California Consumer Privacy Act (CCPA): Ultimate reference guide

  • Articles
  • December 4 2020
  • 0 min read

As the troves of data that Instagram and Facebook hold on users are becoming tools of election manipulation and are subjected to data breaches, it’s of paramount significance that we have a good handle on what sort of data these tech giants gather about us. Regulations over data are becoming more and more formidable and invasive against what was more of a wild west type scenario during the early days of sharing. To tighten the data screws, laws like General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have sprang up with the latter setting the bar higher than ever before for U.S. companies when it comes to data privacy regulation.

According to the Standardized Regulatory Impact Assessment conducted by Berkeley Economic Advising and Research, LLC, over $12 billion worth of personal data, that is used for advertising each year in California, will be protected by CCPA regulations. California passed this adroit and groundbreaking privacy law to give consumers more authority over their data. The legislation gives residents rights to control what information organisations collect on them and how it is used. Simply put, residents of the state get a whole new armoury of tools to protect their data and personal information online and can tread with greater responsibility.

From ballot to enforcement: A brief history of CCPA

CCPA was approved by the California State Governor on June 28, 2018 and came into effect on January 1, 2020. Let’s go for a trip down the memory lane to understand how the foundation for such a privacy law was laid and how it eventually came into being. In the beginning of 2018, a California real estate developer pitched for a new privacy law i.e. the Consumer Right to Privacy Act of 2018 on the November 2018 California ballot. The supporter of the initiative had collected enough signatures by June 2018 to earn a place on the November ballot. 

Eventually, California legislators worked with representatives of the affected California companies and other interest groups and a passed a substitute bill i.e. The California Consumer Privacy Act of 2018 or the CCPA in exchange for an agreement. The agreement was to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot. California Attorney General Xavier Becerra unveiled the first version of the proposed implementing regulations on October 11, 2019.

So, CCPA was approved by the California State Governor on June 28, 2018 and came into effect on January 1, 2020. On February 10, 2020, modified regulations were released by California AG. On March 11, 2020, the second set of modified regulations were introduced. The California AG submitted this version of justification along with the Statement of Reasons to California’s Office of Administrative Law (OAL) on June 1, 2020. It entered the enforcement phase on July 1, 2020 which means that California’s Attorney General will be able to take direct action against organisations for violating privacy protection requirements of the CCPA.

The final version was approved by OAL on August 14, 2020 that put a stop to a long period of uncertainty and established specific content and administrative compliance obligations for businesses.

The three fundamentals of CCPA

As one California legislator puts it, CCPA is the “first consumer privacy act in the US”. None of the other US states have provided its citizens with GDPR-like protections that required firms to apprise consumers about the information gathered and shared and offer them a right to access, to delete and to opt-out.


Table with four columns explaining California Consumer Privacy Act (CCPA)
Source: Deloitte

CCPA is a law that enables any California consumer to demand for seeing all the data a company has saved on them in addition to the complete list of all the third parties that data is shared with. Plus, it lets the consumers sue organisations if the privacy guidelines are not met even if there is no breach of privacy. This ultimately ensures that consumers get more control over the sharing of their personal information and forces business organisations to give more information to consumers about what’s being done with their data.

The real deal about the whole thing is that most consumers don’t realise that their personal information is being shared or sold to others. This act ensures that they are given the opportunity to opt-out of having their data used in a way that they disapprove of.

AB 375 considers following as the personal information:

  • Identity-related data like real name, alias, residential address among others
  • Commercial information comprising data on personal property, products or services obtained, or other such history on purchasing or consuming tendencies
  • Internet and other electronic network activity
  • Geolocation data
  • Audio, visual, thermal, olfactory or other such similar information
  • Employment-related information
  • Education information
  • Conclusions obtained from any of the information identified in this subdivision for generating a profile about a consumer that shows preferences, characteristics, psychological trends, predispositions, etc.
  • Credit card information
  • Religion
  • Age
  • Political affiliation


A tasksheet icon on right and textual information on left about California Consumer Privacy Act (CCPA)
Source: Varonis

Must comply:

  • All for-profit organisations that serve California residents and have at least $25 million in annual revenue have to comply with the CCPA regulations.
  • Moreover, businesses of any size that receive or disclose personal information on at least 50,000 people or that collect more than half of their revenues from the sale of personal information also come under the purview of this law.
  • Organisations don’t have to be based in California or have a physical presence there or even based in the United States to come under the supervision of this law.

Won't have to comply:

  • Non-profit organisations, smaller businesses that don’t meet the revenue thresholds,
  • and/or that don’t traffic in cornucopia of personal information from California residents, 
  • and that do not share a brand with an affiliate that’s covered by CCPA
Hammer icon left and statistical information on right about California Consumer Privacy Act (CCPA)
Source: Deloitte

Non-compliance with CCPA will definitely incur penalties. Civil penalties start at $2500 for a violation that is deemed unintentional and can reach upto $7500 for intentional ones. If a company can take corrective actions within 30 days of being notified, they can get away with a warning. Data breaches enable consumers to take specific actions against the offending company. Consumers can bring an action for statutory damages when an organisation fails to implement proper security procedures for consumers’ personal data.

If you are wondering who is mainly responsible for CCPA compliance, understand that it is an all-hands-on-deck kind of a thing. It’s true that CEOs and CIOs lead the pack but since so many other departments gather and use consumer data, it’s pivotal that everyone gives ample importance to this data privacy law and be responsible and accountable for what they do with personal data.


A number of major companies have already started introducing measures taken by them to comply with CCPA. For instance, whether it’s about importing and exporting customer data, or responding to user requests to delete personal data, or even contacting the admin who controls the workspace, Slack got everything covered when it comes to CCPA compliance. Similarly, as mentioned in its Online Services Terms, Microsoft complies with all laws and regulations that are applicable to its provision of the Online Services including CCPA.

The three-pronged approach to ensure CCPA compliance include:


  • First and foremost, focus on identifying and classifying your data assets. It’s important to know where personal data is located and if the data is at risk by checking access permissions.
  • Dig deeper into personal data for identifying those folders that are seldom accessed because stale personal information doesn’t serve much purpose and is an unwanted security risk.


  • Privacy policy disclosures should be updated.
  • Providing timely notice of collection and use of personal data to employees and consumers is a must.
  • Implementing or revising existing processes for accepting and responding to consumer requests is a must.
  • Applying reasonable security controls to responses to consumer requests would go a long way.
  • It is also important to incorporate criteria that are set forth under final regulations for verifying consumer request
  • Maintaining records of CCPA consumer requests in a specific form for at least 24 months is important.
  • Notices regarding business’s privacy practices should be accessible to consumers with disabilities.
  • Confirmation of consumer requests is again a must.


Always be alert for new cyber threats and adjust privacy and security as and when needed.


The CCPA, along with GDPR, represent a big shift in confronting data but also present an opportunity to reframe the conversation with the customers and redirect the required big investments for building a unified customer architecture. This ultimately supports both privacy compliance and longer-term marketing and customer relationship strategies.

Become our reader!

Get hand picked blogs directly in your inbox.
The subscriber's email address.