California Consumer Privacy Act (“CCPA”)

The CCPA’s broad privacy requirements are entirely new to the United States -- and with a compliance deadline of January 2020, the clock has already started.



What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a bill passed by the California state legislature on June 28, 2018. The CCPA is set to be the toughest privacy law in the United States. It broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. The CCPA is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020.

Applies to

  • Any business that offers products or services to CA residents and collects their personal information, regardless of the location of the business, and:
    • Has $25 million or more in annual gross revenues;
    • Possesses the personal data of 50,000 or more consumers, households, or devices; or
    • Earns more than 50% of its annual revenue from selling consumers’ personal data.


Does not apply

  • To nonprofit organizations.

  • If every aspect of a business’s collection/sale of PI takes place wholly outside of California.

  • Sale to/purchase from a consumer reporting agency.

  • Deidentified or aggregated PI.

  • PI covered by HIPAA or the California Confidentiality of Medical Information Act.

  • PI covered by Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.


  • Attorney General Enforcement (AG) regulations by July 1, 2020

  • Enforceable by AG starting July 1, 2020

  • Subject to a 30-day cure period.

  • Civil penalty up to $2,500 per violation or $7,500 per intentional violation, plus injunction

  • Damages: $100 to $750 per consumer per incident or actual damages.

Highlights of CCPA

  • Gives consumers ownership, control and security of their personal information.
  • Personal information definition: identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
  • Consumers are given rights to:
    • Access report
    • Remove or erase data from business systems
    • Opt out of the sale of data at any time
  • Opt in consent requirements
    • Consent required prior to any sale of PHI, including minors
    • Only access for opt in every 12 months if consumer exercises rights
  • Businesses are required to post details on their website, or by other public means, of how they are using or not using consumer data for the rolling 12 months, along with opt out instructions
  • Businesses will have to develop processes and procedures to accommodate all consumer rights including data mapping / access reports
  • Requirements for businesses to reasonably safeguard consumer data
  • Significant damage implications for businesses if they fail to comply (enforced by CA AG)
  • Compliance required by Jan. 2020

Aristi "CCPA" Services

Determine whether your company is in scope, and what you need to do to achieve California Consumer Privacy Act (CCPA) compliance.