Key Facts
Overview
The California Consumer Privacy Act was signed into law in June 2018 and took effect on January 1, 2020, making California the first US state with a comprehensive consumer privacy law. It gave residents unprecedented rights over their personal information and established the opt-out consent model that became the template for most subsequent US state privacy laws. In November 2020, California voters passed the CPRA (California Privacy Rights Act), which amended and expanded the CCPA effective January 1, 2023.
What This Means for Your Website
- You must provide a clear "Do Not Sell My Personal Information" link on your website
- Visitors from California have the right to opt out of the sale of their personal information, including data collected via cookies used for cross-context behavioral advertising
- You must disclose in your privacy policy what categories of personal information you collect, the purposes for collection, and the categories of third parties with whom you share it
- You cannot discriminate against consumers who exercise their privacy rights (e.g., by charging different prices or providing a different level of service)
- If you collect personal information from minors under 16, you must obtain opt-in consent before selling it. For children under 13, verifiable parental consent is required
- Requests to know or delete personal information must be responded to within 45 days
Key Requirements
The CCPA applies to for-profit businesses that do business in California and meet any of three thresholds: annual gross revenue exceeding $25 million, buying or selling the personal information of 50,000 or more California consumers, households, or devices, or deriving 50% or more of annual revenue from selling consumers' personal information. The California Attorney General enforces the CCPA, with penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a limited private right of action for data breaches involving unencrypted or unredacted personal information, with statutory damages of $100 to $750 per consumer per incident.
Note: The CPRA (effective January 2023) amended the CCPA to create the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, added the right to correct and limit use of sensitive personal information, and introduced opt-in requirements for sensitive data categories.
How ConsentStack Handles This
ConsentStack automatically detects visitors from California via CDN-edge geo-detection and applies the appropriate consent model. Under the CCPA's opt-out framework, scripts are allowed to run while visitors are presented with a clear option to opt out. ConsentStack's banner includes the required opt-out controls and records each visitor's choice with a timestamped audit trail. For the full scope of current California requirements, including the CPRA amendments, see the CPRA regulation page.
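As an added illustration (not ConsentStack's own code), the following JavaScript models the opt-out flow this section and the cookie-banner FAQ below describe: choosing the consent model from the detected region, letting scripts run until the visitor opts out, switching to opt-in for a site directed at visitors under 16, and appending a timestamped audit entry for every choice. The region code format, the `minorsSite` flag, and the script categories are assumptions made for the example; geo-detection and the banner UI are assumed to exist elsewhere and are left out.

```javascript
// Added example, not ConsentStack's code. Region detection and the banner UI
// are assumed to live elsewhere; the region code is passed in directly.

// Script categories a site might load (assumed for the example). "sale" covers
// scripts that sell or share personal information, e.g. cross-context
// behavioral advertising tags.
const CATEGORIES = ["necessary", "analytics", "sale"];

// Pick the consent model for a visitor. California follows the CCPA opt-out
// model; a site directed at visitors under 16 must obtain opt-in consent
// before selling their data (hypothetical `minorsSite` flag).
function consentModelFor(regionCode, minorsSite = false) {
  if (regionCode === "US-CA") {
    return minorsSite ? "opt-in" : "opt-out";
  }
  return "default"; // no California-specific rule applies
}

// Initial consent state. Under opt-out every category may run until the
// visitor opts out; under opt-in only "necessary" runs until they opt in.
function initialState(model) {
  const allowed = {};
  for (const c of CATEGORIES) {
    allowed[c] = c === "necessary" || model !== "opt-in";
  }
  return { model, allowed, history: [] };
}

// Record a visitor choice as a timestamped audit entry and return the new
// state without mutating the old one. `now` is injectable so entries are
// reproducible in tests.
function recordChoice(state, choice, now = () => new Date()) {
  const entry = {
    choice, // "opt-out", "opt-in", or "accept-all"
    model: state.model,
    at: now().toISOString(),
  };
  const next = {
    ...state,
    allowed: { ...state.allowed },
    history: [...state.history, entry],
  };
  if (choice === "opt-out") {
    next.allowed.sale = false; // stop selling/sharing via cookies
  } else if (choice === "opt-in" || choice === "accept-all") {
    for (const c of CATEGORIES) next.allowed[c] = true;
  }
  return next;
}

// Decide whether a script of the given category may execute right now.
function mayLoad(state, category) {
  return state.allowed[category] === true;
}

// Usage: a California visitor clicks "Do Not Sell My Personal Information".
const california = initialState(consentModelFor("US-CA"));
const afterOptOut = recordChoice(california, "opt-out");
console.log("sale scripts allowed:", mayLoad(afterOptOut, "sale"));
console.log("audit trail:", afterOptOut.history);
```

Because `recordChoice` returns a fresh state and appends to `history` rather than overwriting it, the audit trail keeps every choice a visitor made, which is what an enforcement inquiry would ask you to produce.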
Penalties
$2,500 per unintentional violation / $7,500 per intentional violation
Key Requirements
- Right to know what personal information is collected, used, and shared
- Right to delete personal information held by businesses
- Right to opt out of the sale of personal information
- "Do Not Sell My Personal Information" link required on website
- Non-discrimination for exercising privacy rights
- Privacy policy must disclose categories of personal information collected and purposes
Notable Provisions
- First comprehensive US state privacy law, effective January 1, 2020
- Established the opt-out model adopted by most subsequent US state laws
- Amended and expanded by the CPRA (California Privacy Rights Act) effective January 1, 2023
- Limited private right of action for data breaches involving unencrypted personal information
Frequently Asked Questions
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that gives California residents the right to know what personal information businesses collect about them, to delete that information, and to opt out of its sale. It took effect on January 1, 2020 and was later amended by the CPRA.
Do I need a cookie consent banner for CCPA?
If your website uses cookies for cross-context behavioral advertising or sells personal information collected via cookies, California visitors must have a way to opt out. ConsentStack automatically shows an opt-out banner to California visitors with the required controls.
What is the difference between CCPA and CPRA?
The CCPA (2020) established opt-out rights for the sale of personal information. The CPRA (2023) amended the CCPA to add new rights (correction, limiting sensitive data use), created a dedicated enforcement agency (CPPA), and introduced opt-in requirements for sensitive data categories. The CPRA builds on the CCPA rather than replacing it.
What are the penalties for CCPA non-compliance?
The California Attorney General can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a limited private right of action for data breaches involving unencrypted personal information, with statutory damages of $100 to $750 per consumer per incident.
Does the CCPA apply to my business?
The CCPA applies to for-profit businesses that do business in California and meet any of three thresholds: over $25 million in annual revenue, buying or selling personal information of 50,000+ California consumers, or deriving 50%+ of revenue from selling personal information. If your website has California visitors and meets a threshold, you likely need to comply.
Stay compliant with CCPA
ConsentStack helps you implement opt-out consent for California, United States, automatically.