Learn what the California Consumer Privacy Act (CCPA) is, why it matters for data privacy, and how organizations ensure compliance with consumer rights requirements.
The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law that enhances consumer rights and business obligations related to personal information. Enacted in 2018 and effective since January 2020, the CCPA provides California residents the right to access, delete, and opt out of the sale of their personal data. The law applies to organizations that meet specific thresholds for revenue, data volume, or business activity involving California consumers. It established one of the first major state-level privacy frameworks in the United States and served as a model for other state laws and the later California Privacy Rights Act (CPRA).
The CCPA transformed U.S. data privacy by introducing consumer-centric protections similar to global regulations like the GDPR. It requires businesses to disclose how personal data is collected, shared, and sold, while empowering consumers to exercise control over their data.
Compliance with the CCPA builds consumer trust, mitigates reputational risks, and helps organizations prepare for stricter U.S. privacy laws. The California Privacy Protection Agency (CPPA) enforces the CCPA and its amendments, issuing fines for non-compliance and requiring ongoing transparency and accountability.
The CCPA’s influence extends beyond California, shaping national privacy expectations and prompting organizations to adopt broader governance programs covering data inventory, consent management, and user rights automation.
OneTrust helps organizations operationalize CCPA compliance through centralized consent management, automated consumer rights workflows, and dynamic privacy notices. The platform enables scalable compliance by unifying data discovery, preference tracking, and reporting across jurisdictions.
The CPRA expands and amends the CCPA, adding new rights such as data correction and limiting data use for sensitive information. It also establishes the California Privacy Protection Agency for enforcement.
Businesses that collect personal information from California residents and meet specific thresholds—such as exceeding $25 million in annual revenue or processing data on 100,000 or more consumers or households—must comply with the CCPA.
While both laws focus on data privacy and transparency, the GDPR applies to organizations processing data on EU residents, whereas the CCPA focuses on California residents. The GDPR requires lawful processing bases, while the CCPA centers on consumer rights and opt-out mechanisms.