Retailer Privacy Laws in California: A Merchant’s Guide to the CCPA

Mike Elliff | September 22, 2025 | 8 min read

This featured video was created using artificial intelligence. The article, however, was written and edited by actual payment experts.

In a Nutshell

In this article, we take a closer look at the California Consumer Privacy Act (CCPA), including what the law is, what it does, and how it affects your business. We’ll also give you a rundown on what you need to do to stay compliant and avoid violating the law.

Even if You’re Not in California, the CCPA May Still Impact You

The California Consumer Privacy Act (CCPA) was signed into law in June 2018, and went into effect at the beginning of 2020.

The sweeping privacy law, which has implications for businesses of all sizes, was later enhanced and amended by the California Privacy Rights Act (CPRA), which came into effect in January 2023.

“But my business isn’t in California!” you say.

That may not matter. Even if you don’t have a physical presence in the Golden State, the CCPA applies to you as long as you do business with California residents. And yes: that applies to eCommerce merchants who sell through the internet, too.

What is the California Consumer Privacy Act?

The California Consumer Privacy Act of 2018 is a state law that enhances privacy rights and consumer protections for California residents. Specifically, the CCPA grants individual consumers, households, employees, contractors, and jobseekers greater control over their personal information through four core rights:

#1  |  The Right to Know

Under the CCPA, California residents can ask you to tell them exactly what personal information you have collected about them. When they ask, you need to be prepared to disclose:

  • The specific pieces of information you have (e.g. name, email address, purchase history)
  • Where you got the information from
  • Why you collected it
  • Who you share it with or sell it to

Customers can make this request up to twice per year for free.

#2  |  The Right to Delete

Your customers have the right to ask you to permanently delete the personal information you have collected from them. This request also extends to any third-party service providers you’ve shared their data with; you must direct them to delete it as well. However, there are some exceptions, such as when you are legally required to keep the information for tax or transaction purposes.

#3  |  The Right to Opt-Out of Sale

Customers can tell you to stop selling or sharing their personal information through a “Do Not Sell or Share My Personal Information” link. Once a customer opts out, you cannot sell or share their data unless they give you explicit permission later.

#4  |  The Right to Non-Discrimination

You cannot penalize a customer for exercising any of their CCPA rights. This means you can’t charge them a different price, provide a lower level of service, or refuse to sell them goods because they chose to opt-out or request that their data be deleted.

Common Question

What constitutes “selling” personal information under the CCPA?

The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”

The takeaway: “sale” is a broadly-defined term. If you collect consumer information, send it to a third party, and receive something in return — whether money, goods, or services — you could be described as having “sold” it.

What is the California Privacy Rights Act?

In November 2020, California voters approved the California Privacy Rights Act (CPRA) through a ballot initiative known as Proposition 24. The CPRA, which took effect on January 1, 2023, is not a separate law. Instead, it expands the CCPA by granting California residents two additional privacy protections:

#5  |  The Right to Correct

This right allows California-based customers to demand that you fix any inaccurate personal information you have on file. If a customer informs you that their name, address, or other data is incorrect, they can request that you update it to be accurate.

#6  |  The Right to Limit

Customers can also restrict how you use and disclose their “sensitive personal information.” This category includes data like Social Security numbers, geolocation data, and genetic information. A customer can direct you to use this sensitive data only for the limited purpose of providing the goods or services they requested.

CCPA Compliance Checklist
  • Provide a “Notice at Collection” describing what, how, and why you collect the information you do.
  • Include a link to your privacy policy within your Notice at Collection, as well as a “Do Not Sell or Share” link that allows consumers to opt-out.
  • Provide a toll-free telephone number for customers to make data access (“right to know”) requests.
  • Obtain consent from parents or guardians when collecting information from consumers between the ages of 13 and 16.
  • Update your privacy policy to include a section on California residents’ rights as guaranteed under the CCPA.

CCPA Stipulations for Minors

Another important stipulation regarding the CCPA (at least in theory) is the opt-in for people under the age of 16.

In compliance with the federal Children's Online Privacy Protection Act (“COPPA”), businesses can already be fined for not asking consent from a legal guardian before collecting data from users under 13. The CCPA ups the threshold, specifying that users under 16 are required to opt-in. But, users between 13 and 16 can provide their own authorization, rather than a guardian’s.

Ultimately, it’s kind of a distinction without a difference. It’s true that you need a layer of age verification to identify users under 13 and get authorization from a guardian. But, that should already be in place anyway as part of compliance with COPPA.

Users between the ages of 13 and 16 can provide their own opt-in authorization. But, you should be requesting that same authorization of all users, regardless of age, as a best practice anyway.

How the CCPA Differs from the GDPR

The CCPA often draws comparisons to the General Data Protection Regulation adopted in the European market. The rules have a lot of overlap, but there are two key points where the CCPA and the GDPR differ.

First, unlike under the GDPR, consumers do not have a so-called “right to be forgotten.” The new California law does not give consumers the right to opt-out of data collection entirely. Buyers simply have more latitude in determining what data is stored and how it is used. That leads us to the second point: the GDPR covers a much broader scope of data.

The GDPR identifies personal data as anything that may identify you based on your physical, physiological, genetic, mental, economic, cultural, or social identity. In contrast, the CCPA covers any data that can identify, relate to, describe, or could be reasonably linked with a consumer or household.

The “personal information” covered by the CCPA includes items like Social Security number, mailing or billing address, and email. However, it does not apply to as broad a range of identifiers as the GDPR.

Does the CCPA Apply to Me?

As the nation’s largest state, California tends to determine regulatory trends throughout the country. It’s likely that, in a matter of years, the provisions of the CCPA will be expanded into a national regulation. But even if it hasn’t hit your state yet, you may need to be compliant with the California Consumer Privacy Act now.

Like GDPR, the jurisdiction of the CCPA is not based on the business’s location. Rather, it is determined by the customer’s location. Thus, if you want to sell products to buyers in California—the largest state in the US and the fifth-largest single economy in the world—you’ll need to play by the rules of the CCPA.

Your sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity will need to comply with the CCPA standards if any of the following apply:

  • You have annual gross revenue of at least $25 million.
  • You buy, sell, or share the personal information of more than 50,000 consumers annually.
  • At least 50% of your annual revenue comes from selling consumer information.

    If any of those three conditions describe you, then your business will soon be under CCPA jurisdiction.

    What Happens if I Don’t Comply With the CCPA?

    There are tangible penalties for non-compliance with the California Consumer Privacy Act. But, the penalties can be more or less severe depending on whether you intentionally violated the law, or whether you did so unintentionally.

    Businesses that unintentionally violate the CCPA can be fined up to $2,500 per infraction. Intentional violations, or infractions involving data belonging to minors, come with fines of up to $7,500 per incident.

    Under the CCPA, California consumers may also file a civil suit against you. Individuals may demand compensation for statutory damages of up to $750 per incident, or they can demand compensation for actual damages, like personal fraud losses resulting from your mishandling of their information (whichever is greater).

    Potential Obstacles & Risk Exposures

    The California Consumer Privacy Act represents an important step forward in consumer privacy protection. It does, however, impose certain burdens on merchants. For example, the CCPA can:

    Drain Merchant Resources

    Rules like this are made with the supposition that merchants have more insight into consumer data than they really do. Merchants don’t generally maintain individualized files with detailed information on each person who buys something. However, when a customer requests you share or destroy any data collected about them, lawmakers will expect you to comply as if that were the case.

    The CCPA places a tremendous burden on businesses. Processing data requests and retrieving and deleting the relevant information will take a lot of individualized, human attention. That means dedicating staff—and other resources—to the issue.

    Make it Harder to Manage Criminal Activity

    Effective criminal fraud management relies on analyzing data to predict trends and new risk factors. If you want to stop as many criminal attacks as possible, you’ll need the most complete, detailed data set you can get.

    Under the CCPA, though, customers may opt-out of giving you their data. This means you’ll be working with an incomplete data set, which could provide misleading information about fraud trends, vulnerabilities, and other key performance indicators.

    Lead to a Rise in Fraudulent Chargebacks

    It may be harder to identify friendly fraud, too. Both historical data and information about individual transactions are critical to preventing friendly fraud losses. Ultimately, this will loop back to affect your chargeback mitigation strategy and make it more difficult to assemble representment cases.

    You can’t create a reliable representment case without information. For example, a buyer might complete a purchase, then request you delete their information under CCPA specifications. That person could then demand a chargeback; if you don’t have the necessary evidence to submit a case, you could be out of luck.

    CCPA Compliance Can Be a Competitive Advantage, Too

    It’s easy to dismiss compliance, whether with privacy laws like the CCPA or data security regulations like PCI-DSS, as little more than a chore. But, the CCPA is also an opportunity to turn transparency into trust.

    For example, displaying a clear, easy-to-read privacy policy out in the open shows that you have nothing to hide, and that you’re serious about protecting personal information.

    Remember: the eCommerce landscape is crowded. Showing that you care enough to stand apart, whether by offering better products, superior customer service, faster shipping times, or simply being honest, fair, and transparent, can help you win in the marketplace.

    Have questions about the CCPA, or how it relates to your broader fraud-fighting efforts? Book a demo with the experts at Chargebacks911® today. We’re here to help!

    FAQs

    What does the California Consumer Privacy Act do?

    The California Consumer Privacy Act (CCPA), first enacted in June 2018, gives consumers more control over how their personal information is collected and used. Specifically, the CCPA grants California residents the right to know about, access, and delete their personal information, opt-out of its sale, and exercise these rights without facing discrimination.

    What is a CCPA violation?

    A CCPA violation happens when a business that is required to comply with the California Consumer Privacy Act (CCPA) fails to comply with the law. Businesses that unintentionally violate the CCPA face fines up to $2,500 per violation, while intentional violators can be fined up to $7,500 per violation.

    What are the 7 rights given to consumers by CCPA?

    The seven rights given to consumers by the CCPA are the right to know, the right to access, the right to delete, the right to correct, the right to limit use and disclosure, and the right to opt-out of sale or sharing of their personal information. Under the CCPA, consumers also have the right to non-discrimination.

    What is CCPA now called?

    The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect in January 2023. Today, this pair of laws is sometimes referred to as the CCPA 2.0.

    What does the CCPA not apply to?

    Entities not covered by the CCPA include nonprofit organizations and government agencies.

    How do I opt out of the California Consumer Privacy Act?

    To exercise your right to opt-out of the sale or sharing of your personal information under the California Consumer Privacy Act (CCPA), you can look for a “Do Not Sell or Share My Personal Information” link on websites, or use your browser’s Global Privacy Control (GPC) feature.
