Definition

The California Consumer Privacy Act (CCPA), effective January 1, 2020, and substantially amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, is the most comprehensive state-level privacy law in the United States. It applies to for-profit businesses that collect personal information from California residents and meet one of three thresholds: annual gross revenue exceeding $25 million, buying or selling personal information of 100,000 or more consumers or households, or deriving 50% or more of revenue from selling or sharing personal information.

The CCPA grants California residents four foundational rights: the right to know what personal information is collected and how it is used; the right to delete personal information held by businesses; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising these rights. The CPRA amendments added the right to correction and the right to limit the use of sensitive personal information, and established the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.

Why It Matters

California’s GDP exceeds $4 trillion, making it the fifth-largest economy in the world if counted as a sovereign nation. Any business with a meaningful US consumer base almost certainly falls under CCPA jurisdiction. The California Attorney General’s office reported receiving over 300 consumer complaints per month under CCPA by late 2024, and the CPPA launched its first enforcement actions in 2024 with fines up to $7,500 per intentional violation per consumer.

The CCPA’s influence extends far beyond California. By 2025, 16 US states had enacted comprehensive consumer privacy laws modeled on CCPA principles—including Colorado, Connecticut, Virginia, Texas, and Oregon. CCPA effectively functions as a national standard by commercial gravity: businesses find it simpler to apply California-grade protections uniformly than to maintain 50 different compliance frameworks.

For AI applications, CCPA creates specific obligations around automated decision-making. The CPRA regulations require businesses to disclose when personal information is used for automated profiling and grant consumers the right to opt out of such profiling when it produces legally significant effects.

How It Works

CCPA operates through a notice-and-rights framework:

  1. Disclosure requirements: Businesses must provide a “notice at collection” detailing categories of personal information collected, purposes, and whether information is sold or shared.

  2. Consumer requests: Consumers submit verifiable requests to exercise their rights. Businesses must respond within 45 days (extendable to 90). Deletion requests must be forwarded to service providers.

  3. Opt-out mechanisms: Businesses selling personal information must provide a “Do Not Sell or Share” link. The Global Privacy Control (GPC) browser signal must be honored.

  4. Service provider contracts: Businesses must contractually restrict service providers from using personal information beyond the stated business purpose.

  5. Enforcement: The CPPA imposes administrative fines. Consumers have a private right of action for breaches involving unencrypted personal information, with statutory damages of $100 to $750 per consumer per incident.

Stealth Cloud Relevance

Stealth Cloud approaches CCPA compliance through architectural elimination of the regulated activity. The CCPA regulates the collection, retention, sale, and sharing of personal information. Stealth Cloud’s PII stripping engine ensures personal information is removed client-side before processing. The zero-persistence architecture ensures nothing is retained. Cryptographic shredding ensures nothing survives session termination.

The right to deletion becomes moot when there is nothing to delete. The right to opt out of sale becomes moot when there is nothing to sell. The right to know what is collected becomes trivially satisfiable when the answer is provably “nothing.”

This is the structural advantage of privacy-by-design architecture over compliance-by-policy. Traditional SaaS platforms must build deletion pipelines, opt-out mechanisms, data inventories, and consumer request portals. Stealth Cloud achieves the same legal outcomes by never creating the regulated data in the first place—an approach that scales across GDPR, CCPA, FADP, and every other data protection regime simultaneously.

The Stealth Cloud Perspective

CCPA builds an elaborate legal framework to govern data collection and retention. Stealth Cloud renders the entire framework inapplicable—not by ignoring it, but by ensuring there is no personal information to collect, retain, sell, or share. The most elegant compliance is the absence of the regulated activity.