The California Consumer Privacy Act (CCPA), or AB-375 as it is officially known, was enacted in 2018 and goes into effect on January 1, 2020. This landmark legislation provides the broadest protections for consumers’ personal information of any state in the country. For California consumers, it is a game-changer. For many companies who do business in California, it is one more potential land mine to navigate.

New Consumer Rights Under the CCPA

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information collected by a company;
  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to opt-out of sale of personal information. Under the CCPA, consumers are now able to direct a business that sells personal information to stop selling that information;
  • Minors under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13;
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.

Which California Businesses Does the CCPA Apply to?

  • Any companies which do business in the State of California, and who have gross annual revenues in excess of $25 million;[1] or,
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households; or devices; or,
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Note: As proposed by the draft regulations slated to go into effect on the same date as the CCPA, businesses that handle the personal information of more than four million consumers will have additional obligations.

Specific Obligations on Businesses under the CCPA

  • Businesses subject to the CCPA must provide notice to consumers at or before data collection;
  • Businesses must create procedures to respond to requests from consumers regarding their right to opt-out, know, and delete;
  • For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app;
  • Businesses must respond to requests from consumers to know, delete, and opt-out within specific time frames;
  • As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request;
  • Businesses must now verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business;
  • As proposed by the draft regulations, if a business is unable to verify a request, it may deny it, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out;
  • As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information, and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA;
  • As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance;
  • Businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.

For more information on this sweeping new law, click here or reach out to the trusted attorneys of Gehres Law Library to assist your company in avoiding these new land mines. Call us at 858-964-2314 or send us an email to

[1] Insurance institutions, agents, and support organizations are expressly exempted from coverage by the CCPA as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).