California Consumer Privacy Act (CCPA)



The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. 

To read more about the CCPA, please visit California Legislative Information.

AWS offers best practices and resources, including two whitepapers: Using AWS in the Context of Common Privacy & Data Protection Considerations and Preparing for the California Consumer Privacy Act. Service capabilities that may help enable customer compliance, such as deletion, encryption, and monitoring of processing, are described on our AWS Service Capabilities page.

For information on how AWS collects and uses customer personal information, please visit our Privacy Notice, and our Data Privacy FAQ.

As CCPA takes effect, we will use this page to keep you updated on partners and services that can help you design for specific privacy requirements.

  • AWS is not in a position to provide customers with legal advice on their requirements under CCPA, and suggests that customers consult their legal counsel on how best to prepare for CCPA's implementation and enforcement.

  • What is the customer's role in securing their content?

    Under the AWS Shared Responsibility Model, customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.

    When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

    • Security measures that AWS implements and operates - "security of the cloud", and
    • Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"