The California Consumer Privacy Act is a California privacy law that gives residents more control over how businesses collect, use, share, and sell their personal information. It is one of the most important privacy laws in the USA because it can apply to businesses that handle personal information from California residents, even if the business is located outside California.
The CCPA took effect on January 1, 2020. It was later amended by the California Privacy Rights Act, also called the CPRA. Today, many official California resources refer to the law as the CCPA, as amended.
This article is for general information only and is not legal advice. Businesses should review the current law, regulations, and legal guidance before making compliance decisions.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) is a state privacy law that gives California residents specific rights over their personal information.
Personal information means information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. This can include names, contact details, online identifiers, commercial information, internet activity, geolocation data, and other categories covered by the law.
The CCPA gives consumers the right to ask what information a business collects, how it is used, whether it is sold or shared, and with whom it is disclosed. It also creates duties for businesses, including privacy notices, request-response processes, opt-out options, and safeguards around personal information.
What changed after the CPRA amendments?
The CPRA amended the CCPA and added new privacy protections that began applying in 2023. The California Attorney General explains that the CPRA did not create a separate law. It amended the CCPA and added new consumer rights and business obligations.
Important changes include:
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information.
- Expanded rules around selling and sharing personal information.
- Stronger focus on sensitive personal information.
- Creation of the California Privacy Protection Agency.
- More detailed regulations and enforcement activity.
For businesses, the main takeaway is that CCPA compliance should be reviewed as an ongoing privacy program, not a one-time 2020 checklist.
Who needs to comply with the California Consumer Privacy Act?
CCPA compliance generally applies to certain for-profit businesses that do business in California, collect personal information from California residents, and meet legal thresholds.
A business may need to comply if it meets criteria such as:
- Having annual gross revenue above the current statutory threshold.
- Buying, selling, or sharing personal information of a large number of California consumers or households.
- Deriving a significant portion of annual revenue from selling or sharing personal information.
The older CCPA threshold included 50,000 California residents, households, or devices. Under CPRA amendments, this threshold changed, so businesses should not rely on older numbers without checking the current statute.
This is especially important for SaaS companies, survey platforms, research businesses, ecommerce brands, marketing teams, and companies that collect customer or respondent data from California residents.
Who is protected under the CCPA?
The CCPA protects natural persons who are California residents.
This generally includes:
- Individuals in California for a purpose that is not temporary or transitory.
- Individuals domiciled in California who are temporarily outside the state.
That means a California resident may still have CCPA rights even while traveling or temporarily living elsewhere.
The law can affect both B2C and B2B contexts when personal information from California residents is collected and used. Businesses should review how they collect personal information from customers, employees, prospects, website visitors, survey respondents, and business contacts.
What consumer rights does the California Consumer Privacy Act provide?
The CCPA gives California residents several consumer privacy rights. These rights help consumers understand and control how businesses use their personal information.
Right to know
Consumers can request information about the personal information a business has collected about them.
This can include:
- Categories of personal information collected.
- Categories of sources.
- Business or commercial purposes for collection, sale, or sharing.
- Categories of third parties receiving the information.
- Specific pieces of personal information, when applicable.
Right to delete
Consumers can ask a business to delete personal information collected from them, subject to legal exceptions.
A business may be allowed to keep certain information when it is needed to complete a transaction, detect security incidents, comply with legal obligations, or use the information in ways allowed by the law.
Right to correct
Consumers can ask a business to correct inaccurate personal information it maintains about them.
This right was added through the CPRA amendments and is now an important part of CCPA consumer rights.
Right to opt out of sale or sharing
Consumers can opt out of the sale or sharing of their personal information.
Businesses that sell or share personal information may need to provide clear opt-out mechanisms, such as a “Do Not Sell or Share My Personal Information” link or other accepted methods. California also recognizes opt-out preference signals in certain contexts.
Right to limit sensitive personal information
Consumers can ask certain businesses to limit the use and disclosure of sensitive personal information.
Sensitive personal information can include certain types of government identifiers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, health information, biometric data, and other categories covered by the law.
Right to non-discrimination
Businesses cannot discriminate against consumers for exercising their CCPA rights.
This means businesses generally cannot deny goods or services, charge different prices, or provide a different level of service because a consumer used their privacy rights, except where the law allows certain differences tied to the value of the data.
What are the main CCPA requirements for businesses?
CCPA requirements can vary by business, but most covered organizations need clear processes for privacy notices, consumer requests, opt-outs, and data handling.
Common requirements include:
- Publish a clear privacy notice.
- Explain what personal information is collected and why.
- Provide methods for consumers to submit requests.
- Respond to verified consumer requests within required timelines.
- Offer opt-out choices for sale or sharing when applicable.
- Respect limits on sensitive personal information when applicable.
- Train employees who handle consumer privacy requests.
- Review service provider and contractor agreements.
- Maintain reasonable security practices for personal information.
- Avoid retaining personal information longer than reasonably necessary.
For companies that collect survey, research, customer experience, or employee experience data, these requirements can affect consent language, privacy notices, retention policies, access controls, and how consumer requests are handled.
How is CCPA different from GDPR?
CCPA and GDPR both focus on privacy rights, but they are not the same law.
The GDPR is a European Union privacy law that applies broadly to personal data processing and relies on a strong legal-basis model for processing data. The CCPA is a California privacy law focused on consumer rights, transparency, access, deletion, correction, opt-out rights, and limits on sale or sharing.
Key differences include:
| Area | General Data Protection Regulation | California Consumer Privacy Act |
|---|---|---|
| Location | Applies to the EU and certain global processing activities involving people in the EU. | Applies to California residents and covered businesses. |
| Legal model | Relies heavily on lawful bases for processing. | Focuses more on consumer rights and business disclosure obligations. |
| Opt-out rights | Broad rights to object to or restrict the processing of data overall. | Has specific rules for opting out of the sale or sharing of personal information. |
| Sensitive data | Addresses sensitive data, but definitions and obligations differ from CCPA. | Addresses sensitive data, but definitions and obligations differ from GDPR. |
| Enforcement | Enforced by EU data protection authorities. | Enforcement involves California privacy regulators. |
Businesses operating across regions may need separate but coordinated privacy programs for GDPR, CCPA, and other privacy laws.
What happens if a business violates the California Consumer Privacy Act?
CCPA penalties can include civil fines and regulatory enforcement.
California regulators can seek penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or per violation involving certain minors’ personal information. Penalty exposure depends on the facts, the violation, and enforcement decisions.
Consumers also have a limited private right of action for certain data breaches involving specific types of personal information. That does not mean consumers can sue for every CCPA violation. Many CCPA issues are handled through regulatory enforcement.
Businesses should treat CCPA penalties as one risk. The larger risk may be loss of customer trust, legal costs, operational disruption, and reputational damage.
What is QuestionPro doing for CCPA compliance?
QuestionPro supports privacy and compliance efforts by maintaining processes that help customers manage survey, research, and experience data responsibly.
As a SaaS provider, QuestionPro focuses on areas such as privacy documentation, data protection practices, customer-facing policies, employee awareness, and processes that support data subject rights. These efforts help customers use the platform while building their own compliance workflows.
QuestionPro’s CCPA-related efforts may include:
- Updating customer-facing documentation, including privacy policies and service agreements.
- Supporting internal privacy and security awareness.
- Reviewing data storage, safety, and access practices.
- Maintaining processes to respond to eligible privacy rights requests.
- Helping customers understand how survey and feedback data is collected and managed.
- Supporting responsible handling of personal information across research, CX, and employee experience programs.
You can also use text to learn more about QuestionPro’s privacy and data protection practices.
Businesses using any SaaS platform should still review their own CCPA obligations. A vendor can support compliance, but each covered business is responsible for understanding its own data collection, privacy notices, contracts, and consumer request workflows.
Final takeaway
The California Consumer Privacy Act gives California residents more control over their personal information and creates clear privacy obligations for covered businesses.
For organizations in the USA that collect customer, respondent, website visitor, or employee data from California residents, CCPA compliance should be treated as an ongoing privacy program.
Keep privacy notices current, understand what data you collect, support consumer rights, and review legal guidance as the law and regulations continue to develop.
If you have any problems related to the CCPA and QuestionPro, please contact us to schedule a meeting with our compliance manager.
FAQs about the CCPA
The California Consumer Privacy Act is a California privacy law that gives residents rights over how covered businesses collect, use, share, and sell their personal information.
Certain for-profit businesses that do business in California, collect personal information from California residents, and meet statutory thresholds may need to comply with CCPA.
Consumers may have rights to know, delete, correct, opt out of sale or sharing, limit sensitive personal information, and avoid discrimination for exercising privacy rights.
No. The CPRA amended the CCPA. It added new rights and obligations, but official California resources commonly refer to the law as the CCPA, as amended.
California regulators can seek civil penalties, including up to $2,500 per violation or up to $7,500 for intentional violations or certain violations involving minors’ information.


