The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents the right to know, delete, correct, and limit how businesses use their personal information. It applies to for-profit organizations that meet revenue, volume, or data-sale thresholds, and enforcement now centers on operational proof, not paper policies.
What Is the CCPA?
The California Consumer Privacy Act (CCPA) is a state privacy law that grants California residents specific rights over the personal information businesses collect about them, and requires those businesses to disclose, secure, and respond to consumer requests about that data. It is one of the most consequential data privacy statutes in the U.S., and every right the statute grants a consumer (e.g. the right to know, delete, correct, or limit use) is ultimately a question a business must answer about data it already holds: where is this person's information, who processed it, what systems copied it, and which vendors touched it?
The CPRA, passed by California voters as Proposition 24 in November 2020 and operative on January 1, 2023, amended the statute by adding new rights, a new enforcement agency, and a separate category for sensitive personal information.
The CCPA is codified at California Civil Code Section 1798.100 et seq., with regulations written and enforced by the California Privacy Protection Agency (CPPA). The original statute took effect on January 1, 2020; the CPRA amendments became operative on January 1, 2023. Together, they form one of the broadest state privacy regimes in the United States, and they set the template that Virginia, Colorado, Connecticut, and Utah drew from with variations.
Who Does the CCPA Apply To?
The CCPA applies to for-profit entities that do business in California, collect personal information from California residents, and meet at least one of three thresholds. Nonprofits, government agencies, and entities that do not meet any threshold sit outside the statute, though they may still fall under sector-specific privacy laws.
For-profit threshold tests
A business must satisfy the CCPA if it meets any one of the following:
- Annual gross revenue: More than $25 million in the preceding calendar year.
- Consumer volume: Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year. This threshold was raised from 50,000 by the CPRA amendments.
- Data-sale revenue share: Derives 50% or more of annual revenue from selling or sharing California consumers' personal information.
A business that meets none of these thresholds is still drawn in if it controls or is controlled by a covered business, shares branding with that covered business, and exchanges consumer personal information with it. The CPPA publishes implementing regulations and applicability guidance on its regulations page.
CCPA Exemptions
The CCPA carves out categories of data rather than categories of organizations. Personal information collected under HIPAA, the Gramm-Leach-Bliley Act, the Driver's Privacy Protection Act, and the Fair Credit Reporting Act is exempt when processed under those regimes.
Nonprofits and government agencies are excluded entirely. B2B and employee data were temporarily exempt but lost that status when the CPRA took effect in 2023, bringing employment records and commercial contact information into full scope.
Consumer Rights Under the CCPA and CPRA
The CCPA, as amended by the CPRA, grants California residents seven distinct rights. Businesses must honor valid requests within defined timelines and provide at least two methods to submit each one. The table below lists each right alongside its operational implication for the business receiving the request.
The seven rights look simple on paper. They become hard the moment a business has to locate the underlying data. A consumer's personal information rarely sits in one database. It is copied to CRMs, shared with marketing platforms, transformed by analytics pipelines, embedded in support tickets, and synced to vendors whose names no one at the company remembers. The 45-day response window is not the hard part. The hard part is having continuous visibility into where regulated data actually lives, before the request arrives.
Business Obligations and Compliance Requirements
The CCPA imposes three categories of obligation on every covered business: disclosure, request handling, and vendor management. Each has its own timeline, its own failure mode, and its own enforcement action on record.
Notice and disclosure
Covered businesses must publish a privacy policy that describes, at a minimum, the categories of personal information collected, the sources, the business and commercial purposes, the categories of third parties that receive the data, the retention period for each category, and a clear description of each consumer right. The CPRA added a requirement to disclose the categories of sensitive personal information collected and whether they are used or disclosed beyond what is necessary to provide the requested service. Notice must be provided at or before the point of collection; retroactive notice is not permitted.
Data minimization is baked into the CPRA. Businesses cannot collect more personal information than is reasonably necessary and proportionate to the purpose disclosed, and they cannot retain it longer than necessary for that purpose. This is where data classification and discovery intersect with privacy law: a business that does not know what categories of data it holds cannot truthfully disclose them, and it cannot credibly enforce a retention limit it never measured. A mature data governance program is what turns the disclosure and retention rules from a policy artifact into something the business can operate against.
Vendor categories under CPRA
The CPRA recognizes four roles a party can play with California consumer data, and the contract terms and liability allocations differ for each. Getting the classification right matters because a misclassified vendor can turn an ordinary data transfer into an unauthorized "sale" or "share" under the statute.
- Business: The entity that determines the purposes and means of processing personal information. The business holds primary responsibility for compliance.
- Service provider: Processes personal information on behalf of a business under a written contract, strictly for the purposes the business defines. Transfers to service providers are not "sales" or "shares."
- Contractor: Similar to a service provider, with a separate contractual designation created by the CPRA. Subject to the same use and retention restrictions.
- Third party: Any recipient that does not meet the service-provider or contractor test. Transfers to third parties count as "sharing" or "sales" and trigger opt-out rights.
The contract requirements for service providers and contractors are specific. The agreement must prohibit sale or retention of the data for other purposes, obligate the party to comply with CCPA provisions, and grant the business audit and remediation rights. A contract that omits any required term does not preserve the service-provider safe harbor, and the downstream transfer reverts to a "sale" in the eyes of the CPPA.
For a deeper look at how modern data security posture management (DSPM) supports data discovery and classification at the scale CCPA requires, read Core Capabilities of AI-Native, Modern DSPM.
Sensitive Personal Information and the AI Era
Sensitive personal information (SPI) is a category introduced by the CPRA and defined in Cal. Civ. Code Section 1798.140(ae). SPI covers categories that carry heightened risk if exposed:
- Government identifiers: Social Security number, driver's license, state ID, and passport numbers.
- Financial account credentials: Account numbers paired with access codes or passwords.
- Precise geolocation: Location data at sub-ZIP-code granularity.
- Protected-class attributes: Racial or ethnic origin, religious or philosophical beliefs, and union membership.
- Private communications: The contents of mail, email, and text messages where the business is not the intended recipient.
- Biometric and genetic data: Genetic data and biometric information processed to uniquely identify a consumer.
- Health, sex life, and sexual orientation: As defined in the statute.
Consumers have the right to limit the use of SPI to the processing necessary to provide the requested product or service. That restriction applies to every downstream use: advertising personalization, model training, behavioral analytics, and cross-context profiling. A business that collects SPI for one purpose and then feeds it into an AI training pipeline without documented necessity tying that use back to the service is violating the CPRA's use limitation.
The AI dimension is what makes SPI hard. SPI does not stay in the system it was collected into. Employees paste data into generative AI tools to draft summaries, support agents forward it through integrations, and analytics teams copy it into notebooks. The same biometric identifier that arrived through a formal intake flow may end up inside a vendor-hosted AI assistant within hours, through the same shadow AI pathways that already concern security teams, and the transformed AI output may contain the information in a form content inspection alone cannot recognize.
CCPA vs. CPRA vs. GDPR
Three names dominate privacy conversations: the CCPA, the CPRA, and the European Union's General Data Protection Regulation (GDPR). The CCPA and CPRA are the same California statute at different points in its life, before and after the 2023 amendments. The GDPR is a separate legal instrument with separate scope, enforcement, and remedies. The table below lists the differences that most often matter to data security teams.
The CPRA did not replace the CCPA. It amended it, strengthened several rights, and added a dedicated regulator. Businesses that built their compliance programs around the 2018 text and never updated them are working from an outdated statute; enforcement filings track the post-2023 version.
Enforcement and Penalties
The CCPA authorizes two enforcement pathways. The California Attorney General and the CPPA can pursue administrative penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation or per violation involving a minor under 16. Separately, consumers have a private right of action when unredacted personal information is exposed in a breach caused by the business's failure to maintain reasonable security. Statutory damages in those private suits range from $100 to $750 per consumer per incident, with actual damages available if larger. The private right of action is narrow; it applies only to breaches, not to ordinary compliance failures.
How a Data Security Platform Supports CCPA Compliance
Every CCPA obligation reduces to a data question the business must be able to answer. Where is this consumer's personal information? What classification does it hold? Who processed it, and on whose behalf? Has it been deleted where required? The organizations that pass CCPA enforcement scrutiny are the ones whose security infrastructure was already producing those answers before a regulator asked. Voluntary frameworks like the NIST Privacy Framework describe the same control families the CCPA implies, and map cleanly to the discovery, classification, and inventory work the statute demands.
A data security platform supports CCPA compliance through four capabilities that map directly to the statute:
- Continuous discovery and classification: Legacy, periodic scan-based discovery produces point-in-time snapshots that are stale the moment they are created. Continuous discovery identifies sensitive personal information as it is created, copied, and moved, so the CCPA inventory reflects current state.
- Data lineage: Privacy law asks where data came from, where it went, and who touched it along the way. Data lineage preserves that chain across endpoints, SaaS apps, cloud storage, and AI tools, so a 45-day DSAR response is built from evidence rather than memory.
- DLP and exfiltration controls: The CCPA's private right of action attaches to breaches involving unredacted personal information. Cross-channel data loss prevention (DLP) that understands data context, not just content patterns, reduces the exfiltration paths that trigger statutory damages.
- AI visibility: Shadow AI tools ingest personal information in ways content inspection alone cannot fully observe. Endpoint-first DLP monitoring records which AI tools employees use, what data they paste, and where the outputs flow, so the SPI use-limitation rule is enforceable in practice.
See how Cyberhaven's core technology provides continuous visibility to answer all CCPA data requests by exploring How Data Lineage Works.
Frequently Asked Questions
What does CCPA stand for?
CCPA stands for the California Consumer Privacy Act. Governor Jerry Brown signed it into law as AB 375 in June 2018, and it took effect on January 1, 2020. The name matters because the CCPA was the first broad state consumer privacy statute in the United States, and later state laws in Virginia, Colorado, Connecticut, and Utah drew directly from its structure and vocabulary.
When did the CCPA take effect?
The original CCPA took effect on January 1, 2020, with enforcement beginning July 1, 2020. California voters approved the CPRA amendments as Proposition 24 in November 2020, and those amendments became operative on January 1, 2023, with a lookback period covering personal information collected from January 1, 2022. The California Privacy Protection Agency has held rulemaking and enforcement authority alongside the Attorney General since January 2023.
What is the difference between CCPA and CPRA?
CPRA amended the CCPA rather than replacing it. The amendments added the right to correct, the right to limit use of sensitive personal information, and a new SPI category; raised the consumer-volume threshold from 50,000 to 100,000; created the California Privacy Protection Agency as a dedicated regulator; and removed the temporary exemptions for employee and B2B data. The California Attorney General and the International Association of Privacy Professionals refer to the current statute as "the CCPA, as amended by the CPRA."
Does the CCPA apply to companies outside California?
The CCPA applies to any for-profit business, anywhere in the world, that collects personal information from California residents and meets one of the three thresholds. Physical presence in California is not required. A New York software company that sells to California consumers, hits $25 million in revenue, and processes their personal information is covered. The geographic trigger is the residency of the data subject, not the location of the business.
What are the penalties for CCPA violations?
Administrative penalties under the CCPA run up to $2,500 per unintentional violation and $7,500 per intentional violation or per violation involving a consumer under 16. Consumers also have a private right of action for breaches involving unredacted personal information, with statutory damages between $100 and $750 per consumer per incident. Recent settlements include Sephora at $1.2 million in 2022, DoorDash at $375,000 in 2024, and Honda at $632,500 in 2025.
Is CCPA the same as GDPR?
The CCPA and the GDPR are not the same statute, though they share several design principles. The CCPA is a California state law that applies to for-profit businesses meeting specific thresholds and grants opt-out rights. The GDPR is an EU regulation that applies to any processing of EU personal data and requires a legal basis (such as consent) before processing begins. The GDPR's penalty ceiling is far higher than the CCPA's per-violation cap, but the CCPA's private right of action creates exposure the GDPR does not.