CCPA and CPRA Compliance Reference

California's Consumer Privacy Act (CCPA) and its successor amendment, the California Privacy Rights Act (CPRA), establish the most comprehensive state-level consumer data protection framework in the United States. Together they define enforceable rights for California residents, impose compliance obligations on qualifying businesses, and establish the California Privacy Protection Agency (CPPA) as a dedicated enforcement body. This reference covers the statutory scope, operational mechanics, representative compliance scenarios, and the classification boundaries that determine which obligations apply to which entities.


Definition and scope

The CCPA, codified at California Civil Code §1798.100 et seq., took effect January 1, 2020. The CPRA, passed by ballot initiative in November 2020, amended and substantially expanded the CCPA with most provisions effective January 1, 2023. The CPRA also established the California Privacy Protection Agency as an independent regulatory body with rulemaking authority, separating enforcement from the California Attorney General's office for administrative matters.

The combined framework applies to for-profit businesses that collect personal information of California residents and meet at least one of three thresholds (Cal. Civ. Code §1798.140(d)):

  1. Annual gross revenues exceeding $25 million
  2. Annually buying, selling, or sharing personal information of 100,000 or more consumers or households
  3. Deriving 50 percent or more of annual revenue from selling or sharing consumers' personal information

The CPRA introduced a distinct tier of sensitive personal information — covering Social Security numbers, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health and medical data, and the contents of private communications — that carries heightened restrictions beyond those applying to standard personal information. Businesses may not use sensitive personal information for purposes other than those specified in §1798.121 without offering consumers the right to limit such use.

Nonprofit entities and government agencies fall outside the statute's direct scope, though their commercial activities may trigger coverage in specific circumstances. The law's jurisdiction is triggered by the residency of the consumer, not the location of the business.


How it works

CCPA/CPRA compliance operates through five functional pillars:

  1. Notice obligations — Businesses must provide a privacy notice at or before collection, disclosing categories of data collected, purposes of use, and whether data is sold or shared. The CPPA's final regulations (effective March 2023) detail required disclosure formats.
  2. Consumer rights fulfillment — Covered businesses must build mechanisms to receive and respond to requests to know, delete, correct, and opt out of sale or sharing. Response windows are 45 calendar days, extendable by another 45 days with notice (Cal. Civ. Code §1798.145).
  3. Opt-out infrastructure — Businesses that sell or share personal information must post a "Do Not Sell or Share My Personal Information" link and honor opt-out preference signals, including the Global Privacy Control (GPC) browser signal, which the CPPA confirmed as a valid opt-out mechanism.
  4. Contractual controls on service providers — Data disclosed to service providers must be governed by written contracts restricting the recipient's use to the specified business purpose. This parallels third-party vendor data security requirements seen in federal frameworks.
  5. Data minimization and retention limits — The CPRA added explicit data minimization principles and proportionality requirements, prohibiting collection or retention of personal information beyond what is reasonably necessary for the disclosed purpose.
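The opt-out infrastructure in pillar 3 is the one pillar with a concrete technical mechanism, so here is an added example (not code from the original page) of a minimal opt-out engine that honors the Global Privacy Control signal alongside the "Do Not Sell or Share" link, and that leaves contract-governed service-provider disclosures (pillar 4) open while blocking third-party sale or sharing after an opt-out. Assumed, not from the page: GPC arrives as the HTTP request header `Sec-GPC: 1`; the consumer record shape and recipient role names are constructed for illustration.

```python
# Added example (not from the original page): a minimal opt-out engine that
# honors the Global Privacy Control signal alongside the "Do Not Sell or Share"
# link. Assumed (not from the page): GPC arrives as the HTTP request header
# `Sec-GPC: 1`; the record shape and recipient roles are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Mapping, Optional


@dataclass
class ConsumerRecord:
    consumer_id: str
    opted_out_of_sale_sharing: bool = False
    opt_out_source: Optional[str] = None   # "link", "gpc", ...
    opt_out_at: Optional[datetime] = None


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for `Sec-GPC: 1`. Header names match case-insensitively;
    any other value ("0", "true", "") is not a valid opt-out signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_signal(record: ConsumerRecord, headers: Mapping[str, str],
                         now: Optional[datetime] = None) -> ConsumerRecord:
    """Treat a GPC signal like a click on the opt-out link. A later request
    without the header never reverses the opt-out: the consumer may simply
    be using a different browser, and an opt-out is withdrawn only by an
    explicit consumer action, not by the absence of a signal."""
    if gpc_signal_present(headers) and not record.opted_out_of_sale_sharing:
        record.opted_out_of_sale_sharing = True
        record.opt_out_source = "gpc"
        record.opt_out_at = now or datetime.now(timezone.utc)
    return record


def may_sell_or_share(record: ConsumerRecord, recipient_role: str) -> bool:
    """Gate an outbound disclosure. A service provider under a compliant
    contract is neither "sale" nor "sharing", so that path stays open; any
    third-party disclosure (e.g. an ad platform for cross-context behavioral
    advertising) is blocked once the consumer has opted out."""
    if recipient_role == "service_provider":
        return True
    if recipient_role == "third_party":
        return not record.opted_out_of_sale_sharing
    raise ValueError(f"unknown recipient role: {recipient_role!r}")
```

The opt-out record should be persisted server-side against the consumer identity, since the GPC header is only present on the browser that sends it.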

The CPPA holds rulemaking authority and has issued regulations covering risk assessments, cybersecurity audits for high-risk processing, and automated decision-making technology. Businesses meeting certain thresholds for sensitive data processing are required to conduct annual cybersecurity audits and submit privacy risk assessments — a structural parallel to privacy impact assessments under federal frameworks.


Common scenarios

E-commerce and retail — An online retailer generating $30 million annually and collecting purchase and browsing data on California residents is covered under the revenue threshold. The retailer must maintain a privacy notice, honor deletion requests within 45 days, and disclose any data sharing arrangements with advertising platforms as "sharing" (not merely "sale") of personal information.

Data brokers — Under California Civil Code §1798.99.80 (added by CPRA), data brokers must register annually with the CPPA. Since the registry became active under the CPPA, covered data brokers are subject to registration fees and must honor opt-out requests submitted through the CPPA's Delete Request mechanism. This intersects directly with data broker regulation in the US.

HR and employment data — The CPRA's removal of the workforce exemption (which lapsed in 2023) means California-based employees, contractors, and job applicants now hold full CCPA rights against covered employers. Employers subject to CCPA/CPRA must issue workforce privacy notices and respond to employee requests to know and delete.

Health and wellness apps — An application collecting precise geolocation and health data triggers the sensitive data category provisions, requiring both a "Limit the Use of My Sensitive Personal Information" opt-out mechanism and heightened data security obligations. This creates compliance overlap with healthcare cybersecurity standards where applicable.


Decision boundaries

Two classification questions govern whether and how CCPA/CPRA applies to a given entity:

Business vs. service provider vs. third party — A business determines the purpose and means of processing. A service provider processes on the business's behalf under contract. A third party receives data without that contractual limitation. The distinction determines which obligations attach: businesses bear the primary compliance burden; service providers carry contractual restrictions; third parties that receive data must honor consumers' opt-outs and are prohibited from further sale.

Sale vs. sharing vs. service provider disclosure — "Sale" under CCPA/CPRA includes any disclosure for monetary or other valuable consideration. "Sharing" covers cross-context behavioral advertising even without monetary exchange. Service provider disclosures are exempt from opt-out requirements only if the contract meets the statutory requirements of §1798.140(ag). Misclassifying a "sharing" relationship as a service provider exemption is a primary enforcement risk identified in CPPA guidance.

The CCPA's private right of action is narrow: it covers only data breach notification scenarios involving unauthorized access to non-encrypted or non-redacted personal information, with statutory damages between $100 and $750 per consumer per incident (Cal. Civ. Code §1798.150). The CPPA and California Attorney General hold broader administrative enforcement authority, with civil penalties up to $7,500 per intentional violation (Cal. Civ. Code §1798.155).

CCPA/CPRA does not displace federal sector-specific statutes. Where HIPAA or GLBA applies, the sector-specific statute governs data covered under those frameworks, and CCPA/CPRA exemptions apply to that data. A full comparison of how California's framework interacts with other statutes is covered in US Data Protection Laws Overview and the State Data Privacy Laws Comparison.

