AuditXYZ

Lesson 1 of 5

What Is CCPA? A Complete Introduction

10 min read, Beginner

What Is CCPA?

The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that went into effect on January 1, 2020. It gives California residents new rights over their personal information and imposes obligations on businesses that collect, use, or sell that information. As amended by the California Privacy Rights Act (CPRA) in 2023, it is the most significant state-level privacy law in the US.

Why CCPA Matters

CCPA represents the leading edge of US privacy regulation. California's market size means CCPA effectively sets the standard for the entire US — most companies serving California consumers must comply, and many apply CCPA protections nationally. Other states have followed with similar laws, creating a patchwork that CCPA helps navigate.

Who Must Comply

CCPA applies to for-profit businesses that collect California consumers' personal information and meet at least one of the following thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households annually; or deriving 50% or more of annual revenue from selling or sharing consumer personal information.

Key Definitions

Consumer means a California resident. Personal information is broadly defined as information that identifies, relates to, describes, or could be linked to a particular consumer or household. This includes obvious identifiers but also browsing history, purchasing history, geolocation data, and inferences drawn from other personal information.

Sale means disclosing personal information for monetary or other valuable consideration. Sharing (added by CPRA) means disclosing for cross-context behavioral advertising, regardless of whether money changes hands. Service provider is an entity that processes personal information on behalf of a business.

CCPA vs GDPR

CCPA and GDPR share goals but differ in approach. CCPA is opt-out (consumers must actively opt out of data sales), while GDPR generally requires opt-in consent. CCPA applies based on business thresholds; GDPR applies based on data processing of EU individuals. CCPA focuses on transparency and control; GDPR imposes broader obligations including data minimization and purpose limitation.

In the next lesson, we will cover consumer rights under CCPA.