Skip to main content
v2026.1714 entries · CC-BY 4.0
CiteLicenceEN-GB
CASRAI

Definition · Plain-language

CCPA (California Consumer Privacy Act)

The CCPA is the California Consumer Privacy Act, a US state privacy law giving California residents rights over the personal information businesses hold about them.

CASRAI research-methods explainer — CCPA (California Consumer Privacy Act)

The step most authors miss

Doing CRediT right? Don’t stop at the statement.

A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.

Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.

Sign in with ORCID — free Why this matters →

What the CCPA is

The California Consumer Privacy Act is a state-level US privacy law, signed in 2018 and effective from 1 January 2020. It applies to certain for-profit businesses that handle the personal information of California residents and meet defined thresholds of size, revenue or data volume. The CCPA was a landmark because, unlike the federal patchwork of sector-specific US rules, it established broad consumer privacy rights across industries within a single state. It is often discussed alongside the GDPR as the other major modern privacy framework, though the two differ in structure and concepts.

Rights it grants residents

The CCPA gives California consumers a set of rights over their personal information: to know what is collected and how it is used, to access and delete it, to opt out of its sale, and to be free from discrimination for exercising these rights. The later CPRA amendment added rights to correct inaccurate information and to limit the use of sensitive personal information, and introduced the concept of sharing for cross-context behavioural advertising. These rights are exercised against businesses rather than framed primarily around a lawful-basis model as in the GDPR.

The CPRA amendment

The California Privacy Rights Act, approved by ballot in 2020, substantially amended and strengthened the CCPA, with most provisions becoming operative on 1 January 2023. It broadened consumer rights, introduced a category of sensitive personal information with extra protections, and established the California Privacy Protection Agency as a dedicated regulator. Because of this, references to the CCPA today usually mean the CCPA as amended by the CPRA. The combined framework is the most prominent US state privacy regime and has influenced privacy laws in other states.

Key facts

At a glance

  • Definition: California state law giving residents rights over their personal information
  • Enacted: 2018, effective 1 January 2020
  • Amended by: the CPRA (approved 2020, mostly operative 2023)
  • Applies to: for-profit businesses meeting defined size or data thresholds
  • Core rights: know, access, delete, opt out of sale, correct, limit sensitive use
  • Regulator: California Privacy Protection Agency (created by the CPRA)

Common misconceptions

What people often get wrong

Often heard: The CCPA and the GDPR are essentially the same law.

Actually: They are different frameworks. The GDPR is an EU regulation built on lawful bases and broad principles; the CCPA is a US state law centred on consumer rights such as opting out of the sale of personal information. They overlap in spirit but differ in scope and mechanics.

Often heard: The CCPA applies to every business that handles Californians’ data.

Actually: The CCPA applies to for-profit businesses that meet defined thresholds — for example on annual revenue, the volume of personal information handled, or revenue from selling it. Many small entities fall outside its scope.

Often heard: The CPRA replaced the CCPA with an entirely new law.

Actually: The CPRA amended and expanded the existing CCPA rather than replacing it. References to the CCPA today generally mean the CCPA as amended by the CPRA, including its added rights and the new privacy agency.

Going deeper

Related CASRAI guidance

GDPRRight to be forgottenConsent managementData minimisationData anonymisationStandards dictionary
LAC

Partner Deal

LAC Health Supplies Mobile App

Referenced across the research world

University of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logoUniversity of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logo
  • University of Cambridge logo
  • Columbia University logo
  • University of Edinburgh logo
  • Harvard University logo
  • University of Oxford logo
  • Princeton University logo
  • Stanford School of Medicine logo
  • University College London logo
  • ORCID logo
  • Crossref logo

View CASRAI adoption →