

The California Consumer Privacy Act of 2018 (CCPA)[1] has the laudable distinction of being the first comprehensive state privacy law to be enacted in the U.S. Passed by the California State legislature and signed into law with legendary speed,[2] it became effective on January 1, 2020. The Act created new responsibilities for businesses that collect consumer personal information (PI).[3] It also created new rights for California consumers, providing opportunities to find out when personal data is being collected and shared, the right to opt out of the sale of personal information, and the right to have PI deleted.[4]


Given the CCPA’s rushed passage, it is little wonder that it was not praised as a model of legislative clarity.[5] It has already been amended several times, with its most substantial amendment enacted through the California initiative process on November 3, 2020, and referred to as the California Privacy Rights Act (CPRA).[6] Two sets of regulations have been promulgated under the CCPA and are codified at 11 CCR § 7000 et seq., with an additional set regarding automated decisionmaking technology, cybersecurity audits, and risk assessments still in draft form.[7]


Who Must Comply with the CCPA?


Any for-profit business that collects California consumers’ PI (either directly or from a business that does so on its behalf), determines the purposes and means of processing, does business in the State of California,[8] and meets at least one of the following requirements:

• has annual gross revenues over $25 million;[9]

• annually buys, receives, sells, or shares (in combination) the PI of at least 100,000 consumers or households;[10] or

• derives 50% or more of its annual revenues from selling or sharing consumer PI.[11]


Who is Protected Under the Act?


The CCPA only grants data protection rights to natural persons who are California residents.[12] Even if a business located in California collects PI from individuals out of state, those out-of-state individuals are not granted PI protection rights under the CCPA.[13]


What Information is Covered Under the Act as “Personal Information”?


The CCPA takes an expansive view of what constitutes personal information. It includes any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”[14] The Act also provides numerous specific categories of information that qualify, from name, IP address and biometric information to olfactory information and inferential data used to create personal profiles.[15] The Act specifically excludes public data and deidentified information.[16]


What constitutes “deidentified information” is not without controversy. The CCPA generally defines deidentified information as those data that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer.[17] However, a business that wants its data to be exempt on the grounds that it is “deidentified” must also:

  • take reasonable steps to ensure the information cannot be associated with a particular consumer or household;

  • publicly commit to keeping the information in deidentified form and not attempt to reidentify the information; and 

  • if the data is shared, contractually require any recipients of the data to take on these same obligations.[18]


What information is Covered Under the Act as “Sensitive Personal Information”?


The CPRA added an important new category of protected information, “sensitive personal information” (SPI). SPI includes personal information that reveals a consumer’s:

  • Social Security number

  • Driver’s license number

  • State ID card

  • Passport number

  • Account log-in, financial account, debit card or credit card number along with any required security or access code, password, or credentials allowing access to an account

  • Precise geolocation data

  • Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership

  • The contents of mail, email and text messages, unless a business is the intended recipient

  • Genetic data[19]


SPI also includes:

  • The processing of biometric information for the purpose of uniquely identifying a consumer 

  • PI collected and analyzed concerning a consumer’s health

  • PI collected and analyzed concerning a consumer’s sex life or sexual orientation[20]  


Just like personal information, sensitive personal information that is “publicly available” is excluded from the definition of SPI.[21] It is important to note, however, that SPI collected or processed without the purpose of inferring characteristics about a consumer is NOT considered sensitive personal information and is instead treated as PI under the CCPA.[22]


Consumers have the right to demand that their SPI only be used by a business to the extent necessary to provide the goods or perform the services requested by the consumer.[23] However, the CCPA also allows SPI to be used for certain specific, limited business purposes without consumer consent. For example, SPI can be used over consumer objection: to help ensure business data security and integrity; for transient use, which can include immediate, non-personalized advertising; to perform services on behalf of the business, including analytic services; and to maintain or improve the product or service offered by the business.[24]


If a business wishes to use or disclose SPI for other purposes, it may do so. However, consumers have the right to opt out of these additional uses and disclosures.[25] Businesses must provide notice to consumers about any additional uses or disclosures, and inform consumers that they have the right to limit the use and disclosure of SPI.[26] Section 1798.135 identifies the various methods that a business can use to properly inform consumers of their right to limit the use and disclosure of their SPI.


What Are Other Rights and Responsibilities Under the Act?


Data Collection


Under the CCPA businesses that collect PI MUST:


  • Let consumers know what PI is being collected and why. At the time of PI collection, tell consumers the categories of PI to be collected and the purposes for which they will be used.[27]

  • Notify consumers if they decide to collect more PI or use it in an incompatible way. Notify consumers if they plan to collect additional categories of PI, or use existing PI for new, incompatible purposes.[28]

  • Give consumers a copy of the data collected about them upon request. Provide, upon verified request, the categories and specific pieces of information they have collected.[29] This information must be provided within 45 days, free of charge, and where possible, in a readily usable format that allows for data portability.[30]

  • Inform consumers in privacy policies or other public documents about the types of PI they collect, the purpose of collection and the types of businesses the data is shared with. Disclose the categories of PI collected from consumers generally, the categories of sources from which the PI is collected, the purpose of collection, selling or sharing, the categories of recipients of that PI (if any), the purpose of disclosure, and that the consumer has the right to request the specific pieces of PI collected.[31]


Under the CCPA consumers have the RIGHT to:


  • Ask for the type of data and PI collected about them. Request disclosure of the categories and specific pieces of the personal information that a business has collected about them.[32]

  • Ask for the types of sources from which their PI was collected, the purpose of collection and types of recipients of the PI. Request the categories of sources from which the PI was collected, the purpose of collection, and the categories of third parties with whom the PI was shared.[33]

  • Receive a copy of their PI. Receive the categories and specific PI collected, upon making a verifiable request, within 45 days, free of charge, in a portable format where possible, no more often than twice every 12 months.[34]


Data Retention and Minimization


Under the CCPA businesses that collect PI MUST:

  • Only collect and use as much PI as “reasonably necessary and proportionate” to achieve the purpose for which the PI was collected or processed, or for another disclosed, compatible purpose.[35]

  • Only retain PI as long as reasonably necessary and in proportion with achieving the purpose for which the PI was collected or processed, or for another disclosed compatible purpose.[36]

  • Inform consumers, at or before the time of PI collection, of the length of time the business intends to retain each category of PI or SPI. If that is not possible, a business must tell consumers how the retention time will be determined. In either case, the PI/SPI may not be retained for longer than reasonably necessary for each disclosed purpose.[37]


Data Correction


Under the CCPA businesses that collect PI MUST:

  • Inform consumers of their right to request correction of inaccurate PI held by the business.[38]

  • Correct inaccurate PI upon verifiable consumer request insofar as it is commercially reasonable to do so.[39]


Under the CCPA consumers have the RIGHT to:

  • Have inaccurate PI corrected upon request, taking into account the nature of the PI and the purpose for its processing.[40]


Data Deletion


Under the CCPA businesses that collect PI MUST:


  • Inform consumers of their right to request deletion of their PI.[41]

  • Delete PI that they have collected from consumers upon verified request, unless an exception applies.[42] Note that data may be deidentified and aggregated in lieu of deletion.[43]


Under the CCPA consumers have the RIGHT to:


  • Have their PI deleted upon request from any business that collected it directly from them.[44]


Note that there are numerous exceptions to this right of deletion, including one which sets a particularly fuzzy standard. Businesses may refuse deletion requests if PI is being used for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business and is compatible with the context in which the consumer provided the information.”[45]


Sales/Disclosures of Personal Information


If businesses sell, share or disclose consumer PI for a business purpose, under the CCPA businesses MUST:


  • Upon request, let consumers know the types of businesses they sold, shared, or disclosed PI to, and the types of PI they sold, shared, or disclosed. Specifically, upon verified request, businesses must inform consumers of:

    • the categories of PI sold/shared,

    • the categories of third parties to whom the PI was sold/shared, and

    • for each recipient category, the categories of PI that recipient category received.[46]

Businesses must provide the same information for data “disclosed” (as opposed to sold/shared), compiled as a separate list.[47]

  • Inform consumers that they may opt out of the sale/sharing of their data, including through a “Do Not Sell or Share My Personal Information” link. Businesses must provide notice to consumers, at the time of collection, that the PI may be sold/shared and that the consumer may opt out of the sale/sharing.[48] This includes publishing a conspicuous link on each business’s Internet homepage, titled “Do Not Sell or Share My Personal Information,” that enables a consumer to opt out of the sale/sharing of their PI.[49] Note that “homepage” is defined by the CCPA to mean “any internet page where personal information is collected,” not just the introductory page of a website![50] If a business honors universal opt-out signals regarding selling and sharing PI, then no opt-out links are required.[51]

  • Make two separate lists in privacy policies or other public documents regarding PI sharing and disclosures. (1) A list of the categories of PI a business has sold or shared about consumers in the preceding 12 months. If no PI has been sold or shared in the preceding 12 months, disclosure of that fact. (2) A list of the categories of PI that has been disclosed about consumers for a business purpose in the preceding 12 months. If the business has not disclosed PI for a business purpose in the preceding 12 months, disclosure of that fact.[52]

  • Respect consumer opt-outs of PI sales/sharing. Businesses must refrain from selling/sharing a consumer’s PI if that consumer exercises opt-out rights.[53] A business may not ask the consumer to change his/her decision for at least 12 months.[54] Unlike requests to know and requests to delete, unverified requests to opt out must be honored.[55]

  • Ensure there has been explicit notification before reselling or resharing PI. Businesses must make sure consumers have been explicitly notified and provided the opportunity to opt-out before selling/sharing PI that has been purchased from another business.[56]

  • Obtain opt-in consent for consumers 15 and younger. Businesses must receive affirmative authorization (opt-in) from consumers, or their guardians, before selling or sharing the PI of consumers under the age of 16.[57]

  • Not discriminate (or suggest they might discriminate) against a consumer for opting-out of the sale or sharing of his/her PI (or refusing to opt-in).[58] That means that a business cannot deny consumers goods or services because they opt-out, charge a different price, nor provide a different quality of goods or services, unless that different price or quality is “reasonably related” to the value of the consumer’s data.[59] Businesses may offer financial incentives to consumers for collection, sale, or retention of their personal information.[60] However, businesses must notify consumers about any financial incentives they offer for consumer PI.[61]

  • Obtain revocable opt-in consent before enrolling a consumer in any financial incentive program for their PI.[62]

  • Honor global opt-out privacy settings. Businesses must treat user-enabled global privacy controls, such as a browser plugin or privacy setting, that clearly communicate a consumer’s choice to opt out of the sale of PI as a valid request, regardless of any other methods the business has made available to submit opt-out requests.[63] If the global control conflicts with a choice the consumer has already made with a particular business, the business may inform the consumer of the conflict and give the consumer the opportunity to override the global setting.[64]


If businesses sell/share or disclose consumer PI, consumers have the RIGHT to:


  • Obtain information. Consumers have the right to find out the categories of PI collected, the categories of PI shared/sold or disclosed, the categories of third parties to whom the PI was shared/sold or disclosed, and for each recipient category, the categories of PI shared/sold to it.[65]

  • Opt-out of the sharing or sale of their PI to third parties.[66]

  • If under 16, refuse to opt-in to the sale or sharing of their PI to third parties.[67]

  • Enter into financial incentive programs for the collection, sale/sharing or deletion of their data.[68]


Communication with Consumers


Under the CCPA businesses that collect, sell/share/disclose PI, or offer any financial incentives for PI collection, sale or sharing MUST:


  • Display the following information in their online privacy policies (if they have one) and in any California-specific description of consumers’ privacy rights, or, if the business does not have a privacy policy, on its internet website, kept updated once a year:[69]

    • A description of consumers’ rights and two or more designated ways to submit requests to exercise consumer rights,[70]

    • A link to the business’s “Do Not Sell or Share My Personal Information” web page,[71]

    • A link to the business’s “Limit the Use of My Sensitive Personal Information” web page,[72]

    • A list of categories of consumer PI it has collected over the previous 12 months,[73]

    • A list of categories of consumer PI it has sold or shared over the previous 12 months, or a statement that no PI has been sold or shared,[74] and

    • A separate list of categories of consumer PI it has disclosed for a business purpose over the previous 12 months, or a statement that no PI has been so disclosed.[75]

  • Make available to consumers at least two ways to submit verified consumer requests.[76] One method must be a toll-free phone number unless the business only operates online and only collects PI from its own, direct customers.[77] In that case, the business may provide an email address as its only avenue for consumer requests.[78] If the business operates an internet website, there must be a way on the website for consumers to submit requests.[79]


Automated Decision Making


Under the CCPA consumers have a RIGHT to:

  • Request meaningful information about the logic involved in a business’s automated decisionmaking process.[80]

  • Receive a description of the likely outcome of any automated decisionmaking process with respect to the consumer.[81]

  • Opt out of a business’s use of automated decisionmaking technology, including profiling.[82] Profiling is defined by the CCPA as any form of automated processing of personal information to evaluate aspects of a person, in particular to analyze or predict performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.[83]


Regulations regarding automated decisionmaking are in the process of being drafted by the California Privacy Protection Agency.[84]




Under the CCPA businesses MUST:

  • Implement reasonable security procedures and practices appropriate to the nature of any PI being collected. These security practices must be appropriate to protect the PI from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with the California Customer Records Act.[85]

  • Perform annual cybersecurity audits if the processing of consumer PI presents a significant risk to consumers’ privacy or security.[86]

  • Submit risk assessments to the California Privacy Protection Agency on a regular basis with respect to the processing of PI.[87]


Exemptions to the CCPA / Relationship to Other Laws


Even when a piece of data constitutes PI of a California consumer, it may still be outside the purview of the CCPA, primarily to create legislative harmony. For example, information covered by HIPAA, FCRA, GLBA, or DPPA falls outside of the Act.[88] Medical information covered by the CMIA is also exempt.[89] Similarly, a provider of health care governed by the CMIA and covered entities under HIPAA are entirely exempt from the CCPA’s requirements, provided they maintain patient PI in the same manner as medical PI.[90]




The California Privacy Protection Agency (CPPA) is the primary enforcer of the CCPA.[91] In addition to enacting regulations under the Act, the CPPA conducts administrative enforcement of the Act’s provisions. Violators can face administrative fines of up to $2,500 per violation and $7,500 for each intentional violation or for violations where the business has actual knowledge that the PI involved consumers under the age of 16.[92] The Office of the California Attorney General (OAG) has concurrent enforcement jurisdiction, and can seek an injunction and civil penalties in the same amounts as the CPPA.[93] The CPPA must stay its administrative enforcement if requested to do so by the Attorney General, pending the OAG’s own investigation and civil enforcement.[94] While the CPPA does not have the right to stay actions by the OAG, if the agency has issued a decision or an order against an accused violator under the Act, the OAG may not thereafter pursue its own civil action.[95]


Private rights of action are limited to data breaches involving nonencrypted and nonredacted PI, and are not foreclosed by administrative enforcement by the CPPA.[96] Consumers can recover damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, and injunctive relief.[97] Businesses are entitled to 30 days’ notice of noncompliance before any action by a private plaintiff seeking injunctive relief.[98] No such notice is required for any enforcement action by the Office of the California Attorney General or the CPPA. Similarly, no notice is required for a private plaintiff suing for actual monetary damages, as opposed to statutorily set amounts, due to a breach.[99]



[1] California Civil Code §§ 1798.100-.199.100. All code sections hereafter cited are from the California Civil Code unless otherwise noted.

[2] A mere seven days from bill drafting to passage. See

[3] See, e.g., § 1798.100 (initially “Consumer Information Disclosure Rights”, now “General Duties of Businesses that Collect Personal Information”) & § 1798.150 (civil actions for violations of duty to implement and maintain reasonable security procedures).

[4] See, e.g., §§ 1798.100, .105, .110, .115, .120 & .121.

[5] See, e.g.,

[6] See See also A.B. 25, 2019 Leg., Reg. Sess. (Cal. 2019); A.B. 874, 2019 Leg., Reg. Sess. (Cal. 2019); A.B. 1146, 2019 Leg., Reg. Sess. (Cal. 2019); A.B. 1355, 2019 Leg., Reg. Sess. (Cal. 2019); & A.B. 1564, 2019 Leg., Reg. Sess. (Cal. 2019).

[7] See

[8] § 1798.140(d)(1).

[9] § 1798.140(d)(1)(A). This threshold is not limited to revenue from California consumers. See Final Statement of Reasons Update of Initial Statement of Reasons for 11 C.C.R. §§ 999.300 et seq. (hereinafter “FSOR”).

[10] § 1798.140(d)(1)(B).  See also § 1798.140(q) (definition of “household”).

[11] § 1798.140(d)(1)(C).

[12] See § 1798.140(i). While there are many different methods for determining whether a consumer is a California resident, it is likely that none of them are foolproof. Unfortunately, there is currently no “safe harbor” or officially endorsed method for determining the residency of individuals interacting with a website or mobile application. See FSOR, Appendix A, Response # 10.

[13] Id.

[14] See § 1798.140(v)(1). See also § 1798.194 (mandating liberal construction to effectuate the Act’s purposes).

[15] See §§ 1798.140(v)(1)(A)-(L).

[16] See §§ 1798.140(v)(2)&(3).

[17] See § 1798.140(m).

[18] See §§ 1798.140(m)(1)-(3).

[19] § 1798.140(ae)(1).

[20] § 1798.140(ae)(2).

[21] § 1798.140(ae)(3).

[22] § 1798.121(d).

[23] § 1798.121(a).

[24] § 1798.121(a) & .140(e)(2), (4), (5), & (8).

[25] § 1798.135(a).

[26] § 1798.121(a).

[27] § 1798.100. Remember that collection from the consumer can be an active or passive activity, including simply observing consumer behavior. § 1798.140(f). See also 11 C.C.R. §§ 7012(c)(1)-(5) (providing detailed requirements for presenting understandable notices so that they are easy to read and likely to be encountered by consumers, through online, offline and mobile channels). However, if the business does not collect PI directly from the consumer, other rules apply. See 11 C.C.R. §§ 7012(h) & (i).

[28] § 1798.100(a). See also 11 C.C.R. §§ 7002(f) & 7012(d). Whether a new purpose for collected data is compatible with the original purpose of PI collection depends on (1) the reasonable expectations of the consumer at the time of collection, (2) the new disclosed purpose, and (3) the strength of the link between the two. 11 C.C.R. § 7002(c).

[29] § 1798.110. Verification rules can be found at 11 C.C.R. §§ 7060-7063.

[30] § 1798.130(a)(2)(A).

[31] §§ 1798.110(c)(1)-(5) & 1798.130(a)(5). Keep in mind that the categories of sources and third parties must be described with enough particularity to provide meaningful understanding to consumers. See 11 C.C.R. §§ 7001(e) & (f).

[32] §§ 1798.110(a)(1) & (5).

[33] §§ 1798.110(a)(1)-(5).

[34] §§ 1798.130(a)(2) & (b).

[35] §1798.100(c).

[36] Id.

[37] §1798.100(a)(3).

[38] § 1798.106(b).

[39] § 1798.106(c).

[40] § 1798.106(a).

[41] § 1798.105(b).

[42] §§ 1798.105(c) & (d) (lists the exceptions to data deletion, including, but not limited to, completing a transaction with the consumer, detecting security threats, debugging, protecting free speech rights, and engaging in public research when the consumer has previously provided consent). If the data is stored on backup systems, deletion may wait until that system is next accessed. 11 C.C.R. § 7022(d).

[43] See §§ 1798.140(o)(3) & 145(a)(5). See also 11 C.C.R. § 7022(b)(1).  

[44] § 1798.105(a). It is also worth noting that there is no right to request deletion from a business that has collected PI from another source other than directly from a consumer. Compare § 1798.105(a) (deletion rights) with § 1798.106(a) (correction rights). However, a business that receives a verified deletion request must notify its service providers, contractors, and any third parties it has sold or shared PI with, to delete the PI, unless this is impossible or would involve disproportionate effort. § 1798.105(c)(1).

[45] § 1798.105(d)(7). 

[46] § 1798.130(a)(4)(B). Keep in mind that the Act defines “sale” expansively, including renting or disclosing PI for any “other valuable consideration.” § 1798.140(ad).

[47] § 1798.130(a)(4)(C).

[48] § 1798.120(b). See also 11 C.C.R. § 7003 (providing detailed requirements for presenting understandable notices so that they are easy to read and likely to be encountered by consumers).

[49] § 1798.135(a)(1). If the required notice of consumers’ right to opt-out of sale of their PI is not posted at the time of collection, the business must get consent from consumers before it sells any PI previously collected. 11 C.C.R. § 7013(h). The Act does allow a business to forego posting “Do Not Sell or Share My Personal Information” text and links on its general website if a business chooses to maintain a separate homepage that contains the required text and links dedicated to California consumers, and takes reasonable steps to ensure that California consumers are directed to that homepage. § 1798.135(d).

[50] See § 1798.140(p).

[51] § 1798.135(b).

[52] § 1798.130(a)(5)(C).

[53] § 1798.135(c)(4). Note that in responding to a consumer opt-out request, a business may offer the consumer the option to only opt-out of certain uses of his/her PI. However, the global opt-out option must also be offered. 11 C.C.R. § 7026(h).

[54] See § 1798.135(c)(4).

[55] Compare, §§ 1798.110(b) and § 1798.135(c)(4).  See also 11 C.C.R. § 7026(d).

[56] See § 1798.115(d).

[57] § 1798.120(c). 11 C.C.R. § 7028 (describing the required opt-in process). Note that, for consumers under the age of 13, opt-in must be received from the child’s parent or guardian.

[58] § 1798.125(a)(1).

[59] §§ 1798.125(a)(1)(A)-(D); §§ 1798.125(a)(2) & (b)(1). See also 11 C.C.R. §§ 7016(d)(5), 7080 & 7081. If a business is unable to calculate a good-faith estimate of the value of the PI or cannot show the reasonable relationship between the financial incentive and the PI value, then the financial incentive may not be offered. 11 C.C.R. § 7080(b).

[60] § 1798.125(b)(1).

[61] § 1798.125(b)(2). See also 11 C.C.R. § 7016.

[62] § 1798.125(b)(3).

[63] 11 C.C.R. §§ 7025 & 7026(a)(1).

[64] See 11 C.C.R. § 7025(c)(3).

[65] §§ 1798.115(a)(1)-(3).

[66] § 1798.120(a). Consumers may use an authorized agent to submit opt-out requests as well as global privacy controls, such as a browser plug-in or device settings. 11 C.C.R. §§ 7025 & 7026(j).

[67] § 1798.120(c).

[68] § 1798.125(b).

[69] § 1798.130(a)(5).

[70] § 1798.130(a)(5)(A).

[71] § 1798.135(a)(1).

[72] § 1798.135(a)(2).

[73] §1798.130(a)(5)(B).

[74] § 1798.130(a)(5)(C)(i).

[75] § 1798.130(a)(5)(C)(ii).

[76] § 1798.130(a)(1)(A).

[77] Id.

[78] Id.

[79] §1798.130(a)(1)(B).

[80] §1798.185(a)(16).

[81] Id.

[82] Id.

[83] §1798.140(z).

[84] See note 7, supra.

[85] § 1798.100(e).

[86] § 1798.185(a)(15)(A). Regulations regarding these audits are currently in development. See note 7, supra.

[87] § 1798.185(a)(15)(B). Regulations regarding these risk assessments are in development. See note 7, supra.

[88] § 1798.145(c)(1).

[89] § 1798.145(c)(1)(A).

[90] § 1798.145(c)(1)(B).

[91] Compare, § 1798.155 with § 1798.150.

[92] § 1798.155.

[93] § 1798.199.90(a).

[94] §1798.199.90(c).

[95] § 1798.199.90(d).

[96] §§ 1798.150(a)(1) & 1798.199.90(e).

[97] §§ 1798.150(a)(1)(A)-(C).

[98] §§ 1798.150(b) & 1798.155(b).

[99] § 1798.150(b).
