What is the CCPA?

The California Consumer Privacy Act of 2018 (CCPA) is a comprehensive state privacy law codified in the California Civil Code as Title 1.81.5, spanning sections 1798.100 through 1798.199.100. Enacted by the California Legislature in 2018 and substantially amended by voter initiative Proposition 24 in November 2020, the CCPA establishes privacy rights for California consumers and imposes obligations on businesses that collect their personal information.

Legislative Framework

The CCPA is structured within California Civil Code as follows:

Civil Code
└── Division 3: Obligations
    └── Part 4: Obligations Arising from Particular Transactions
        └── Title 1.81.5: California Consumer Privacy Act of 2018
            ├── Sections 1798.100-1798.125: Core Consumer Rights
            ├── Sections 1798.130-1798.148: Implementation Requirements
            ├── Sections 1798.150-1798.199: Enforcement & Procedures
            └── Sections 1798.199.10-1798.199.100: CPPA Provisions

The statute comprises 49 sections covering consumer rights, business obligations, enforcement mechanisms, and the establishment of the California Privacy Protection Agency (CPPA). The full text is available on the California Legislative Information website.

Seven Fundamental Consumer Rights

The CCPA grants California consumers seven core privacy rights:

1. Right to Know What Information is Collected (§1798.110)
2. Right to Access Personal Information (§1798.110)
3. Right to Know What is Sold or Shared (§1798.115)
4. Right to Delete Personal Information (§1798.105)
5. Right to Correct Inaccurate Information (§1798.106)
6. Right to Opt Out of Sale or Sharing (§1798.120)
7. Right to Limit Use of Sensitive Personal Information (§1798.121)

These rights are enforceable through both regulatory action by the CPPA and private lawsuits in limited circumstances.

Business Obligations

Businesses that collect personal information from California consumers must comply with comprehensive obligations, including:

• Notice at Collection: Inform consumers of the categories of personal information collected, purposes for collection, and whether information is sold or shared (§1798.100)
• Retention Limits: Retain personal information only as long as reasonably necessary for disclosed purposes (§1798.100(a)(3))
• Security Requirements: Implement reasonable security procedures to protect personal information (§1798.100(e))
• Contractual Protections: Enter agreements with service providers and contractors that obligate them to comply with CCPA requirements (§1798.100(d))
• Response Procedures: Establish mechanisms to respond to verifiable consumer requests for access, deletion, and correction

Scope of Coverage

The CCPA applies to for-profit entities doing business in California that meet one or more of the following thresholds:

• Annual gross revenues exceeding $25 million
• Buy, sell, or share the personal information of 100,000 or more California consumers or households
• Derive 50% or more of annual revenues from selling or sharing consumers' personal information

The law defines "personal information" broadly to include any information that identifies, relates to, or could reasonably be linked with a particular consumer or household (see /key-definitions/personal-information for detailed categories).

Amendment History

The CCPA has evolved through several legislative updates:

Proposition 24, also known as the California Privacy Rights Act (CPRA), significantly expanded the CCPA's scope and established the California Privacy Protection Agency as an independent regulatory body.

Enforcement Structure

The CCPA establishes a dual enforcement framework:

• Administrative Enforcement: The California Privacy Protection Agency investigates violations and may impose administrative fines (§1798.155, §1798.199.40-199.90)
• Attorney General Authority: The California Attorney General retains concurrent enforcement authority (§1798.199.90)
• Private Right of Action: Consumers may sue businesses for statutory damages following certain data breaches involving unencrypted personal information (§1798.150)

For details on penalties and enforcement procedures, see /enforcement-and-penalties/penalties-and-damages and /cppa-oversight/investigation-procedures.

Relationship to Other Laws

The CCPA includes specific provisions governing its relationship to other privacy frameworks:

• Federal Law: The CCPA does not restrict businesses' ability to comply with federal law (§1798.196)
• Industry-Specific Exemptions: Medical information subject to the Confidentiality of Medical Information Act (CMIA), HIPAA-covered entities, and GLBA-regulated financial institutions have specific exemptions (§1798.145, §1798.146)
• Employment Data: Exemptions apply to certain employee and business-to-business communications, subject to sunset provisions
• Preemption: The CCPA preempts local ordinances but does not limit constitutional rights or common law (§1798.180)

For a comprehensive discussion of exemptions, see /legal-framework/exemptions-limitations.

Statutory Construction Principles

The CCPA includes explicit instructions for courts and regulators interpreting the statute:

• Liberal Construction: The law "shall be liberally construed to effectuate its purposes" (§1798.194)
• Anti-Avoidance: Agreements waiving CCPA rights are void (§1798.192)
• Consumer Protection Priority: Conflicting provisions are resolved in favor of consumer privacy (§1798.175)

These principles guide how the CPPA adopts regulations and how courts adjudicate CCPA disputes. See /legal-framework/statutory-construction for detailed guidance.

Next Steps

To understand your rights as a California consumer under the CCPA, continue to /understanding-ccpa/consumer-rights. For businesses seeking to implement compliance programs, see /implementing-ccpa-compliance/opt-out-mechanisms.