Brennan Gamwell

Document Type

Blog Post

Publication Date



The California Consumer Privacy Act (CCPA) has been touted as a “landmark” and one of the “strictest digital privacy laws in the United States.” Californians for Consumer Privacy first sponsored the CCPA in 2018 as a ballot initiative. Soon after, the CCPA was introduced into the California Assembly as AB 375 and signed into law later that same year. The CCPA went into effect on January 1, 2020, granting California residents rights regarding their personal information collected and sold by businesses.

Privacy protections for California consumers will become even stronger once the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023. The CPRA is an amendment to the CCPA that will expand the definition “businesses” subject to the law and introduce a new classification of protectable, personal information, among other changes.

In spite of being hailed as a “landmark” and for its “strict” protections, CCPA’s limitations render it far less protective of individuals’ privacy and therefore dramatically less effective than its European counterpart, the General Data Protection Regulation (GDPR). Notably, rights granted under CCPA apply only to consumers against businesses, a narrow band of for-profit entities that excludes many small and medium-sized businesses, non-profits, universities, government agencies, and health institutions. Unlike CCPA, the General Data Protection Regulation applies generally, as the name suggests, which includes the very types of entities excluded by the CCPA.