As a marketer, consumer data protection and privacy should be a priority. On May 25th, 2018, GDPR (General Data Protection Regulation) came into effect. On January 1st, 2020, another similar law took place known as CCPA (California Consumer Privacy Act) whose main role is to protect all data and personal information related to an individual.

The difference is that this law allows users a deeper access to their data, according to Subra Ramesh, SVP of products at Dataguise, an industry-leading data privacy compliance software.

Who will be protected by CCPA regulations?

CCPA is applicable to all residents living in California, as well as Californians traveling outside the state.

This law permits Californians to have access, delete or withdraw from the sale of their data. Consumers are given the right to ask for all data that the company has gathered about them over the last 12 months.

It applies to people consuming products and services, employees and business-to-business transactions.

What businesses should conform to CCPA?

All for-profit organizations operating inside California and are in charge of processing consumers data should comply with the law.

Organizations should conform to CCPA if they meet ANY of the following thresholds:

  • Businesses earning greater than $25 million in gross revenue per year.
  • Companies holding the personal information of over 100000 data entries from households, users and devices.
  • Organizations generating more than 50% of their annual sales from selling Californians personal information.

CCPA doesn’t apply to a non-profit business, unless it’s operated, owned by a for-profit company or shares branding with it.

What penalties might result from not complying with CCPA?

Companies have a 30-day period to comply with CCPA after they are informed by regulators that they have violated the act.

If organizations fail to handle this, they will be subject to a penalty fee of $2500 for each unintentional violation and $7500 if it’s intentional.

Besides, consumers have the right to fire lawsuits against businesses if they notice that the option to opt-out of information sharing or personal data selling is missing at the footer of their privacy policy page or website homepage, or if they can’t find out how the company has gathered their personal data and failed to provide them with a proof. Personal data includes name, address, email, IP address, drivers license, passport number, social security number, biometric information, geolocation data, education information, etc…

If California Attorney General executes legal procedures toward that organization, it would cost the business a lot of money.

In which cases organizations can be exempted from deleting consumer’s data?

As mentioned, and upon the consumer’s request for data removal, the company should delete all their personal information but there are certain exceptions that create a necessity for entities to keep these information particularly when they need to conduct a business transaction, security or fraud-prevention reasons or any other cause stated in the Act.

How can I get prepared for CCPA?

CCPA is similar to GDPR but there’s a lot of overlap between the two. According to Andy Dale, general counsel and VP of global privacy at SessionM, there are some conflicts when it comes to provisions and definitions.

The major principle regarding the protection of consumers’ data and personal information is likely to remain consistent but the thing is the potential adjustments that might be conducted by the California Legislature.

At VBOUT, we provide you with all the following tools you need in order to properly comply with CCPA:

  • Data export to tell consumers what data we have collected on them.
  • The deletion of consumers’ personal information and data in case they request it.
  • Opt-in to the terms of service and privacy policy on all forms.

Ultimately, we will keep you informed with any CCPA amendments that may occur. You can subscribe to our blog in order to stay in touch with all our email releases.

The California Customer Rights Act (CPRA) - NEW

CPRA, known as California Privacy Rights Act, took effect on the 1st of January, 2023 and will become enforceable starting from the 1st of July.

This law doesn’t replace CCPA but tweaks some of their terms and regulations. According to and, there’s a new category about sensitive personal data, extended customer rights and additions of some GDPR regulations such as data minimization, and more certainty about advertising that utilizes personal information to profile and target California residents.

You can find the list of adjustments and new rules below:


  • Definition of personal information is clarified
  • The law is applicable when you buy, sell or share personal information of 100K California
    customers or have yearly sales greater than $25M
  • Additional notice requirements such as retention
  • Provides the right to correct personal information
  • “Sales” and “Sharing” are ruled
  • De-identification is simplified
  • Enforcement: New state agency and Attorney General
  • Reasonable security of all data

New Rules:

  • Limitations on utilization of “Sensitive Personal Information”
  • Data minimization requirement
  • “Dark patterns” forbidden
  • New rules on many hot-button subjects