Skip to Main Content

Top Questions About the New California Data Privacy Law, Answered

We’ve covered quite a bit about the CCPA, data, privacy, and security. But no series is complete without a final wrap-up.

Take a look at some of the most common CCPA questions and answers to help you further understand and retain details of the legislation and what it means for you.

Who is directly affected by the new California data privacy law?

On January 1, 2020, the CCPA went into effect. This legislation provides Californians with more control over their personal data and is considered the most expansive consumer privacy law in the country.

The CCPA affects two main groups as follows:

Businesses collecting California-based data

In the simplest terms, a business that collects data on people in California must meet the requirements of the new law. This certainly applies to companies within the state of California but can also include businesses outside of the Golden State. For example, a company selling privacy software located in New York would still have to follow the CCPA when a California resident downloads one of their programs.

A business that…

  • Collects data of a personal nature of a California resident
  • Decides how such data is used

…falls under the requirements of the CCPA, assuming they also satisfy at least one of the following criteria:

  • Has an annual gross revenue of more than $25 million
  • Buys, receives, sells, or shares personal data of at least 50,000 consumers on an annual basis
  • (e.g. data brokers)

If so, then the business must follow all requirements of the new California data privacy law.

Residents of California

The CCPA covers the personal data of all California residents. The legislation also covers those who are considered California residents but are temporarily residing in another state.

The CCPA includes additional restrictions for minors as well. Under CCPA regulations, the personal data of a consumer under the age of 17 may not be sold without consent. Children aged 13-16 may provide direct consent while the data of a child under the age of 13 may only be sold with parental consent.

What type of data is protected under the CCPA? What isn’t?

The CCPA protects the following types of consumer data:

  • Names
  • Post addresses
  • IP addresses
  • Email addresses
  • Social security numbers
  • Driver’s license numbers
  • Records of purchased products or services
  • Biometric information
  • Browsing history
  • Geolocation data
  • Employment-related data

The CCPA does not protect against data found in public government documents. For example, marriage licenses and criminal records are public information. But such collected data must come directly from a government document and not from a personal profile or social media page.

What new responsibilities does a company have under the CCPA?

A company who collects data on California residents and meets the size and operational criteria as previously listed must then meet the following requirements under the CCPA:

  • Update their privacy policy to include the type of information collected and processed, why the data is being collected, how the data is being collected, how consumers can request access or changes to their data, how consumers can request data to be moved or deleted, and how consumers can opt out of the data selling process all together.
  • Implement a verification system to identify consumers requesting personal data usage changes
  • Include a “Do Not Sell My Personal Information” link that allows consumers to opt out of data selling on website’s home page.
  • Obtain consent before selling data of a minor

Failure to follow such requirements may result in penalties between $2,500 and $7,500 for each data record in non-compliance. Consumers may also bring forth litigation against

As a consumer, what are my rights under the CCPA?

As a consumer covered under the CCPA, you have the right to:

  • Know what personal information is collected about you. This is to be provided through a general privacy policy or notice.
  • Know whether and to whom your personal data is being shared, sold, or disclosed to. You also have the right to opt-out of its sale to third parties. The term “sale” can be interpreted to also apply to data sharing.
  • Access your personal information once collected through a direct request to the collecting entity. Businesses have 45 days to disclose any requested information free of charge, with extensions being available under unique circumstances.
  • Request a business delete your personal information. This does not include information under legal hold or information legally required for record-keeping.
  • Not be discriminated against for exercising your rights under the CCPA. A business may not deny a consumer goods or services or implement a different pricing method after acting within their rights of the CCPA. For example, a consumer who requests a video chat service to delete their data cannot be denied service or presented with a higher user rate only applicable to their account.

Is my personal data safer under the CCPA?

CCPA terms require companies to provide “reasonable security” for collected consumer data. However, the depth of “reasonable” is not laid out in clear terms, leading to the assumption that any company suffering a data breach will be penalised.

As a consumer, it’s always in your best interest to consider a company’s stance on data security before interacting with them. Remember, the CCPA does not stop a business from collecting your data but rather provides rights to you as a consumer after the fact.

In theory, your data is safer under the new California data privacy law for two reasons. First, it puts a spotlight on the responsibility a company has to its customers in regard to their personal data. The CCPA also grants new and advantageous rights to consumers, allowing them the ability to understand and influence how their information is being used.

However, any online interaction comes with risks. Private data breaches are still a serious threat to businesses and consumers alike, even under the newly enforced regulations of the CCPA.

Is the CCPA identical to the GDPR?

While it’s safe to say that the CCPA was inspired by the GDPR, they are not identical.

The main difference to know about the two is that while the CCPA allows California consumers to opt-out of data collection and data sales, the GDPR requires permission from consumers BEFORE data can be collected.

The GDPR is a bit more polite in nature, asking for permission before collecting, analyzing, and selling any data. The CCPA, while still effective, is a bit more brash by assuming data collection is okay but having to back down if requested by a consumer.

Another big difference between the two is their reach. The CCPA applies to California residents only while the GDPR applies to anyone living within the 28 member states of the EU.

Will internet privacy laws make it safer for consumers to browse and shop online? Yes and no. Data is still being collected and processed the same as it was before the laws. Data can still be sold, and data breaches are still a prevalent threat.

But now that consumers under the CCPA have the ability to opt-out of data collection, learn how their data is being used, and ask that their information be deleted from data storage, the concept of combining security and privacy online becomes easier to achieve.

How will the CCPA affect American consumers outside of California?

The CCPA is likely to affect all Americans, even those who don’t call California home. If you’re a resident of another state, you don’t have the right to opt out of the sale of your data just yet. But you may find other aspects of the new legislation available to you.

For example, Microsoft is applying CCPS regulations to all users, not just those in California, while Mozilla is allowing all users to delete collected data no matter how far they live from the Golden State.

California is known for setting legislation trends. Thanks to the passing of the CCPA, twenty other states are considering their own privacy bills while Nevada and Maine have already passed privacy laws.

There’s movement on the federal level as well with several large tech companies requesting a blanket privacy law that covers all American businesses and residents. The Consumer Online Privacy Rights Act, or COPRA, was introduced on November 26, 2019. If passed, the bill would provide all Americans more control over their personal information.

As a whole, Americans are wary of data tracking. But Californians have been overwhelmingly supportive of the new California data privacy law. Only time will tell if similar legislation becomes standard throughout the country.


To learn more about its requirements and view the CCPA in its entirety, visit the California’s legislative website.

Avira logo

Protect your privacy online