CCPA / CPRA
The California Consumer Privacy Act (and its 2020 amendment CPRA) is the most comprehensive U.S. state privacy law, with material penalties and a private right of action for breaches.
What is CCPA / CPRA?
The California Consumer Privacy Act (CCPA) took effect January 2020, granting California consumers rights to know, delete, opt out of sale of, and not be discriminated against for exercising privacy rights. The California Privacy Rights Act (CPRA) amended CCPA effective January 2023, adding a sensitive personal information category, the right to correct, the right to limit use, and creating the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.
Who is in scope
CCPA/CPRA applies to for-profit entities doing business in California that meet at least one of the following: (1) have annual gross revenue over $25M, (2) buy, sell, or share personal information of 100,000+ California residents or households, or (3) derive 50%+ of annual revenue from selling or sharing California personal information. Non-profits and government entities are out of scope. Employee and B2B data are in scope as of January 2023.
CCPA vs GDPR for AI
CCPA is rights-based and disclosure-focused; GDPR is built around the legal basis for processing. For AI vendors, CCPA's most consequential requirement is the right to opt out of "sharing" personal information for cross-context behavioral advertising, plus the right to limit the use of sensitive personal information. AI vendors using prompts for model training likely fall under the disclosure and opt-out requirements; the legal analysis is unsettled and warrants specific legal counsel.