CCPA/CPRA

California Consumer Privacy Act / California Privacy Rights Act

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive U.S. state privacy law. It grants California residents rights over their personal information and imposes obligations on businesses that collect such data. The law applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue over $25 million (a figure the statute indexes to inflation), annually buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information.

Key consumer rights include: knowing what personal information is collected and how it's used, deleting personal information held by businesses and their service providers, opting out of the sale or sharing of personal information, and non-discrimination for exercising privacy rights. CPRA (effective January 2023) added significant new rights: correcting inaccurate personal information, limiting the use and disclosure of sensitive personal information, and accessing information about automated decision-making.

CCPA takes a distinctive process-based approach to de-identification, contrasting with GDPR's risk-based anonymisation test and HIPAA's prescriptive Safe Harbor. Information qualifies as "deidentified" only if it cannot reasonably be used to identify, or otherwise be linked to, a particular consumer AND the business holding it satisfies a set of process requirements. The original CCPA text spelled these out as four items: technical safeguards prohibiting re-identification, business processes specifically prohibiting re-identification, business processes preventing inadvertent release of deidentified information, and no actual attempts to re-identify the information. CPRA consolidated them into three obligations: taking reasonable measures to ensure the information cannot be associated with a consumer or household, a public commitment to maintain and use the information only in deidentified form and not to attempt re-identification (other than to test whether the deidentification process itself works), and contractual obligations requiring every recipient to comply with the same requirements. Because the test turns on the holder's controls and commitments rather than on the data alone, a dataset that is technically deidentified under HIPAA Safe Harbor may still be "personal information" under CCPA if these process requirements are not met, unless it falls within the HIPAA-specific exemption discussed below.

The 2020 AB 713 amendment harmonized CCPA with HIPAA by exempting from CCPA scope patient information that has been de-identified under either HIPAA method (Safe Harbor or Expert Determination, 45 CFR 164.514), provided the data was derived from patient information originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, California's Confidentiality of Medical Information Act, or the Common Rule. The exemption carries its own conditions: re-identifying such data is prohibited except in narrow statutory circumstances, a business that sells or licenses it must include contractual re-identification prohibitions, and the business must disclose in its privacy policy whether it sells or discloses deidentified patient information and which HIPAA method it relied on. The amendment is an acknowledgment that healthcare-specific approaches may be appropriate for medical data even when CCPA would otherwise apply.

Enforcement is shared between the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement agency in the United States, which holds administrative enforcement authority, and the Attorney General, who retains civil enforcement authority. Administrative fines and civil penalties run up to $2,500 per violation and $7,500 per intentional violation or per violation involving the personal information of a consumer under 16. Separately, consumers have a private right of action (Civil Code §1798.150) for breaches of nonencrypted and nonredacted personal information that result from a business's failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater; a 30-day written cure notice must precede any action seeking statutory damages.

CCPA's influence extends beyond California as a de facto national standard for U.S. privacy compliance. As of 2025, over a dozen states have enacted comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, and others), most modeling their frameworks on CCPA's consumer rights structure while varying in enforcement mechanisms and de-identification standards. For businesses operating nationally, CCPA compliance typically serves as a baseline for multi-state privacy programs.