CCPA Explained

The California Consumer Privacy Act (CCPA) was enacted by the State of California in 2018 to prevent misuse of personal data by businesses and protect individuals’ rights.

CCPA imposes strict data protection compliance requirements, similar to the EU’s GDPR and Singapore’s PDPA. A failure to protect data in matters of end-to-end encryption, portability, conformity, and data residency entails obligations similar to those set out in the GDPR.


What is CCPA

The California Consumer Privacy Act, 2018 (CCPA) is a landmark law passed by the State of California to give consumers the right to control how businesses collect their personal information. The California Government has placed the CCPA enforcement responsibilities on the California Attorney General (AG). Although CCPA was enacted in 2018, it came into force in January 2020. 

CCPA applies to any company with business in California that meets any of the following criteria:

  • Has revenue of over USD 25 million;
  • Trades the personal information of over 50,000 customers;
  • Derives 50 percent or more of its annual revenue from selling customers’ personal data.


When explaining the reason for CCPA’s existence, legislators refer to the Cambridge Analytica incident of 2018, in which the company’s misuse of personal data was disclosed.

The CCPA's Four Primary Rights to Consumers

Complying with CCPA in 11 Steps

To ensure compliance with CCPA, companies must take the following actions:

  1. Upon the consumer’s request, inform them of the type of data collected and the purpose for which it has been collected;
  2. Verify the identity of consumers who request to access or delete their personal information;
  3. Deliver information to consumers free of charge within 45 days, by mail or electronically, and the information delivered must be portable, to the extent technically feasible;
  4. Delete personal information when consumers request it;
  5. Create a process to identify the individuals responsible for letting consumers opt out, and for not selling their data to third parties in response to such a request;
  6. Do not sell consumers’ personal information when they are between 13 and 16 years of age;
  7. Provide consumers the right to equal services and prices;
  8. Create a privacy policy as required by CCPA;
  9. Train and inform dedicated personnel to properly process new requests to exercise privacy rights;
  10. Make sure that agreements with service providers are CCPA compliant;
  11. Maintain records of requests and how you responded for 24 months in order to demonstrate your compliance.

How to build CCPA awareness training that works?