally can't sell (or share) a consumer's personal information if the business has actual knowledge that the consumer is less than 16 years of age. However, a consumer at least 13 years old or a consumer's parent (for consumers who are less than 13 years old) can opt into the sale or sharing of information. (Cal. Civ. Code § 1798.120.)

4. The right to receive equal service and pricing (no retaliation) from a business if you exercise your privacy rights under the CCPA.

The CCPA prohibits a business from discriminating against you if you exercise your rights under this law. It includes a prohibition on charging a different price or providing you with a different quality of goods or services after you exercise your rights. But an exception applies if the difference is reasonably related to the value your data provides to the business. (Cal. Civ. Code § 1798.125.)

The CPRA expands these protections to prohibit retaliation against employees, applicants for employment, or independent contractors for exercising rights guaranteed under this law. The CPRA also clarifies that businesses can still offer loyalty, rewards, premium features, discounts, or club card programs. These types of programs don't constitute discrimination. (Cal. Civ. Code § 1798.125.)

What Is "Personal Information" Under the CCPA and CPRA?

Under the CCPA and CPRA, "personal information" is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." (Cal. Civ. Code § 1798.140(v)(1).) This definition of "personal information" is much broader than typical privacy-related laws in the United States.

The CCPA's definition of personal information also includes a wide range of examples, like:

  • your real name or alias
  • your postal address
  • a unique personal identifier
  • an online identifier
  • an Internet Protocol address
  • your email address
  • an account name
  • your Social Security number, driver's license number, or passport number, and
  • other similar identifiers. (Cal. Civ. Code § 1798.140(v)(1)(A).)

However, publicly available information isn't considered personal information. (Cal. Civ. Code § 1798.140(v)(2).)

What Additional Rights Do Consumers Get Under the CPRA?

The CPRA creates several additional privacy rights for consumers.

1. The right to correct inaccurate personal information that a business has on you.

Under the CPRA amendments, you get the right to correct inaccurate personal information that a business has on you. Businesses must disclose to consumers that they have the right to correct inaccurate personal information. (Cal. Civ. Code § 1798.106, § 1798.185(a)(7).)

After a business receives a verified request to correct inaccurate personal information, it must use "commercially reasonable efforts" to correct the personal information. However, some exceptions apply to requests that would be impossible or involve disproportionate effects. (Cal. Civ. Code § 1798.106, § 1798.130.)

2. The right to limit the use and disclosure of your "sensitive personal information."

The CPRA provides consumers with a new right to restrict the use and disclosure of "sensitive personal information." (Cal. Civ. Code § 1798.121.)

California consumers get the right to tell a business to limit its use of sensitive personal information to that "which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services."

The business may also use the information for the performance of specific enumerated business purposes, like:

  • maintaining or servicing accounts
  • providing customer service
  • processing or fulfilling orders and transactions
  • verifying customer information
  • processing payments
  • providing financing
  • providing analytic services
  • providing storage, or
  • providing similar services on behalf of the business. (Cal. Civ. Code § 1798.121, § 1798.140.)

Businesses must include disclosures about their sensitive personal information collection and use practices. The CPRA requires a link on a business's website homepage titled "Limit the Use of My Sensitive Personal Information" or a combined link with the "Do Not Sell or Share My Personal Information" link, in some cases. (Cal. Civ. Code § 1798.121, § 1798.135.)

3. The right to access information about, and opt out of, automated decision-making technology.

The CPRA also adds a right to opt out of automated decision-making technology, which includes profiling consumers based on their "performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, and movements." (Cal. Civ. Code § 1798.185(a)(16), § 1798.140(z).)

Who's Protected Under the CCPA and CPRA?

The CCPA, as amended by the CPRA, gives privacy rights and protections to consumers who are California residents, including:

  • every individual in California for other than a temporary or transitory purpose, and
  • every individual domiciled in the state but outside California for a temporary or transitory purpose. (Cal. Civ. Code § 1798.140(i).)

Who Has to Comply With CCPA and CPRA?

The CCPA and CPRA apply to for-profit entities that collect and process the personal information of California residents and that do business in the State of California.

Also, for the CCPA and amendments to apply, the business must:

  • generate annual gross revenue in excess of $25 million as of January 1 of the preceding calendar year
  • buy, sell, or share the personal information of 100,000 or more consumers or households, or
  • derive at least 50% of its annual revenue by selling or sharing personal information. (Cal. Civ. Code § 1798.140(d).)

Nonprofit businesses and companies that don't meet any of the three criteria listed above don't have to comply with these laws.

Private Right of Action Under the CCPA and CPRA for Consumers After a Data Breach

The CCPA provides consumers with a private right of action (the right to file a lawsuit) if their nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure (that is, a data breach). "Personal information" in this context means an individual's first name or first initial and the individual's last name in combination with another data element, like a Social Security or driver's license number, when either the name or the data elements are not encrypted or redacted. (Cal. Civ. Code § 1798.81.5(d)(1)(A).)

Under the law as amended by the CPRA, you can also bring a private cause of action for a data breach involving the leak of an email address in combination with a password or security question and answer that would permit access to the account. (Cal. Civ. Code § 1798.150(d)(1)(B), § 1798.81.5.)

The breach must have happened because the business didn't comply with its duty to implement and maintain reasonable security procedures and practices. And you must satisfy certain procedural requirements first. (Cal. Civ. Code § 1798.150.)

Damages in any private action that a consumer brings will be not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. (Cal. Civ. Code § 1798.150.)

Who Enforces the CCPA and CPRA?

The CPRA established the California Privacy Protection Agency to implement and enforce the law. This agency has full administrative power, authority, and jurisdiction to implement and enforce the CCPA. (Cal. Civ. Code § 1798.199.10.)

The California Attorney General can also file suit against companies that don't comply with the CCPA. Any business, service provider, or other person found in violation is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. (Cal. Civ. Code § 1798.155.)

Enforcement of the civil and administrative obligations of the CPRA provisions begins July 1, 2023, and applies to violations that happen on or after that date.

Talk to a Consumer Protection Lawyer About California Privacy Laws

If you have further questions about the California Consumer Privacy Act or its amendments, contact a consumer protection lawyer to get more information about your rights under state law.

An attorney can also advise you about filing a lawsuit against a company that has violated this law or any of its amendments, including the procedural requirements you need to follow before initiating such a suit.
