Do You Prospect in California? Here’s the Newest Privacy Act Recap

California Consumer Privacy Act goes into effect on January 1, 2020. Since major tech companies are based in California, the law may set standards in the whole US.

Let’s take a closer look at the requirements of the new law and how it differs from GDPR.

What’s the California Consumer Privacy Act?

The California Consumer Privacy Act, CCPA for short, was approved by California’s State Governor back in 2018. It regulates the ways personal information is being used in a transactional sense, that is when a business makes a profit on consumer’s data.

What’s more, it seems that it concerns the one-time use of personal information, unlike GDPR which controls data processing.

Watch the Woodpecker Webinar about GDPR Basics >>

Who does the California privacy law concern?

The law gives Californians greater insight and control over the ways their personal information is used by businesses. That sounds a bit like GDPR, which regulates personal data processing.

However, businesses should meet a couple of requirements in order to be affected by CCPA.

  • They should operate for-profit
  • Their annual gross revenues should be more than $25 million
  • They process data of 50 thousand or more consumers, household, or devices
  • They have to derive at least 50% of their annual revenues from the sale of personal information

The CCPA applies not only to businesses that are located in California but also to those that are located outside of California and collect data on residents living in California for example, for lead generation or marketing purposes.

What is personal information?

The CCPA protects natural persons. It understands personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The law goes beyond the standard information that identifies a specific person, but also includes a kind of info that points to a person. Information that may be implied based on Social Security number, IP addresses or geolocation data is also seen as personal information.

GDPR, on the other hand, defines personal data as any piece of personal data based on which you can identify a person.

A quick side note: Woodpecker is compliant both with GDPR and CCPA.

What’s the main difference between GDPR and the California privacy law?

GDPR puts limits on the timespan when you can process the data. It also identifies consent-based grounds for using the data.

Watch the part of our webinar when we discuss the storage limitation under GDPR >>

The CCPA grants California residents a set of rights with which they can exercise greater control over the use of their personal information.

What are the rights coming from the California privacy law?

The California Consumer Privacy Act allows consumers a few important rights to protect their privacy.

Right to be informed

California consumers have a right to know what information, or a category of information, a business is collecting about them. Similarly, they may request that a company shares the sources from which that info is collected and the purpose of collecting and selling the information. And they have a right to know who they are sharing the information with.

Businesses are required to tell a consumer what information they are collecting and why they do that right after a consumer makes the request (the request needs to be verifiable). The same consumer can ask for information no more than two times a year.

Companies have 45 days to provide the information that a consumer asks them for. The period may be extended to 90 days if there’s a sound reason for the delay. It can be extended only if the consumer was informed about that during those 45 days.

Right to request information erasure

Californians have a right to request that a company deletes their information. Businesses cannot discriminate against the residents who made such a request.

However, that doesn’t apply in situations when the personal information is necessary to provide a service, as in the internal communication between the service and a client. The same goes for protecting the human rights of a person, like freedom of speech or freedom of personal security.

Nevertheless, it’s not the same as the right to be forgotten stated in GDPR.

Right to object to the sale of personal information

The CCPA gives people the right to ask a company to stop selling their personal information. Businesses are required to respect that request and cannot treat such consumers differently.

Selling personal information about children younger than 16 is prohibited.

Back to you

CCPA is a big step towards the personal data safety of California citizens. Just like GDPR is for EU citizens. Depending on who your target prospects are, you should make sure that you comply with the applicable regulation.

If you want to know more about running a lawful cold email campaign, check out this blog post:

Quick Legal Guide to Email Outreach: 6 rules to follow>>


This blog post was written in cooperation with Margaret Sikora, Data Protection Officer at