The Structure of CCPA Law
CCPA law consists of two primary statutes: the original California Consumer Privacy Act of 2018 (AB 375) and the California Privacy Rights Act of 2020 (Proposition 24), which significantly amended and expanded the original law. Together, they form a comprehensive data privacy framework that is among the strongest in the world.
"CCPA law covers any personal information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household — a definition broader than virtually any other U.S. privacy statute."
Core Legal Obligations Under CCPA Law
Businesses subject to CCPA law must fulfill the following legal obligations:
- Privacy Notice at Collection — Inform consumers of the categories of personal information collected and the purposes for which it will be used
- Privacy Policy — Maintain a comprehensive, up-to-date privacy policy disclosing all required information
- Consumer Request Mechanisms — Provide at least two methods for consumers to submit requests (including a toll-free number)
- Response Timelines — Respond to consumer requests within 45 days (extendable by 45 days with notice)
- Data Minimization — Collect only personal information reasonably necessary for disclosed purposes (CPRA requirement)
- Opt-Out Mechanism — Provide a clear "Do Not Sell or Share My Personal Information" link
"Under CCPA law, businesses that sell or share personal information of consumers under 16 must obtain opt-in consent — and for consumers under 13, parental consent is required."
CPRA Amendments to CCPA Law
The California Privacy Rights Act (CPRA), effective January 1, 2023, made significant amendments to CCPA law, including:
- Creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement authority
- New category of "sensitive personal information" with enhanced protections
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
- Mandatory cybersecurity audits for high-risk businesses
- Data retention limitations — businesses cannot retain personal information longer than necessary
CCPA Law Penalties and Enforcement
Non-compliance with CCPA law carries significant financial consequences. The CPPA can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. Each affected consumer constitutes a separate violation.
"CCPA law's private right of action allows consumers to sue for $100–$750 per consumer per incident — meaning a breach affecting 50,000 California consumers could result in up to $37.5 million in statutory damages."