What is CCPA?

The California Compliance Protection Act (CCPA) is a law passed in 2018 that gives consumers the right to know what information a company has collected on them and if that company has shared their personal information with any third party. It also allows consumers the ability to sue any organization that has failed to protect their privacy.

What is the CCPA Compliance Framework?

CCPA went into effect in 2020 and mandates stringent consumer privacy and protection. It defines and protects personally identifiable information (PII) on a much broader scale, including biometrics, internet search and browse data, and employment information. Compliance with the CCPA will ultimately help businesses build better consumer trust, enhance their reputation, and strengthen their brands.

With the California Consumer Privacy Act comes a new set of consumer rights covering how consumers interact and control their personal information. 

Who Does CCPA Apply To? 

The CCPA applies to for-profit businesses that meet certain thresholds. Here's a breakdown of the key factors:

• Does business in California: This applies even if the business is physically located outside California.
• Collects personal information: Personal information is broadly defined and includes names, email addresses, browsing history, and geolocation data.
• Meets at least one of these thresholds:
  • Has an annual gross revenue exceeding $25 million
  • Buys or sells the personal information of 50,000 or more California residents or households annually
  • Derives more than 50% of its revenue from selling consumers' personal information (as of a January 1, 2023 amendment)

What are the Penalties for Violating CCPA? 

The CCPA enforces compliance through two main channels: fines from the California Attorney General and private lawsuits from consumers.

• Fines by the Attorney General: The CCPA allows the California Attorney General to impose civil penalties of up to:
  • $2,500 per violation for unintentional violations.
  • $7,500 per violation for intentional violations.

It's important to note that "per violation" can mean a significant penalty, especially for larger businesses. Each instance of non-compliance with a consumer request or a security breach could be a separate violation.

• Private Lawsuits by Consumers: California residents can sue businesses for violating the CCPA's data security requirements. These lawsuits can seek:
  • Statutory damages range from $100 to $750 per consumer per incident.
  • Actual damages suffered by the consumer as a result of the CCPA violation.

The CCPA allows consumers to sue for whichever amount is greater, potentially leading to substantial payouts for businesses in non-compliance.

See Also 

• GDPR vs. CCPA
• Who Needs to Comply with CCPA?

Return to Cybersecurity Frameworks and Standards Glossary