top of page
  • Oliva Venus

California Consumer Privacy Act (CPAA)

Updated: Jan 20, 2023

by Olivia Venus

bridge and palm trees


  • Applies to businesses that collect personal information of California residents that meet any of the following 3 thresholds:

    • Gross annual revenue greater than $25 million

    • Buy, receive, sell or share personal information of 50,000 or more consumers, households or devices

    • Derives 50% or more of its annual revenue from selling personal information

  • Personally identifiable information (PII) is defined as: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer. This includes:

    • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers

    • Characteristics of protected classifications (such as those protected under the ADA) under CA or federal law

    • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies

    • Biometric information

    • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement

    • Geolocation data

  • Allows individuals to view what information about them and to opt-out completely of information being sold. MUST post a link that allows customers to opt-out of sale “do not sell my information.” This only applies to CA residents. However, website views are not restricted to only one state. There will likely be CA residents visiting a site, so the opt-out is always necessary.

  • Companies should have had data tracking systems in place by early 2019 to meet “12-month history” compliance

  • Companies have a 30-day window after a violation complaint is filed to fix the issue and comply.

  • Businesses will now have to honor CA residents’ requests to access, delete, and opt-out of sharing and selling of their data.

  • 5 things that are changing:

    • Data inventory and mapping of in-scope personal data and instances of “selling” data

    • New individual rights to data access and erasure

    • New individual right to opt-out of data selling

    • Updating service-level agreements with third-party data processors

    • Remediation of information security gaps and system vulnerabilities

Advice for our clients:

  • Limit the use and collection of personal information, if possible. If your company is below the threshold of 50,000 consumers' PII, you do not need the additional links and privacy policy to comply with this law. Even if you are above the threshold, limiting use and collection of PII can be helpful to prevent a lawsuit for any reason. Information can be routinely used and deleted.

  • Limit sharing and sale of PII to third parties.

  • Update agreements with third-party data processors.

  • Update and ensure the security of software to inventory and map PII. Scope out vulnerabilities and fix them as well as possible.

What our clients need to do to comply:

  • #1 most important thing: be sure to have a footer on any website that says, “do not sell my information,” and when clicked will allow customers to fully opt-out from the sale of their personal information. Customers MUST be allowed to choose not to have their data shared (even without profit) with ANY third parties. Once this link is clicked, it should lead to instructions on how to opt-out of that website’s specific cookies, as well as non-cookie-based services. Here is an example from Deloitte US:

  • Update their privacy policy, terms and conditions, and cookie agreement. Be sure it is presented to customers when personal information is collected (usually in the form of a pop-up). The privacy policy must comply with the above points.

What our company has done to comply: ​

  • Update our privacy policy and be sure it is presented to customers when personal information is collected.

  • Limit collection of PII or collect and routinely delete.

  • Limit or cease sharing PII with third parties. If we do not share with third parties at all, then the “do not share my information” compliance above is not necessary.

15 views0 comments

Recent Posts

See All


Commenting has been turned off.
bottom of page