north america
California
California's CCPA, as amended by the CPRA, is the leading US state comprehensive privacy law.
Editorial caveat
Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.
Breach
- Breach deadline (hours)
- Immediate / without undue delay
- Breach notification required
- Yes
Marketing
- Cookie consent rule
- No blanket cookie consent rule, but sharing and sale opt-out signals matter.
Transfers
- Cross-border transfer restricted
- No
- Data localization required
- No
Governance
- DPO required
- No
- Impact assessment required
- Yes
- Records of processing required
- No
Identity
- Effective date
- 2023-01-01
- Effective status
- in-force
- Last amended
- 2023-03-29
- Law status
- active
Scope
- Extraterritorial application
- Yes
- Private sector coverage
- Yes
- Public sector coverage
- No
- Territorial scope
- Applies to covered businesses doing business in California and meeting statutory thresholds.
Legal Basis
- Legal bases
- Requires legal basis
- No
Enforcement
- Maximum fine
- Agency enforcement up to $2,500 per violation or $7,500 for intentional or children's-data violations.
- Private right of action
- Yes
Definitions
- Personal data definition
- Information that identifies, relates to, describes, or could reasonably be linked with a consumer or household.
- Sensitive data recognized
- Yes
Rights
- Right of access
- Yes
- Right to appeal
- No
- Right to deletion
- Yes
- Right to object
- Yes
- Right to portability
- Yes
Official sources
- California legislative informationofficial-law • en • html
- California Privacy Protection Agency regulationsofficial-regulator • en • html