CCPA Primer

Lesson 8 | Recap of CCPA

Download Lesson PDF


CCPA, despite only protecting data on California residents, applies to many companies. You do not have to be based in CA to have to comply with the regulation or be subject to potential penalties for violating the rules of CCPA. Below is a summary of the lessons learned in this course.

What companies need to comply with CCPA?

Companies that need to comply with CCPA are for-profit and at least one of the following - 1) annual revenue over $25M, 2) data on more than 50,000 CA residents, or 3) earn at least 50% of revenue from selling personal data on CA residents.

Data covered under CCPA.

CCPA is concerned with personal information on CA residents. Personal information is information that can identify or reasonably identify a resident as an individual. Explosions in the type of digital data collected about people make this a moving target.

Data Subject rights under CCPA?

CCPA created a new class of personal data rights for CA residents. These rights include a right to know what data is collected on them and how it is used, a right to opt-out of the sale of their data, a right to delete their data, a right to access data in a portable format, and a right to know to whom their data has been disclosed.

Your responsibilities under CCPA?

Companies have a responsibility to consumers under CCPA. They need to provide notice about data collection and usage, methods for exercising data rights, and a need to train employees who receive customer inquiries and data requests.

Penalties under CCPA.

There are two forms of penalty defined by CCPA - 1) penalties for violations of any part of CCPA that are brought by the CA Attorney General and 2) penalty payments to individuals specifically for breaches of personal information. In the case of Attorney General cases, there is a 30 day period for companies to resolve violations and avoid penalties.


CPRA, which updates and clarifies CCPA, has a high likelihood of being on the ballot in the fall of 2020. While not passed or implemented, there are several important changes that could have a significant impact on companies - new categories of data including “sensitive” data, new rules governing the handling of categories of data, and new consumer rights to correct personal data, amongst others.

Hopefully, this training has given you a baseline understanding of CCPA. CCPA is very likely going to be the standard for more and more data protection regulations in the US. A base-level knowledge of CCPA will serve as a good foundation for future regulations.