The California Consumer Privacy Act (CCPA)

Like the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) gives individuals more control over how companies use, collect, store, and process their personal information.

The CCPA is one of the most sophisticated data protection laws in the United States. Crucially, it protects California residents from losing control of their personal information.

Although the law passed in June of 2018, it didn't come into effect until January 1st 2020. The CCPA currently affects business operations, and you'll need to take steps to comply.

Put simply, the CCPA regulates:

  • What information businesses collect
  • Who the business shares the information with
  • Who the business sells the information to
  • Why the business collects the data in the first place
  • How the data is stored and processed
  • The consent that businesses must obtain before they can process personal data

Most importantly, the CCPA makes it compulsory for businesses to draft comprehensive Privacy Policies which inform consumers of their various rights under the Act.

The CCPA applies to businesses wherever they are located. It does not just apply to businesses based in California. The CCPA applies when:

  • A company collects or processes the private data from people who live in California
  • The company does business, or makes sales, in California

It's clear that the CCPA, like the GDPR, affects businesses across the United States.

Essentially, the CCPA exists because people want more control over what happens to their data when they shop online, visit websites or share their information with other parties.

People want to know that their data is safe and secure, and that businesses collect the least amount of personal data possible.

They also want to know that businesses can't sell their data to third parties without their consent. Regulating the sale and distribution of personal data is at the heart of the CCPA.

On the other hand, businesses require information about their customers to analyse trends, predict growth, and reach new prospective business opportunities. Much like the GDPR, the CCPA attempts to regulate an increasingly complex commercial world while respecting the rights of the individual.

Although the CCPA applies to businesses, it doesn't apply to every business. Businesses that meet certain criteria are exempt from the CCPA, because it would be disproportionate for them to comply with the rules.

Before considering the CCPA in detail, then - who does the CCPA apply to?

The CCPA gives customers more control over how businesses share, process, and use their personal information.

Although the Act primarily affects California residents, businesses which undertake substantial activities in California are subject to the CCPA. Very small businesses are exempt.

The Act doesn't apply to charity or other non-profits, either.

Personal information is any data which can reasonably be linked to an individual or their household. This doesn't include government-sanctioned data collection at federal, state, or local level.

Now we understand what data the CCPA applies to, let's consider what new rights the Act gives individuals, and what new responsibilities commercial businesses must accept.


Businesses must comply with the CCPA and how it's changing data processing. The first thing you should do is revise your existing Privacy Policy and ensure it's comprehensive, clear, and transparent.

Make it especially clear how California residents can opt out of data sharing, and only collect as much data as you need.