California Consumer Privacy Act (CCPA): Definition and Use in Compliance
The California Consumer Privacy Act (CCPA) is a state data-privacy law that gives California residents the right to know what personal information businesses collect about them, delete it, opt out of its sale, and not face discrimination for exercising those rights.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a state data-privacy law, effective January 1, 2020, that gives California residents control over how businesses collect, use, share, and sell their personal information. It was the first comprehensive consumer privacy statute in the United States, and it reshaped how companies nationwide handle data, because few businesses can cleanly wall off their California customers.
The law applies to for-profit entities doing business in California that meet at least one threshold: more than $25 million in annual gross revenue, handling personal information for 100,000 or more consumers or households, or deriving 50% or more of revenue from selling personal information. If you cross one line, you're in scope.
CCPA defines "personal information" broadly. It covers names, identifiers, geolocation, browsing history, biometric data, and inferences drawn to build a profile. That breadth matters for banks and fintechs, because marketing analytics and behavioral data often fall under CCPA even when core account data is exempt under the Gramm-Leach-Bliley Act.
Consider a digital lender running ad-retargeting pixels on its site. The account data tied to loan servicing may sit under GLBA, but the web-tracking data feeding its marketing models likely sits under CCPA. The lender has to honor a Californian's request to opt out of the sale or sharing of that tracking data.
The California Attorney General and, since 2023, the California Privacy Protection Agency enforce the law. The text and official rulemaking are published by the California Attorney General's office.
How is the California Consumer Privacy Act (CCPA) used in practice?
Compliance and privacy teams operationalize CCPA through repeatable workflows rather than one-off legal reviews. The foundation is a current data inventory: what personal information exists, which systems store it, which vendors receive it, and the business purpose for each use. Most failures trace back to a stale or incomplete map.
When a consumer submits a request, the clock starts. Businesses must confirm receipt within 10 days and respond substantively within 45 days, with one 45-day extension allowed. A request to delete forces a real decision: locate the data everywhere it lives, then determine whether a legal exemption blocks deletion. For a bank, Know Your Customer records and filed reports usually can't be deleted, because retention rules under the Bank Secrecy Act and AML obligations override the consumer's request.
Here's a concrete scenario. A fraud investigations unit gets a deletion request from someone who was the subject of a Suspicious Activity Report. The team can't delete that record, and it can't tip off the subject either. The privacy response has to decline the deletion citing a legal exemption, worded so it doesn't disclose the SAR's existence.
Teams also wire up "Do Not Sell or Share My Personal Information" links, honor Global Privacy Control browser signals, and update vendor contracts to bind data processors. Strong audit trail logging proves, after the fact, that every request was handled on time and correctly.
California Consumer Privacy Act (CCPA) in regulatory context
CCPA sits inside a widening web of privacy law, and it rarely operates alone. For financial institutions, the first question is always overlap with the Gramm-Leach-Bliley Act. GLBA-regulated financial data is exempt from most CCPA provisions, but the exemption is entity-specific and data-specific, not blanket. Marketing data, employment data, and web-tracking data routinely fall outside GLBA and squarely inside CCPA.
The comparison most teams draw is with Europe's General Data Protection Regulation. The two share DNA but differ in mechanics. GDPR requires a lawful basis before processing; CCPA leans on disclosure and opt-out after collection. GDPR's right to erasure is broader than CCPA's deletion right. A bank operating in both California and the EU usually builds one privacy program that satisfies the stricter standard per data type, then maps requirements down.
Domestically, CCPA started a cascade. Virginia, Colorado, Connecticut, Utah, and more than a dozen other states have passed their own consumer privacy laws, most modeled loosely on the California framework. The Federal Trade Commission, meanwhile, enforces against unfair data practices nationally, which adds a federal layer on top.
A regional bank expanding from California into Colorado and Virginia, for example, finds three statutes with different definitions, thresholds, and request timelines. The practical answer is a unified intake and response system keyed to the consumer's state of residence. The text of the CPRA amendments and current regulations are maintained by the California Privacy Protection Agency.
Common challenges and how to address them
The hardest CCPA problem is the deletion-versus-retention conflict. AML and fraud teams are legally required to keep records that a consumer is legally entitled to ask to have deleted. The resolution is policy, not technology: document which data categories carry a retention obligation, codify the exemption logic, and train staff to respond without disclosing protected filings. A deletion denial tied to BSA retention is defensible; an inconsistent one is not.
Identity verification is the second recurring pain point. The business has to verify a requester before handing over or deleting data, but over-collecting verification documents creates more regulated data and more risk. The fix is proportional verification: match the assurance level to the sensitivity of the request, and discard verification data once the request closes.
Data sprawl is the third. Personal information leaks into spreadsheets, log files, backups, and third-party tools. A request to know or delete is only as good as your ability to find the data. Continuous data discovery and a maintained data lineage record turn a frantic search into a query.
Take a mid-size payments firm that got 4,000 consumer requests in a single quarter after a publicized breach. Manual handling collapsed. The firm survived by routing requests through an automated workflow that verified identity, queried mapped systems, applied exemption rules, and logged every step. Vendor management closes the loop: contracts must bind every data processor, and you should screen new tools before they ever touch California residents' data.
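As an added illustration (not code from the page or from any vendor it names), here is a Python sketch of the deletion-request workflow described in the sections above: the 10-day acknowledgment and 45-day response deadlines, exemption rules keyed to data category, a consumer-facing response worded so it never names a retained record such as a SAR, and an internal audit log that does record the specific exemption. The category names and the exemption table are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed exemption table (hypothetical category names): categories carrying
# the BSA/AML retention obligation the page describes, versus deletable ones.
RETENTION_EXEMPT = {
    "kyc_record": "BSA/AML record retention",
    "sar_filing": "BSA/AML record retention",
}
# One generic sentence for every exempt category, so the consumer-facing wording
# is identical whether the retained record is a KYC file or a SAR.
GENERIC_NOTICE = "Some records are retained under a legal exemption."

@dataclass
class DeletionRequest:
    request_id: str
    received: str  # ISO date the request arrived, e.g. "2024-01-01"
    categories: list  # categories located by the data-inventory query
    audit_log: list = field(default_factory=list)

    def deadlines(self) -> dict:
        # Page timelines: confirm receipt within 10 days, respond within 45 days,
        # one 45-day extension allowed. Returned as ISO date strings.
        base = date.fromisoformat(self.received)
        return {"acknowledge_by": (base + timedelta(days=10)).isoformat(),
                "respond_by": (base + timedelta(days=45)).isoformat(),
                "extended_respond_by": (base + timedelta(days=90)).isoformat()}

    def log(self, step: str, detail) -> None:
        # Internal audit trail: the specific exemption is recorded here for
        # examiners but is never copied into the consumer-facing response.
        self.audit_log.append((step, detail))

def process_deletion(req: DeletionRequest) -> dict:
    """Apply exemption rules per category and build the consumer response."""
    deleted, retained = [], []
    for cat in req.categories:
        if cat in RETENTION_EXEMPT:
            req.log("exemption_applied", f"{cat}: {RETENTION_EXEMPT[cat]}")
            retained.append(cat)
        else:
            req.log("deleted", cat)
            deleted.append(cat)
    # Name only what was deleted; retained categories are never listed.
    response = {"request_id": req.request_id, "deleted": deleted,
                "notice": GENERIC_NOTICE if retained else None}
    if any(cat in str(response) for cat in RETENTION_EXEMPT):
        raise ValueError("response would disclose a retained record")  # guard
    req.log("response_sent", response)
    return response
```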
Related terms and concepts
CCPA lives in the data-privacy family, and understanding the neighbors sharpens how you apply it. The closest relative is the General Data Protection Regulation, which set the global template CCPA partly followed. Both regimes lean on roles and rights that overlap, even when the labels differ.
Several technical concepts support CCPA compliance directly. Personally identifiable information is the raw material the law governs. Data minimization reduces how much of it you hold, which shrinks both your obligation and your breach exposure. Tokenization and pseudonymization let teams use data for analytics while limiting the personal information at risk. Where a deletion request can't be honored, data residency and retention policy decide what stays.
On the financial-crime side, the tension between privacy rights and reporting duties connects CCPA to Customer Due Diligence, transaction monitoring, and the broader Anti-Money Laundering framework, where retention obligations frequently trump a consumer's deletion request.
Governance roles tie it together. The Data Protection Officer role, formalized under GDPR, increasingly owns CCPA programs in firms that operate on both sides of the Atlantic. For institutions automating these workflows, identity verification, KYC/AML automation, and a maintained audit trail keep privacy response and compliance retention from working against each other.
Where does the term come from?
The CCPA was signed into law on June 28, 2018 as AB 375, drafted and passed in roughly a week to head off a stricter ballot initiative led by real estate developer Alastair Mactaggart. That rushed origin shows: the legislature spent 2018 and 2019 amending the text before it took effect.
The name describes its scope plainly. It protects "consumers," defined as California residents, and regulates the businesses that collect their data. In 2020 voters approved Proposition 24, the California Privacy Rights Act, which rewrote large parts of the CCPA and stood up the California Privacy Protection Agency. People still say "CCPA" to mean the combined, current regime, even though "CCPA/CPRA" is more precise.
How FluxForce handles the California Consumer Privacy Act (CCPA)
FluxForce AI agents monitor CCPA-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.