California Consumer Privacy Act (CCPA)
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a state-level privacy law that was enacted in 2018 and went into effect on January 1, 2020. It was created to enhance privacy rights and consumer protection for residents of California.
The law requires businesses to be transparent about how they collect, use, and share personal information. It also gives consumers more control over their data, including the ability to access, delete, and restrict the sale of that information.
CCPA is one of the most comprehensive privacy regulations in the United States and has influenced broader discussions around data privacy across industries and other states.
Who Does the CCPA Apply To?
CCPA doesn’t apply to every business—only those that meet specific thresholds. A business is subject to the CCPA if it operates for profit and meets at least one of the following criteria:
- Has gross annual revenues of over $25 million
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices annually
- Derives 50% or more of annual revenue from selling consumers’ personal information
Additionally, companies that control or are controlled by a business that meets these thresholds—and share branding—may also fall under the scope of CCPA.
Even if a company is not based in California, it still needs to comply if it collects personal information from California residents.
Key Consumer Rights Under the CCPA
The CCPA grants several rights to consumers that businesses must accommodate:
- Right to Know: Consumers can request details about what personal data a business collects, uses, shares, or sells. This includes both the categories and specific pieces of personal information collected.
- Right to Delete: Consumers can ask businesses to delete their personal data, with certain exceptions (e.g., legal or security reasons). Businesses must clearly communicate these exceptions in their privacy policies.
- Right to Opt-Out: Consumers can request that a business not sell their personal information. Businesses must provide a clear and accessible mechanism, such as a “Do Not Sell My Information” link, to honor this request.
- Right to Non-Discrimination: Businesses cannot deny goods or services, or charge different prices, to consumers who exercise their CCPA rights. Incentive programs tied to data sharing must be disclosed and explained.
- Right to Correct (added by CPRA): Consumers can request corrections to inaccurate personal information held by the business. This right ensures the accuracy and integrity of stored data.
Consumers also have the right to request information about data collected during the 12-month period prior to their request. Businesses must provide a straightforward process for submitting and verifying these requests and are prohibited from charging for the service. Request mechanisms, such as dedicated email addresses, toll-free numbers, or online forms, must be easy to find and accessible to users of all abilities. Together, these rights require businesses to have mechanisms in place for the intake, verification, and fulfillment of consumer requests.
Definition of Personal Information
Under CCPA, personal information is broadly defined to ensure wide coverage and protection. It includes any information that: “Identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples include:
- Names, aliases, and addresses
- Email addresses and phone numbers
- IP addresses and device identifiers
- Geolocation data
- Purchase history
- Browsing and search history
- Employment or education data
- Biometric and audio/visual recordings
Business Obligations Under the CCPA
To comply with the CCPA, businesses must implement specific processes and safeguards:
- Notice at Collection: Inform consumers at or before data collection what categories of information will be gathered and how it will be used.
- Privacy Policy Updates: Maintain an up-to-date privacy policy that outlines consumer rights and business practices regarding personal data.
- Data Access & Deletion Mechanisms: Set up tools and workflows to respond to verified consumer requests within 45 days.
- “Do Not Sell My Information” Link: Include a clear link on websites for consumers to opt out of data sales.
- Training and Accountability: Train staff who handle customer inquiries and maintain audit logs of data requests and responses.
CCPA vs. GDPR: What’s the Difference?
While both CCPA and the European Union’s General Data Protection Regulation (GDPR) aim to protect consumer data, they differ in scope, terminology, and enforcement. In practice, companies that comply with GDPR often meet many—but not all—CCPA requirements.
| Feature | CCPA | GDPR |
|---|---|---|
| Jurisdiction | California residents | EU residents |
| Legal Basis for Processing | Not required (opt-out model) | Requires legal basis (opt-in model) |
| Personal Information | Broad, includes household-level data | Broad, more individual-focused |
| Opt-Out Rights | Right to opt out of data sale | Right to withdraw consent |
| Fines | Up to $7,500 per violation | Up to 4% of annual global turnover or €20M |
| Consumer Requests | Right to know, delete, opt-out, correct | Right to access, rectify, erase, restrict, object |
To understand the difference better, go to the glossary page for GDPR.
Penalties for Non-Compliance
CCPA enforcement is managed by the California Attorney General and the California Privacy Protection Agency (established under the CPRA). Businesses that fail to comply with CCPA requirements may face significant financial penalties, including:
- $2,500 per unintentional violation
- $7,500 per intentional violation
In addition to regulatory fines, consumers have the right to take legal action in cases involving specific types of data breaches—particularly where a business fails to implement and maintain reasonable security measures. To mitigate the risk of penalties, organizations must demonstrate a proactive approach to compliance by implementing proper safeguards, policies, and response mechanisms for handling consumer data requests.
CCPA and Data Retention Policies
Although the CCPA does not mandate specific data retention timelines, it emphasizes the importance of maintaining clear, reasonable, and purpose-driven retention policies. Businesses are expected to:
- Collect and retain only the data necessary to fulfill the stated business purpose
- Securely delete personal information once it is no longer required
- Clearly communicate retention practices to consumers, including how long data is kept or the criteria used to determine that timeframe
Implementing thoughtful data retention policies not only supports CCPA compliance but also strengthens overall data governance. These practices align closely with IT asset management (ITAM) strategies—especially when decommissioning hardware or retiring software that may contain sensitive information. Proper disposal procedures and documentation help ensure that personal data is permanently removed, reducing the risk of data exposure and reinforcing consumer trust.
The Role of IT Asset Management in CCPA Compliance
CCPA compliance doesn’t stop at software systems—it also involves hardware, devices, and data stored across the physical IT environment. This is where IT asset management (ITAM) plays a critical role.
Key ways ITAM supports compliance:
- Tracking Devices with Personal Data: Knowing where all hardware assets are, who they’re assigned to, and what data they store.
- Audit Trails: Maintaining logs that show when devices were accessed, reassigned, or decommissioned.
- Data Sanitization: Ensuring retired devices are properly wiped or destroyed, reducing the risk of data leakage.
- Lifecycle Management: Managing data exposure risks through onboarding, active use, and secure disposal of assets.
With the right ITAM platform, businesses can build a privacy-forward infrastructure that safeguards data across its entire lifecycle.
How Teqtivity Supports CCPA Compliance
Teqtivity strengthens CCPA compliance by providing the visibility and tools needed for secure, accountable asset management.
Key features include:
- Asset Lifecycle Tracking: Monitor the full journey of each device with timestamps and user assignments.
- Data Sanitization Records: Log when and how data is wiped from decommissioned devices for audit readiness.
- User-to-Asset Visibility: Identify who accessed or managed a device at any point in time.
- IAM Integration: Ensure asset access aligns with user permissions to protect sensitive data.
- Custom Reporting: Generate reports for audits, consumer data requests, and internal reviews.
- Tagging & Classification: Flag assets that may store personal data for extra oversight.
With Teqtivity, IT teams can confidently manage privacy risks and respond quickly to CCPA-related inquiries. Contact us to learn more.