California Privacy Law Overview
Understanding CCPA, CPRA, and your privacy rights
CCPA/CPRA Basics
- California Consumer Privacy Act (CCPA) enacted 2018, effective 2020
- California Privacy Rights Act (CPRA) enacted 2020, effective 2023
- Applies to businesses meeting size/revenue thresholds
- Creates consumer rights to know, delete, correct, and opt-out
- Limited private right of action for data breaches only
Who Is Covered?
- Businesses with $25M+ annual gross revenue, OR
- Businesses that buy/sell/share PI of 100K+ consumers, OR
- Businesses deriving 50%+ revenue from selling consumer PI
- California residents have rights regardless of where business is located
- Some exceptions for employees, B2B, public records
Key Statutes
- CC 1798.100-1798.199.100 (CCPA/CPRA framework)
- CC 1798.150 (Private right of action for data breaches)
- CC 1798.155 (California Privacy Protection Agency)
- CC 1798.185 (AG implementing regulations)
- B&P 22575-22579 (CalOPPA - Online Privacy Policy Act)
- CC 1798.29 (Data breach notification)
CCPA/CPRA Calculators
Calculate damages, deadlines, and compliance status
CCPA Violation Damages Calculator
Calculate potential damages for CCPA/CPRA violations including data breaches and enforcement penalties
Data Breach Notification Deadline Calculator
Calculate when you must notify consumers and the AG after discovering a data breach
CCPA Rights Request & Compliance Checker
Check if a business must comply with your CCPA request and when they must respond
Private Right of Action (CC 1798.150)
When you can sue for CCPA violations
Data Breach ONLY
- Private lawsuits allowed ONLY for data breaches due to inadequate security (CC 1798.150)
- No private right of action for other CCPA violations (failure to respond to requests, improper sale of data, etc.)
- Must show breach caused by failure to maintain reasonable security
- Statutory damages: $100-$750 per consumer per incident
- Actual damages also recoverable if greater than statutory
30-Day Cure Notice
- Must provide 30 days' written notice to business before filing suit
- Notice must identify specific CCPA provisions violated
- If business cures violation within 30 days, no lawsuit allowed
- Send to business's agent for service of process or designated CCPA contact
- Failure to provide notice can result in dismissal
Damages & Relief
- Statutory damages: $100-$750 per consumer per incident (court discretion)
- Actual damages if proven and greater than statutory
- Injunctive relief to stop ongoing violations
- Class action lawsuits permitted
- Attorney fees and costs recoverable by prevailing plaintiff
Your CCPA/CPRA Consumer Rights
What you can demand from covered businesses
Right to Know (CC 1798.100)
- Request disclosure of what personal information (PI) business collected about you
- Request categories and specific pieces of PI
- Request sources of PI, purposes for collection, and third parties with whom shared
- Business must respond within 45 days (+ 45-day extension if needed)
- Requests are free of charge, up to 2 per year
Right to Delete (CC 1798.105)
- Request business delete your PI in its possession
- Exceptions: needed to complete transaction, detect fraud, comply with legal obligations, etc.
- Business must respond within 45 days
- Must also direct service providers to delete
- Business must confirm deletion or explain why exemption applies
Right to Correct (CC 1798.106) [CPRA]
- Request correction of inaccurate PI (added by CPRA effective 2023)
- Business must use commercially reasonable efforts to correct
- 45-day response deadline
- Must also direct service providers to correct
- Business may deny if determines information is accurate
Right to Opt-Out of Sale/Sharing (CC 1798.120)
- Opt-out of sale or sharing of your PI
- "Sale" = disclosing PI for monetary or other valuable consideration
- "Sharing" = disclosing for cross-context behavioral advertising (CPRA)
- Business must honor opt-out for at least 12 months
- Must provide "Do Not Sell or Share My Personal Information" link on homepage
Right to Limit Sensitive PI Use (CC 1798.121) [CPRA]
- Limit business's use of sensitive personal information (added by CPRA)
- Sensitive PI: SSN, financial account, precise geolocation, racial/ethnic origin, religious beliefs, genetic data, biometric data, health data, sex life/sexual orientation, union membership
- Business may only use for permitted purposes (providing services, security, etc.)
- Must provide "Limit the Use of My Sensitive Personal Information" link
Non-Discrimination (CC 1798.125)
- Business cannot discriminate against you for exercising CCPA rights
- Cannot deny goods/services, charge different prices, or provide different quality
- Exception: business may offer financial incentive or different price/service level if reasonably related to value of consumer's data
- Must disclose and obtain opt-in consent for financial incentive programs
Data Breach Notification Requirements
CC 1798.29 & CC 1798.82 obligations
Who Must Notify (CC 1798.29)
- Any person/business that owns or licenses computerized data including PI
- Applies to data about CA residents
- Notification required when PI acquired by unauthorized person
- PI = first name/initial + last name PLUS SSN, driver's license, financial account, medical info, health insurance, or login credentials
Notification Timing (CC 1798.29)
- "In the most expedient time possible and without unreasonable delay"
- AG guidance: generally within ~45 days (but no hard deadline in statute)
- May delay if law enforcement requests delay for investigation
- Clock starts when breach is discovered or reasonably should have been discovered
Notification Content (CC 1798.29(d))
- Types of PI that were or believed to have been breached
- Contact information for company representative
- Toll-free number and contact info for major credit reporting agencies (if SSN breached)
- Toll-free number, address, website for FTC
- Statement that consumer can obtain info about ID theft prevention and response
AG Notification (CC 1798.29(e))
- If breach affects >500 CA residents, must notify AG
- Must provide sample copy of notification sent to consumers
- Must use AG's preferred electronic format
- Notification to AG should be contemporaneous with consumer notification
Credit Monitoring (CC 1798.82)
- If SSN or driver's license was breached, must offer 12 months of free credit monitoring
- Must provide all info necessary to enroll
- Business pays cost of credit monitoring service
- Failure to provide can be evidence of inadequate security
Penalties for Non-Compliance
- No private right of action for failure to notify per se
- But may support claim under CC 1798.150 (inadequate security)
- May constitute unfair business practice under UCL (B&P 17200)
- AG enforcement action possible
- Violation of other laws (FTC Act, etc.)
CCPA/CPRA Enforcement
Who can enforce and what penalties apply
California Privacy Protection Agency (CPPA)
- Created by CPRA (Prop 24) effective July 2020 (Gov Code 11549.3)
- Primary enforcement authority starting July 1, 2023
- Can conduct investigations and audits
- Can issue administrative fines up to $2,500 per violation / $7,500 per intentional violation
- Can seek injunctive relief
- File complaint at cppa.ca.gov
Attorney General Enforcement (CC 1798.155)
- AG retains concurrent enforcement authority
- Same civil penalties: $2,500 per violation / $7,500 per intentional
- Must provide 30-day notice to cure before filing action
- If business cures within 30 days, no penalty
- Penalties paid into Consumer Privacy Fund
Private Right of Action (CC 1798.150)
- ONLY for data breaches due to failure to maintain reasonable security
- $100-$750 per consumer per incident (statutory) or actual damages
- Must provide 30-day cure notice
- If business cures, no lawsuit allowed
- Class action permitted
- NO private right of action for other CCPA violations
Penalties Summary
- CPPA/AG administrative penalty: $2,500 per violation
- CPPA/AG intentional violation penalty: $7,500 per violation
- Private lawsuit (breach only): $100-$750 per consumer per incident
- Actual damages (if greater than statutory)
- Injunctive relief to stop violations
- Attorney fees and costs (prevailing plaintiff)
What Constitutes "Intentional" Violation?
- Business had actual knowledge of CCPA requirement
- Business willfully failed to comply
- Not necessarily malicious intent - reckless disregard can qualify
- Higher penalty reserved for egregious conduct
- CPPA/AG has discretion to seek enhanced penalty
Enforcement Priorities
- CPPA focuses on businesses with patterns of violations
- High-risk sectors: adtech, data brokers, large platforms
- Complaints can be filed online at cppa.ca.gov
- CPPA investigates before bringing enforcement action
- Most violations resolved through negotiated settlements
When to Hire a Privacy Attorney
If you've experienced a data breach involving your personal information and the business failed to maintain reasonable security measures, you may have a private right of action under CC 1798.150. I'm Sergei Tokmakov, a California attorney specializing in consumer privacy and data breach litigation.
I can help if:
- A business suffered a data breach that exposed your name + SSN, financial account, medical info, or login credentials
- The breach was caused by the business's failure to implement reasonable security measures
- You've incurred actual damages (identity theft, fraudulent charges, time spent recovering, etc.)
- You want to pursue a CCPA data breach lawsuit (individual or class action)
- A business failed to respond to your CCPA consumer rights request and you want to file a CPPA complaint
Attorney Demand Letter Service - $575
I'll draft a professional 30-day cure notice letter citing specific CCPA violations, calculate your damages under CC 1798.150, and send via certified mail. This often results in settlement before litigation.
Contact Me About Your Case - $575
Frequently Asked Questions
Common questions about CCPA/CPRA
CCPA (California Consumer Privacy Act) was enacted in 2018 and became effective January 1, 2020. It created baseline privacy rights for California consumers. CPRA (California Privacy Rights Act) was passed by voters in November 2020 as Proposition 24 and became effective January 1, 2023. CPRA significantly expands CCPA by adding new rights (right to correct, right to limit use of sensitive personal information), creating a new enforcement agency (CPPA), expanding the definition of sensitive personal information, and creating stricter obligations for businesses. CPRA is often called "CCPA 2.0" because it amends and strengthens the original CCPA framework rather than replacing it entirely.
Generally, no. The CCPA provides a private right of action ONLY for data breaches caused by a business's failure to maintain reasonable security measures (CC 1798.150). You cannot sue a company for other CCPA violations such as failing to respond to your consumer rights request, selling your data without permission, or failing to post a privacy policy. For non-breach violations, your only remedy is to file a complaint with the California Privacy Protection Agency (CPPA) or Attorney General, who can investigate and impose civil penalties. The limited private right of action for data breaches includes statutory damages of $100-$750 per consumer per incident, plus actual damages if greater, and permits class action lawsuits.
Under CC 1798.150, you can recover statutory damages of $100 to $750 per consumer per incident (the exact amount is at the court's discretion), OR actual damages if you can prove they are greater. Actual damages may include identity theft costs, fraudulent charges, cost of credit monitoring, time spent recovering from the breach (at a reasonable hourly rate), emotional distress in some cases, and out-of-pocket expenses. You can also seek injunctive relief to force the business to improve security practices. If you prevail in the lawsuit, you can recover attorney fees and costs. Class action lawsuits are permitted, which can result in substantial aggregate damages across thousands or millions of affected consumers.
Yes, CC 1798.150(b) requires that you provide the business with 30 days' written notice identifying the specific CCPA provisions you claim have been violated and provide the business an opportunity to cure the alleged violation. If the business cures the violation within 30 days and provides you with an express written statement that it has cured and will not violate CCPA again, you cannot proceed with a lawsuit. The notice must be sent to the business's agent for service of process or designated CCPA contact. Failure to provide this notice can result in dismissal of your lawsuit. This cure period does not apply to Attorney General or CPPA enforcement actions.
A business must comply with CCPA if it does business in California AND meets one or more of these thresholds: (1) Has annual gross revenues exceeding $25 million, OR (2) Annually buys, sells, or shares personal information of 100,000 or more California residents or households, OR (3) Derives 50% or more of its annual revenues from selling or sharing consumers' personal information. The business need not be located in California - any business that collects PI of California residents and meets a threshold must comply. Small businesses below these thresholds are exempt. There are also specific exemptions for employee data, B2B data (until 2023), public records, and certain regulated entities.
Businesses covered by CCPA must provide at least two methods for submitting requests (typically a toll-free phone number and website submission form). Look for a "Do Not Sell or Share My Personal Information" link on the company's homepage, or check their privacy policy for contact information. You can submit requests to know, delete, or correct your personal information. You do not need to create an account to submit a request. The business may ask you to verify your identity, but cannot require you to provide more information than necessary for verification. The business has 45 days to respond (with one 45-day extension if needed). They must provide the response free of charge. You can make up to 2 "right to know" requests per year.
Under CC 1798.29, any person or business that owns or licenses computerized data including personal information about California residents must notify affected individuals in the event of a breach. Personal information is defined as first name/initial + last name plus SSN, driver's license, financial account number, medical information, health insurance information, or username/email + password. Notification must be made "in the most expedient time possible and without unreasonable delay" (AG guidance suggests ~45 days). If more than 500 California residents are affected, the business must also notify the California Attorney General. Notification must include specific elements required by CC 1798.29(d), and if SSN or driver's license was breached, the business must offer 12 months of free credit monitoring per CC 1798.82.
CPRA made significant changes effective January 1, 2023: (1) Created the California Privacy Protection Agency (CPPA) as a new enforcement authority, (2) Added a "right to correct" inaccurate personal information (CC 1798.106), (3) Added a "right to limit use of sensitive personal information" (CC 1798.121), (4) Expanded the definition of "sensitive personal information" to include precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric data, health data, sex life/sexual orientation, (5) Changed "sale" threshold from 50,000 to 100,000 consumers, (6) Created new "sharing" category for cross-context behavioral advertising, (7) Tripled look-back period for responding to data requests from 12 to 36 months, (8) Created stricter data minimization and purpose limitation requirements, and (9) Added employee data protections (previously exempt).
Need Help With a CCPA Data Breach Claim?
I'm a California attorney who can evaluate your data breach case and send a professional demand letter for $575. If you have a strong case, I can refer you to class action counsel.
Get Legal Help - $575