CCPA/CPRA

California Consumer Privacy Act & California Privacy Rights Act

apartmentPublishing Organization:State of California

United States Technology Finance & Banking Retail Healthcare Services

Standard Introduction

CCPA/CPRA is an active standard published by State of California. It is commonly used across Technology, Finance & Banking, Retail, Healthcare, Services and applies in United States.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with CCPA/CPRA.

privacy_tip

Consumer Rights

Grants California residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information — including rights over automated decision-making.

account_balance

Dedicated Enforcement Agency

The California Privacy Protection Agency (CPPA), established by CPRA, is the first dedicated state privacy enforcement body in the US, with rulemaking and enforcement authority.

gavel

Private Right of Action

Consumers can bring private lawsuits for data breaches involving unencrypted or non-redacted personal information, with statutory damages of $107 to $799 per consumer per incident.

list_alt Core Consumer Rights

Right to know what personal information is collected
Right to delete personal information
Right to correct inaccurate personal information
Right to opt out of sale/sharing of personal information
Right to limit use of sensitive personal information
Right to non-discrimination for exercising rights
Right to opt out of automated decision-making technology

Who Needs to Comply?

groups

For-profit businesses that collect California residents' personal information and meet any threshold: annual gross revenue over $26.6 million, buy/sell/share data of 100,000+ consumers or households, or derive 50%+ of revenue from selling/sharing personal information.

Key Requirements

Privacy Notice & Disclosures

Provide a comprehensive privacy policy disclosing categories of personal information collected, purposes of collection, consumer rights, and whether information is sold or shared. Update at least annually.

Consumer Request Handling

Establish processes to receive and respond to consumer requests to know, delete, correct, and opt out. Verify consumer identity and respond within 45 days (extendable to 90 days).

Opt-Out Mechanisms

Provide a clear "Do Not Sell or Share My Personal Information" link. Honor Global Privacy Control (GPC) signals. Obtain opt-in consent before selling data of consumers under 16.

Data Minimization & Purpose Limitation

Collect, use, retain, and share personal information only as reasonably necessary and proportionate to the disclosed purposes. Inform consumers before using data for new purposes.

Service Provider Agreements

Enter written contracts with service providers and contractors restricting their use of personal information to the specific business purposes outlined in the agreement.

Penalties & Enforcement

warning

Administrative fines up to $2,663 per unintentional violation and $7,988 per intentional violation or violations involving minors (2025 adjusted amounts). Private lawsuits for data breaches can yield $107-$799 per consumer per incident. The largest settlement to date exceeded $1.5 million.