California Consumer Privacy Act (CCPA)


The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. 

To read more about the CCPA please visit California Legislative Information.

AWS offers best practices and resources, including two whitepapers — Using AWS in the Context of Common Privacy & Data Protection Considerations and Preparing for the California Consumer Privacy Act. We have service capabilities that may help enable customer compliance, such as deletion, encryption, and monitoring of processing on our AWS Service Capabilities page.

For information on how AWS collects and uses customer personal information, please visit our Privacy Notice, and our Data Privacy FAQ.

  • The California Consumer Privacy Act (CCPA) is a bill passed by the California State Legislature and signed into law on June 28, 2018, and amended on September 23, 2018. The CCPA seeks to ensure California consumers the following rights:

    • The right of Californians to know what personal information is being collected about them.
    • The right of Californians to know whether their personal information is sold or disclosed and to whom.
    • The right of Californians to say no to the sale of personal information.
    • The right of Californians to access their personal information.
    • The right of Californians to equal service and price, even if they exercise their privacy rights.
  • The CCPA defines a business as a for-profit entity that collects consumer personal data. A business in the state of California that meets at least one of the following thresholds may be subject to compliance:

    • Businesses that earn $25,000,000 or more a year in revenue
    • Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
    • Business that derive 50% or more of its annual revenue from selling consumer personal information

    Consult your legal team if you think the CCPA may apply to you.

  • Although AWS designs services to be used by customers globally to securely process data, including personal data, under a wide variety of data protection regimes (see our Data Privacy page), we cannot provide advice to customers about their compliance with legal requirements and recommend that customers consult their own legal counsel on how best to approach compliance.

  • Under the AWS Shared Responsibility Model, customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.

    When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

    • Security measures that AWS implements and operates - "security of the cloud", and
    • Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"