Data protection 1, 2018

California Consumer Privacy Act (Assembly Bill No. 375)



California State Legislature


Privacy, Data protection, Data brokerage,


The California Consumer Privacy Act (CCPA) was signed into law on the 28th of June 2018 and came into effect on the 1st of January 2020, with a 6 months grace period before enforcement of the law begins. The CCPA is the most comprehensive privacy law in the United States and it grants California residents a range of new tools to protect their personal information online. These include
- the right to know what personal information is being collected about them;

- the right to access this information;

- the right to know whether this data is sold and to whom;

- the right to request that personal data be deleted, and to disallow its continued sale;

- the right to receive equal service at an equal price, even if a user decides to opt-out of the sale of their data.

The CCPA also includes special protections for minors, prohibiting companies to sell the data of anyone under age 16 without prior authorization by the minor or their parents. .

The CCPA’s definition of ‘selling data’ does not only include financial compensation in exchange for sharing data, but also the exchange of information between entities. .

According to the CCPA "personal information" comprises non-public information that directly or indirectly relates to, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. .

The law applies to for-profit organisations that collect consumer’s personal information, does business and California and either has an annual gross revenue in excess of $25 million or buys/receives/sells/shares the personal data of at least 50 000 consumers, households or devices, or derives 50% or more of its annual revenues from selling consumers' personal information.

The law also requires businesses to place a “clear and conspicuous” link “Do Not Sell My Personal Information” on their websites, to enable consumers to opt out of the sale of their personal information. Importantly, businesses cannot require consumers to create an account in order to request the cessation of the sale of their personal information.

In addition, at least two designated methods must be made available to consumers – including a toll-free telephone number - to allow consumers to submit data requests. Businesses must supply the requested information free of charge within 45 days.

The law prescribes fines of up to $7500 for each intentional violation and $2500 for each unintentional violation.

AI Governance

This database is an information resource about global governance activities related to artificial intelligence. It is designed as a tool to help researchers, innovators, and policymakers better understand how AI governance is developing around the world.

We're collecting more examples as we find them. If you'd like to add yours to this map, please suggest an entry.

Suggest an entry
  • Filter by:
  • Current filters:
256 entries are listed below
  • Sort by: