California Consumer Privacy Act (CCPA)

CCPA applies to for-profit businesses that collect personal data from California residents and meet any one of the following thresholds:

• Gross annual revenues over $25 million,
• Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices,
• Derive 50% or more of annual revenue from selling consumer personal information.

The law applies regardless of where the business is located, as long as it handles California residents' data.

Under the CCPA, California residents have the right to:

• Know what personal information is collected, sold, or shared about them.
• Access the specific data a business holds.
• Delete personal information collected by businesses (with some exceptions).
• Opt out of the sale of their personal data.
• Non-discrimination for exercising their privacy rights.

Businesses must provide clear notices and an easy-to-use opt-out mechanism, such as a “Do Not Sell My Personal Information” link.

CCPA enforcement is overseen by the California Attorney General and, more recently, the California Privacy Protection Agency (CPPA). Non-compliance can lead to:

• Civil penalties of up to $7,500 per intentional violation.
• Reputational damage from public exposure or breaches.
• Lawsuits in the case of certain data breaches involving personal information.

Complying with CCPA is also an indicator of privacy maturity and consumer trust, especially for businesses operating in the U.S. tech or e-commerce sectors.