Personal data protection according to CCPA

January 1, 2020, became a special day in the field of personal data protection: the California Consumer Privacy Act, more commonly known as CCPA, came into force.

CCPA is the first consumer privacy protection act in the United States. No other state yet provides its residents with protection like CCPA.

CCPA applies to all commercial companies that do business in California, regardless of their location, and meet at least one of the following conditions:

  • the company buys, sells or provides access to the personal information of more than 50,000 consumers, that is, individuals who are residents of California (even if the individual is temporarily out of state);
  • the company’s annual gross income is over USD 25 million;
  • at least 50% of the company’s annual income is obtained from the sale of consumer personal information.

The main purpose of CCPA is to enable individuals to control the company’s actions concerning their personal information. The Act requires transparency in the collection, use, and dissemination of information.

CCPA guarantees the following privacy rights for California residents:

  • the right to be informed before or during the collection of personal information;
  • the right to know about the personal information that is collected, how it is used and distributed;
  • the right to access their personal information;
  • the right to delete collected personal information (with some exceptions);
  • the right to opt out of the sale of their personal information;
  • the right to non-discrimination for exercising their CCPA rights.

Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include name, nickname, social security number, email address, IP address, cookies, geolocation data, health, and family data.

It is immediately worth noting the difference between personal information under CCPA and personal information under the GDPR: CCPA also applies to information about the family and household. Interestingly, in the United States, it is common to use the term personal information rather than personal data. Unlike the GDPR, CCPA also lacks principles and grounds for processing personal information.

In addition, CCPA does not provide for the creation of a specialized regulatory body, and the California attorney general is responsible for overseeing compliance with the Act. In some cases, consumers can also bring claims against businesses, for example, if personal information is stolen through a hack as a result of a company’s inability to maintain reasonable security procedures and practices.

CCPA establishes fines for violations in the following amounts:

  • $2,500 for an unintentional and $7,500 for an intentional violation;
  • $100-750 per incident per customer (or actual damages, if higher) for damages caused by a security breach.

It may seem that the fines are rather small. However, they are imposed for each violation and are summed up. A personal information protection incident could affect hundreds of thousands of consumers, which would have a significant impact on the company’s well-being.

At the initial stages, business owners, as a rule, do not have the time and opportunity to independently figure out all the nuances of legislative regulation. The result is incorrectly written documentation, violations, fines, and a damaged reputation.

CCPA is a completely new act, and the practice of its application is just being developed.

To avoid mistakes and unnecessary costs, we advise you to delegate all legal issues to VigoLex professionals and concentrate on more important issues of strategic business development.
