The California Consumer Privacy Act (CCPA) is a state law designed to enhance privacy rights and consumer protection for residents of California, United States. Officially known as AB-375, the law was introduced by Ed Chau, a member of the California State Assembly, and State Senator Robert Hertzberg.

Key Dates of the CCPA


Law definitively adopted on June 28, 2018


Final amendments adopted on October 11, 2019


Effective from January 1, 2020, but with a 12-month “look back” requirement that allows consumers to request data collected on them going back a full year from when the request is made. This means that businesses must identify personal data files collected from January 1, 2019 (12 months prior to January 1, 2020).

Who is Covered by This Law

It applies to any business that:


Directly or indirectly collects or processes personal data of California consumers (i.e., any natural person residing in California) and alone or jointly with others determines the purposes and means of processing personal data


Conducts business in California (regardless of the business’s location, in California or in another state or country, as long as the conditions are met)


Meets at least one of the following thresholds:

– Has annual gross revenues exceeding 25 million dollars

– Or annually buys, receives, sells, or shares for commercial purposes the personal data of 50,000 or more California consumers, households, or devices

– Or earns more than half of its annual revenues from selling personal data

The CCPA also applies, indirectly, to the parent company and subsidiaries of an entity that meets the above criteria a), b), and c) if they share the same branding or trade name (“common branding”).

NB: The notion of “selling” personal data includes, notably:

  • Placing a third-party cookie on a website to enable advertising; or
  • Granting rights to sellers to analyze data for their own purposes.

Definition of "Personal Data"

Personal data is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal data notably includes any cookie identifier, device identifier, pixel beacon, customer number, as well as information linked to a household.

Data that is anonymized or aggregated is not considered personal data.

Principal Rights of Consumers


Right to information, before any collection, regarding (i) the categories of personal data that will be collected about them and any changes to this collection, (ii) the purpose of the collection, and (iii) the third parties with whom their personal data is shared


Right to consent or object to the sale of their personal data (opt-out)


Right of access: to know the data collected about them by a company and the source of this collection

Right to object to the sale of their personal data


Right to deletion of their personal data

Right to take action (individually, not collectively) against companies that fail to meet their legal obligations

Principal Obligations of Businesses


To inform the concerned individuals by:

– A privacy notice at the time of collection

– A privacy policy containing information on online and offline collection practices (mandatory update every 12 months)

– A notification in case of enrichment or modification of the collected information


To give notice of the terms of any existing financial incentives relating to the collection, sale, or retention of personal data

To provide an opt-out means for the individual to object to the sale of their personal data

Specific obligations regarding the collection of personal data of minors under 13 years old

To train its staff on personal data protection rules

Unlike the GDPR, the CCPA recognizes the right to the monetization of data by allowing individuals to sell their personal data in exchange for a financial incentive (“financial incentive”).

Penalties in Case of Violation of the Law


Notice of non-compliance by the California Attorney General

Civil penalties imposed by the California Attorney General ranging from $2,500 to $7,500 for each violation that is not remedied following a notice

Civil action by the affected individual against the non-compliant company

Exemptions and Exceptions

The CCPA provides various exceptions and exemptions to personal data processing. For example, a general exemption applies until January 1, 2021:


To information that a business collects from its candidates, employees, contractors, and other similar individuals

To information about the personnel of business clients of an entity, in B2B scenarios