What is the CCPA (California Consumer Privacy Act)?

The California Consumer Privacy Act (CCPA) gives California residents control over the personal data that businesses collect about them.

Learning Objectives

After reading this article you will be able to:

  • Know what rights California residents have under the CCPA
  • Explain when the CCPA applies to a business
  • Contrast the CCPA with other data privacy legislation

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a piece of data privacy legislation that applies to most businesses that process the personal data of California residents. The CCPA gives California residents a certain amount of control over the personal data that businesses collect about them.

The CCPA went into effect on January 1, 2020. In late 2020, California voters passed a proposition, the California Privacy Rights Act (CPRA) that amended and expanded the CCPA. The CCPA will continue to be revised over time.

What rights does the CCPA give to consumers?

The CCPA gives consumers the following important rights:

  • The right to know: Consumers should be informed about what personal information an organization collects about them and how that information is used.
  • The right to delete: With some exceptions, consumers can delete information collected about them.
  • The right to opt out: Consumers can prevent the sale of their information to third parties.
  • The right to non-discrimination: An organization cannot treat users who exercise their CCPA rights differently — such as by charging them more for regular services. However, there are times when exercising CCPA rights impacts what services an organization can provide; for instance, if a user of an ecommerce website exercises the "right to delete" and deletes their account, they may not be able to save their shipping address or credit card information on that website anymore.

Suppose Alice visits a website, news.example.com, and that website uses browser cookies and user location tracking. Alice is loading this website on her laptop in her apartment in San Jose, California. Because she is in California, a banner pops up when she loads news.example.com, and the banner tells Alice about the website's use of cookies and location data. This happens because Alice has a right to know.

The banner also offers Alice a choice: She can choose to not allow news.example.com to sell information about her location to ad networks by clicking a button that reads "Do Not Sell My Personal Info." Or, she can click "Accept and Continue" to allow this data sale. She has this choice because she has a right to opt out.

Now imagine Alice clicks "Do Not Sell My Personal Info" because she would rather keep her location as private as possible. All of a sudden, all the content on news.example.com becomes locked, and Alice can no longer watch videos or read articles on the website. This would be a violation of the CCPA, because Alice has a right to non-discrimination — news.example.com has to provide the same services at the same price to Alice that they provide to their other users who allow the sale of their data.

Where does the CCPA apply?

The CCPA applies to the personal data of California residents only. However, any organization can be subject to the CCPA if it collects data about California residents, no matter where the organization is based.

The CCPA applies to organizations that do any amount of business in California and meet one of the following descriptions:

  1. They have a gross annual revenue of $25 million or more.
  2. They buy, receive, or sell the personal information of at least 50,000 California residents, households, or devices.
  3. They obtain 50% or more of their annual revenue from selling California residents' personal information.

The CCPA does not apply to nonprofit organizations, government agencies, or certain kinds of financial institutions — for example, a California resident cannot avoid paying off a debt by asking the debt collecting agency to delete their personal information.

How does the CCPA define 'personal information'?

The CCPA defines "personal information" in this way:

"'Personal information' means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

The CCPA also lists many types of data that are considered personal information, including:

  • Name
  • IP address
  • Mailing address
  • Biometric information
  • Internet browsing history or search history
  • Geolocation
  • Any inferences drawn from any of the listed types of personal information

The full list can be found in the California Consumer Privacy Act, section 1798.140.

The CCPA also clarifies that publicly available information, such as information in legally obtained government records, is not considered personal information.

Note that this definition of "personal information" is unique to the CCPA. Other privacy frameworks, such as the European Union's General Data Protection Regulation (GDPR), use their own definitions.

Is CCPA compliance the same as GDPR compliance?

Aside from the fact that these two privacy frameworks apply to different regions, the CCPA and the GDPR are not the same. They define terms differently, have different requirements for businesses, and have different fine and penalty structures. Compliance with the GDPR does not guarantee compliance with the CCPA, and vice versa.

Does the CCPA override HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law regulating healthcare data privacy and protection. The CCPA does not apply to personal health information that is already regulated by HIPAA.

How does the CCPA affect cookie usage?

A "cookie" is a small file of information that a website generates and sends to a user’s web browser when they visit the website. Some cookies collect user browsing history, user search history, or a user's interactions with a website. All of these are considered "personal information" under the CCPA. Because of the right to know, organizations have to let users know what data they collect via cookies and how that data is used.

However, unlike some other privacy frameworks, the CCPA does not require organizations to get a user's consent for cookies.

Learn more about cookies or about data privacy.