The California Consumer Privacy Act (CCPA), which became law in January 2020 and is to be enforced from 1 July, is a further example of the global homogenisation of data protection law along a European model, exemplified by the General Data Protection Regulation (GDPR) (and the Council of Europe Convention 108+).
CCPA is, in many key respects, similar to GDPR, and companies that comply with the latter should generally find compliance with the former relatively familiar and straightforward. It is worth noting some of the areas of divergence, though.
Perhaps the fundamental difference is that CCPA only applies to the personal data (or “personal information”) of California residents (unlike GDPR, which in many cases has wide effect beyond European borders), and only applies to businesses with gross revenues of more than $25m (or those dealing in or sharing large volumes of consumer data – 50,000 consumers or more – or those who have more than 50% of their revenue deriving from the sale of personal information).
CCPA lacks some of the rights conferred by GDPR on individuals, such as the rights to object to processing, or to rectification, or to the restriction of processing. It does, however, confer an express right to opt out of having one's data sold, and an obligation on a business to provide a "Do Not Sell My Personal Information" link on its internet homepage (a similar obligation can only be inferred from GDPR).