California Consumer Privacy Act / California Privacy Rights Act
The CCPA and its successor CPRA give California residents extensive rights over their personal data. This legislation is the strictest privacy law in the United States and affects businesses worldwide that do business with California consumers.
The California Consumer Privacy Act (CCPA) was adopted in 2018 and took effect on January 1, 2020. The law was supplemented in November 2020 by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023. Together they form the most comprehensive privacy framework in the United States. The legislation gives California consumers the right to know what personal data is collected, to request deletion, to opt out of the sale of their data and not to be discriminated against when exercising their privacy rights. The CPRA also established the California Privacy Protection Agency (CPPA) as an independent supervisory authority.
Businesses with gross annual revenue of more than 25 million dollars
Organizations that process personal data of 100,000 or more California consumers
Businesses that derive 50% or more of their revenue from the sale or sharing of personal data
Subsidiaries of businesses that meet the above criteria
Any entity that processes personal data of California consumers on behalf of a covered business
Consumers have the right to know what personal data is collected, for what purposes, and with which third parties it is shared. Businesses must communicate this transparently via a privacy policy.
Consumers can request to have their personal data deleted. Businesses must comply with this request, subject to certain legal exceptions.
Businesses must offer a clear 'Do Not Sell My Personal Information' link on their website. With the CPRA, this has been extended to the sharing of data for cross-context behavioral advertising.
Under the CPRA, consumers have the right to have inaccurate personal data corrected by the business that holds this data.
The CPRA introduces the concept of sensitive personal data and gives consumers the right to limit its use and disclosure.
Businesses may only collect personal data that is reasonably necessary and proportionate to the purpose for which it is collected.
The California Attorney General and the CPPA can impose fines of up to 2,500 dollars per unintentional violation and 7,500 dollars per intentional violation or violation involving minors. Additionally, consumers have the right to damages of 100 to 750 dollars per incident for data breaches caused by insufficient security measures.
Consentr automates CCPA/CPRA compliance so you can focus on your business.
Consentr automatically recognizes the Global Privacy Control (GPC) signal and respects visitors' opt-out preferences, as required by the CCPA/CPRA.
Easily add a compliant 'Do Not Sell My Data' link to your website that automatically triggers the correct actions.
Consentr automatically detects whether a visitor is from California and displays the appropriate CCPA/CPRA-compliant notifications and options.
Easily manage consent for the use of sensitive personal data as required by the CPRA.
All opt-out requests are securely recorded and documented as evidence of compliance for audits.
Consentr helps you keep your privacy policy up to date so that it meets the latest CCPA/CPRA requirements.
Yes, if your company meets the threshold values (revenue above 25 million dollars, data of more than 100,000 California consumers, or more than 50% revenue from data sales) and you do business with California consumers, you are required to comply with the CCPA/CPRA.
The CPRA is an extension and strengthening of the CCPA. The main additions are the right to correction, restrictions on sensitive data, stricter rules for automated decision-making and the establishment of an independent privacy supervisory authority (CPPA).
GPC is a browser setting that allows users to automatically send an opt-out signal to websites. Under the CCPA/CPRA, businesses are required to respect this signal as a valid request to stop data sale or sharing.
The GDPR requires prior consent (opt-in) for most data processing, while the CCPA operates with an opt-out model. The GDPR applies to all organizations that process EU data, while the CCPA uses threshold values. Both laws, however, give consumers strong rights over their personal data.