CCPA and CPRA Compliance Reference
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), form the most comprehensive state-level consumer data privacy framework in the United States. These statutes define enforceable rights for California residents and corresponding obligations for businesses that collect, sell, or share personal information at scale. Understanding the structural differences between these two laws — and how enforcement thresholds, exemptions, and rights inventories operate in practice — is essential for compliance professionals, legal counsel, and data governance teams operating across the data protection service landscape.
Definition and scope
The CCPA took effect January 1, 2020, establishing a foundational set of consumer rights under California Civil Code §1798.100 et seq. (California Legislative Information, Civil Code §1798.100). The CPRA, passed by California voters as Proposition 24 in November 2020 and operative from January 1, 2023, amended and significantly expanded the original statute by creating the California Privacy Protection Agency (CPPA) as a dedicated enforcement body independent of the California Attorney General.
The CPRA applies to for-profit businesses doing business in California that meet at least one of the following thresholds:
- Annual gross revenues exceeding $25 million (Cal. Civ. Code §1798.140(d))
- Annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households
The CPRA raised the consumer/household threshold from 50,000 (under the original CCPA) to 100,000, narrowing the pool of covered entities while simultaneously broadening the rights catalog and introducing a new data category: sensitive personal information, which includes precise geolocation, racial or ethnic origin, health data, and biometric identifiers.
Nonprofit organizations and state and local government entities are not covered businesses under either statute, though service providers and contractors that process data on behalf of covered businesses carry derivative obligations.
How it works
Compliance with the CCPA/CPRA framework operates through a structured set of obligations and corresponding consumer rights. The California Privacy Protection Agency, whose rulemaking authority is codified under Cal. Civ. Code §1798.185, issues binding regulations supplementing the statutory text (CPPA Rulemaking).
Core consumer rights under the CPRA:
- Right to Know — consumers may request disclosure of the categories and specific pieces of personal information collected about them
- Right to Delete — consumers may request deletion of personal information, subject to enumerated exceptions including legal obligation and internal business use
- Right to Correct — a CPRA addition allowing correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing — extends to sharing for cross-context behavioral advertising, not only monetary sale
- Right to Limit Use of Sensitive Personal Information — consumers may restrict processing of sensitive data to defined necessary purposes
- Right to Non-Discrimination — businesses may not deny goods or services for exercising privacy rights
Covered businesses must respond to verifiable consumer requests within 45 days, extendable by an additional 45 days when reasonably necessary (Cal. Civ. Code §1798.130). Privacy notices must be updated at least every 12 months. Data minimization and purpose limitation principles — explicit CPRA additions — require that collection be reasonably necessary and proportionate to the disclosed purpose.
Enforcement authority is split: the CPPA holds primary rulemaking and administrative enforcement power; the California Attorney General retains authority to bring civil actions. Statutory penalties reach $2,500 per unintentional violation and $7,500 per intentional violation (Cal. Civ. Code §1798.155). A private right of action exists for data breach scenarios limited to unauthorized access of certain nonencrypted, nonredacted data.
Common scenarios
Scenario 1 — Data broker and third-party sharing: A national e-commerce company with $30 million in annual revenue shares purchase history with 12 advertising partners. Under the CPRA, this constitutes "sharing" for cross-context behavioral advertising, triggering opt-out obligations and requiring a clear "Do Not Sell or Share My Personal Information" link on the business's homepage.
Scenario 2 — HR and B2B data: The CPRA extended full consumer rights to employees, job applicants, and B2B contacts starting January 1, 2023, eliminating the temporary exemptions that had applied under the original CCPA. A California employer with more than 100,000 employee records now must process deletion and access requests from its own workforce.
Scenario 3 — Service provider contracts: A SaaS vendor processing personal data on behalf of a covered business must execute a written contract specifying the limited purposes for which data may be processed. Processing outside that scope reclassifies the vendor as a "third party," triggering sale or sharing obligations. The CPPA's regulations detail required contract provisions (CPPA Regulations, 11 Cal. Code Regs. §7050 et seq.).
Scenario 4 — Sensitive data and biometrics: A healthcare-adjacent wellness app collecting biometric data from California users must provide a separate notice and honor requests to limit processing of that sensitive personal information to disclosures necessary to provide the requested service.
Decision boundaries
The CCPA/CPRA framework intersects with federal statutes in ways that create exemption boundaries rather than wholesale preemption. Covered businesses must map overlaps carefully:
- HIPAA-covered entities and business associates — personal health information governed by HIPAA (45 CFR Part 164) is exempt from CCPA/CPRA at the data level, not the entity level; the same organization may hold both HIPAA-regulated and non-HIPAA personal data
- FCRA-regulated data — consumer information maintained for credit reporting purposes under the Fair Credit Reporting Act (15 U.S.C. §1681 et seq.) is exempt
- GLBA financial data — financial institutions subject to the Gramm-Leach-Bliley Act (15 U.S.C. §6801) carry an exemption for data processed under GLBA's privacy framework
CCPA vs. CPRA structural contrast:
| Dimension | CCPA (2020) | CPRA (2023+) |
|---|---|---|
| Consumer threshold | 50,000 | 100,000 |
| Enforcement body | Attorney General only | CPPA + Attorney General |
| Sensitive data category | None | Defined and regulated |
| Right to correct | Not included | Included |
| Data minimization | Not required | Required |
| Employee/B2B exemption | Temporary (expired) | None |
Organizations with national operations that also handle data from residents of Virginia, Colorado, Connecticut, or Texas face parallel obligations under those states' privacy statutes — all modeled in part on the CCPA framework but diverging on enforcement mechanisms, opt-in versus opt-out defaults, and applicability thresholds.
The Federal Trade Commission retains jurisdiction over deceptive or unfair data practices under Section 5 of the FTC Act (15 U.S.C. §45), and its guidance on privacy and data security operates as a parallel federal floor regardless of CCPA/CPRA applicability.