California Consumer Privacy Act
see-see-pee-AY
California's privacy law that gives residents the right to know what personal data is collected, request deletion, and opt out of data sales.
CCPA is California's answer to GDPR. It gives California residents the right to know what personal data businesses collect about them, request that it be deleted, and opt out of the sale of their data. The California Privacy Rights Act (CPRA) amended and expanded CCPA in 2023.
CCPA applies to for-profit businesses that meet any of three thresholds: annual gross revenue over $25 million, buying or selling personal data of 100,000+ consumers, or deriving 50%+ of revenue from selling consumer data. If you meet any of those thresholds and have California users, you must comply.
The practical requirements include a 'Do Not Sell My Personal Information' link on your website, responding to consumer requests within 45 days, and providing a privacy policy that discloses your data practices. Penalties are $2,500 per unintentional violation and $7,500 per intentional violation.
Examples
A SaaS company adds a CCPA compliance banner.
The website now includes a 'Do Not Sell or Share My Personal Information' link in the footer. Clicking it lets California users opt out of data sharing with third-party analytics and advertising partners.
A user submits a data deletion request.
A California user requests deletion of their account and all associated data. The company has 45 days to process the request, confirm deletion, and notify any third parties with whom the data was shared.
A company assesses whether CCPA applies to them.
The startup has $30M in revenue and 50,000 users, some in California. They exceed the revenue threshold. CCPA applies. They begin a compliance project to update their privacy policy and implement consumer request workflows.
Frequently asked questions
How is CCPA different from GDPR?
GDPR applies to all companies handling EU residents' data regardless of size. CCPA only applies to businesses meeting specific revenue or data volume thresholds. GDPR requires opt-in consent for data processing; CCPA gives consumers the right to opt out of data sales.
Does CCPA apply to companies outside California?
Yes. If your business meets the thresholds and collects personal data from California residents, CCPA applies regardless of where you are headquartered. A company in New York with California customers must comply.
Related terms
The European Union regulation that governs how companies collect, store, and process personal data of EU residents.
A legal document that explains what personal data a company collects, how it uses that data, and how it protects it.
The requirement that data be stored and processed within specific geographic boundaries, often mandated by local laws or regulations.
