California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a first of its kind in U.S. state law. Comparable in some ways to the GDPR, this regulation will require organizations to reexamine the ways data is collected, used, and protected.

Jump to:    Resources     Solutions

CCPA Home Page Banner

Common Questions for CCPA Breach Notification Compliance:

Does the CCPA apply to my business?

The CCPA applies to for-profit entities that: (1) collect consumer personal information, (2) do business in California, and (3) meet any one of the following criteria:

  • Does the company have gross revenue greater than $25 million?

  • Does the company buy, receive, sell, or share the personal information of 50,000 or more consumers, households or devices on an annual basis?

  • Does the company receive 50% or more of its annual revenue from selling consumer personal information? 

What does it mean to "do business in California" under the CCPA?

Assuming that a company (1) collects consumer personal information and (2) meets one or more of these three criteria,  doing business in California means much more than being physically located in California.

For example, it includes companies that maintain mailing lists that include California residents, companies that collect online user information, companies that ship goods into California, and companies that provide services to California residents. 

What data is regulated under the CCPA?

Under the CCPA, the definition of Personal Information is relatively broad, as it includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including name, email, biometric information, geolocation data, household data, and IP address.

What are notification exemptions under the CCPA?

The CCPA does not exempt certain entities, such as HIPAA or GLBA regulated entities.

However, it does exempt specific data collected in certain contexts by those entities. For example, the CCPA does not apply to Personal Health Information as defined by HIPAA, but it does apply to data collected by a HIPAA regulated entity that does not fall within that definition.  Similarly, the CCPA does not apply to Personal Information collected by financial services companies pursuant to the GLBA, but it does apply to other information collected by those entities, such as information collected via marketing promotions.

As a result, if you are a HIPAA or GLBA regulated entity, it is incredibly important to understand the context in which the data is collected.

Does the private right of action apply to a breach of any data regulated under CCPA?

Private right of action applies to a breach of data regulated under the general data breach notification law, not for the expanded data regulated under CCPA. It is critical that your organization have a clear understanding of what data elements are regulated under which laws to avoid over or under reporting. While every incident comes with a presumption of breach, not every incident should trigger breach notification obligations. Only a consistent, defensible multi-factor incident risk assessment can help you avoid over-reporting.

In fact, Radar benchmarking data indicates less than 6% of the incidents impacting California residents in the past 2.5 years have triggered notification with best practices in privacy incident response.

Do CCPA breaches always impact your obligations under California’s general data breach notification law?

Breaches under CCPA do not necessarily affect the breach notification obligations under California law. 

You can have a violation of the CCPA that does not trigger breach notification under the breach notification law. Two example cases worth considering: 

  • Geolocation and IP Address 
  • Paper data

Radar and CCPA

A proactive approach to mitigate risk and remain compliant

Leverage the depth of the Radar platform to comply with the CCPA and meet regulatory requirements for breach notification in the state of California and beyond. 


Know the Law

Stay ahead of changing privacy regulations through continuous monitoring of legislative updates


Practice, Practice, Practice

Perform regular simulations and table-top exercises to better understand your company’s risk and identify areas for improvement within your privacy and incident response programs


Understand Your Data

Analyze your data inventories and determine what data is subject to the CCPA (or other applicable laws, see below) at the data flow and data element level

Track and Improve

Document and Improve

Track your privacy incidents and notifications over time, capturing enough data to establish benchmarks, run trends analysis, and report on key metrics


Want to see more?

See How it Works

Additional CCPA Resources

As CCPA Effective Date Looms, Questions Remain

Highlighting areas privacy team should consider as they operationalize their privacy program more generally, and prepare for compliance with CCPA specifically.

Benchmarking Data and CCPA: Data Points to the Risk of Over-Reporting Under Emerging Regulations

Learn how to establish strong reporting and benchmarking within your incident response program in preparation for CCPA.

Beyond California: The Influence of CCPA on Changing U.S. State Privacy Laws

Discover best practices for building compliance with the CCPA and learn how it compares to other states with CCPA-like regulations such as Nevada, New York, Hawaii and Massachusetts.

Home - Radar Laptop-01-1

Meet Breach Notification Requirements in California & Beyond

Organizations subject to the CCPA are also likely to find themselves subject to the state’s existing breach notification regulations, including the California general breach notification law, sector-specific federal (HIPAA & GLBA) and state (California Health and Safety Code, Department of Insurance) regulations.

See How it Works