
The California Consumer Privacy Act (CCPA): What It Is and What It Means for AdTech and MarTech

Tags: CCPA, GDPR, privacy rights, data collection, opt-out, consent management, data breach, third-party data, first-party data, data portability, right to be forgotten, California, federal legislation, CONSENT Act, data protection officer, transparency standards, class action lawsuit

For roughly two decades, concerns about online privacy have steadily built momentum. Consumers want faster page loads, less clutter, and — more than anything — meaningful protection of their personal data. The rise of ad blockers and growing awareness of data brokers and opaque tracking technologies helped push the issue into the mainstream. Governments have been slower to respond, but that gap is narrowing.

In May 2018, the European Union's General Data Protection Regulation (GDPR) came into force, representing the most significant change in EU data protection law in 25 years. The EU wasn't alone for long. California followed with its own legislation — the California Consumer Privacy Act (CCPA) — and at the federal level, the proposed CONSENT Act signals that US lawmakers are increasingly serious about data rights.

Note: This article is intended as an educational overview of the CCPA and should not be taken as legal advice. Consult a qualified lawyer to understand the specific obligations that apply to your business.

What Is the California Consumer Privacy Act?

Technology has consistently outpaced regulation, but California has historically led the way on consumer protection — from emissions standards to earlier privacy statutes. On June 28, 2018, the California State Legislature passed the California Consumer Privacy Act, a regulation broadly analogous to the GDPR but adapted to the US legal framework. The full bill text is available here.

The CCPA came into effect in early 2020. Its central purpose is to give California residents more visibility into and control over how companies collect and use their personal data.

When reading about the CCPA, it's common to encounter a related piece of legislation called the CONSENT Act. The two are distinct but related, so it's worth clarifying the difference.

The CONSENT Act is a pending federal bill — not yet passed — that would apply nationwide across the US. Like the CCPA and the GDPR, it would require companies to obtain explicit user consent before using, sharing, or selling personal data. The acronym stands for Customer Online Notification for Stopping Edge-provider Network Transgressions (full text here).

If enacted, the CONSENT Act could either complement the CCPA or, if amended with a preemption provision, supersede it. In its currently proposed form, it does not include a preemption clause.

Both the CCPA and the CONSENT Act are aimed at improving online privacy protections in the US and curbing privacy violations. The remainder of this article focuses specifically on the CCPA.

How the CCPA Works

At its core, the CCPA empowers consumers to know what personal information businesses collect about them and gives them the right to refuse the sale of that data to third parties. More specifically, the CCPA grants California residents the following rights:

  • Right to know all data a business has collected about them
  • Right to opt out of the sale of their personal information
  • Right to request deletion of their data
  • Right to be informed about the categories of data being collected before collection begins, and to be notified of any changes
  • Mandated opt-in consent before any sale of data belonging to children under the age of 16
  • Right to know the categories of third parties with whom their data is shared
  • Right to know the categories of sources from which their data was acquired
  • Right to know the business or commercial purpose behind data collection
  • Enforcement authority vested in the California Attorney General
  • Private right of action when a business suffers a data breach affecting their data

Non-Compliance Fines

Fines under the CCPA are enforced by the California Attorney General. Intentional violations can attract penalties of up to $7,500 per violation; non-intentional violations carry a maximum fine of $2,500 per violation.

Beyond regulatory fines, the CCPA grants affected consumers the right to bring individual or class-action lawsuits against violating businesses. Statutory damages range from $100 to $750 per consumer per incident — or higher if actual damages can be demonstrated. For companies with large user bases, this private right of action represents a potentially significant financial exposure.

CCPA vs. GDPR: Similarities and Differences

The net effect of the CCPA closely mirrors that of the GDPR. The two frameworks overlap considerably, and one clearly influenced the other. Both cover the right to be forgotten, the right to data portability, and the right of access — concepts well-established in EU data protection practice.

There are notable differences, however. The CCPA explicitly allows individuals to claim damages in the event of a data breach, whereas the GDPR does not provide the same direct private right of action. Conversely, the GDPR requires every organization processing personal data to appoint a Data Protection Officer; the CCPA has no equivalent requirement.

The table below summarizes the most important similarities and differences:

[Table image: California Consumer Privacy Act (CCPA) comparison table with GDPR]

Impact on AdTech and MarTech

The CCPA has real implications for how AdTech and MarTech platforms collect, process, and distribute data about online users. Here are the primary areas of change:

More Selective Use of Third-Party Data

The CCPA requires companies to disclose "the categories of sources from which personal information is collected." This creates an incentive — and an obligation — to be more deliberate about third-party data acquisition. Businesses may be asked to justify both the scope of their data collection and its sources, making indiscriminate data buying a legal liability rather than just an ethical concern.

Shift from Third-Party to First-Party Data

The transparency requirements introduced by laws like the GDPR and CCPA naturally push companies to reduce their reliance on third-party data and invest instead in first-party data — information collected directly from users through owned channels such as registration forms, surveys, and logged-in experiences.

Reduced Over-Collection of User Data

Under both the CCPA and the GDPR, the data controller bears primary responsibility for collecting data and managing consent. This accountability encourages companies to collect only what is genuinely necessary rather than harvesting every available data point. The risk of liability makes data minimization a practical business decision, not just a compliance checkbox.

Both the CCPA and the GDPR give consumers the ongoing right to request deletion of their personal data. Every business subject to these laws needs a functional mechanism for users to access, amend, or delete their information on request. For many AdTech and MarTech platforms, this means investing in or integrating a Consent Management Platform (CMP).

Higher Transparency Standards

The CCPA requires companies to maintain records of all data sales for a period of one year. While the CCPA defaults to an opt-out model (unlike the GDPR's opt-in approach), every website must display a clearly visible link reading specifically "Do Not Sell My Personal Information", giving visitors an easy path to opt out.

The presence of that link can itself raise concerns in users' minds about a company's data practices. From a practical standpoint, the most straightforward way to avoid the reputational friction associated with that disclosure is to not sell customer data in the first place.

Why the CCPA Matters Beyond California

At first glance, a state-level regulation might seem like a regional compliance concern. But context matters. California is home to nearly 40 million residents — roughly 12% of the US population. That's a larger population than Canada, and not something any company with a meaningful US presence can realistically ignore.

By GDP, California would rank as the fifth largest economy in the world, comparable to the United Kingdom. Any brand operating at scale in the US is effectively operating in California, and the CCPA applies accordingly.

The US Congress had previously introduced online privacy legislation in 2011 and again in 2015; neither bill passed. The landscape shifted considerably in subsequent years, driven by high-profile incidents — including the Cambridge Analytica scandal involving Facebook and controversies surrounding Huawei — alongside the introduction of the GDPR in Europe. These events created the political conditions for the CCPA to move forward where earlier bills had not.

For AdTech and MarTech businesses already operating in compliance with the GDPR, the CCPA adds relatively modest incremental requirements. The underlying principles — transparency, data minimization, user rights, and accountability — are consistent across both frameworks. Companies that have done the work for GDPR compliance are well-positioned to extend that work to meet CCPA obligations.