The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information
that is collected by businesses. The law protects the personal data of "residents" of California—either by living in California or temporarily outside the state—collected by any company that does business in California for
profit. CCPA applies to any business that (1) has annual gross revenue of more than 25 million, (2) buys, receives, sells, or shares the personal information of 50,000+ "residents," or (3) derives more than 50 percent of their annual revenue
from the sale of personal data. Personal data subject to the Health Insurance Portability and Accountability Act (HIPAA) and certain other laws are exempted from the CCPA, but data subject to the Family Educational Rights and Privacy Act
(FERPA) are not included in those exemptions.
In November 2020, California voters approved Proposition 24, a ballot measure that creates the California
Privacy Rights Act (CPRA). The CPRA modifies the CCPA, creating new and expanded rights for California residents and new compliance obligations for businesses. The CPRA applies to any for-profit entity that does business in California,
collects and uses the personal information of Californians, and either (1) has annual gross revenues of at least $25 million in the preceding calendar year, (2) buys, sells, or shares the personal information of at least 100,000 California
residents or households, or (3) derives at least 50 percent of its revenue from selling or sharing personal information. The CPRA takes effective on January 1, 2023, and enforcement begins on July 1, 2023.