The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 — but tech companies started preparing as early as January 2019. CCPA compliance matters for tech companies because the law directly affects how software developers and data-driven businesses collect, use, and share personal information. This article breaks down what CCPA is, who it applies to, and what it means in practice.
- →What the California Consumer Privacy Act (CCPA) is and why it was passed
- →Which businesses must comply — and which are exempt
- →The three core pillars CCPA enforces: user control, transparency, and data security
- →How CCPA compares to GDPR — side by side
- →What the law means for tech companies specifically
Getting Acquainted with CCPA
The California Consumer Privacy Act — widely known as CCPA or AB 375 — forms part of California’s Consumer Privacy Legislation. Lawmakers passed it on June 28, 2018. Many describe the bill as the “GDPR of the United States” because it empowers consumers over their personal data. The law primarily affects tech companies in California, including high-profile names like Google and Facebook, both of which faced public scrutiny for data violations.
CCPA passed into California law on June 28, 2018 and took effect January 1, 2020. Compliance disclosures cover personal data activity dating back to January 1, 2019.
Why Should Your Business Be Concerned?
The law does not apply to every business. It primarily targets data companies and tech giants. Lawmakers made several amendments before the law fully took effect, but the core concept remains unchanged. CCPA compliance must be an ongoing activity — not a one-time fix.
The reason is straightforward: companies must disclose any sale of personal information for the previous 12 months from the start of the law. That means disclosures apply as far back as January 1, 2019.
“CCPA will serve as a benchmark that shapes privacy legislation going forward. With a strong wave of backlash following recent privacy scandals across many platforms, the law shows no signs of slowing down.”
Amendments may refine its scope, but they will not change CCPA’s core principles.
What Does CCPA Actually Affect?
Some describe CCPA as the softer version of GDPR. But it makes no compromises on demands or penalties. The law focuses on three key areas:
Consumers can opt out (or opt in) of having their data shared. They also have the right to request deletion of their data, recall it, and sue for damages if a company breaches the agreement. A pending amendment would also allow consumers to sue for privacy failures more broadly.
Users have the right to know exactly what data is collected and why. If a company sells or shares data, it must disclose the full details of that transaction — including any sales that occurred in the previous 12 months, even if the practice has since stopped.
Companies face fines and lawsuits for failing to protect personal information from hacks or misuse — including unauthorized internal access by employees without a legitimate business reason.
What Kind of Businesses Does CCPA Target?
The law applies to two main categories:
- Data brokers — companies that generate most of their revenue from selling personal information, or that process more than 50,000 records per year.
- Mid-to-large companies — companies with annual gross revenue above $25 million.
Most small businesses and the majority of tech startups fall outside this scope.
How Are GDPR and CCPA Different?
CCPA and GDPR both protect consumer privacy, but they take different approaches. Here’s a direct comparison:
| Dimension | CCPA | GDPR |
|---|---|---|
| Businesses covered | Mainly businesses involved in sharing or selling information, with some requirements around collection | All businesses that process personal information, regardless of whether they sell or share it |
| Consumer empowerment | Requires significant transparency about the collection, use, disclosure, and sale of personal information | Requires significant transparency about all processing of personal data |
| Consent model | Companies cannot sell personal information without consumer consent or explicit notice | Companies cannot use personal information without a valid legal basis (consent, legitimate interest, contract, vital interest, public interest, or legal obligation) |
| Opt-out vs. opt-in | If selling data, companies must give consumers the opportunity to opt out | Before any data exchange, companies must secure the consumer’s opt-in consent |
Conclusion
CCPA’s most significant contribution is a massive increase in data transparency around how companies collect and use personal information. Consumers now have the freedom to share their information in exchange for services — which means practices like requiring an email address before downloading a whitepaper are no longer obligatory.
More importantly, the law will likely spread well beyond California and reshape practices across the entire tech industry. If your business hasn’t started CCPA compliance initiatives, start now.
CCPA for Tech Companies: Key Takeaways
- ✓CCPA passed on June 28, 2018 and took effect January 1, 2020 — disclosures cover data activity back to January 2019
- ✓The law applies mainly to data brokers and companies with annual revenue above $25 million — most small businesses and startups are exempt
- ✓Three core pillars: user control (opt-out rights), transparency (full disclosure of data use), and data security (liability for breaches and misuse)
- ✓Unlike GDPR’s opt-in model, CCPA allows data use by default — consumers must actively opt out of data sales
- ✓The law will likely influence privacy legislation beyond California — early compliance is a strategic advantage
Frequently Asked Questions About CCPA
What does CCPA stand for?
CCPA stands for the California Consumer Privacy Act, also known as AB 375. It is part of California’s broader Consumer Privacy Legislation and is often compared to Europe’s GDPR.
When did CCPA take effect?
CCPA took effect on January 1, 2020. Because the law requires companies to disclose data activity from the previous 12 months, compliance obligations effectively applied to data collected from January 1, 2019 onward.
Does CCPA apply to my tech company?
CCPA applies if your company has annual gross revenue above $25 million, or if your business buys, sells, or receives personal information on more than 50,000 consumers per year. Most small businesses and startups fall below these thresholds.
What is the main difference between CCPA and GDPR?
The main difference lies in the consent model. GDPR requires companies to obtain explicit opt-in consent before processing personal data. CCPA uses an opt-out model — companies can use data by default, but must give consumers a clear way to opt out of data sales.
Can consumers sue companies under CCPA?
Yes. Consumers have the right to privately sue for damages if a company breaches the agreement around their personal data. A pending amendment would broaden the right to sue to cover additional privacy failures.
Related Articles
 Why Most MMM Programs Optimize Reports, Not Outcomes
|  5 Common Mistakes in Marketing Mix Modeling
|  Explore the MASS Analytics Blog
|
Ready to Make Your Data Work Smarter?
MASS Analytics helps marketing teams turn privacy-compliant data into clear, actionable insights through marketing mix modeling.