The California Consumer Privacy Act (CCPA) applies to certain for-profit businesses that collect or have collected the personal information of California residents, whether or not those businesses are located in California.

Often compared to the European Union’s General Data Protection Regulation (GDPR), the CCPA is the most stringent data privacy law in the United States, and its reach is nearly as broad as that of the GDPR. There is no federal law comparable to the GDPR protecting consumer information. Some states have data privacy laws, but none as stringent as this new California law.

Which businesses must comply?

Enterprises and their service providers must comply with the CCPA when:

  • They operate as a for-profit business in California,
  • They collect personal data of California residents (or have that information collected on their behalf),
  • They determine, alone or with others, the purpose and means of processing personal information, and
  • They meet one or more of the following criteria:
    • Have more than $25 million in annual gross revenues, adjusted for inflation
    • Buy, receive for a commercial purpose, sell, or share the personal information of 50,000 or more California consumers, households or devices per year
    • Derive more than half their yearly revenue from selling California consumers’ personal information

The CCPA does have some exceptions. It does not apply to data governed by the Health Insurance Portability and Accountability Act (HIPAA), for example. Nor does it supersede federal, state, or local laws.

To which people does the CCPA apply?

Consumers and employees protected by the CCPA are those who qualify as California residents under the state’s tax laws, that is, natural persons residing in California. This means they:

  • Are in California for other than a temporary or transitory purpose, or
  • Maintain a residence in California but are temporarily outside the state.