CCPA and CPRA: California Privacy Compliance
Navigate California's Consumer Privacy Act and Privacy Rights Act. Understand consumer rights, business obligations, and required policies for handling California residents' data.
The US's most important privacy law
If GDPR is Europe's landmark privacy regulation, CCPA/CPRA is America's.
The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), gives California residents unprecedented rights over their personal information. And because California is the world's fifth-largest economy—and home to much of the tech industry—these laws effectively set the privacy standard for the entire United States.
If your business collects personal information from California residents, you need to understand these laws. Violations can result in penalties up to $7,500 per intentional violation—and in a data breach involving thousands of records, that adds up fast.
CCPA vs. CPRA: What's the difference?
CCPA (California Consumer Privacy Act) went into effect January 1, 2020. It established foundational privacy rights for California consumers.
CPRA (California Privacy Rights Act) amended and expanded CCPA, with most provisions effective January 1, 2023. CPRA:
- Created new consumer rights
- Expanded the definition of sensitive personal information
- Established the California Privacy Protection Agency (CPPA) for enforcement
- Added new obligations for businesses
When people refer to "CCPA" today, they usually mean CCPA as amended by CPRA. We'll use "CCPA/CPRA" to refer to the combined requirements.
Does CCPA/CPRA apply to your business?
CCPA/CPRA applies to for-profit businesses that collect personal information from California residents AND meet any of these thresholds:
- Annual gross revenue exceeds $25 million, OR
- Data volume: Buy, sell, or share personal information of 100,000+ California residents/households annually, OR
- Revenue from data: Derive 50%+ of annual revenue from selling/sharing personal information
Key points
California residents, not California businesses: It doesn't matter where your business is located. If you collect data from Californians, the law may apply.
Personal information is broad: Names, email addresses, browsing history, purchase history, device identifiers, geolocation—all potentially covered.
The 100,000 threshold is lower than you think: Website visitors count. If you have a moderately popular website with California traffic, you may hit this threshold.
Who's exempt?
- Nonprofits (though this may change)
- Government agencies
- Businesses below all three thresholds
- Information covered by certain other laws (HIPAA, GLBA, FCRA)
Consumer rights under CCPA/CPRA
California residents have significant rights over their personal information:
Right to know
Consumers can request:
- What personal information you've collected
- Where it came from
- Why it was collected
- Who it was shared with
- What you do with it
You must respond within 45 days (extendable to 90 in some cases).
Right to delete
Consumers can request deletion of their personal information. You must:
- Delete the data
- Direct service providers to delete it
- Notify third parties who received it
Some exemptions apply (legal obligations, security, internal uses).
Right to correct
Added by CPRA. Consumers can request correction of inaccurate personal information.
Right to opt out of sale/sharing
Consumers can tell you to stop selling or sharing their personal information. This includes:
- Traditional data sales
- Sharing for cross-context behavioral advertising
- Third-party cookies that track users across sites
You must provide a "Do Not Sell or Share My Personal Information" link.
Right to limit use of sensitive information
CPRA added the concept of "sensitive personal information":
- Social Security numbers
- Financial account details
- Precise geolocation
- Racial/ethnic origin
- Religious beliefs
- Contents of communications
- Genetic/biometric data
- Health information
- Sex life/orientation
Consumers can limit use of sensitive PI to what's necessary for providing requested services.
Right to non-discrimination
You can't penalize consumers for exercising their rights:
- No service denial
- No different prices
- No different quality
Right to data portability
Consumers can request their data in a portable, usable format.
What CCPA/CPRA requires from businesses
Privacy policy requirements
Your privacy policy must disclose:
- Categories of personal information collected
- Sources of information
- Purposes for collection/use
- How consumers can exercise their rights
- Categories of third parties information is shared with
- Categories of information sold/shared (if applicable)
- Retention periods for each category
The privacy policy must be updated at least annually.
Collection notices
At or before collecting personal information, you must inform consumers:
- What categories you're collecting
- Why you're collecting it
- Whether it's sold or shared
- How long you'll keep it
Consumer request handling
You must:
- Provide at least two methods to submit requests (e.g., web form, email, toll-free number)
- Verify consumer identity before responding
- Respond within 45 days (90 with extension)
- Provide information free of charge
- Train personnel who handle requests
Opt-out mechanisms
If you sell or share personal information:
- Provide a "Do Not Sell or Share My Personal Information" link
- Honor Global Privacy Control (GPC) signals
- Process opt-outs within 15 days
Contracts with service providers
You need written contracts with service providers that:
- Define the purpose of data sharing
- Prohibit further use beyond the contract
- Require compliance with CCPA/CPRA
- Allow you to ensure compliance
Security requirements
You must implement reasonable security measures. CCPA provides a private right of action for breaches of unencrypted/unredacted personal information resulting from failure to implement reasonable security.
CCPA vs. GDPR: Key differences
If you're already GDPR compliant, you're partway to CCPA compliance—but there are important differences:
| Aspect | CCPA/CPRA | GDPR |
|---|---|---|
| Applies to | For-profit businesses meeting thresholds | Any organization processing EU data |
| Legal basis for processing | Not required (opt-out model) | Required (opt-in model) |
| Consent | Opt-out of sale/sharing | Opt-in for most processing |
| Private right of action | Yes (for data breaches) | No (enforcement by authorities) |
| Penalties | $2,500–$7,500 per violation | Up to €20M or 4% global revenue |
| Data portability | Yes | Yes |
| Right to delete | Yes (with exemptions) | Yes (with exemptions) |
| Security requirements | Reasonable measures | Appropriate measures |
Key takeaway: GDPR is opt-in; CCPA is opt-out. Both give consumers significant rights, but the default position differs.
See: GDPR Compliance
Building a CCPA/CPRA compliance program
Here's how to approach compliance:
Step 1: Data mapping
Understand what personal information you collect:
- What categories of PI do you collect?
- Where does it come from?
- Where is it stored?
- Who has access?
- Who do you share it with?
- How long do you keep it?
You cannot comply with consumer requests if you don't know where data lives.
Step 2: Update your privacy policy
Your privacy policy must include all required disclosures:
- Categories collected and sources
- Purposes for collection
- Consumer rights and how to exercise them
- Sharing and selling practices
- Retention periods
- Contact information
Review and update annually (at minimum).
Step 3: Implement consumer rights mechanisms
Set up processes to handle:
- Access requests (provide data within 45 days)
- Deletion requests (delete and confirm)
- Correction requests (investigate and correct)
- Opt-out requests (stop selling/sharing)
Create intake methods (web forms, email addresses), verification procedures, and tracking systems.
Step 4: Configure opt-out mechanisms
If you sell or share personal information:
- Add "Do Not Sell or Share My Personal Information" link
- Implement Global Privacy Control (GPC) signal recognition
- Update third-party tracking accordingly
- Train your advertising/marketing team
Step 5: Review vendor contracts
Ensure contracts with service providers include required provisions:
- Limitation of use
- Confidentiality obligations
- CCPA compliance commitments
- Audit rights
Step 6: Implement security measures
CCPA's private right of action applies to breaches of unencrypted data due to inadequate security. At minimum:
- Encrypt personal information
- Implement access controls
- Monitor for unauthorized access
- Maintain incident response capability
Step 7: Train your team
Employees who handle consumer requests need training on:
- What CCPA/CPRA requires
- How to process different request types
- Verification procedures
- Response timelines
Common CCPA/CPRA compliance gaps
Gap 1: No data inventory
You can't respond to "what data do you have about me?" if you don't know where data is. Many businesses lack comprehensive data mapping.
Gap 2: Inadequate privacy policy
Privacy policies often:
- Don't include all required disclosures
- Haven't been updated for CPRA changes
- Don't reflect actual practices
- Are written in impenetrable legalese
Gap 3: No consumer request process
Having a "contact us" email isn't enough. You need:
- Defined intake methods
- Verification procedures
- Response workflows
- Timeline tracking
- Documentation
Gap 4: Ignoring GPC signals
Global Privacy Control is a browser signal that consumers can enable. CCPA requires you to honor it—but many businesses haven't implemented detection and response.
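The opt-out mechanism above (and the "Honor Global Privacy Control (GPC) signals" items under Opt-out mechanisms and Step 4) comes down to recognising one request header. The following is an added example, not code from the original page or from CyberPolicify: it detects the `Sec-GPC: 1` header as the GPC specification defines it, serves the `/.well-known/gpc.json` support document, and audits constructed log lines for requests where the signal was present but tracking tags still fired. The stored-preference values, the log format and its `trackers` field are assumptions made for the example.

```javascript
// Added example (not from the page): server-side handling of the Global
// Privacy Control signal, plus a log audit that flags requests where the
// signal was present but tracking tags still fired. Log format, preference
// values and the "trackers" field are constructed assumptions.

// True only for the exact spec value "Sec-GPC: 1"; the header name is matched
// case-insensitively because proxies and frameworks normalise it differently.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Decide whether sale/sharing tags may load for this request. In this example
// a GPC signal is treated as an opt-out even if a stored preference says
// "opt-in"; the stored value is only consulted when no signal is present.
function resolveSaleSharing(headers, storedPreference) {
  if (hasGpcSignal(headers)) return { allow: false, source: "gpc" };
  if (storedPreference === "opt-out") return { allow: false, source: "stored" };
  return { allow: true, source: "default" };
}

// Body served at /.well-known/gpc.json to announce that the site honors GPC.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed access-log lines: timestamp, path, gpc flag, and the number of
// third-party tracking tags the page actually loaded for that request.
const sampleLog = [
  "2024-03-01T10:00:00Z GET /pricing gpc=1 trackers=0",
  "2024-03-01T10:00:05Z GET /blog gpc=1 trackers=2",
  "2024-03-01T10:00:09Z GET /blog gpc=0 trackers=2",
  "2024-03-01T10:00:12Z GET /home gpc=1 trackers=1",
];

// Return the paths of requests where GPC was set but trackers still fired:
// the detection check to run against real logs after deploying the opt-out.
function auditGpcViolations(lines) {
  const re = /^(\S+) GET (\S+) gpc=(\d) trackers=(\d+)$/;
  const violations = [];
  for (const line of lines) {
    const m = re.exec(line);
    if (!m) continue; // skip malformed lines rather than guessing
    if (m[3] === "1" && Number(m[4]) > 0) violations.push(m[2]);
  }
  return violations;
}
```

Running `auditGpcViolations(sampleLog)` on the constructed log returns `["/blog", "/home"]`, the two pages that ignored the signal.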
Gap 5: Inadequate vendor management
Service provider contracts often lack required CCPA provisions, or businesses haven't verified vendor compliance.
Gap 6: No retention schedules
CPRA requires disclosure of retention periods. Many businesses have never defined how long they keep different categories of data.
Frequently asked questions
What's the penalty for non-compliance?
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
- Private lawsuits for data breaches: $100–$750 per consumer per incident (or actual damages)
In a breach affecting 100,000 California residents, that's potentially $7.5M–$75M in statutory damages.
Do I need consent to collect data?
No—that's a GDPR requirement. CCPA follows an opt-out model. You can collect and use data for disclosed purposes, but must honor opt-outs.
What counts as "selling" data?
Broadly defined: any exchange of personal information for money or "other valuable consideration." This can include:
- Traditional data sales
- Sharing with ad networks for targeted advertising
- Data exchanges with partners
If value changes hands and data changes hands, it may be a "sale."
Does CCPA apply to B2B data?
Yes, as of January 2023. Employee and B2B contact information no longer has exemptions. If you collect business cards from California contacts, CCPA applies.
How do I verify consumer identity?
Verification must be "reasonable." Common approaches:
- Verify through existing account authentication
- Match information against what you already have
- Use third-party verification services
- Adjust verification rigor to data sensitivity
Is there a small business exemption?
Only if you don't meet any of the three thresholds. If you have significant California web traffic, you may meet the 100,000 records threshold even as a small business.
Where CyberPolicify fits
Privacy compliance requires clear policies, documented processes, and ongoing management. CyberPolicify helps:
Privacy policy generation
Generate CCPA/CPRA-compliant privacy policies tailored to your actual data practices—not generic templates that may not reflect your business.
Consumer rights documentation
Create procedures for handling access, deletion, correction, and opt-out requests—with workflows that meet response timelines.
Data inventory support
Document your data categories, sources, uses, and sharing practices in formats that support compliance.
Cross-framework alignment
If you're also targeting GDPR, SOC 2, or other frameworks, see how privacy controls overlap and build an efficient compliance program.
Ongoing maintenance
Privacy requirements evolve. State laws expand. Your practices change. CyberPolicify helps you keep documentation current as your business grows.
California set the standard for US privacy law. More states are following. Get your privacy program right now—before the regulatory landscape gets more complex.
Generate documentation mapped to frameworks
Start with policies and procedures aligned to the framework, then close gaps with a clear plan.