Overview
Direct Answer
The California Consumer Privacy Act (CCPA) is a state-level privacy statute enacted in 2018 that grants California residents explicit rights over their personal information held by for-profit businesses. It mandates transparency in data collection, establishes consumer access and deletion rights, and requires opt-out mechanisms for data sales.
How It Works
The law operates through four primary consumer rights: access (right to know what data is collected), deletion (right to request erasure), opt-out (right to prevent sale or sharing of personal information), and non-discrimination (right to equal service despite privacy choices). Organisations must disclose privacy practices in accessible privacy notices and respond to verified consumer requests within 45 days, with limited exemptions for legally required retention.
Why It Matters
Compliance failure exposes organisations to statutory penalties of up to $2,500 per unintentional violation or $7,500 per intentional violation, enforced by California's Attorney General and private litigants. The law has prompted widespread adoption of privacy management infrastructure, data inventory processes, and consent platforms across industries serving California residents, establishing a de facto standard for US privacy regulation.
Common Applications
Technology companies, retail organisations, financial services firms, and healthcare providers have implemented data governance frameworks, automated consent management systems, and customer data platforms to satisfy CCPA requirements. E-commerce platforms and SaaS providers routinely integrate privacy request workflows and data subject access tools into their operations.
Key Considerations
The law applies only to California residents and businesses meeting specific revenue or data-processing thresholds, creating compliance complexity for multi-state operations. Tensions exist between consumer rights and business utility of data, particularly regarding the definition of 'personal information' and exemptions for employee and business-to-business contexts.
More in Governance, Risk & Compliance
Incident Reporting (Compliance & Regulation): The formal process of documenting and communicating security incidents, breaches, or compliance violations.
Sanctions Screening (Compliance & Regulation): The process of checking individuals and entities against government-issued lists of sanctioned parties.
Governance (Governance): The system of policies, rules, and processes by which activities are directed, controlled, and managed.
Business Ethics (Governance): The application of ethical principles and moral standards to business activities, decisions, and relationships.
AI Audit (Compliance & Regulation): An independent assessment of an AI system's compliance with regulatory requirements, ethical standards, and organisational policies, examining data, models, outputs, and governance.
ISO/IEC 42001 (Governance): The international standard for AI management systems that specifies requirements for establishing, implementing, maintaining, and improving AI governance within organisations.
Continuous Compliance (Compliance & Regulation): An automated approach to maintaining regulatory compliance through real-time monitoring, policy enforcement, and evidence collection integrated into development and operations pipelines.
Risk Management (Risk Management): The process of identifying, assessing, and controlling threats to an organisation's capital and operations.