
California Consumer Privacy Act (CCPA)

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) introduces new data privacy rights for California residents – forcing companies that conduct business in the state of California to implement structural changes to their privacy programs.

The law is a response to the increasing role personal data plays in business practices and the personal privacy implications surrounding the collection, use, and protection of personal information.

Failure to comply with the CCPA can result in penalties up to $7,500 (USD) for each violation.

Last Updated: March 12, 2020

What is the CCPA?

Inspired by the Freedom of Information Act and the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) takes more control over the sale of personal information while establishing data privacy as a fundamental right for California residents.

The CCPA was first introduced as an initiative drafted by Rick Arney and Alastair Mactaggart. The original initiative outlined consumer rights with regards to data privacy. After over 629,000 signatures from California residents, legislators agreed to draft a bill if Arney and Mactaggart withdrew their initiative. The bill was officially drafted with a slightly less restrictive take on data privacy and how companies must adhere to the law. Despite this, it is considered the toughest data privacy law in the United States and one of the first of its kind in the country.

The bill was officially approved by the California State Governor on June 28, 2018, with defined parameters of new statutory rights for California consumers. “Consumer” is loosely defined in the bill’s text as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations…” Section 17014 defines California residents as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.” Cal. Code Regs. tit. 18, § 17014.

Who Must Comply With the CCPA?

The CCPA applies to for-profit businesses that collect personal information about residents in California or do business in California and meet one or more of the criteria outlined below. The CCPA is not focused on the size of the company, so any for-profit business that meets one or more of these criteria must adhere to the CCPA.

  • Annual gross revenue of at least $25M.
  • Buys, receives or shares personal information of 50,000 or more consumers, households or devices.
  • Derives at least 50% of annual revenue from selling California consumers’ personal information.

What Is Personal Information Under the CCPA?

Personal information is defined in the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 1798.140(o)(1)

Examples of personal data include directly and indirectly identifiable information, such as:

  • IP addresses
  • Email addresses
  • Browsing history
  • Geolocation data

Even information that could be used to draw inferences and create a profile of a consumer’s preferences, characteristics, behavior and more is considered personal information.

What Are Consumer Rights Under the CCPA?

The law is composed of ten consumer rights with six new rights added as amendments soon after the passing of the bill.

The rights can be categorized into four key parts that are protected under CCPA:

Right to Disclosure

The CCPA highlights the right to disclosure for consumers. Consumers have the right to know what information is being gathered about them. The right is broken up into two segments, under which businesses subject to the CCPA must disclose when and what information they’re going to gather, process, and/or sell.

Section 1. 1798.100. (b) “A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”

1. Inform consumers, at or before the point of collection, of both the categories of personal information collected and the purpose for which the personal information will be used.

1798.110. (a) “A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

    • (1) The categories of personal information it has collected about that consumer.
    • (2) The categories of sources from which the personal information is collected.
    • (3) The business or commercial purpose for collecting or selling personal information.
    • (4) The categories of third parties with whom the business shares personal information.
    • (5) The specific pieces of personal information it has collected about that consumer.”

2. The business must promptly respond to verifiable consumer requests with information about the collection or sale of personal information.

Section 1. 1798.100. (d) “A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”

To remain compliant, businesses should also make sure they’re keeping records of all the information and collection points of data that they’re collecting on consumers.

Right to Deletion

Consumers, as defined under CCPA, have the right to request that a company delete any personal information they have about them. However, there are a few restrictions to this. Most importantly, the business must not provide information to the individual unless they can verify the consumer making the request is indeed the consumer about whom the website owner has collected information.

Additionally, the act requires a business that collects any personal information about a consumer to disclose the consumer’s right to delete the personal information in a “reasonably accessible” way to consumers, either in their privacy policy or cookie policies.

However, the clause also stipulates that if the personal information is “necessary for the business or service provider to maintain the customer’s personal information in order to carry out specified acts,” then they are not legally required to comply with the request.

Right to Opt-Out

Consumers have the right to opt out of the collection and sale of their personal information to third parties. Businesses must provide notice to consumers of which information they sell to third parties and give them the option to opt out of the sale of their personal information. Businesses should have a Do Not Sell button on their website to provide consumers with the option to request that businesses do not sell their personal information.

1798.120. (a) “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.

(b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.”

Businesses cannot sell the personal information of consumers under 16 years of age unless the consumer or the consumer’s guardian has authorized the sale, also known as the “Right to Opt-In.” Businesses that disregard the consumer’s age will be assumed to have knowledge of the consumer’s age.

Right to Nondiscrimination

Businesses cannot discriminate against consumers who choose to exercise their rights under CCPA. Additionally, consumers cannot be refused services or goods due to exercising their rights.

However, businesses can charge different prices or adjust the quality of the goods if the difference is related to the value of the personal information gathered.

How Is the CCPA Enforced?

The office of the Attorney General of California has until July 2020 to specify exactly how the act will be enforced moving forward.

However, as it is currently written, the CCPA can be enforced by both the Attorney General for California and by citizens with a few stipulations. It is slightly more difficult for citizens to bring legal action against a company on their own, while the Attorney General can challenge a business much more easily.

For individuals, the enforcement is limited only to data breach incidents. Before beginning private action against a company in violation of the CCPA, the consumer must give the business 30 days to resolve the violation and respond. The most an individual can receive from a business is $750 per incident.

As the first law of its kind in the US, the CCPA is setting a precedent that many states will follow in the coming years. Data privacy is increasingly important to everyone, so understanding how to keep your business compliant is crucial regardless of meeting these specific criteria.

Steps to Cookie Compliance

Personal data is of utmost importance to the CCPA. Personal data definitions differ across data privacy regulations. While first-party cookies typically contain only anonymous data, third-party cookies on websites can collect many different types of identifiable data. The information cookies gather is considered personal data under the CCPA. Here are just a few of the requirements for CCPA cookie compliance:

Display Notice of Sale Information

The CCPA requires website owners to share what data is being collected and what is being done with it at or before the point of collection. A notice of sale clearly communicates the intention to sell personal data to the visitor. Additionally, including a Do Not Sell button or opt-out of sale option is important to give consumers the ability to opt out of the sale of their personal information. CookiePro has this functionality built-in, with a Do Not Sell button builder and a fully customizable cookie banner template to provide notice of sale to website visitors.

Track Do Not Sell Opt-Outs

Keeping track of all Do Not Sell requests and opt-outs is required for CCPA cookie compliance. Tracking these requests requires a robust system to store those requests and make sure they’re not only fulfilled but also recorded for potential future reporting needs. CookiePro integrates with hundreds of existing systems to ensure personal information is not sold if the consumer has opted out already. Intake and fulfill ‘Do Not Sell’ and consumer requests for personal information access and deletion.

Under the CCPA, websites can request that customers opt-in to the sale of their personal information after 12 months from the time the last request was made. CookiePro will remember and request reconsent from the user who previously opted out after the allotted 12 months.


Categorize Cookies for CCPA Compliance

Cookies are categorized and each category has its own set of restrictions under the CCPA. Cookies that contain personal information are required to have an opt-out option. Understanding the categories that the cookies on websites belong to is crucial to CCPA compliance.

Bundle cookies that involve the sale of personal information and enable the opt-out mechanism for only those specific cookie categories in a cookie banner and preference center using CookiePro.


CCPA Compliant Cookie Banners

The CCPA and GDPR require different cookie banners and have different cookie rules for compliance. It’s important for website owners to dynamically display different cookie banners based on the website visitor’s location. Geolocation rules allow website owners to select which banners will display in which regions.

Create, edit, and track cookie notices with a completely customizable experience for the website visitor with CookiePro.

Privacy and Cookie Policies

Businesses must have a privacy policy that contains the information about consumer rights and how the visitor can exercise their rights through the website.

Best Practices for CCPA Cookie Compliance

Data privacy legislation is a major focus all around the world to button up privacy and security in the handling of personal information online. In addition to CCPA and GDPR, there are many other potential cookie laws in various stages all around the world. Businesses are starting to focus on best practices in the handling of any personal information that comes through their websites even if they don’t fall under the CCPA or GDPR to protect themselves in the future. Preparing early for data privacy regulations will make cookie compliance with cookie laws even easier to implement down the road.

Here are a few best practices to use when handling personal information online:

  • Disclose what kind of personal information your website collects and what is done with this information.
  • Understand what cookies are on your website and what categories they belong in, and keep a list of the cookies on file.
  • Give website visitors the option to opt out of the sale of their personal information.
  • Provide a way for website visitors to request access to, deletion of, or amendments to the personal information that you have collected.
  • Know where the data you collect lives.
