What is the California Consumer Privacy Act (CCPA)?
Explore IBM's CCPA compliance solution Subscribe to Security Topic Updates
Illustration showing collage of cloud, fingerprint and mobile phone pictograms
What is the CCPA?

The California Consumer Privacy Act (CCPA) is a California state law enacted in 2020 that protects and enforces the rights of Californians regarding the privacy of consumers’ personal information (PI).

Within the digital world, marketers consider consumer data as the new gold, recognizing its immense potential value. However, despite the wishes of corporate interests to mine this data, a growing movement insists that the consumers being studied by such data should have a say in how the information they’ve generated is used or not used.

In California, that movement’s aims have been transformed into law, through passage of the CCPA. It strikes a forceful blow for consumer rights and cybersecurity by giving the State of California a capable framework for enforcing data privacy laws and regulations. It provides California residents with a path toward private right of action, in order to seek legal recourse from data breaches.

IBM Security X-Force Threat Intelligence Index

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security X-Force Threat Intelligence Index.

Related content

Register for the Cost of a Data Breach report

CCPA rights and protections

CCPA guidelines were designed to give California consumers a set of rights that deals expressly with personal data privacy and affords them reasonable security safeguards. These rights include Californians’ ability to make consumer requests about their customer data. These requests can include how to:

  • Prevent sale of their personal information to third-party companies (that is, The Right to Prevent Resale) by issuing the so-called “Do not sell my personal information” directive

  • Ask for data about any personal information that has been collected (The Right to Access)

  • Request that all collected data about that consumer be deleted (The Right to Be Forgotten)

The California Privacy Protection Agency makes sure that California residents also have protections and are suitably notified about data changes affecting them. It also enforces anti-discriminatory rules that mandate persons cannot be subjugated or otherwise penalized because they choose to exercise these rights.

What categories of personal information are regulated?

Although most consumers possess a general idea of what is meant by “personal data,” the phrase can mean different things to different people, and considerably more things than first imagined.

Within the context of the CCPA, personal data is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1

CCPA guidelines cover these specific examples of personal data:

  • Name

  • Address

  • Phone number

  • Email address

  • IP address

  • Birthdate

  • Social Security number

  • Driver’s license number

  • Passport number

  • Banking account information

  • Credit card or debit card numbers

  • Education data and credentials

Marketers find that personal data becomes even more valuable when each type of information is combined through data analytics. They can use it to create composite views of particular consumers or groups of consumers. They can also make broader inferences about consumer marketing trends, for example. Some of the other forms of PI routinely collected can be equally revealing, including:

  • Consumer shopping preferences

  • Personal browsing histories

  • Articulated personal attitudes

  • Specified personal behaviors

Another area of concern involves cookies and how they are used as unique identifiers by websites. This includes first-party cookies, which are designed to delete themselves once their business purpose has concluded. And there are third-party cookies, which don’t automatically self-delete. Third-party cookies have the functionality to collect various types of personal data, including sensitive personal information.

Because of the potential for misuse of third-party cookies by websites, the CCPA considers data gathered over a website through the use of cookies to be PI and therefore worthy of protection.

Learn how to discover and classify your data
CCPA compliance strategies

Most affected organizations approach CCPA compliance not as a single step but as a process. The first part of that process often involves a shift in mindset toward the consumer, and realizing that their privacy needs matter and do carry enforceable rights.

Maintaining CCPA compliance involves upholding the various California consumers by providing them with options for how their personal data inventory is administered (including opt-in choices). It also means keeping up with any evolutionary changes in the CCPA in order to keep pace with new technology (such as biometrics) and CCPA policy revisions.

Becoming CCPA-compliant involves a set of steps that might require six months or even a year to achieve in full. Nonetheless, each plays a vital role in establishing CCPA compliance. (Since certain compliance requirements can be undertaken concurrently, we use bullet points to steps rather than numbers.)

Locating all customer data

The first step is getting an accurate idea of what consumer data to gather, as well as cataloging its various locations. This data would pertain to both the “exterior” consumer data collected from consumers outside the company and consumer data gathered “internally” from company employees and job applicants.

Protecting all collected data

It’s essential to maintain secure housing for all gathered personal data, whether it comes from consumers or job applicants. There are also additional provisions related to the protection of information gathered from minors.

Learn more on data security and protection
Alerting consumers that their data has been collected

A “notice at collection” statement should be issued to all consumers (or even company workers and job seekers). Importantly, this privacy notice should be communicated before or at the time the data-collection activities begin—and not after they’ve already started.

Establishing and announcing a company privacy policy

Most organizations now maintain a detailed data privacy policy for their company, and publish it on their website.

Determining how to administer requests for consumer data

It’s also important to configure an effective and timely means for handling any requests related to consumer information.

Limiting the amount of PI collected to only what’s needed

Data minimization rules should be developed and implemented to ensure that the organization collects only the minimum amount of PI necessary to achieve a given purpose. Organizations should also consider possible dangers to consumers if the collected data is breached and implement appropriate preventive measures (for example, automatic deletion of collected data after its use). 

Keeping everybody on the same page

One key aspect of achieving compliance is making sure company managers and all employees are aware of CCPA requirements, especially requirements directly impacting their scope of work. Updates can be achieved through training sessions and webinars.

Staying up to date on CCPA developments

Laws and regulations are often subject to change and amendments. (The CCPA itself underwent such revisions before its 2023 re-launch.) Therefore, it’s a good idea to remain current on CCPA developments.

CCPA enforcement and noncompliance penalties

Data brokerage—the buying and selling of PI—is a booming business, which experts valued at USD 240 billion globally in 2021. That amount is expected to nearly double and balloon to more than USD 450 billion annually by decade’s end.2

Anything as valuable as data must be protected vigorously. Accordingly, the California Privacy Protection Agency (CPPA) is empowered to strike at the bottom line of companies that violate CCPA tenants. CCPA penalties are capped at a relatively low rate of either USD 2,500 for an offending contact that is unintentional or USD 7,500 for an intentional violation. It is worth noting that these CCPA penalties apply to just a single offense, such as a data breach involving one person.

But the reality is that data breaches rarely involve a single impacted party. Instead, they are more typically mass events involving thousands or even hundreds of thousands of consumers. So if you multiply possible CCPA fines by a large number of California residents, you could soon be calculating gigantic penalties.

The CCPA does offer offending companies a way out of paying these hefty fines, by giving offenders a 30-day grace period to remediate the error they’ve committed. If an offender can enhance their security measures and “fix” the problem within a month, then the penalty fee can be waived. Obviously, companies are financially obliged to remedy such offenses, but that can prove difficult or even impossible in some situations. It is because offenses such as data breach often involve data disclosures that can’t be reversed.

Recent CCPA news and trends

The scope of the CCPA continues to expand and evolve in order to keep pace with technology’s explosive growth, such as the Internet of Things (IoT).

For example, the CPPA has recently announced a new focus of attention—“connected” vehicles (CVs) that are equipped with data-collection mechanisms. Modern vehicles have the means to collect a comprehensive amount of information about drivers as well as geolocation data and transmit that data. California has more than 35 million registered vehicles, making it a huge undertaking. But according to the CPPA’s Executive Director, it’s a need that requires attention.

“Modern vehicles are effectively connected computers on wheels,” Ashkan Soltani stated in July 2023. “They’re able to collect a wealth of information via built-in apps, sensors and cameras, which can monitor people both inside and near the vehicle.”3

The phrase “near the vehicle” is noteworthy. It implies that not only drivers’ data is protected, but also anyone who might be riding in that car and even individuals walking near the vehicle. On-board cameras on the vehicles can capture momentary images of these people.

This announcement also seems significant because it shows the CCPA using its authority to protect personal data generated through IoT, in this case, from connected vehicles. The announcement may prove even more significant if it signals an agency's intention to rule on an increasing number of cases involving IoT-related matters in coming years.

CCPA versus GDPR

When the European Union (EU) enacted the General Data Protection Regulation (GDPR) in May 2018, it launched the most proactive framework possible for protecting personal and/or consumer information. The CCPA has become known as the strictest data privacy policy in effect within the US. Consequently, some observers want to know how the two standards compare.

In most ways, the two standards are cut from the same cloth. Both the GDPR and the CCPA:

  • Are guided by an instinct to protect and empower the individual citizen

  • Give the consumer the right to object to collected data and have it corrected, if the collected data is in error

  • Give the consumer the right to access their personal information, relocate it or (should they choose to do so) erase it permanently

  • Demand that consumers be personally notified if the security of their collected data is breached

There are also differences. The GDPR has cross-border transfer requirements not needed in single-state California. Likewise, the CCPA applies restrictions on the sale of PI, which the GDPR does not.

Still, there are more similarities than differences between the GDPR and the CCPA. Both standards face challenges with third-party risks. This challenge arises when one company essentially outsources its management of personal data to an outside firm. That third-party firm must then be ready and legally able to assume the same CCPA-based responsibilities for PI. These are the same responsibilities that the original company incurred after originally collecting or purchasing the data in question. Both the CCPA and GDPR require companies to share the categories of third parties with which they share information, what information they share with each, and why.

The GDPR and the CCPA also share another major trait—the ability to financially penalize service providers and other companies that commit non-compliance infractions. Recently, they demonstrated this ability in a dramatic manner with the largest data-privacy penalty fine yet recorded.

In May 2023, the Irish Data Protection Commission (DPC) levied a record-setting fine of EURO 1.2 billion (approximately USD 1.3 billion) against Meta (formerly Facebook). This fine was for unlawfully using European data within its American businesses, which include Instagram.

Related solutions
IBM Security® Guardium® Insights

Automate compliance auditing and reporting, discover and classify data and data sources, monitor user activity and respond to threats in near real-time. Guardium Insights supports a modern, zero-trust approach to data security, by helping to uncover unusual activity around sensitive data and reducing the risk of exposure.

Explore Guardium Insights

Data security and protection solutions

Gain sharper visibility and keen insights to assist you in investigating and remediating cyberthreats. Enforce security policies and access controls in near-real time to quickly address regulatory compliance needs.

Explore data security and protection solutions

Data privacy solutions

Deliver trusted customer experiences and grow your business with a holistic, adaptive approach to data privacy based on zero trust principles and proven data privacy protection. With IBM data privacy solutions, you can strengthen data privacy protection, build customer trust and also grow your business.

Explore data privacy solutions
Resources Cost of a Data Breach Report 2023

Be better prepared for breaches by understanding their causes and the factors that increase or reduce costs. Learn from the experiences of more than 550 organizations that were hit by a data breach.

What is personally identifiable information (PII)?

PII is personal data that can be used to uncover a specific individual's identity, such as Social Security numbers, full names, and phone numbers.

What is information security?

Information security protects an organization's important digital files and data, paper documents, physical media and more against unauthorized access, disclosure, use or alteration.

Take the next step

IBM Security Guardium Insights offers a unified data security solution with both SaaS and on-premises capabilities to protect data where ever it lives. Improve you data security posture with centralized visibility, continuous data monitoring, and advanced compliance features with automated  workflows. Connect and protect data in 19+ cloud environments and detect data security vulnerabilities from a single location.

Explore Guardium Insights Book a live demo

14 Types of Personal Data Under the California Consumer Privacy Act (CCPA),” Eric Andrews, securiti website (link resides outside ibm.com)

2Data Brokers Market Outlook 2031,” Data Brokers Market, Transparency Market Research website (link resides outside ibm.com)

3CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies,” reported 23 July 2023 on the California Privacy Protection Agency website (link resides outside ibm.com)