The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the landmark US state privacy law that grants California residents expansive rights over their personal information and imposes obligations on businesses that collect, process, sell, or share that data. Together, CCPA and CPRA establish a comprehensive privacy framework that requires organizations to provide notice, honor consumer rights to access, delete, correct, and opt out of data sales and sharing, and maintain reasonable security practices, enforced by the California Privacy Protection Agency (CPPA) alongside the California Attorney General.
What Do CCPA and CPRA Mean for US Organizations?
The CCPA, effective January 1, 2020, was the first comprehensive US state privacy law to establish a baseline of consumer rights. The CPRA, approved by voters in November 2020 and effective January 1, 2023, significantly expanded and refined those rights. For any organization that does business in California, handles the personal information of California residents, and meets specific thresholds, these laws are not optional. The CPRA established the California Privacy Protection Agency (CPPA) as a dedicated enforcement and rulemaking body; the Attorney General retains concurrent civil enforcement authority. The laws apply to for-profit entities that collect or control California residents' personal information and meet one or more of the following criteria: have annual gross revenues over $25 million (a figure the CPPA adjusts periodically for inflation); annually buy, receive, sell, or share the personal information of 100,000 or more California consumers or households; or derive 50% or more of annual revenue from selling or sharing California residents' personal information.
Who Must Comply with CCPA / CPRA?
Compliance is not limited to businesses headquartered in California. Any US or international for-profit entity that collects personal information from California residents, alone or jointly with others determines the purposes and means of processing it, and meets the revenue, volume, or revenue-derivation threshold must comply. Nonprofits and government agencies are generally exempt, though their for-profit business partners may still be subject. The thresholds are alternatives, not cumulative: a business with $20 million in revenue that shares the data of 150,000 California consumers is still in scope. Organizations should also note that the CPRA's definition of "sensitive personal information" (including precise geolocation, racial or ethnic origin, health data, and sexual orientation) carries heightened protections, described under the consumer rights below.
Key Takeaways
- CCPA (2020) gave consumers rights to know, delete, and opt out of sale of personal information.
- CPRA (2023) added rights to correct, limit use of sensitive data, and opt out of sharing for cross-context behavioral advertising.
- Enforcement is by the California Privacy Protection Agency (CPPA), with the Attorney General retaining concurrent authority. Fines: up to $2,500 per violation, and $7,500 per intentional violation or per violation involving consumers under 16.
- Scope extends to any business meeting revenue, volume, or revenue-derivation thresholds, regardless of location.
What Are the Core Consumer Rights Under CCPA / CPRA?
The CPRA expanded the original CCPA rights and added new ones. Organizations must be able to operationalize each right within the mandated timeframes: 45 calendar days to respond to requests to know, delete, or correct, extendable once by a further 45 days where reasonably necessary (with notice to the consumer), and no later than 15 business days for requests to opt out or to limit use of sensitive personal information. The core rights are:
- Right to Know (CCPA §1798.110 & 1798.115): Consumers can request the specific pieces of personal information collected, the categories of sources, business purpose for collection, and categories of third parties with whom the data is shared.
- Right to Delete (CCPA §1798.105): Consumers can request deletion of their personal information held by a business, subject to exceptions like completing a transaction, detecting security incidents, or complying with legal obligations.
- Right to Correct (CPRA §1798.106): Consumers can request correction of inaccurate personal information, considering the nature of the data and purposes of processing.
- Right to Opt Out of Sale/Sharing (CCPA §1798.120, CPRA expanded to include "sharing"): Consumers have the right to opt out of the sale of their data and of its use for cross-context behavioral advertising (sharing). This requires a prominent "Do Not Sell or Share My Personal Information" link.
- Right to Limit Use of Sensitive Personal Information (CPRA §1798.121): Consumers can direct a business to limit the use of their sensitive personal information (SPI) to only purposes necessary for delivering the service or for specified business purposes like security and fraud prevention.
- Right to Data Portability (CCPA §1798.100, refined by CPRA): Consumers have the right to receive their data in a portable and, to the extent technically feasible, readily usable format. A business is not required to answer more than two requests to know from the same consumer in a 12-month period.
- Right to Non-Discrimination (CCPA §1798.125): Businesses cannot deny goods or services, charge different prices, or provide a different quality of service to consumers who exercise their rights.
- Opt-In Consent for Minors (CCPA §1798.120): Businesses must obtain affirmative authorization (opt-in) from consumers aged 13-15, and from a parent or guardian for children under 13, before selling or sharing their data.
What Penalties and Enforcement Powers Exist?
The California Privacy Protection Agency (CPPA) has administrative enforcement authority, and the Attorney General may bring civil actions. Penalties are $2,500 per violation and $7,500 per intentional violation or per violation involving consumers under 16; because they are assessed per violation rather than as a single cap, exposure scales with the number of affected consumers and incidents. The CCPA (§1798.150) also created a private right of action for data breaches of non-encrypted and non-redacted personal information (the CPRA extended it to email addresses combined with a password or security question and answer) resulting from a business's failure to maintain the reasonable security procedures required by Civil Code §1798.81.5, with statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Two consequences follow for security teams. First, in practice encryption at rest only takes breached records outside this cause of action if the keys were not exposed along with the data, so key management is part of the compliance control. Second, §1798.81.5(c) separately requires a business that discloses personal information to a nonaffiliated third party to obligate that party by contract to maintain reasonable security. The purpose-limitation contract terms for service providers and contractors, which forbid retaining, using, or disclosing personal information for any purpose other than performing the contracted services, come from the CPRA's amendments to §1798.100 and the definitions in §1798.140.
How Does CCPA / CPRA Differ from US Federal Privacy Frameworks?
Unlike the Health Insurance Portability and Accountability Act (HIPAA), which applies only to covered entities and business associates handling protected health information, or the Gramm-Leach-Bliley Act (GLBA), which applies only to financial institutions, CCPA/CPRA is a general consumer privacy law that covers a wide swath of personal information. The CPRA clarified that GLBA-covered data is exempt only to the extent the information is collected, processed, sold, or disclosed pursuant to the GLBA and its implementing regulations, making the carve-out a data-level exemption rather than an entity-level one, and it does not exempt such data from the breach private right of action. Additionally, CCPA/CPRA is one regime among several: it coexists with other state privacy laws like Virginia's VCDPA, Colorado's CPA, and Connecticut's CTDPA, creating a patchwork that requires multi-state compliance strategies. Organizations must map their data processing activities to determine which exemptions apply, including the important exemption for data subject to the federal Fair Credit Reporting Act (FCRA), the Driver's Privacy Protection Act (DPPA), and certain medical information governed by the California Confidentiality of Medical Information Act (CMIA).
What Operational Changes Are Required for Compliance?
Data Mapping and Inventory
Effective CCPA/CPRA compliance begins with a comprehensive data mapping exercise. Organizations must inventory all personal information collected, its sources, the business purposes for collection, the categories of third parties with whom it is shared or sold, and the retention schedule for each element. This inventory must be maintained and updated regularly, as it is the foundation for fulfilling consumer rights requests, responding to CPPA investigations, and producing required disclosures in privacy notices. In practice, the inventory must let the business locate every record associated with a consumer request across its own systems and those of its service providers and contractors, and identify the third parties to whom that data was sold or shared so they can be notified of a deletion, all within the 45-day response window.
Consumer Request Operationalization
Organizations must have a verified consumer request (VCR) process in place. This involves offering at least two methods for consumers to submit requests (typically a toll-free number and a web form; a business that operates exclusively online and has a direct relationship with the consumer may rely on an email address instead), a verification process that matches the requester against data the business already holds, using commercially reasonable methods proportionate to the sensitivity of the data and the harm a wrong decision would cause, and a system to route the request to the relevant business units and data repositories. Two verification rules matter to security teams: a consumer cannot be required to create an account to submit a request, and information collected for verification may be used only for that purpose. Requests to opt out of sale or sharing and to limit use of sensitive personal information are honored without verification, since a mistaken opt-out only reduces processing, whereas disclosing specific pieces of data to the wrong requester is itself a breach. For requests to delete, the business must also notify its service providers and contractors to delete the data from their records, except where retention is legally permitted. The CCPA defined "service provider" and "third party"; the CPRA added "contractor," each role carrying distinct compliance requirements, which makes contractual flow-down provisions critical.
Privacy Notice Updates
The CPRA significantly expanded privacy notice requirements. In addition to the categories of personal data collected and the purposes for which it is used, notices must now include the categories of sensitive personal information collected, the categories of sources, the business or commercial purpose for collecting, selling, or sharing, the categories of third parties to whom the information is sold or shared, the retention period for each category (or the criteria used to determine it), and how consumers can exercise their rights. The notice must also describe the consumer's right to limit the use of sensitive personal information and how to opt out of sale/sharing. The law requires that the notice at collection be presented in an accessible format at or before the point of collection of personal information, and that the full privacy policy be reviewed and updated at least once every 12 months.
Contractual and Procurement Changes
Businesses must update all contracts with service providers, contractors, and third parties to incorporate the specific provisions required by the CPRA. These include restrictions on retaining, using, or disclosing personal information for any purpose other than the specified services, the obligation to notify the business in the event of a breach and whenever the provider can no longer meet its obligations, the requirement to assist the business in responding to consumer rights requests, the business's right to take reasonable steps to verify the provider's compliance, and the obligation to flow down the same restrictions to any subcontractors. Service providers and contractors are directly liable for their own violations of the statute and of these contract terms, and the CPPA can audit a business's compliance, so contractual flow-downs are an enforcement risk rather than paperwork.
What Is the Relationship Between CCPA and CPRA?
CCPA and CPRA are best understood as a single, evolving regulatory framework. The CCPA passed in 2018 and took effect in 2020, providing foundational rights. The CPRA, approved as Proposition 24 in November 2020, amended and expanded the CCPA, effective January 1, 2023 for most provisions, with the CPPA's enforcement authority beginning July 1, 2023. The CPRA built upon the CCPA's structure: many original CCPA sections were reorganized and renumbered, which is why citations to the same right differ between older and newer guidance. For compliance purposes, organizations should treat the combined law as one set of obligations: the CPRA did not repeal the CCPA but added teeth, new rights, and new regulatory authority. The CPPA's regulations (the first set approved in March 2023, followed by further rulemakings covering risk assessments, cybersecurity audits, and automated decision-making technology) interpret and implement both laws.
Stop Guessing on CCPA / CPRA Compliance
Your organization likely handles California residents' data — whether in sales, marketing, HR, or operations. CyberSilo’s Compliance Standards Automation platform maps your data flows, operationalizes consumer rights requests, and ensures your contracts meet CPRA requirements. Go from risk to readiness.
How Does CCPA / CPRA Compare to Other US State Privacy Laws?
CCPA/CPRA is widely considered the most stringent state privacy law in the US as of 2025, though other state laws have become increasingly strict. Unlike Virginia's VCDPA, Colorado's CPA, and Connecticut's CTDPA, CCPA/CPRA does not require opt-in consent before processing sensitive data; it provides a right to limit, not a default obligation to obtain consent. CCPA/CPRA nonetheless reaches more entities, because its $25 million revenue test applies regardless of how much personal information a business handles, whereas those three states key applicability to processing volume (100,000 consumers, or 25,000 consumers combined with a share of revenue from data sales) and have no revenue-only trigger. The CPRA's creation of a dedicated enforcement agency (CPPA) also sets it apart from state laws enforced solely by the Attorney General. The CPPA and the Attorney General have both brought enforcement actions and settlements with monetary penalties, establishing a de facto national standard for privacy compliance given the size of California's economy. Organizations that achieve robust compliance with CCPA/CPRA are often well-positioned to comply with other state laws, though there are critical differences in the scope of rights, definitions of sensitive data, and exemption handling. For example, CCPA/CPRA treats data as de-identified only if the business takes reasonable measures against re-identification, publicly commits not to re-identify it, and contractually binds any recipient to the same terms, a stricter test than some other states apply.
What Sectors Are Most Impacted by CCPA / CPRA?
While the law applies broadly, certain sectors face disproportionate compliance burdens. Technology and advertising companies are primary targets due to reliance on behavioral advertising, data sharing, and large-scale user data collection. Financial services firms must navigate the narrow GLBA exemption and determine whether they are exempt for specific data or processing activities. Healthcare organizations that handle non-HIPAA-covered data (such as health apps, wellness programs, or de-identified health data sold for research) face significant requirements. Retail and e-commerce companies that run loyalty programs or share customer lists must implement opt-out mechanisms. Data brokers are separately regulated: under the 2023 Delete Act they must register annually with the CPPA (registration moved there from the Attorney General in 2024) and will have to process deletion requests submitted through a centralized CPPA deletion mechanism. Organizations in energy, manufacturing, and education also face obligations, especially for employee and business-contact data, for which the CCPA's temporary exemptions expired on January 1, 2023, whereas most other state laws exclude HR data entirely.
Common Compliance Challenges and Misconceptions
One of the most common misconceptions is that a GDPR or other privacy program already satisfies CCPA/CPRA. It does not: CCPA/CPRA applies on its own terms regardless of other regulatory frameworks, and its definitions of "sale," "sharing," and sensitive personal information differ from the GDPR's. Another common challenge is the misinterpretation of the "100,000 consumers" threshold. It is not a static count of customers; it applies to any business that "annually buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 100,000 or more consumers or households," which includes one-time transactions as well as ongoing ones. A third challenge is operationalizing the right to limit use of sensitive personal information (SPI). Many organizations have not clearly mapped what data constitutes SPI (e.g., precise geolocation, racial or ethnic origin, health data, genetic data, biometric data processed to identify a person, sexual orientation, union membership, and account log-in, financial account, or card numbers combined with the credential needed to access them) and have not built the technical ability to segregate SPI processing by purpose. A final misconception is that compliance is a one-time project. The law requires the privacy policy to be updated at least annually, the data inventory to be maintained continuously, and contracts to be audited regularly. The CPPA expects continuous compliance, not a one-off policy.
Key Operational Steps for CCPA / CPRA Readiness
- Conduct a data inventory — map all personal information collected, its sources, purposes, and sharing.
- Classify sensitive personal information (SPI) and determine purposes for processing.
- Build a consumer rights portal with identity verification workflows.
- Update privacy notices with CPRA-required disclosures.
- Audit and update contracts with all service providers and contractors.
- Implement a "Do Not Sell or Share" mechanism on your website and mobile app.
- Establish opt-in consent before selling or sharing the personal information of consumers under 16 (from the consumer at 13 to 15, from a parent or guardian under 13).
- Maintain records of requests for CPPA compliance audits.
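The "Do Not Sell or Share," limit-SPI, and minor opt-in steps above reduce to a small decision at request-handling time, shown here as an added example that is not code from this page or from any vendor platform. The rules encoded (opt-out of sale and sharing, limiting sensitive personal information to service delivery and security or fraud purposes, opt-in for consumers under 16) come from the text; treating the Global Privacy Control header `Sec-GPC: 1` as a valid opt-out request follows the CPPA regulations on opt-out preference signals. The ConsentRecord fields, the purpose labels, and the sample tag list are assumptions for the example.

```python
"""Enforce opt-out of sale/sharing, limit-SPI and minor opt-in per request.

Added illustration; not code from this page or any vendor product. The rules
follow the text and the CPPA regulations' treatment of the Sec-GPC header as
an opt-out request. Field names, purpose labels and sample tags are
ASSUMPTIONS.
"""
from dataclasses import dataclass

# ASSUMPTION: purpose labels used by the application. After a limit request,
# sensitive PI may be used only to deliver the service and for the security
# and fraud-prevention purposes the statute permits.
SPI_PURPOSES_AFTER_LIMIT = frozenset({"service_delivery", "security", "fraud_prevention"})


@dataclass
class ConsentRecord:
    opted_out_sale_share: bool = False  # Do Not Sell or Share exercised
    limit_spi: bool = False             # Limit Use of Sensitive PI exercised
    age_bracket: str = "adult"          # "adult", "13_15" or "under_13"
    minor_opt_in: bool = False          # affirmative authorization on file
    #   (13 to 15: from the consumer; under 13: from a parent or guardian)


def gpc_signal(headers: dict[str, str]) -> bool:
    """True when the user agent sends the Global Privacy Control signal.

    Header names are matched case-insensitively; only the value "1" counts.
    """
    return any(k.lower() == "sec-gpc" and v.strip() == "1"
               for k, v in headers.items())


def record_signal(headers: dict[str, str], consent: ConsentRecord) -> ConsentRecord:
    """A GPC signal is an opt-out request: persist it so it outlives the session."""
    if gpc_signal(headers):
        consent.opted_out_sale_share = True
    return consent


def sale_or_share_allowed(headers: dict[str, str], consent: ConsentRecord) -> bool:
    """Decide whether this response may sell or share the consumer's PI."""
    if gpc_signal(headers) or consent.opted_out_sale_share:
        return False
    if consent.age_bracket != "adult":
        return consent.minor_opt_in  # under 16: no sale/sharing without opt-in
    return True


def spi_use_allowed(purpose: str, consent: ConsentRecord) -> bool:
    """Gate a use of sensitive PI on whether the consumer limited it."""
    if consent.limit_spi:
        return purpose in SPI_PURPOSES_AFTER_LIMIT
    return True


def tags_to_load(headers: dict[str, str], consent: ConsentRecord,
                 tags: list[dict]) -> list[str]:
    """Return the third-party tags the page may load.

    Any tag that sells or shares PI (an ad-network pixel, for instance) is
    dropped unless sale/sharing is allowed for this consumer and request.
    """
    allowed = sale_or_share_allowed(headers, consent)
    return [t["name"] for t in tags if allowed or not t["sells_or_shares"]]


# Constructed sample tag inventory for the example.
SAMPLE_TAGS = [
    {"name": "first-party-analytics", "sells_or_shares": False},
    {"name": "ad-network-pixel", "sells_or_shares": True},
    {"name": "fraud-scoring", "sells_or_shares": False},
]

if __name__ == "__main__":
    visitor = ConsentRecord()
    print(tags_to_load({"Sec-GPC": "1"}, visitor, SAMPLE_TAGS))
```

The check runs server-side, before the response is assembled, because a client-side consent script that loads the ad pixel first and asks afterwards has already shared the data. The classification of each tag as selling or sharing is the piece organizations most often get wrong; it should come from the data inventory, not from the tag vendor's self-description.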
Staying Ahead with Compliance Automation
Given the operational complexity of CCPA/CPRA rights management, many organizations turn to automation to reduce risk and operational cost. Platforms like CyberSilo’s Compliance Standards Automation continuously monitor data flows, automate consumer rights request processing (access, deletion, correction, opt-out, and portability), manage identity verification, and generate audit-ready records. Automation also helps manage the contractual flow-downs to service providers and contractors by providing template updates and tracking compliance obligations. For US organizations with a California footprint, investing in automation is not just a cost-saver — it is a strategic necessity to avoid the cumulative fines of multiple violations, especially given the per-violation structure. The CPPA’s enforcement history (as of early 2025) shows a focus on data brokers, online advertisers, and organizations with inadequate consumer request processes. Proactive compliance is far less expensive than a regulatory fine or a class-action breach lawsuit.
Secure Your CCPA / CPRA Compliance with CyberSilo
Navigating the patchwork of US state privacy laws requires more than a policy update. CyberSilo’s Compliance Standards Automation integrates consumer rights processing, data mapping, and contract management into a single platform built for regulated environments. Master the California privacy framework and build a foundation for nationwide compliance.
Our Conclusion & Recommendation
The California Consumer Privacy Act and the California Privacy Rights Act together form the most demanding consumer privacy framework in the United States. For any US organization — whether headquartered in San Francisco, New York, or Texas — if you collect, process, share, or sell the personal information of California residents, you must comply. The stakes are high: per-violation fines, private rights of action for data breaches, and a dedicated enforcement agency that actively investigates and penalizes non-compliance.
Our strong recommendation is to invest in a robust compliance program that goes beyond a simple privacy notice. Data mapping, rights processing automation, and contract lifecycle management are critical controls. CyberSilo’s Compliance Standards Automation provides the end-to-end operational backbone — mapping your data, handling consumer requests, tracking opt-out signals, and keeping your contracts CPRA-ready. Contact us for a compliance assessment to measure where your organization stands and what gaps need closing before the CPPA’s next enforcement sweep.
Get a Comprehensive CCPA / CPRA Compliance Assessment
Know your exposure. CyberSilo’s security and compliance engineers will audit your data flows, privacy notices, and consumer rights processes against the latest CPPA regulations. In one session, you'll receive a prioritized roadmap to full compliance.
