CCPA/CPRA
California Consumer Privacy Act & California Privacy Rights Act
Standard Introduction
CCPA/CPRA is an active standard published by State of California. It is commonly used across Technology, Finance & Banking, Retail, Healthcare, Services and applies in United States.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with CCPA/CPRA.
Consumer Rights
Grants California residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information — including rights over automated decision-making.
Dedicated Enforcement Agency
The California Privacy Protection Agency (CPPA), established by CPRA, is the first dedicated state privacy enforcement body in the US, with rulemaking and enforcement authority.
Private Right of Action
Consumers can bring private lawsuits for data breaches involving unencrypted or non-redacted personal information, with statutory damages of $107 to $799 per consumer per incident.
list_alt Core Consumer Rights
- Right to know what personal information is collected
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of sale/sharing of personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising rights
- Right to opt out of automated decision-making technology
Who Needs to Comply?
For-profit businesses that collect California residents' personal information and meet any threshold: annual gross revenue over $26.6 million, buy/sell/share data of 100,000+ consumers or households, or derive 50%+ of revenue from selling/sharing personal information.
Key Requirements
Privacy Notice & Disclosures
Provide a comprehensive privacy policy disclosing categories of personal information collected, purposes of collection, consumer rights, and whether information is sold or shared. Update at least annually.
Consumer Request Handling
Establish processes to receive and respond to consumer requests to know, delete, correct, and opt out. Verify consumer identity and respond within 45 days (extendable to 90 days).
Opt-Out Mechanisms
Provide a clear "Do Not Sell or Share My Personal Information" link. Honor Global Privacy Control (GPC) signals. Obtain opt-in consent before selling data of consumers under 16.
Data Minimization & Purpose Limitation
Collect, use, retain, and share personal information only as reasonably necessary and proportionate to the disclosed purposes. Inform consumers before using data for new purposes.
Service Provider Agreements
Enter written contracts with service providers and contractors restricting their use of personal information to the specific business purposes outlined in the agreement.
Implementation Roadmap
Determine covered-business scope
Confirm whether the organization meets CCPA/CPRA applicability thresholds, map California consumer, household, employee, and B2B personal information, and identify service providers, contractors, third parties, and data brokers.
Build privacy inventory and notices
Create a personal-information inventory by category, source, purpose, retention period, disclosure, sale, sharing, and sensitive-information use. Update notices at collection, privacy policies, retention disclosures, and consumer-rights workflows.
Operate rights and opt-outs
Implement request intake, identity verification, response tracking, deletion and correction processes, opt-out of sale or sharing, sensitive-information limitation, authorized-agent handling, and vendor contract controls.
Maintain regulatory readiness
Monitor CPPA rulemaking, enforcement trends, cybersecurity-audit, risk-assessment, automated-decisionmaking, and data-broker obligations. Test consumer-facing links and refresh records as processing changes.
Compliance Checklist
checklist Applicability and inventory
checklist Consumer rights
checklist Governance and assurance
Penalties & Enforcement
Administrative fines up to $2,663 per unintentional violation and $7,988 per intentional violation or violations involving minors (2025 adjusted amounts). Private lawsuits for data breaches can yield $107-$799 per consumer per incident. The largest settlement to date exceeded $1.5 million.
Frequently Asked Questions
Who must comply with the CCPA/CPRA?
expand_more
The law applies to for-profit businesses that do business in California and meet statutory thresholds based on revenue, volume of personal information processed, or revenue from selling or sharing personal information. Affiliates and joint-branded entities may also be in scope.
What rights do California consumers have?
expand_more
Consumers have rights to know, access, delete, correct, and obtain personal information, and to opt out of sale or sharing. They also have rights around sensitive personal information and protection from discrimination for exercising rights.
What is the difference between selling and sharing?
expand_more
Selling generally involves disclosure of personal information for monetary or other valuable consideration. Sharing focuses on disclosure for cross-context behavioral advertising. Both can trigger opt-out obligations.
Are employees and B2B contacts covered?
expand_more
Yes. Since the CPRA amendments became fully operative, employee and business-contact personal information is generally covered, so HR and B2B data must be included in notices, inventories, and rights processes.
What evidence should a business maintain?
expand_more
Maintain data maps, notices, rights request logs, verification decisions, vendor contracts, opt-out testing evidence, training records, retention schedules, and assessments for higher-risk processing where required.
Official Documentation
Official PDF for CCPA/CPRA
Official publication or summary for CCPA/CPRA
Official online resource
State of California guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for CCPA/CPRA