{"id":330,"date":"2024-09-19T09:24:00","date_gmt":"2024-09-19T07:24:00","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=12018"},"modified":"2025-06-26T12:51:16","modified_gmt":"2025-06-26T10:51:16","slug":"california-consumer-privacy-act","status":"publish","type":"knowledge","link":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/","title":{"rendered":"California Consumer Privacy Act (CCPA) \u2013 an overview"},"content":{"rendered":"\n<p><span style=\"font-weight: 400\">The United States does not yet have a single federal data protection law. To date, an increasing number of states have passed their own laws and\/or updated existing ones, and bills have been introduced, are in progress, or have failed in many others.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">There are a number of other long-standing privacy laws that target specific types of information or human demographics in the US, like the Health Insurance Portability and Accountability Act (HIPAA) for health and the <\/span><a href=\"\/knowledge-hub\/childrens-online-privacy-protection-act-coppa\/\"><span style=\"font-weight: 400\">Children&#8217;s Online Privacy Protection Act (COPPA)<\/span><\/a><span style=\"font-weight: 400\"> for children&#8217;s safety. This makes it difficult to keep track of, and achieve compliance with, all relevant regulations that address personal data.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The first and most influential state-level consumer privacy law passed in the United States is the <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/california-consumer-privacy-act\/\"><span style=\"font-weight: 400\">California Consumer Privacy Act (CCPA)<\/span><\/a><span style=\"font-weight: 400\">. 
It takes some influence from the European Union&#8217;s <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devgdpr\/\"><span style=\"font-weight: 400\">General Data Protection Regulation (GDPR)<\/span><\/a><span style=\"font-weight: 400\"> and has, in turn, influenced privacy bills drafted by other states, including the <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/virginia-consumer-data-protection-act-vcdpa\/\"><span style=\"font-weight: 400\">Virginia Consumer Data Protection Act (VCDPA)<\/span><\/a><span style=\"font-weight: 400\">.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-california-consumer-privacy-act-ccpa\"><span style=\"font-weight: 400\">What is the California Consumer Privacy Act (CCPA)?<\/span><\/h2>\n\n\n\n<p><span style=\"font-weight: 400\">The <\/span><a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?division=3.&amp;part=4.&amp;lawCode=CIV&amp;title=1.81.5\" target=\"_blank\" rel=\"noreferrer noopener\"><span style=\"font-weight: 400\">California Consumer Privacy Act (CCPA)<\/span><\/a><span style=\"font-weight: 400\"> is a US state-level consumer privacy law that was passed in 2018 and came into effect on January 1, 2020. It applies exclusively to residents of California, known as \u201cconsumers\u201d under the law, and regulates the protection of their personal information.&nbsp;<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">It\u2019s worth noting, however, that California is the most populous US state, with a population of over 39 million people, as well as having the world\u2019s fifth largest economy, and a number of the world\u2019s largest and most influential tech companies are headquartered there. So the state has an outsized influence on many fronts.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">A consumer under the law is a natural person who is a resident of California, however identified, including by means of a unique identifier. 
A \u201cresident\u201d means:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">every individual who is in the State for other than a temporary or transitory purpose<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">and<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA was amended and expanded by the <\/span><a href=\"https:\/\/cppa.ca.gov\/\" target=\"_blank\" rel=\"noreferrer noopener\"><span style=\"font-weight: 400\">California Privacy Rights Act (CPRA)<\/span><\/a><span style=\"font-weight: 400\">, which took effect on January 1, 2023, and granted additional rights to consumers and established the <\/span><a href=\"https:\/\/cppa.ca.gov\/\" target=\"_blank\" rel=\"noreferrer noopener\"><span style=\"font-weight: 400\">California Privacy Protection Agency (CPPA)<\/span><\/a><span style=\"font-weight: 400\">, among other things. Enforcement of the CPRA began in February 2024 after a legal challenge. Enforcement had been scheduled to begin on July 1, 2023.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-definitions-under-the-california-consumer-privacy-act-ccpa-data-privacy-law\"><span style=\"font-weight: 400\">Definitions under the California Consumer Privacy Act (CCPA) data privacy law<\/span><\/h2>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA, as amended by the CPRA, defines several terms that cover the data it protects and data processing activities. 
Unlike most other data privacy laws, California does not use the terms &#8220;controller&#8221; or &#8220;processor&#8221;.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-personal-information-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Personal information under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">The <\/span><span style=\"font-weight: 400\">CCPA\/CPRA law<\/span><span style=\"font-weight: 400\"> defines personal information as <\/span><i><span style=\"font-weight: 400\">\u201cinformation that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.\u201d<\/span><\/i><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA\/CPRA\u2019s definition of personal information is wide ranging, and examples under the law include, among other things:&nbsp;<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">IP address, real name, alias, postal address, Social Security number, and email address<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">biometric information that can establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, as well as sleep, health, or exercise data that contain identifying information<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">electronic activity information, such as browsing history or interactions with online ads<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">professional or employment-related information<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">Personal information is known as personal data under many international and other state-level <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/us-data-privacy-laws-by-state\/\"><span style=\"font-weight: 400\">data privacy laws in the 
US<\/span><\/a><span style=\"font-weight: 400\">.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sensitive-personal-information-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Sensitive personal information under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">Sensitive personal information is that which can cause harm to a consumer if misused, and includes, among other things:&nbsp;<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">driver\u2019s license, state ID card, passport, or Social Security number<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">precise geolocation data that can accurately identify a person within a radius of 1850 feet (563 
meters)<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">racial or ethnic origin<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">debit card or credit card number in combination with any required password or credentials that provide access to the account<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">genetic data<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">contents of a consumer\u2019s postal mail, email, and text messages<\/span><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-unique-identifier-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Unique identifier under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">The <\/span><span style=\"font-weight: 400\">CCPA\/CPRA law<\/span><span style=\"font-weight: 400\"> defines a unique identifier or \u201cunique personal identifier\u201d as <\/span><i><span style=\"font-weight: 400\">\u201ca persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.\u201d<\/span><\/i><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The law specifies that a family means a custodial parent or guardian and any children under 18 years of age who are in their custody.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">Examples of unique identifiers are:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">device identifier<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">IP address<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">cookies, beacons, pixel tags, mobile ad identifiers, or similar technology<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">customer number, unique pseudonym, or user alias<\/span><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consent-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Consent under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">The law defines consent as <\/span><i><span style=\"font-weight: 400\">\u201cany freely given, specific, informed, and unambiguous indication of the consumer\u2019s wishes by which the consumer, or the consumer\u2019s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.\u201d<\/span><\/i><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The following does not constitute valid consent under the CCPA\/CPRA:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 
400\">acceptance of a general or broad terms of use or similar document<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">hovering over, muting, pausing, or closing a piece of content<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">agreement obtained through <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/dark-patterns-and-how-they-affect-consent\/\"><span style=\"font-weight: 400\">dark patterns<\/span><\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sale-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Sale under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">The law defines sale as <\/span><i><span style=\"font-weight: 400\">\u201cselling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer\u2019s personal information by the business to a third party for monetary or other valuable consideration.\u201d<\/span><\/i><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">A business is not considered to have sold information when:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">a consumer uses or directs the business to intentionally disclose or interact with third parties<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">the business uses or shares an identifier for the consumer, for the purpose of informing others that the consumer has opted out of the sale of or limited the use of their personal information<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">the business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business<\/span><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-must-comply-with-the-california-consumer-privacy-act-ccpa\"><span 
style=\"font-weight: 400\">Who must comply with the California Consumer Privacy Act (CCPA)?<\/span><\/h2>\n\n\n\n<p><span style=\"font-weight: 400\">The <\/span><span style=\"font-weight: 400\">CCPA\/CPRA law<\/span><span style=\"font-weight: 400\"> applies to for-profit businesses that operate in California and collect the personal information of the state&#8217;s residents, if they meet any one of the following thresholds:&nbsp;<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">annual gross revenues exceeding USD 26,625,000 for the previous calendar year<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">receive, buy, sell, or share personal information of 100,000 or more consumers or households<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">earn more than half of their annual revenue from the sale of consumers&#8217; personal information<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">Interestingly, more recently passed privacy laws in other states have abandoned the revenue-only compliance threshold. Whether or not the company is headquartered in or has an office in California is not relevant to compliance. 
All companies that meet the threshold must meet <\/span><span style=\"font-weight: 400\">CCPA\/CPRA obligations<\/span><span style=\"font-weight: 400\"> if they are doing business with California residents, regardless of where in the world they are based.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-consumers-rights-under-the-california-consumer-privacy-act-ccpa-laws\"><span style=\"font-weight: 400\">What are consumers\u2019 rights under the California Consumer Privacy Act (CCPA) laws?<\/span><\/h2>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA, as amended by the CPRA, grants consumers several rights to enable them to protect their personal information and control how it\u2019s used.<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Right to delete: <\/b><span 
style=\"font-weight: 400\">consumers can request businesses to delete their personal information that was collected from the consumer.<\/span><\/li>\n\n\n\n<li><b>Right to correct:<\/b><span style=\"font-weight: 400\"> consumers can request a business to correct any incomplete or inaccurate personal information that it holds.<\/span><\/li>\n\n\n\n<li><b>Right to know and access: <\/b><span style=\"font-weight: 400\">consumers have a right to know and access the categories of personal information the business holds about them, the purposes for collecting the information, where the business obtained the information from, categories of third parties who receive the information, and the specific personal information the business has collected about the consumer.<\/span><\/li>\n\n\n\n<li><b>Right to know regarding sale or disclosure: <\/b><span style=\"font-weight: 400\">consumers have the right to know what categories of personal information the business holds; the categories of personal information sold, shared, or disclosed; and the categories of third parties to whom it is sold, shared, or disclosed.&nbsp;<\/span><\/li>\n\n\n\n<li><b>Right to opt out: <\/b><span style=\"font-weight: 400\">consumers have the right to opt out of the sale or sharing of their personal information.<\/span><\/li>\n\n\n\n<li><b>Right to limit: <\/b><span style=\"font-weight: 400\">consumers have the right to limit the use or disclosure of their sensitive personal information.<\/span><\/li>\n\n\n\n<li><b>Right of nondiscrimination: <\/b><span style=\"font-weight: 400\">consumers have the right not to be discriminated against for exercising any of their rights under the law.<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">In addition to these rights that are explicitly stated in the CCPA\/CPRA, consumers also have the right to data portability. 
Where a consumer has exercised their right to know and access personal information, businesses must present the consumer\u2019s specific personal information in a \u201cstructured, commonly used, machine-readable format.\u201d<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-obligations-under-the-california-consumer-privacy-act-ccpa-rules\"><span style=\"font-weight: 400\">Obligations under the California Consumer Privacy Act (CCPA) Rules<\/span><\/h2>\n\n\n\n<p><span style=\"font-weight: 400\">Businesses have specific <\/span><span style=\"font-weight: 400\">CCPA\/CPRA obligations<\/span><span style=\"font-weight: 400\"> to protect consumers\u2019 personal data, ensuring transparency and accountability in their data handling practices.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-notices-required-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Notices required under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA\/CPRA requires businesses to provide two distinct notices to consumers: a <\/span><b>notice at collection<\/b><span style=\"font-weight: 400\"> and a <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/what-is-a-privacy-policy-and-why-do-you-need-one\/\"><b>privacy policy<\/b><\/a><span style=\"font-weight: 400\">.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">A notice at collection must be displayed to consumers at or before the point where the business collects their personal information. 
This notice must clearly list:&nbsp;<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">categories of personal information collected, including sensitive personal information, if any<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">purposes for which personal information will be used, including sensitive personal information, if any<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">whether personal information or sensitive personal information is sold or shared<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">how long the business will retain the personal information and sensitive personal information<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">If the business sells or shares personal information, the notice must include a link with the specific words &#8220;Do Not Sell Or Share My Personal Information&#8221;, enabling consumers to easily opt out of such transactions.<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">The notice at collection should contain a link to the business\u2019s privacy policy.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA privacy policy must include:&nbsp;&nbsp;<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">a description of consumers\u2019 privacy rights and how to exercise them<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">categories of personal information collected, sold, or shared in the preceding 12 months<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">categories of sources from which personal information is collected<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">business or commercial purpose for collecting, selling, or sharing personal information<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">categories of third parties to whom personal information is disclosed<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">Businesses 
commonly make their privacy policy accessible on their websites, typically found via a link in the footer so that consumers can easily find and review the privacy policy.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consent-requirements-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Consent requirements under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">In most cases, the CCPA\/CPRA does not require explicit consent from consumers for the collection, use, or sharing of their personal information. It operates on an opt-out model, where consumers are assumed to consent to data use unless they choose to opt out. There is an exception for the personal information belonging to minors:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">For minors aged 13 to 16, businesses must obtain explicit, opt-in consent from the minor before selling or sharing their personal information<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">For minors under 13 years of age, businesses must obtain explicit consent from a parent or guardian before collecting or selling their data<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">Consumers have the right to opt out of the sale and several other uses of their personal information and to limit the use or disclosure of sensitive personal information.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-opt-out-requests-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Opt-out requests under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">Businesses must provide options for consumers to opt out of:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">sale or sharing of their personal information (and targeted advertising and profiling under the CPRA)<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">use or disclosure of their sensitive personal information for 
unauthorized purposes&nbsp;<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">The law mandates specific ways for businesses to provide consumers with opt-out options.&nbsp;<\/span><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">Through a clear and conspicuous link on the business\u2019s homepage titled \u201cDo Not Sell Or Share My Personal Information,\u201d which directs consumers to a page from which they can opt out of the sale or sharing of their personal information.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">Through a clear and conspicuous link titled \u201cLimit The Use Of My Sensitive Personal Information,\u201d which enables consumers to limit the use or disclosure of their sensitive personal information.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">If a business prefers, it can use a single link that combines both functions, as long as it effectively enables consumers to do both: opt out of the sale, sharing, targeted advertising, or profiling of their personal information, and limit the use or disclosure of their sensitive personal information.<\/span><\/li>\n<\/ol>\n\n\n\n<p><span style=\"font-weight: 400\">Businesses must also respect universal opt-out mechanisms, such as <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/what-is-global-privacy-control\/\"><span style=\"font-weight: 400\">Global Privacy Control (GPC)<\/span><\/a><span style=\"font-weight: 400\"> signals, through which consumers can set their consent preferences once and communicate them automatically across various websites and online services.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consumer-requests-for-right-to-know-correct-and-delete\"><span style=\"font-weight: 400\">Consumer requests for right to know, correct, and delete<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">Consumers have the right to request information about the personal data collected about them, as well as to correct inaccuracies or to delete that data.&nbsp;<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The law requires businesses to provide at least two designated methods for consumers to submit their requests, which must include a toll-free telephone number. 
For businesses that operate exclusively online and have a direct relationship with consumers, an email address is sufficient.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">If a business maintains a website, it should enable consumers to submit requests for information, correction, and deletion directly through the site.&nbsp;<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">Consumers can request data that was collected up to 12 months prior to the date of their request. Businesses have 45 days from the date of the request to disclose the requested information, and they may seek an extension of an additional 45 days under certain circumstances.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">While businesses may require consumers to log in to an existing account to verify identity and submit a request, they cannot require consumers to create a new account for this purpose.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-contracts-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Contracts under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">Businesses that collect consumers\u2019 personal information sometimes sell or share consumers\u2019 personal information with a third party, or disclose the personal information to a service provider or contractor for business purposes.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA\/CPRA requires businesses to enter into agreements with these third parties, service providers, or contractors. 
The agreement must outline that:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">the personal information is sold, shared, or disclosed only for limited and specific purposes<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">the third party, service provider, or contractor must comply with the <\/span><span style=\"font-weight: 400\">CCPA\/CPRA obligations<\/span><span style=\"font-weight: 400\"> applicable to them<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">the third party, service provider, or contractor must provide the level of data privacy protection required by the law<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">the business is entitled to take &#8220;reasonable and appropriate steps&#8221; to ensure that any third party, service provider, or contractor uses the personal information shared in a way that aligns with the business&#8217;s <\/span><span style=\"font-weight: 400\">CCPA\/CPRA obligations<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">the third party, service provider, or contractor must inform the business if it cannot meet its legal obligations<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">the business has the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of personal information, after providing notice<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">Contracts with service providers and contractors must also prohibit them from:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">selling or sharing personal information<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">retaining, using, or disclosing personal information for any purpose other than that specified in the contract<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">combining the personal information received from the business with personal information received by any other means, except 
for purposes exempted under the law<\/span><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-security-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Data security under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">Businesses that collect consumers\u2019 personal information are obligated to safeguard the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. The CCPA\/CPRA requires businesses to implement \u201creasonable security procedures and practices\u201d for this purpose.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-minimization-under-the-ccpa-cpra\"><span style=\"font-weight: 400\">Data minimization under the CCPA\/CPRA<\/span><\/h3>\n\n\n\n<p><span style=\"font-weight: 400\">Under the CCPA\/CPRA, businesses can collect, use, store, and share consumers\u2019 personal information only to the extent needed to achieve the original purpose for collecting the information, or for another compatible purpose. The personal information must not be processed in ways that conflict with the original purposes.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">This requirement is a key aspect of <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/data-minimization\/\"><span style=\"font-weight: 400\">data minimization<\/span><\/a><span style=\"font-weight: 400\">, which means that companies must limit their handling of personal data to what is essential for the intended purposes.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The CPPA, in its <\/span><a href=\"https:\/\/cppa.ca.gov\/pdf\/enfadvisory202401.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"><span style=\"font-weight: 400\">Enforcement Advisory No. 
2024-1<\/span><\/a><span style=\"font-weight: 400\">, has highlighted the various <\/span><a href=\"https:\/\/cppa.ca.gov\/regulations\/pdf\/cppa_regs.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"><span style=\"font-weight: 400\">CCPA regulations<\/span><\/a><span style=\"font-weight: 400\"> that reflect the principle of data minimization by prohibiting businesses from requiring consumers to share additional information \u201cbeyond what is necessary.\u201d<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-enforcement-and-penalties-under-the-california-consumer-privacy-act-ccpa\"><span style=\"font-weight: 400\">Enforcement and penalties under the California Consumer Privacy Act (CCPA)<\/span><\/h2>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA\/CPRA has certain unique characteristics when it comes to enforcing the state\u2019s consumer privacy law.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">Unlike most states, where the Attorney General has sole enforcement authority, California permits both the Attorney General and CPPA to enforce the law. However, the CPPA cannot limit the Attorney General\u2019s authority and must stay an administrative action or investigation when requested. A business cannot be penalized by both the Attorney General and the CPPA.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">Violations of the CCPA\/CPRA attract civil penalties of up to:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">USD 2,663 per non-intentional violation<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">USD 7,988 per intentional violation and violation involving the personal information of minors<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA\/CPRA is also the only consumer privacy law in the US that grants consumers a private right of action, although it is limited to specific situations. 
Consumers can sue businesses in the event of a data breach or <\/span><a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displaySection.xhtml?lawCode=CIV&amp;sectionNum=1798.150.\" target=\"_blank\" rel=\"noreferrer noopener\"><span style=\"font-weight: 400\">personal security information breach<\/span><\/a><span style=\"font-weight: 400\"> that occurs because the business failed to implement reasonable security measures to protect the personal information and that results in non-encrypted or non-redacted data being stolen.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">Consumers must give businesses 30 days to cure the violation in the event of a data breach before they can bring an action against the business. Of note is that when the CCPA came into effect, the Attorney General also provided a 30-day cure period; however, that has now sunset.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">Consumers can bring an action:&nbsp;<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400\">to recover damages between USD 107 and USD 799 per incident, or actual damages suffered, whichever is greater<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400\">for injunctive or declaratory relief<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"font-weight: 400\">If a consumer believes their rights, other than those arising out of a data breach, have been violated, they may file a complaint with the Attorney General or the CPPA.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-gdpr-vs-ccpa-a-summary\"><span style=\"font-weight: 400\">GDPR vs. 
CCPA: a summary<\/span><\/h2>\n\n\n\n<p><span style=\"font-weight: 400\">The EU\u2019s General Data Protection Regulation (GDPR) and the CCPA\/CPRA are landmark regulations when it comes to protecting data privacy.&nbsp;<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The GDPR is considered one of the most stringent data protection regulations worldwide, and has influenced many other regulations, such as Brazil\u2019s <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/brazil-lgpd-general-data-protection-law-overview\/\"><span style=\"font-weight: 400\">General Data Protection Law (LGPD)<\/span><\/a><span style=\"font-weight: 400\"> and the CCPA.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">The CCPA was the first state-level consumer privacy law passed in the US and has many unique provisions, such as dual enforcement and private right of action.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: 400\">We look at the two regulations side by side to examine some of the similarities and differences.<\/span><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><\/th><th>CCPA<\/th><th>GDPR<\/th><\/tr><\/thead><tbody><tr><td>Scope and applicability<\/td><td>Applies to for-profit businesses that collect personal information from California residents and either: <br>&#8211; have annual gross revenues exceeding USD 26,625,000 for the previous calendar year <br>&#8211; receive, buy, or sell personal information of 100,000 or more consumers or households <br>&#8211; earn more than half of their annual revenue from the sale of consumers&#8217; personal information <br>It applies to any business that meets these conditions, regardless of where the business is located (extraterritoriality).<\/td><td>Applies to any entity that processes the personal data of individuals located in the EU\/EEA and either: <br>&#8211; offers them goods and services <br>&#8211; monitors their behavior <br>Like the CCPA, it applies regardless of where 
the business is located (extraterritoriality).&nbsp; <br>The GDPR applies to non-profit organizations and government agencies as well as for-profit businesses.<\/td><\/tr><tr><td>What it protects<\/td><td>Personal information of California residents, known as consumers, even if they are temporarily outside the state. Personal information includes that which can be linked to a consumer or a household.<\/td><td>Personal data of individuals located in the EU territory, known as data subjects. Applies to individuals only and does not extend to households.<\/td><\/tr><tr><td>Consent<\/td><td>Operates on an opt-out consent model and doesn\u2019t require prior consent to collect and process data in most cases. Consumers can opt out of the use of their data in specific cases.<\/td><td>Operates on an opt-in consent model, meaning that organizations cannot collect or process data unless the user gives their explicit consent.<\/td><\/tr><tr><td>Legal bases<\/td><td>There are no specific legal bases for collecting personal information.<\/td><td>Personal data can only be collected if there is a legal basis:&nbsp; <br>&#8211; consent <br>&#8211; to perform a contract <br>&#8211; legal obligation <br>&#8211; to protect vital interests <br>&#8211; in the public interest <br>&#8211; legitimate interest<\/td><\/tr><tr><td>Enforcement authority<\/td><td>California Attorney General and California Privacy Protection Agency (CPPA).<\/td><td>Data Protection Authorities (DPA) of the EU Member States.<\/td><\/tr><tr><td>Private right of action<\/td><td>Consumers can directly sue businesses only in the event of a data breach caused by a failure to take security measures, in specific circumstances.<\/td><td>Data subjects can lodge complaints with the DPA in their state and receive compensation if they have suffered material or non-material damage.<\/td><\/tr><tr><td>Civil penalties<\/td><td>Up to USD 2,500 per non-intentional violation and USD 7,500 per intentional violation, and statutory 
damages for data breach.<\/td><td>Up to 2 percent of annual turnover or EU 10 million, whichever is higher, for certain violations. Up to 4 percent of annual turnover or EU 20 million, whichever is higher, for more serious violations.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-does-the-ccpa-cpra-mean-for-companies-websites\">What does the CCPA\/CPRA mean for companies\u2019 websites?<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>If a business meets one of the CCPA\/CPRA thresholds and has an online property, it must take several steps to meet CCPA\/CPRA obligations.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The website must present visitors with a notice at collection that lists the categories and purposes of the personal data collected, whether personal information is sold or shared, and how long the business will retain the personal information.&nbsp;<\/li>\n\n\n\n<li>The website must include a privacy policy that informs consumers of their privacy rights and how to exercise them, as well as the business\u2019 privacy practices in more detail.<\/li>\n\n\n\n<li>If the business sells or shares personal data, it must present a link titled \u201cDo Not Sell Or Share My Personal Information\u201d to enable users to opt out of the sale of their personal data. 
It must also present a link titled \u201cLimit The Use of My Sensitive Personal Information\u201d to enable users to opt out of the use of their sensitive personal information.<\/li>\n\n\n\n<li>For personal information of minors, businesses must obtain explicit consent from the consumer (between 13 and 16 years) or their parent or guardian (when the minor is below 13 years) before their personal information can be shared or sold.<\/li>\n<\/ul>\n\n\n\n<p>Businesses can use a <a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/consent-management-platforms\/\">consent management platform (CMP)<\/a> like Usercentrics CMP to achieve CCPA compliance.<\/p>\n\n\n\n<p>A CMP enables websites to display cookie consent banners with straightforward links or buttons that enable users to opt out of data processing. It can also handle cookies and other tracking technologies, blocking their use when a consumer exercises their right to opt out.<\/p>\n\n\n\n<p>CMPs also help websites provide clear information to users about the types of data being collected, the purposes for collection, and the third parties that may receive this data, in accordance with the CCPA\/CPRA and other data privacy laws.<\/p>\n\n\n\n<p><em>Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In effect since January 1, 2020, the California Consumer Privacy Act (CCPA) was the first US state-level consumer privacy law. It established consumers\u2019 rights, set obligations for businesses, and influenced subsequent privacy regulations in other states.<\/p>\n","protected":false},"featured_media":7549,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[14,13],"class_list":["post-330","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry","resource_tag-privacy","resource_tag-regulations"],"acf":[],"yoast_head":"<title>California Consumer Privacy Act (CCPA): An Overview<\/title>\n<meta name=\"description\" content=\"Our California Consumer Privacy Act (CCPA) summary helps you understand how the California privacy law impacts businesses that collect personal information.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"California Consumer Privacy Act (CCPA): An Overview\" \/>\n<meta property=\"og:description\" content=\"Our California Consumer Privacy Act (CCPA) summary helps you understand how the California privacy law impacts 
businesses that collect personal information.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/\" \/>\n<meta property=\"og:site_name\" content=\"Usercentrics - US\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/usercentrics\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-26T10:51:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_some_1200x630_ccpa_091824_1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"California Consumer Privacy Act (CCPA) - an overview\" \/>\n<meta name=\"twitter:description\" content=\"The first, and to date, most influential state-level consumer privacy law passed in the US, is the California Consumer Privacy Act (CCPA).\" \/>\n<meta name=\"twitter:site\" content=\"@usercentrics\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/\",\"url\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/\",\"name\":\"California Consumer Privacy Act (CCPA): An Overview\",\"isPartOf\":{\"@id\":\"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_blog_1000x1000_ccpa.jpg\",\"datePublished\":\"2024-09-19T07:24:00+00:00\",\"dateModified\":\"2025-06-26T10:51:16+00:00\",\"description\":\"Our California Consumer Privacy Act (CCPA) summary helps you understand how the California privacy law impacts businesses that collect personal 
information.\",\"breadcrumb\":{\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/\"}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#primaryimage\",\"url\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_blog_1000x1000_ccpa.jpg\",\"contentUrl\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_blog_1000x1000_ccpa.jpg\",\"width\":1000,\"height\":1000,\"caption\":\"Golden Gate Bridge\",\"copyrightNotice\":\"\u00a9 Copyright 2026 Usercentrics GmbH\",\"creator\":{\"@type\":\"Organization\",\"name\":\"Usercentrics GmbH\"},\"creditText\":\"Image: Usercentrics GmbH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/resources\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"California Consumer Privacy Act (CCPA) \u2013 an overview\",\"item\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/#website\",\"url\":\"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/\",\"name\":\"Usercentrics - US\",\"description\":\"Consent Management Platform (CMP) 
Usercentrics\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/?s={search_term_string}\"}}],\"inLanguage\":\"en-US\"}]}<\/script>","yoast_head_json":{"title":"California Consumer Privacy Act (CCPA): An Overview","description":"Our California Consumer Privacy Act (CCPA) summary helps you understand how the California privacy law impacts businesses that collect personal information.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"California Consumer Privacy Act (CCPA): An Overview","og_description":"Our California Consumer Privacy Act (CCPA) summary helps you understand how the California privacy law impacts businesses that collect personal information.","og_url":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/","og_site_name":"Usercentrics - US","article_publisher":"https:\/\/www.facebook.com\/usercentrics","article_modified_time":"2025-06-26T10:51:16+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_some_1200x630_ccpa_091824_1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_title":"California Consumer Privacy Act (CCPA) - an overview","twitter_description":"The first, and to date, most influential state-level consumer privacy law passed in the US, is the California Consumer Privacy Act (CCPA).","twitter_site":"@usercentrics","twitter_misc":{"Est. 
reading time":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/","url":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/","name":"California Consumer Privacy Act (CCPA): An Overview","isPartOf":{"@id":"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#primaryimage"},"image":{"@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#primaryimage"},"thumbnailUrl":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_blog_1000x1000_ccpa.jpg","datePublished":"2024-09-19T07:24:00+00:00","dateModified":"2025-06-26T10:51:16+00:00","description":"Our California Consumer Privacy Act (CCPA) summary helps you understand how the California privacy law impacts businesses that collect personal information.","breadcrumb":{"@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#primaryimage","url":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_blog_1000x1000_ccpa.jpg","contentUrl":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/uc_blog_1000x1000_ccpa.jpg","width":1000,"height":1000,"caption":"Golden Gate Bridge","copyrightNotice":"\u00a9 Copyright 2026 Usercentrics GmbH","creator":{"@type":"Organization","name":"Usercentrics GmbH"},"creditText":"Image: Usercentrics 
GmbH"},{"@type":"BreadcrumbList","@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/usercentrics-poc.psapp.dev\/us\/resources\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/"},{"@type":"ListItem","position":3,"name":"California Consumer Privacy Act (CCPA) \u2013 an overview","item":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/california-consumer-privacy-act\/"}]},{"@type":"WebSite","@id":"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/#website","url":"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/","name":"Usercentrics - US","description":"Consent Management Platform (CMP) Usercentrics","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/test-usercentrics-poc.pantheonsite.io\/us\/?s={search_term_string}"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/knowledge\/330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/knowledge"}],"about":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/types\/knowledge"}],"version-history":[{"count":1,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/knowledge\/330\/revisions"}],"predecessor-version":[{"id":17462,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/knowledge\/330\/revisions\/17462"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/media\/7549"}],"wp:attachment":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/media?parent=330"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/tags?post=330"},{"taxonomy":"ma
gazine_issue","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/magazine_issue?post=330"},{"taxonomy":"magazine_tag","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/magazine_tag?post=330"},{"taxonomy":"resource_tag","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/resource_tag?post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}