State Privacy Laws: California
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
Overview
The California Privacy Rights Act is the most comprehensive state data privacy law. It amended the California Consumer Privacy Act of 2018, landmark legislation that gives consumers more control over the personal information that businesses collect about them, by adding privacy protections that began on January 1, 2023.
Key Dates
- CCPA signed into law: June 28, 2018
- CCPA effective date: January 1, 2020
- CPRA signed into law: May 11, 2023
- CPRA effective date: July 1, 2025
Thresholds
The CCPA / CPRA applies to businesses that:
- Earned gross annual revenue of more than US$25 million in the preceding year, or
- Buy, sell, or share the personal information of 100,000 or more California consumers or households, or
- Make 50% or more of their annual revenue by selling or sharing the personal information of California residents.
Consumer Rights
- The right to know about the personal information a business collects about them and how it is used and shared.
- The right to delete personal information collected from them (with some exceptions).
- The right to opt out of the sale or sharing of their personal information.
- The right to non-discrimination for exercising their CCPA / CPRA rights.
- The right to correct inaccurate personal information that a business has about them.
- The right to limit the use and disclosure of sensitive personal information collected about them.
Sensitive Data
Sensitive data is defined as:
- Personal information that reveals:
  - A consumer’s social security, driver’s license, state identification card, or passport number.
  - A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
  - A consumer’s precise geolocation.
  - A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
  - The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.
  - A consumer’s genetic data.
- The processing of biometric information for the purpose of uniquely identifying a consumer.
- Personal information collected and analyzed concerning a consumer’s health.
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
Penalties
Up to $7,500 per violation.
Configure Your Consent Banner for CCPA / CPRA
Regions are used to customize the behavior and experience based on an individual user’s location. For example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. CCPA/CPRA in California). When a user visits your site, we automatically determine their location and match them to the most granular region rule that you have set up in Concord. Rules can go down to the state/province level, which allows for different experiences under different laws.
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.
Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher-level splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.