California Consumer Privacy Act (CCPA)



The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. 

To read more about the CCPA please visit California Legislative Information.

AWS offers best practices and resources, including two whitepapers — Using AWS in the Context of Common Privacy & Data Protection Considerations and Preparing for the California Consumer Privacy Act. We have service capabilities that may help enable customer compliance, such as deletion, encryption, and monitoring of processing on our AWS Service Capabilities page.

For information on how AWS collects and uses customer personal information, please visit our Privacy Notice, and our Data Privacy FAQ.

  • As a customer, how do I comply with CCPA?

    Although AWS designs services to be used by customers globally to securely process data, including personal data, under a wide variety of data protection regimes (see our Data Privacy page), we cannot provide advice to customers about their compliance with legal requirements and recommend that customers consult their own legal counsel on how best to approach compliance.

  • What is the customer's role in securing their content?

    Under the AWS Shared Responsibility Model, customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.

    When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

    • Security measures that AWS implements and operates - "security of the cloud", and
    • Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"