Understanding the California Consumer Privacy Act (CCPA)

Learn why Top Industry Analysts consistently name Okta and Auth0 as the Identity Leader

The California Consumer Privacy Act (CCPA) is a piece of legislation passed in 2018 and enacted in 2020. The law gives California consumers control over the data companies collect, and consumers can even ask companies to remove specific pieces of information that have been gathered in the past. 

Few companies can afford to ignore the California privacy law. The legislation could protect any consumer who pops into your website. If you void visitor’s rights, you might face potential fines.

What is the California Consumer Privacy Act (CCPA)?

In the past, companies could collect a great deal of information about their website visitors. Consumers had little control over how their data was used, and sometimes, they didn't even know what a company knew about them. The California Consumer Privacy Act of 2018, commonly known as CCPA, changes the situation dramatically.

This significant law started as a small ballot initiative sponsored by the Californians for Consumer Privacy. After the law passed through legislator's hands and was approved, companies had several years to prepare for compliance. In 2020, the law went into effect, and all companies had to obey it or face the consequences. 

Key CCPA elements

Like most legislative efforts, the CCPA includes thousands of words and many legal principles. But the underlying principles and elements are relatively easy to understand. 

The California State Department of Justice says consumers have four basic rights under the CCPA:

  1. Knowledge: You have the right to know about the data a company collects about you. 
  2. Deletion: You have the right to ask a company to remove personal information that identifies you. 
  3. Removal: You have the right to ask a company not to sell your personal information. 
  4. Protection: You are protected from discrimination if you exercise these rights. 

Personal data is at the heart of CCPA. Think of something that could identify you in a crowd of people, and you're likely talking about protected data. You could ask a company to stop collecting your:

  • Name
  • Social Security number
  • Email address
  • Location 

Your browsing history, including the places you’ve visited before a specific website and the next place you go, could also identify you. Companies typically track your path with a tiny digital tag called a “cookie.” If that tag is persistent, meaning it can track you through sites or over a long time, it is considered personal information within the CCPA. 

CCPA compliance: How does it work?

The law includes the word "California," and it's easy to assume that only companies operating in the state are charged with compliance. Unfortunately, that's just not true. 

Only California residents have CCPA rights. But they take those rights with them when they’re online. If you engage in transactions for financial gain (which could mean something as simple as operating an online shop), you could be serving Californians. 

And most websites don't screen people by location. If you're online, anyone in any state could find you. There's no real way to ensure that you're protecting California residents unless you try to do so. 

As a company, you must comply if you:

  • Make at least $25 million annually, 
  • Gather info on more than 50,000 users,
  • Or you make more than half of your money on user data.

If you share common branding assets (like logos) with a company that meets these requirements, even if you do not, you could be required to comply too. 

Most companies prove their compliance through a privacy policy. But consumers must see that information before you grab any information from them. If you've seen popups on websites with long disclosures about information gathered, you've encountered CCPA rules. 

If you don't comply and a consumer complains, the California Attorney General sends you a 30-day warning. If you don't fix the problem, you could face a penalty of up to $7,500 per violation. 

Notice the use of the word "per" in that sentence. If you've been violating cookie policies for months, for example, you might have data on 20 or more people. Each one could land you a fine. 

No one is sure what will happen with CCPA in the future. But it's likely consumers will demand ever-increasing data transparency. If you're not offering that now, it's time to reconsider. 

CCPA is very similar to another piece of privacy legislation enacted in Europe: GDPR. If you're not sure what that law looks like and how it impacts you, read our blog.  


California Consumer Privacy Act of 2018. California Legislative Information. 

CCPA: A Brief History. Privacy Rights Clearinghouse. 

California Consumer Privacy Act (CCPA). State of California Department of Justice. 

Answers to the Most Frequently Asked Questions Concerning Cookies and Adtech. (February 2020). Bryan Cave Leighton Paisner. 

California's Privacy Law Goes Into Effect Today. Now What? (January 2020). Wired. 

CCPA FAQs on Cookies. (August 2019). The National Law Review. 

California Consumer Privacy Act. (February 2019). American Bar Association.