California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) grants California residents rights over their personal data, requiring transparency and control from organizations that collect or sell it.


What is the California Consumer Privacy Act (CCPA)?  

The California Consumer Privacy Act (CCPA) is a comprehensive state privacy law that gives California residents the right to know what personal information businesses collect, how it’s used, and whether it’s sold or shared. Enacted in 2018 and effective since January 2020, the CCPA introduced key rights including access, deletion, and opt-out of data sale. The law applies to for-profit entities meeting certain thresholds related to revenue, data volume, or commercial activity in California. It also established a foundation for subsequent legislation such as the California Privacy Rights Act (CPRA), which expanded and amended the CCPA’s provisions. 

 

Why the California Consumer Privacy Act (CCPA) matters   

The CCPA reshaped privacy expectations in the United States by granting individuals unprecedented control over their data. It requires organizations to provide clear privacy notices, honor consumer requests, and maintain transparent data-handling practices. 

Compliance with the CCPA helps build consumer trust and reduces regulatory risk. The law is enforced by the California Privacy Protection Agency (CPPA) and allows penalties for non-compliance, reinforcing accountability and governance obligations. 

The CCPA also serves as a model for new state privacy laws, influencing broader U.S. data protection trends and encouraging businesses to adopt scalable, privacy-first data management frameworks. 

 

How the California Consumer Privacy Act (CCPA) is used in practice

  • Creating and maintaining privacy notices that disclose data collection and sharing practices 
  • Implementing opt-out mechanisms for data sale and targeted advertising 
  • Managing consumer access, correction, and deletion requests 
  • Tracking consent and preference signals across systems and regions 
  • Conducting data mapping to identify where personal information is stored and shared 
  • Aligning privacy programs with updates introduced by the CPRA

 


How OneTrust helps with the California Consumer Privacy Act (CCPA)  

OneTrust simplifies CCPA compliance by automating consumer rights requests, managing consent and preferences, and maintaining dynamic, compliant privacy notices. The platform provides configurable workflows, reporting tools, and audit-ready documentation to help organizations demonstrate transparency and accountability. 

 

FAQs about the California Consumer Privacy Act (CCPA)  

 

The CPRA expands on the CCPA by introducing new rights—such as correction and data minimization—and creating the California Privacy Protection Agency (CPPA) for enforcement.

The CCPA applies to businesses that collect or sell personal information of California residents and meet specific thresholds, such as generating over $25 million in annual revenue or processing data from 100,000 or more consumers or households.

While both laws protect individual privacy rights, the GDPR applies globally to EU data subjects, and the CCPA focuses on California residents. The GDPR emphasizes lawful processing bases, while the CCPA centers on disclosure, transparency, and opt-out rights.

