7.2 CCPA & CPRA — California Leads
Module 7: Privacy Laws in the Americas
Explains California's Consumer Privacy Act (CCPA, 2020) and its amendment by the California Privacy Rights Act (CPRA, 2023), covering applicability thresholds, consumer rights, the CPPA, the opt-out of sale mechanism, and the spread of state-level privacy laws.
When the European Union's GDPR came into force in 2018, it set a global benchmark. In the United States, it was California that answered first — and most ambitiously. The California Consumer Privacy Act (CCPA) took effect January 1, 2020, and its successor measure, the California Privacy Rights Act (CPRA), became fully operative on January 1, 2023. Together they represent the most comprehensive US state privacy regime — and a model that roughly 20 other states have since followed.
Who does it apply to?
CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of three thresholds: (1) annual gross revenues above $25 million; (2) annually buy, sell, receive, or share for commercial purposes the personal information of 100,000 or more consumers or households; or (3) derive 50% or more of annual revenues from selling or sharing consumers' personal information. The law protects California residents regardless of where the business is located — meaning a London-based company doing business in California may be covered.
Consumer rights under CCPA/CPRA
The framework gives California residents a suite of rights:
- Right to know — what personal information is collected, used, disclosed, and sold
- Right to delete — request deletion of personal information (with exceptions)
- Right to opt out of sale or sharing — tell a business not to sell or share your personal information with third parties
- Right to non-discrimination — you cannot be penalised for exercising privacy rights (no worse service, no higher prices)
- Right to correct — request correction of inaccurate personal information (added by CPRA)
- Right to limit use of sensitive personal information — restrict use of sensitive data (health, precise geolocation, finances, race, religion, sexual orientation) to what is necessary for the service (added by CPRA)
The California Privacy Protection Agency (CPPA)
The CPRA created the California Privacy Protection Agency — the first dedicated US privacy enforcement agency, independent of the Attorney General. The CPPA has rulemaking authority and can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors' data.
Opting out: the GPC signal
One of CCPA/CPRA's most practical innovations is the opt-out-of-sale mechanism. Businesses must display a "Do Not Sell or Share My Personal Information" link. The CPRA also requires businesses to honour the Global Privacy Control (GPC) — a browser-level signal that automatically communicates opt-out preference to every website you visit. Supported by Firefox, DuckDuckGo browser, and several extensions, GPC is privacy-by-design in action.
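How a server might honour the signal, as an added example that is not part of the course material: the GPC specification sends the preference as the request header `Sec-GPC: 1`, and the code below treats it as an opt-out alongside a preference saved through the "Do Not Sell or Share" link. The recipient names, the `saleOrShare` flag and the `storedOptOut` parameter are hypothetical.

```javascript
// Added example, not the course's or any vendor's code.
// Only the "Sec-GPC" header and its value "1" come from the GPC specification;
// every other name here is a hypothetical chosen for illustration.

// Return true when the request carries a valid GPC signal.
// Header names are case-insensitive, and the only defined value is "1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    // Some frameworks expose repeated headers as arrays; require every value to be "1".
    const values = Array.isArray(value) ? value : [value];
    return values.length > 0 && values.every((v) => String(v).trim() === '1');
  }
  return false;
}

// A consumer counts as opted out if either source says so: the browser signal
// on this request, or a preference saved earlier via the opt-out link.
function isOptedOut(headers, storedOptOut) {
  return hasGpcSignal(headers) || storedOptOut === true;
}

// Constructed sample: downstream recipients of a page-view event.
// "saleOrShare" marks recipients whose receipt would count as selling or sharing.
const RECIPIENTS = [
  { name: 'analytics-processor.example', saleOrShare: false },
  { name: 'ad-exchange.example', saleOrShare: true },
  { name: 'data-broker.example', saleOrShare: true },
];

// Decide which recipients may receive the event for this request.
function allowedRecipients(headers, storedOptOut, recipients = RECIPIENTS) {
  const optedOut = isOptedOut(headers, storedOptOut);
  return recipients
    .filter((r) => !(optedOut && r.saleOrShare))
    .map((r) => r.name);
}

// Constructed requests: one with the signal, one without.
console.log(allowedRecipients({ 'Sec-GPC': '1' }, false));
console.log(allowedRecipients({ 'User-Agent': 'constructed' }, false));
```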
A national ripple effect
As of 2024, approximately 20 US states have passed comprehensive state privacy laws — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. Most share a similar structure: applicability thresholds, a bundle of consumer rights, and an opt-out mechanism for sale and targeted advertising. None yet match CCPA/CPRA's breadth or CPPA's independent enforcement body.
Your takeaway
If you are a California resident, CCPA/CPRA gives you some of the strongest privacy rights in the US. If you work with personal data from California consumers, compliance is mandatory — wherever your business is based.