CCPA and CPRA Compliance Guide
The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), constitute the most comprehensive state-level privacy regulatory framework in the United States. These statutes establish enforceable consumer rights, impose operational requirements on covered businesses, and create the California Privacy Protection Agency (CPPA) as the nation's first dedicated state privacy enforcement authority. This page maps the structure, mechanics, classification boundaries, and compliance requirements of both laws as a reference for compliance professionals, legal teams, and researchers operating within this regulatory sector.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
Definition and Scope
The CCPA (Cal. Civ. Code §§ 1798.100–1798.199) took effect January 1, 2020, establishing baseline privacy rights for California residents. The CPRA, passed by California voters as Proposition 24 in November 2020 and effective January 1, 2023, amended and significantly expanded the CCPA. The CPRA created the CPPA (Cal. Civ. Code § 1798.199.10), transferred rulemaking authority from the California Attorney General to that agency, and introduced new rights including the right to correct inaccurate personal information and the right to limit use of sensitive personal information.
Applicability thresholds under the CPRA apply to for-profit businesses that:
- Earn annual gross revenues exceeding $25 million (Cal. Civ. Code § 1798.140(d)); or
- Annually buy, sell, or share the personal information of 100,000 or more consumers or households (raised from 50,000 under the CCPA); or
- Derive 50% or more of annual revenues from selling or sharing consumers' personal information.
The law applies to California residents regardless of where the covered business is physically located, giving the statute a de facto national reach for businesses with a California consumer base. Nonprofit organizations and government agencies fall outside CCPA/CPRA coverage, though they may face obligations under parallel frameworks such as the HIPAA Privacy Rule or FERPA.
Core Mechanics or Structure
The CCPA/CPRA framework operates through five functional layers: consumer rights, business obligations, data categorization, enforcement mechanisms, and regulatory rulemaking.
Consumer Rights (CPRA-Enhanced)
The CPRA recognizes the following consumer rights under Cal. Civ. Code § 1798.100 et seq.:
- Right to Know — consumers may request disclosure of specific pieces or categories of personal information collected.
- Right to Delete — consumers may request deletion of personal information, subject to enumerated exceptions; timing and scope are governed by the right-to-deletion requirements framework.
- Right to Correct — introduced by CPRA; consumers may request correction of inaccurate personal information.
- Right to Opt-Out — consumers may direct businesses not to sell or share their personal information for cross-context behavioral advertising.
- Right to Limit — CPRA addition; consumers may restrict use and disclosure of sensitive personal information to specified permitted purposes.
- Right to Non-Discrimination — businesses may not penalize consumers for exercising their rights, though financial incentive programs structured under § 1798.125 are permitted.
- Right to Portability — personal information must be provided in a readily usable format enabling transfer.
Business Obligations
Covered businesses must maintain a privacy notice at collection, a comprehensive privacy policy updated at least annually, and a "Do Not Sell or Share My Personal Information" opt-out link. Data subject access requests must be fulfilled within 45 days, with a single 45-day extension allowed when reasonably necessary. Businesses must also enter into data processing agreements — termed "contracts" under § 1798.140(ag) — with service providers and contractors.
Enforcement Mechanics
The California Attorney General retains civil enforcement authority for violations, with penalties up to $2,500 per unintentional violation and $7,500 per intentional violation (Cal. Civ. Code § 1798.155). The CPPA holds rulemaking and investigatory authority. A private right of action exists under § 1798.150 for data breaches involving nonencrypted or nonredacted personal information, with statutory damages ranging from $100 to $750 per consumer per incident.
Causal Relationships or Drivers
The CCPA originated from a ballot initiative compromise in 2018. Alastair Mactaggart's ballot initiative — which would have imposed stricter requirements — was withdrawn after the California Legislature passed AB 375 in June 2018. This legislative dynamic established the CCPA as a product of negotiated compromise rather than agency-driven rulemaking, which explains structural gaps that the CPRA subsequently addressed.
The CPRA's creation of the CPPA shifted the compliance landscape by separating enforcement from rulemaking. The CPPA issued its first set of regulations under CPRA, finalized in March 2023, addressing topics including consent management frameworks, opt-out preference signals (such as the Global Privacy Control, or GPC), and data minimization practices.
The CCPA/CPRA's influence extends beyond California. A state privacy laws comparison across Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA) shows structural borrowing from California's framework, particularly in consumer rights architecture and applicability thresholds.
Classification Boundaries
Personal Information vs. Sensitive Personal Information
The CPRA introduced a distinct subcategory — sensitive personal information (SPI) — carrying heightened obligations. SPI under § 1798.140(ae) includes:
- Social Security, driver's license, state ID, or passport numbers
- Financial account credentials (login plus security code)
- Precise geolocation (defined as within a radius of 1,850 feet — see location data privacy)
- Racial or ethnic origin, religious beliefs, union membership
- Contents of mail, email, and text messages
- Genetic and biometric data for unique identification (see biometric data privacy laws)
- Health information and sex life or sexual orientation data
Businesses processing SPI for purposes beyond what § 1798.121 permits must honor the right to limit. Handling standards for these categories are detailed in the sensitive data handling standards framework.
Service Providers vs. Contractors vs. Third Parties
CPRA distinguishes three data recipient categories:
- Service providers receive personal information for a stated business purpose under a written contract; they may not sell or share the data.
- Contractors receive personal information but do not process it on behalf of the business; they are also bound by written contracts.
- Third parties are entities other than the business or its service providers/contractors; selling or sharing data to third parties triggers the opt-out right.
Misclassifying a third-party data recipient as a service provider is a documented compliance failure mode under CPPA enforcement guidance.
Tradeoffs and Tensions
Rulemaking Velocity vs. Operational Stability
The CPPA's ongoing rulemaking activity — including proposed regulations on automated decision-making, risk assessments, and cybersecurity audits — creates compliance uncertainty. Businesses that built compliance programs around the original CCPA text have been required to retrofit operations multiple times. The privacy impact assessments and cybersecurity audit requirements currently under CPPA rulemaking will impose substantial new compliance infrastructure when finalized.
Opt-Out Mechanisms vs. Advertising Economics
The CPRA's expansion of "sharing" — defined to include disclosure of personal information for cross-context behavioral advertising, even without monetary exchange — directly conflicts with dominant digital advertising architectures. The requirement to honor Global Privacy Control signals as a valid opt-out mechanism (per CPPA regulations) creates operational tension for publishers and adtech platforms. The online tracking and cookies sector is most directly affected.
Private Right of Action Scope
The CCPA's private right of action is narrowly scoped to data breaches, unlike European GDPR frameworks where data subjects can sue for any violation. Consumer advocacy groups have consistently argued this limitation undermines the law's deterrent effect, while industry organizations argue a broader private right of action would generate excessive litigation. This tension directly informs debates around national privacy legislation outlook.
Common Misconceptions
Misconception: CCPA/CPRA applies only to California-based companies.
Correction: The statute applies to any for-profit business meeting the threshold criteria that collects personal information from California residents, regardless of where the business is incorporated or headquartered.
Misconception: Anonymized or aggregated data is always exempt.
Correction: CCPA/CPRA exempts truly deidentified information, but the statute imposes specific technical and administrative standards for deidentification at § 1798.140(m). Data that can be re-linked to an individual does not qualify. See de-identification and anonymization for technical standards.
Misconception: Employee data is fully exempt under CPRA.
Correction: The CPRA's employee exemption expired January 1, 2023. California employees, job applicants, and contractors now hold the same CCPA/CPRA rights as consumers. See employee privacy rights for operational implications.
Misconception: A single privacy policy update achieves compliance.
Correction: CPRA compliance requires operational infrastructure — data mapping, vendor privacy management contracts, verified request handling, and technical controls — not merely a policy document update.
Checklist or Steps
The following sequence reflects the operational compliance framework under CCPA/CPRA as structured by the statute and CPPA regulations:
- Determine applicability — Evaluate whether the entity meets at least one of the three thresholds under § 1798.140(d).
- Conduct data inventory and mapping — Identify all categories of personal information collected, sources, purposes, and third-party disclosures.
- Classify sensitive personal information — Segregate SPI from general personal information and map processing purposes against the § 1798.121 permitted purpose list.
- Classify data recipients — Distinguish service providers, contractors, and third parties for each data flow; execute required contracts.
- Update privacy notices — Ensure notice at collection and the annual privacy policy reflect current practices, including categories sold or shared and consumer rights.
- Implement opt-out mechanisms — Post the "Do Not Sell or Share My Personal Information" link and configure systems to honor Global Privacy Control signals.
- Establish consumer request intake and fulfillment — Create a toll-free number and/or online portal; build verification and response workflows meeting the 45-day statutory deadline.
- Operationalize the right to limit — Build consent management controls that restrict SPI processing to permitted purposes upon consumer request.
- Train personnel — Ensure individuals handling consumer requests are trained on CCPA/CPRA rights and procedures (see privacy training and awareness).
- Conduct ongoing compliance reviews — Perform periodic privacy audit and compliance reviews and update data maps as practices change.
- Monitor CPPA rulemaking — Track proposed regulations on automated decision-making, cybersecurity audits, and risk assessments for implementation readiness.
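As an added illustration of the opt-out and request-handling steps above (and of the Global Privacy Control tension noted under Tradeoffs), the following JavaScript is example code written for this page; it is not code from the page, the CPPA, or any regulator. It relies on one fact taken from the cited GPC specification rather than from this page: the signal travels as the HTTP request header `Sec-GPC` with the literal value `1` (browsers expose the same signal as `navigator.globalPrivacyControl`). The data-flow inventory and the sample request headers are constructed, and the deadline logic follows the 45-day window and single 45-day extension stated on this page.

```javascript
// Added example, not code from the page or from any regulator.
// Honours a Global Privacy Control opt-out signal against a set of classified
// data flows and computes the CCPA/CPRA response deadline for a consumer request.
// Fact from the GPC specification (not from this page): the signal is the
// HTTP request header "Sec-GPC" with the literal value "1".
// Everything marked "constructed" is sample data invented for the example.

// Constructed inventory of downstream recipients, each classified per CPRA.
const DATA_FLOWS = [
  { recipient: 'analytics-vendor', role: 'service_provider', purpose: 'site analytics' },
  { recipient: 'adtech-exchange', role: 'third_party', purpose: 'cross-context behavioral advertising' },
  { recipient: 'email-delivery', role: 'contractor', purpose: 'transactional email' },
];

// True only for a well-formed GPC signal. Header names are case-insensitive,
// and the spec assigns meaning only to the value "1": "0", an empty value, or
// an absent header is not an opt-out.
function hasGpcSignal(headers) {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === 'sec-gpc');
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// Returns the recipients that may receive personal information on this request.
// A GPC signal, or an opt-out the consumer recorded earlier, stops disclosures
// to third parties (the "sale or share" flows that trigger the opt-out right).
// Service providers and contractors under written contract are unaffected.
function permittedFlows(headers, storedOptOut = false) {
  const optedOut = storedOptOut || hasGpcSignal(headers);
  return DATA_FLOWS
    .filter((flow) => !(optedOut && flow.role === 'third_party'))
    .map((flow) => flow.recipient);
}

// Statutory response window from the page: 45 days from receipt of a request,
// extendable once by a further 45 days when reasonably necessary.
// Dates are handled in UTC as YYYY-MM-DD strings to avoid timezone drift.
function responseDeadline(receivedDate, extended = false) {
  const due = new Date(`${receivedDate}T00:00:00Z`);
  due.setUTCDate(due.getUTCDate() + (extended ? 90 : 45));
  return due.toISOString().slice(0, 10);
}

// Stand-alone demonstration with a constructed request.
const sampleHeaders = { 'user-agent': 'ExampleBrowser/1.0', 'Sec-GPC': '1' };
console.log('GPC present:', hasGpcSignal(sampleHeaders));
console.log('Permitted recipients:', permittedFlows(sampleHeaders));
console.log('Deadline for request received 2024-01-10:', responseDeadline('2024-01-10'));
```

The filter keys on the recipient classification rather than on the vendor name, which is why the classification step earlier in the checklist matters operationally: a third party mislabelled as a service provider would keep receiving data after an opt-out, the failure mode noted under Classification Boundaries.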
Reference Table or Matrix
CCPA vs. CPRA: Key Structural Differences
| Dimension | CCPA (2020) | CPRA (2023+) |
|---|---|---|
| Effective date | January 1, 2020 | January 1, 2023 (full enforcement) |
| Enforcement authority | California Attorney General | CA AG + California Privacy Protection Agency (CPPA) |
| Rulemaking body | California AG | CPPA |
| Data threshold (buy/sell) | 50,000 consumers/households | 100,000 consumers/households |
| Sensitive personal information | Not separately defined | Distinct category with heightened rights |
| Right to correct | Not included | Included (§ 1798.106) |
| Right to limit SPI | Not included | Included (§ 1798.121) |
| Employee exemption | Temporary exemption in place | Expired January 1, 2023; employees fully covered |
| "Sharing" definition | Narrower (primarily monetary sale) | Expanded to include cross-context behavioral advertising without payment |
| Data retention limits | Not specified | Businesses must disclose and observe retention periods |
| Cybersecurity audits | Not required | Required by regulation (rulemaking ongoing) |
| Risk assessments | Not required | Required for high-risk processing (rulemaking ongoing) |
| Opt-out signals (GPC) | Not addressed in statute | Required to be honored per CPPA regulations |
| Max civil penalty (intentional) | $7,500 per violation | $7,500 per intentional violation; also $7,500 per violation involving a minor's personal information |
Consumer Rights Availability by Law
| Consumer Right | CCPA | CPRA |
|---|---|---|
| Right to know (categories) | ✓ | ✓ |
| Right to know (specific pieces) | ✓ | ✓ |
| Right to delete | ✓ | ✓ (expanded) |
| Right to opt-out of sale | ✓ | ✓ (expanded to "sharing") |
| Right to non-discrimination | ✓ | ✓ |
| Right to portability | ✓ | ✓ |
| Right to correct | ✗ | ✓ |
| Right to limit SPI use | ✗ | ✓ |
| Private right of action (breach) | ✓ | ✓ |
References
- California Consumer Privacy Act — Cal. Civ. Code §§ 1798.100–1798.199 (California Legislative Information)
- California Privacy Protection Agency (CPPA) — Official Agency Site
- CPPA Rulemaking — CPRA Regulations (11 Cal. Code Regs. § 7000 et seq.)
- California Attorney General — CCPA Enforcement and Guidance
- California Proposition 24 (2020) — Official Ballot Measure Text
- Global Privacy Control Specification — GPC.privacy
- FTC Privacy Enforcement — Federal Trade Commission
- NIST Privacy Framework — National Institute of Standards and Technology