
California Consumer Privacy Act (CCPA)

Maximum Fine: $7,500 per violation
Scope: State
Regulator: California Attorney General (CA AG)
Enacted: 2020


Overview

The California Consumer Privacy Act (CCPA) provides California residents with rights regarding their personal information and imposes obligations on businesses that collect and process this information.

Key Facts

  • Effective since January 1, 2020
  • Enforced by the California Attorney General
  • Applies to businesses meeting specific thresholds

Consumer Rights

Right to Know

Consumers have the right to request disclosure of personal information collected, used, shared, or sold.

Requirements

  • Verify consumer identity
  • Provide specific pieces of personal information
  • Disclose categories of sources
  • Explain business purpose
  • List third-party sharing

Exceptions

  • The business cannot verify the consumer's identity
  • Requests that are manifestly unfounded
  • Requests that are excessive

Right to Delete

Consumers have the right to request deletion of their personal information.

Requirements

  • Verify consumer identity
  • Delete information from all systems
  • Direct service providers to delete
  • Confirm deletion completion
  • Document deletion process

Exceptions

  • Legal compliance requirements
  • Security purposes
  • Internal uses reasonably aligned with consumer expectations
  • Research purposes

Right to Opt-Out of Sale

Consumers have the right to opt out of the sale of their personal information.

Requirements

  • Provide 'Do Not Sell' button
  • Honor opt-out requests
  • Maintain opt-out records
  • Train staff on opt-out handling
  • Verify authorized agents

Exceptions

  • Vehicle information sharing
  • Deidentified information
  • Aggregate consumer information

Compliance Requirements

Notice Requirements

Businesses must provide notice to consumers about data collection and sharing practices.

Implementation Steps

  • Update privacy policy
  • Implement notice at collection
  • Create notice of financial incentives
  • Provide notice of right to opt-out
  • Review and update notices annually

Required Documentation

  • Privacy policy
  • Collection notices
  • Financial incentive notices
  • Opt-out notices
  • Annual review records

Consumer Rights Implementation

Implement processes to handle consumer rights requests.

Implementation Steps

  • Create verification procedures
  • Establish response timelines
  • Train staff on request handling
  • Document request processes
  • Set up request tracking system

Required Documentation

  • Verification procedures
  • Response templates
  • Training materials
  • Process documentation
  • Request logs

Data Mapping and Inventory

Maintain records of personal information collection and processing.

Implementation Steps

  • Identify data sources
  • Map data flows
  • Document processing purposes
  • Track data sharing
  • Update inventory regularly

Required Documentation

  • Data inventory
  • Processing records
  • Data flow diagrams
  • Vendor lists
  • Annual updates

Enforcement & Penalties

Administrative Enforcement

The California Attorney General enforces CCPA violations by seeking civil penalties.

Penalty Categories

Intentional Violations: $7,500 per violation. Applies to intentional violations and to violations involving minors.
Unintentional Violations: $2,500 per violation. Applies to violations without intent.
Data Breaches: $100 to $750 per consumer. Statutory damages for data breaches.

Example Cases

Sephora: $1.2 million (2022). Failure to disclose the sale of personal information.
Retail Company: $500,000 (2023). Non-compliant privacy notices and opt-out mechanisms.

Private Right of Action

Consumers can sue businesses directly for data breaches that result from inadequate security.

Penalty Categories

Statutory Damages: $100 to $750 per consumer, per incident.
Actual Damages: Varies. Awarded in place of statutory damages where actual damages exceed the statutory amount.
Injunctive Relief: Court orders requiring the business to implement specific security measures.

Example Cases

T-Mobile Data Breach: $350 million (2022). Settlement for a data breach affecting millions of customers.
Healthcare Provider: $2 million (2023). Settlement for unauthorized access to medical records.