CCPA Compliance: become compliant with the California Consumer Privacy Act
What is the difference between CCPA and CPRA?
The CCPA was the first comprehensive state-level privacy law in the United States. It took effect on January 1, 2020, with enforcement beginning on July 1, 2020, and it has influenced the privacy laws that other states have passed since. The CPRA, which came into effect in California on January 1, 2023, significantly amends and expands the CCPA and is designed to work in tandem with it.
CCPA and CPRA compliance applies to for-profit companies doing business in California that meet at least one of these thresholds:
- more than US $25 million in annual gross revenue (for the preceding calendar year), or
- 50% or more of their annual revenue derived from selling or sharing personal data, or
- annually buying, selling, or sharing the personal data of 100,000 or more California consumers or households (under the CCPA the threshold was 50,000 consumers, households, or devices).
The CPRA modifies and expands consumers’ rights, brings B2B and employee data into scope (the CCPA’s temporary exemptions for that data expired on January 1, 2023), and establishes the California Privacy Protection Agency (CPPA).
VALUING PRIVACY
Consent management for CCPA compliance pays off
The CCPA and CPRA apply on the basis of the consumer, not the business: what matters is whether the people whose data is being processed are California residents, not where the company processing that data is located.
With the CPRA, California has created a new agency, the CPPA, dedicated to privacy rulemaking, administration, and enforcement alongside the Attorney General.
Privacy compliance is now both a legal requirement and a necessity for brand trust. A consent management solution is a valuable tool to achieve and maintain privacy compliance.
Organizations must also notify consumers of their rights and, upon receiving a verifiable request from a consumer, complete the following in a timely manner (the statute sets a 45-day response window, extendable once):
- honor the consumer’s opt-out of the sale or sharing of their personal data
- provide the consumer with a copy of the personal data collected about them
- delete the consumer’s personal data, or correct it where it is inaccurate (the right to correction was added by the CPRA).
ACHIEVING COMPLIANCE
Consent management and CCPA / CPRA compliance – how to be CCPA compliant
- Consumers have the right to opt out of the sale or sharing of their personal data at any time; until they do, companies may sell or share that data (except for consumers under 16, whose data may only be sold or shared with opt-in consent)
- Companies that sell or share personal data must provide a clear “Do Not Sell or Share My Personal Information” link on their website, and must honor opt-out preference signals such as Global Privacy Control as valid opt-out requests
- Companies must provide a clear, up-to-date description of consumers’ rights in their privacy policy
- Consumers have the right to know who collects or sells their data and how it is used, and to request that it be deleted or not sold or shared
PRIVACY INNOVATION
What is Global Privacy Control?
Global Privacy Control (GPC) is a browser-level opt-out signal developed by a cross-industry group to standardize how users express privacy preferences online. A browser or extension with GPC enabled sends the HTTP request header `Sec-GPC: 1` with every request and exposes the same preference to scripts as `navigator.globalPrivacyControl`. This gives every website and app the user visits a clear signal of their preference, rather than requiring the user to set new preferences on each site. Under the CPPA’s CCPA regulations, a business that sells or shares personal data must treat a GPC signal as a valid request to opt out of sale and sharing, so honoring it is required, not optional, for CCPA/CPRA compliance. A signal received from a browser must be honored even if it conflicts with a preference the consumer previously stored on the site.
The specification is deliberately technology-neutral: it defines the signal, not how a site must act on it, which leaves room for innovation in consent tooling. It benefits both businesses and consumers through streamlined privacy management and a better user experience.
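The following is an added example, not code from the original page or from Usercentrics, showing how a site can act on the GPC signal described above. The header name `Sec-GPC` and the `navigator.globalPrivacyControl` property come from the GPC specification; the cookie name `usprivacy_optout`, the sample requests, and the shape of the decision object are assumptions made for illustration.

```javascript
// Added example (not from the original page or from Usercentrics): treating the
// Global Privacy Control signal as a "do not sell or share" opt-out on the server.
// Per the GPC specification the browser sends the request header `Sec-GPC: 1` and
// exposes `navigator.globalPrivacyControl`; the cookie name `usprivacy_optout` and
// the decision object below are assumptions for illustration.

// True when the request carries a GPC signal. Header names are case-insensitive,
// and the spec defines the only meaningful value as exactly "1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Minimal Cookie-header parser (no third-party dependency) returning a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Decide whether "sale/share" tags (ad-tech pixels, data-broker SDKs) may run for
// this request. The GPC signal is checked first: the CCPA regulations treat the
// signal itself as the opt-out request, so it overrides a stored "allowed" state
// rather than the other way round.
function saleOrSharingAllowed(headers) {
  if (hasGpcSignal(headers)) {
    return { allowed: false, reason: 'gpc-signal' };
  }
  const cookieHeader = headers.cookie ?? headers.Cookie ?? '';
  const cookies = parseCookies(cookieHeader);
  if (cookies.usprivacy_optout === '1') {
    return { allowed: false, reason: 'stored-opt-out' };
  }
  return { allowed: true, reason: 'no-opt-out' };
}

// Client-side counterpart: the same check against a navigator-like object, so a
// consent banner can pre-select "opted out" before any round trip to the server.
function clientHasGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not captured traffic):
const SAMPLE_REQUESTS = [
  { 'Sec-GPC': '1', cookie: 'usprivacy_optout=0; session=abc' }, // signal wins over stored state
  { cookie: 'usprivacy_optout=1' },                               // explicit stored opt-out
  { 'sec-gpc': '0' },                                             // "0" is not a valid signal
  {},                                                             // nothing: sale/share allowed
];

if (typeof module !== 'undefined' && require.main === module) {
  for (const req of SAMPLE_REQUESTS) {
    console.log(JSON.stringify(saleOrSharingAllowed(req)));
  }
}
```

The ordering in `saleOrSharingAllowed` is the security-relevant part: a consent platform that consults its own stored preference first and only then looks at the header will keep selling or sharing data for a user whose browser is sending `Sec-GPC: 1`, which is exactly the failure mode the regulations rule out. The decision object records why sale/sharing was refused, which is what you want in the logs when demonstrating to a regulator that signals were honored.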
YOUR QUESTIONS ANSWERED
Contact our expert team
We’re happy to help answer questions about data privacy and the CCPA/CPRA. Learn about Usercentrics’ Consent Management Platform.
- Doing business in California and unsure whether your business is compliant with privacy law?
- Not sure how to achieve compliance or what your company’s specific responsibilities are?
- Get in touch and learn how the Usercentrics Consent Management Platform can help you achieve CCPA and CPRA compliance.
- Looking to partner with us?
Frequently asked questions
What happens if my company is not compliant with CCPA?
You risk fines, civil penalties, and reputational losses for failing to comply with the CCPA. For an unintentional violation, you can be fined up to US $2,500 per violation. For an intentional violation, or one involving the personal data of consumers under 16, the penalty is three times higher at up to US $7,500 per violation. Further, the CCPA gives consumers a private right of action for data breaches caused by a failure to maintain reasonable security measures: affected consumers can recover statutory damages of US $100 to $750 per consumer per incident, or actual damages if greater, and such claims are typically brought as class actions. You could also lose revenue from user churn because of loss of trust and damage to your reputation.
What is the difference between GDPR and CCPA compliance for California residents?
While both the GDPR and CCPA protect user privacy and regulate how companies that collect user information handle this sensitive data, there are some differences in how they apply.
The GDPR applies to any organization that processes data from users in the EU, regardless of where the company is located. The CCPA only applies to organizations that process data from California residents.
Additionally, the CCPA only applies to a company that meets one of its thresholds: buying, selling, or sharing the personal data of 100,000 or more California consumers or households per year; gross annual revenue (in the previous year) exceeding US $25 million; or 50% or more of annual revenue derived from selling or sharing consumers’ personal data. The GDPR has no such size thresholds.
Like the GDPR, the company’s location has no bearing on whether the CCPA applies if it is processing the personal data of California residents. Second, the GDPR requires that companies have a legal basis for collecting user data, while the CCPA has no such requirement. Third, where the GDPR relies on consent (as it does for most cookies and tracking under the EU’s ePrivacy rules), that consent must be explicit: users must actively opt in before a company can collect their data. The CCPA doesn’t require user consent to collect, process, or sell data, except for the sale or sharing of data of consumers under 16. Instead, it gives users the right to opt out and request that their personal data not be sold or shared. Finally, while the GDPR doesn’t prescribe any specific wording for cookie consent banners or elsewhere, the CCPA requires companies that sell or share personal data to have a link titled “Do Not Sell or Share My Personal Information” clearly visible on their website.