California Consumer Privacy Act (CCPA)

The CCPA is a California state law giving consumers four rights over their personal data: access, deletion, opt-out of sale or sharing, and non-discrimination. It binds businesses meeting one of three tests: $25M annual revenue, data on 100,000+ California consumers, or 50%+ of revenue from selling personal data. The 2023 CPRA amendment added a regulator (the California Privacy Protection Agency) and a sensitive-personal-information category.
Reviewed by 7wData

Why it matters

For AI, any consumer data flowing into training sets, embeddings, or automated decisions tied to California consumers triggers CCPA obligations. Most US-based AI products treat CCPA as the de facto baseline because it is the strictest state law actually being enforced, with fines and consent decrees on the public record. Other states have followed (Colorado, Virginia, Texas, and more), but CCPA still sets the bar. If a US AI vendor claims “state privacy compliant” without naming CCPA, I read that as a tell.

Where you’ll encounter it

Three contexts. A California customer submits a “do not sell or share my personal information” request and the AI pipeline has to honour it end to end, embeddings and retraining included. A vendor risk review asks how deletion propagates; “we retrained without the record” is not “the model forgot.” A privacy notice update is required when sensitive personal information (geolocation, biometrics, health, race, sexual orientation) enters the training set, often by accident through enriched features. The pitfall: teams treat CCPA’s right to delete as GDPR’s right to erasure. Carve-outs and verification differ. Map them side by side.

Part of the 7wData AI Glossary.