Data Strategy · 6 min read · Credibility 92/100

California Consumer Privacy Act takes effect

CCPA is live. Starting January 1, 2020, California residents can demand to know what data businesses collect, request deletion, and opt out of data sales. If you meet the thresholds—$25M revenue, 100K consumers' data, or 50%+ revenue from selling data—you need to have your notice, rights-request workflows, and vendor contracts in order. This is the biggest U.S. privacy law since HIPAA.

Accuracy-reviewed by the editorial team

[Illustration: Data Strategy pillar, Zeph Tech briefings]

The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, activating notice, access, deletion, correction, and opt-out rights for California residents. This analysis converts the statutory text into a deployable operating model, with controls and metrics that align to data governance frameworks. The CCPA represents the most significant U.S. privacy regulation since sector-specific laws such as HIPAA and GLBA, establishing a comprehensive framework that influenced subsequent state privacy legislation nationwide.

Scope, Thresholds, and Covered Entities

The CCPA applies to for-profit entities collecting California residents' personal information that meet any of three thresholds: annual gross revenue exceeding $25 million; buying, receiving, selling, or sharing personal information of 100,000 or more consumers, households, or devices annually; or deriving 50% or more of annual revenue from selling or sharing consumers' personal information. If you are affected, carefully evaluate these thresholds across all legal entities and operating brands.

Personal information under CCPA covers a broad range of identifiers, including names, addresses, online identifiers, IP addresses, biometric data, geolocation, browsing history, professional information, and inferences drawn to create consumer profiles. The definition explicitly excludes publicly available information, deidentified data meeting specific safeguard requirements, and aggregate consumer information that cannot reasonably be linked to individuals.

Service providers and contractors face distinct obligations under CCPA. Written contracts must prohibit secondary use of personal information, prevent sale or sharing, limit retention to what is reasonably necessary, and prohibit combining personal information across different clients except where explicitly permitted. If you are affected, implement CCPA-specific addenda with flow-down requirements, audit rights, and incident notification service level agreements.

Consumer Rights Framework and Response Timelines

The CCPA establishes five core consumer rights that businesses must accommodate through verifiable request processes. The right to know requires businesses to disclose categories of personal information collected, sources, purposes, and third parties with whom information is shared. Consumers can also request specific pieces of personal information, subject to identity verification requirements.

The right to delete obligates businesses to erase consumer personal information upon request, with propagation to service providers. Exemptions exist for completing transactions, security purposes, compliance with legal obligations, and other specified circumstances. Organizations must document exemption decisions and communicate them clearly to requesting consumers.

The right to opt-out of sale or sharing requires businesses to provide a clear "Do Not Sell or Share My Personal Information" link and honor opt-out preference signals including Global Privacy Control (GPC). The distinction between "sale" (any value exchange) and "sharing" (cross-context behavioral advertising) requires careful classification of data flows to advertising technology, analytics platforms, and data enrichment services.

Response timelines require acknowledgment within 10 business days and a substantive response within 45 calendar days, with a possible 45-day extension for complex requests. If you are affected, implement intake tracking, verification workflows, and fulfillment automation to meet these deadlines consistently at scale.
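As an added example (not code from the briefing or from any regulator), the deadline arithmetic above can be encoded directly in the intake tracker. The holiday set, the ticket fields, and the status labels are assumptions; the intake-to-close figure is the KPI the metrics section later asks for.

```python
from datetime import date, timedelta

# CCPA timelines as stated in the text: acknowledge within 10 business days,
# substantive response within 45 calendar days, one 45-day extension possible.
ACK_BUSINESS_DAYS = 10
RESPONSE_CALENDAR_DAYS = 45
EXTENSION_CALENDAR_DAYS = 45


def parse_date(iso: str) -> date:
    """Parse a YYYY-MM-DD ticket timestamp (helper so callers need no datetime import)."""
    return date.fromisoformat(iso)


def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Advance `start` by n business days, skipping weekends and the assumed holiday set."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:  # Mon-Fri and not a listed holiday
            n -= 1
    return d


def dsar_deadlines(received: date, extended: bool = False, holidays=frozenset()) -> dict:
    """Return the acknowledgment and response due dates for a request received on `received`."""
    respond_by = received + timedelta(days=RESPONSE_CALENDAR_DAYS)
    if extended:  # the extension must be documented and the consumer notified
        respond_by += timedelta(days=EXTENSION_CALENDAR_DAYS)
    return {
        "acknowledge_by": add_business_days(received, ACK_BUSINESS_DAYS, holidays),
        "respond_by": respond_by,
    }


def request_status(received: date, today: date, acknowledged_on=None,
                   closed_on=None, extended=False, holidays=frozenset()) -> str:
    """Classify a ticket as closed, on_track, overdue_ack or overdue_response (assumed labels)."""
    due = dsar_deadlines(received, extended, holidays)
    if closed_on is not None:
        return "closed"
    if acknowledged_on is None and today > due["acknowledge_by"]:
        return "overdue_ack"
    if today > due["respond_by"]:
        return "overdue_response"
    return "on_track"


def intake_to_close_days(received: date, closed_on: date) -> int:
    """Intake-to-close KPI in calendar days; the metrics section targets 30 or fewer."""
    return (closed_on - received).days
```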

Notice Requirements and Transparency Obligations

CCPA mandates notice at or before collection identifying categories of personal information collected, purposes for collection, retention periods, whether information is sold or shared, and categories of third parties receiving information. Privacy policies must be updated at least annually and include specific CCPA-required disclosures about consumer rights and how to exercise them.

Financial incentive programs offering different prices, services, or quality levels based on consumer data must be accompanied by clear notice explaining the program terms, how to opt in or out, and the value of consumer data underlying the incentive. Non-discriminatory treatment is required—businesses cannot deny goods or services, charge different prices, or provide different quality solely because a consumer exercised CCPA rights.

Notice requirements extend to sensitive personal information categories including social security numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, health information, sex life or sexual orientation, and genetic data. When collecting sensitive information, businesses must explain purpose limitations and provide the right to limit use.

Operational Controls and Technical Implementation

Effective CCPA compliance requires integration of privacy controls into data architecture and business processes. Data inventory capabilities must track personal information by category, purpose, retention period, and sharing relationships across systems and vendors. Tagging mechanisms should identify California resident data to enable efficient request fulfillment and opt-out propagation.

Consent and preference management platforms should centralize opt-out signals, cookie consent, and communication preferences with APIs to propagate changes to downstream systems including customer data platforms, advertising technology, and email marketing tools. Global Privacy Control detection should be implemented across web properties with appropriate response handling.

Identity verification processes must balance fraud prevention with consumer access, implementing reasonable methods proportional to the sensitivity of information requested. Knowledge-based verification, one-time passcodes, or account authentication can satisfy verification requirements while minimizing additional data collection.

Vendor governance processes should screen new vendors for CCPA compliance capability before engagement, include CCPA-specific contractual terms, and maintain ongoing evidence of downstream request propagation. Quarterly vendor attestations documenting deletion completion and opt-out setup provide audit-ready evidence.

Enforcement Environment and Risk Assessment

The California Attorney General initially held exclusive enforcement authority under CCPA, with the California Privacy Protection Agency (CPPA) assuming expanded authority under the CPRA amendments. Civil penalties reach $2,500 per unintentional violation and $7,500 per intentional violation, calculated per affected consumer and per violation—creating significant exposure for systematic compliance failures.

A private right of action exists for data breaches involving unencrypted or unredacted personal information resulting from a failure to implement reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if greater, creating class action exposure for breaches affecting large consumer populations.

Risk mitigation strategies should include documented risk assessments for high-risk processing activities, consumer complaint tracking and remediation logging, and breach response procedures coordinated between privacy and security teams. Evidence of reasonable security measures provides an affirmative defense against private actions.

Metrics and Performance Measurement

If you are affected, track key performance indicators to demonstrate compliance effectiveness and identify operational improvements. Data subject access request (DSAR) intake-to-close time should target 30 days or less with documented extensions, measured through ticketing system timestamps and fulfillment artifacts. GPC honor rate should achieve 100% of eligible web and mobile sessions, verified through consent logs and web quality assurance testing.
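The following added example (not code from the briefing) covers both the Global Privacy Control detection described under operational controls and the GPC honor-rate KPI above: it reads the Sec-GPC request header, resolves the effective opt-out, writes a consent-log entry, and computes the honor rate over such entries. The JSON log format and the sample sessions are constructed for illustration.

```python
import json
from datetime import datetime, timezone

GPC_HEADER = "sec-gpc"  # Global Privacy Control is sent as the HTTP header "Sec-GPC: 1"


def gpc_signaled(headers: dict) -> bool:
    """True when the request carries a valid GPC signal."""
    # Header names are case-insensitive; only the literal value "1" counts as a signal.
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: dict, stored_opt_out: bool, now: datetime = None) -> dict:
    """Decide the effective sale/sharing opt-out for a session and build a consent-log entry.

    A GPC signal is honored as an opt-out even with no stored preference, and an
    existing stored opt-out is never cleared merely because the signal is absent.
    """
    signaled = gpc_signaled(headers)
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "gpc": signaled,
        "stored_opt_out": stored_opt_out,
        "opt_out_applied": stored_opt_out or signaled,
    }


def gpc_honor_rate(log_lines):
    """Share of GPC-signalled sessions where the opt-out was applied; None if none were eligible."""
    eligible = honored = 0
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("gpc"):
            eligible += 1
            honored += 1 if entry.get("opt_out_applied") else 0
    return None if eligible == 0 else honored / eligible


# Constructed consent-log lines (one JSON object per session) for demonstration.
_T = datetime(2020, 1, 6, 10, 0, tzinfo=timezone.utc)
SAMPLE_CONSENT_LOG = [
    json.dumps(resolve_opt_out({"Sec-GPC": "1"}, False, _T)),   # signal honored
    json.dumps(resolve_opt_out({"sec-gpc": "1"}, True, _T)),    # signal plus stored opt-out
    json.dumps(resolve_opt_out({"Sec-GPC": "0"}, False, _T)),   # "0" is not a signal
    # A signalled session where opt-out was not applied: an honoring failure to investigate.
    '{"ts": "2020-01-06T10:00:00+00:00", "gpc": true, "stored_opt_out": false, "opt_out_applied": false}',
]
```

Over the constructed log the honor rate is 2/3, which is exactly the kind of shortfall the 100% target is meant to surface.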

Vendor propagation metrics should track confirmation of deletion and opt-out requests within 15 days at 95% or greater completion rate. Notice coverage should be validated quarterly across all collection points through screenshots, tag scans, and change control documentation. Opt-out user experience should minimize friction, targeting less than 1% abandonment due to process complexity.

Sustainment and Continuous Improvement

CCPA compliance requires ongoing operational attention rather than one-time setup. Monthly DSAR quality assurance reviews should examine real request handling for accuracy and timeliness. Quarterly tag and cookie scans should verify notice coverage and opt-out signal honoring across web properties and mobile applications.

Annual training programs should address frontline staff handling consumer inquiries, engineering teams implementing privacy controls, and marketing teams using consumer data. Policy reviews should incorporate enforcement trends, regulatory guidance updates, and lessons learned from complaint handling.

Privacy steering committees with representation from legal, security, marketing, and product functions should approve new data collection, tracking technologies, and vendor engagements. This governance structure ensures privacy considerations are integrated into business decisions before setup creates compliance gaps.


Further reading

  1. California Consumer Privacy Act of 2018 (as amended) — California Department of Justice
  2. California Consumer Privacy Act (CCPA) Now in Effect — Office of the Attorney General, California
  3. CCPA Regulations Text — California Attorney General
