## What is CCPA / CPRA?
The California Consumer Privacy Act (CCPA) was enacted in 2018 as the first comprehensive state-level privacy law in the United States. It was significantly amended by the California Privacy Rights Act (CPRA) in 2020, with the amendments taking full effect on January 1, 2023. Together, CCPA/CPRA establish the most robust consumer privacy framework in the country, enforced by the California Privacy Protection Agency (CPPA).
CCPA/CPRA applies to for-profit businesses that collect California residents’ personal information and meet any of the following thresholds: $25 million or more in annual gross revenue; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing consumers’ personal information.
## Key Consumer Rights
CCPA/CPRA grants California residents a comprehensive set of privacy rights over their personal information:
- Right to Know — consumers can request what personal information a business collects, uses, discloses, and sells
- Right to Delete — consumers can request deletion of their personal information
- Right to Opt-Out of Sale/Sharing — consumers can direct a business to stop selling or sharing their personal information
- Right to Correct — consumers can request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information (SPI) — consumers can restrict how businesses use their SPI
## Key Requirements
CCPA/CPRA imposes specific obligations across several areas of data handling and privacy governance.
| Requirement Area | Description | Key Provisions |
|---|---|---|
| Consumer Rights | Respond to verifiable consumer requests | 45-day response window, verification procedures, appeals process |
| Service Provider / Contractor Contracts | Written agreements governing data handling | Purpose limitations, subcontractor flow-down, audit rights |
| Sensitive Personal Information | Enhanced protections for SPI categories | Use limitations, opt-out mechanisms, purpose restrictions |
| Risk Assessments | Evaluate processing activities that pose significant risk | CPRA-mandated assessments for high-risk processing |
| Cybersecurity Audits | Annual audits for businesses with significant risk processing | CPRA regulatory requirement, scope tied to risk level |
| Opt-Out Preference Signals | Honor browser-based privacy signals | Global Privacy Control (GPC), technical implementation required |
## Readiness Assessment Checklist
Before engaging in a full compliance program, evaluate where your organization stands against these six readiness questions:
- Have you completed a comprehensive data mapping exercise identifying all personal information collected, used, and shared?
- Are your privacy notices updated to reflect CPRA requirements, including SPI disclosures and retention periods?
- Have you implemented opt-out mechanisms for the sale and sharing of personal information, including GPC signal support?
- Are your service provider and contractor contracts updated with CPRA-compliant data processing terms?
- Do you have procedures for handling sensitive personal information with appropriate use limitations?
- Have you conducted risk assessments for processing activities that present significant risk to consumers?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our control domain breakdown to understand what regulators and auditors expect across all privacy control areas, with evidence examples for each.