CCPA (California Consumer Privacy Act)

California privacy law granting residents the rights to know, delete, and opt out of the sale of their personal data.

California Civil Code §1798.100 | Applies to 40M+ California Residents | Fines up to $7,500 per Violation

What is CCPA (California Consumer Privacy Act)?

CCPA (California Consumer Privacy Act) is a privacy law that grants California residents specific rights over their personal data. It applies to for-profit businesses that meet certain thresholds (revenue, data volume).

CCPA grants consumers:

  • Right to know: What personal data is collected and shared
  • Right to delete: Request deletion of personal data
  • Right to opt-out: Stop businesses from selling their data
  • Right to non-discrimination: Equal service even if they exercise rights

CCPA was amended by CPRA (California Privacy Rights Act) in 2020, which added new requirements, such as the right to correct inaccurate data and to limit the use of sensitive data.

Businesses must provide a "Do Not Sell My Personal Information" link on their website and respond to consumer requests within 45 days.

Analogy

Think of CCPA like a California gym membership policy. Members (California residents) can: (1) See what data the gym collects (right to know), (2) Ask the gym to delete their profile (right to delete), (3) Tell the gym 'don't sell my workout data to supplement companies' (opt-out of sale).

Types and Use Cases

  • CIAM Platforms: Must provide "Do Not Sell" link, handle deletion/access requests
  • E-commerce: Disclose data sharing with third parties (Shopify, payment processors)
  • Marketing Platforms: Allow users to opt out of data sale to data brokers
  • Mobile Apps: Disclose third-party SDKs that may "sell" data (ad networks)

How it Works

1. User visits website and clicks 'Do Not Sell My Personal Information' link
2. User submits opt-out request (form, email, toll-free number)
3. Business must honor opt-out within 15 days and notify third parties
4. User requests to know/delete - business has 45 days to respond
5. Business provides data in portable format (for 'right to know') or deletes data

{
  "ccpaCompliance": {
    "doNotSellLink": "https://example.com/do-not-sell",
    "consumerRights": {
      "rightToKnow": {"enabled": true, "responseDays": 45},
      "rightToDelete": {"enabled": true, "responseDays": 45},
      "optOutSale": {"enabled": true, "notificationDays": 15}
    },
    "dataCategories": [
      {"name": "email", "sold": false, "thirdParties": []},
      {"name": "browsingHistory", "sold": true, "thirdParties": ["ad-network-a", "analytics-b"]}
    ]
  }
}
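
The steps and configuration above can be turned into a small request tracker. This is an added example, not LoginRadius code: the function names (`plan_request`, `overdue`) and the sample request queue are hypothetical, and the configuration values are copied from the block above.

```python
import json
from datetime import date, timedelta

# Same shape and values as the configuration shown above.
CONFIG = json.loads("""
{"ccpaCompliance": {
  "consumerRights": {
    "rightToKnow": {"enabled": true, "responseDays": 45},
    "rightToDelete": {"enabled": true, "responseDays": 45},
    "optOutSale": {"enabled": true, "notificationDays": 15}},
  "dataCategories": [
    {"name": "email", "sold": false, "thirdParties": []},
    {"name": "browsingHistory", "sold": true,
     "thirdParties": ["ad-network-a", "analytics-b"]}]}}
""")["ccpaCompliance"]


def plan_request(kind, received, config=CONFIG):
    """Return the due date and third parties to notify for one request."""
    right = config["consumerRights"].get(kind)
    if right is None or not right.get("enabled"):
        raise ValueError(f"unsupported or disabled request type: {kind}")
    days = right.get("responseDays", right.get("notificationDays"))
    plan = {"kind": kind, "due": received + timedelta(days=days), "notify": []}
    if kind == "optOutSale":
        # Step 3: every third party that receives a "sold" category must be told.
        parties = {p for c in config["dataCategories"] if c["sold"]
                   for p in c["thirdParties"]}
        plan["notify"] = sorted(parties)
    return plan


def overdue(requests, today, config=CONFIG):
    """IDs of open requests whose deadline has already passed."""
    return [r["id"] for r in requests
            if not r.get("closed")
            and plan_request(r["kind"], r["received"], config)["due"] < today]


# Constructed sample queue, for illustration only.
SAMPLE = [
    {"id": "req-1", "kind": "optOutSale", "received": date(2024, 3, 1)},
    {"id": "req-2", "kind": "rightToKnow", "received": date(2024, 3, 1)},
    {"id": "req-3", "kind": "rightToDelete", "received": date(2024, 1, 10),
     "closed": True},
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req["id"], plan_request(req["kind"], req["received"]))
    print("overdue on 2024-03-20:", overdue(SAMPLE, date(2024, 3, 20)))
```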

CCPA (California Consumer Privacy Act) vs GDPR (General Data Protection Regulation)

| CCPA (California Consumer Privacy Act) | GDPR (General Data Protection Regulation) |
| --- | --- |
| CCPA focuses on opt-out of sale | GDPR focuses on consent (opt-in) for processing |
| CCPA applies to California residents | GDPR applies to EU residents |
| CCPA has monetary thresholds ($25M revenue, 50K consumers) | GDPR applies to any organization processing EU data |

Best Practices for CCPA (California Consumer Privacy Act)

  • Prominent 'Do Not Sell' link: Place it in footer, privacy policy, and cookie banner
  • Honor opt-outs within 15 days: Notify all third parties that you can't sell the data
  • Train support team: They must know how to handle CCPA requests (45-day response)

How LoginRadius Powers CCPA (California Consumer Privacy Act)

The LoginRadius CIAM platform provides comprehensive CCPA compliance tools: 'Do Not Sell My Personal Information' link configuration, one-click opt-out management for users, data portability APIs (export in JSON/CSV), deletion APIs with automated third-party notifications, and detailed audit logs of all consumer requests. Our platform also provides data categorization tools to track which data is 'sold' vs. not, and a consumer request management dashboard for your privacy team.

FAQs

CCPA is a state law (California only) focused on opt-out of sale - businesses can process data unless the user opts out. GDPR is an EU regulation focused on consent (opt-in) - businesses can't process data without consent. CCPA applies to businesses with $25M+ revenue; GDPR applies to any organization processing EU data.

CCPA defines 'sale' broadly: sharing personal data with third parties for monetary or other valuable consideration. This includes: (1) Selling data to data brokers, (2) Sharing data with ad networks (in exchange for free ad services), (3) Sharing data with partners for referral fees. Many businesses that don't think they 'sell' data actually do under CCPA's broad definition.

LoginRadius provides built-in CCPA compliance features: (1) 'Do Not Sell' link - configurable link in user dashboards, (2) Opt-out management - users can opt out of data sale with one click, (3) Data export - provide user data in portable JSON/CSV format (right to know), (4) Deletion APIs - programmatically delete users and notify third parties, (5) Audit logs - record all CCPA requests and responses for compliance.
