Glossary
CCPA
CCPA (California Consumer Privacy Act, 2018) is a state law giving California residents specific rights over their personal data, including the right to know, delete, and opt out of sale.
CCPA is California's primary consumer-privacy law. It applies to businesses that collect personal information from California residents and meet at least one of the following: gross revenue over $25M; buying or selling the personal info of 100K+ Californians annually; or earning 50%+ of revenue from selling personal info.
Core consumer rights under CCPA: (1) Right to know — what personal info is collected, how it's used, who it's shared with. (2) Right to delete — request deletion of your personal info. (3) Right to opt out of sale — direct businesses to stop selling your info. (4) Right to non-discrimination — businesses can't penalize you for exercising these rights.
What sites must do to comply: post a privacy policy describing data practices, post a 'Do Not Sell My Personal Information' link if they sell data, respond to consumer requests within 45 days, verify identity before responding, and update their data-processing agreements with vendors who handle California consumer data.
CCPA vs GDPR: GDPR is broader (covers all data subjects in the EU, opt-in by default, much stricter); CCPA is narrower (covers California residents, opt-out model, only applies above revenue thresholds). Most companies that comply with GDPR are automatically compliant with CCPA — but the specific consumer-request language and the 'Do Not Sell' link are CCPA-specific requirements.
Updates: CCPA was amended by CPRA (California Privacy Rights Act, 2020), which adds the right to correct inaccurate info and the right to limit use of sensitive personal info, and establishes the California Privacy Protection Agency for enforcement. The amended law is in effect as of 2023.
Example
A SaaS company adds a 'Your Privacy Choices' link in the footer (CCPA + CPRA language), implements a workflow for handling deletion requests within 45 days, updates its privacy policy with categories of collected data, and adds a data-processing addendum to its vendor contracts. The company is CCPA-compliant within 2 weeks.