Standard Overview
CCPA/CPRA is an in-force standard issued by the State of California. It is commonly applied in the technology, financial services and banking, retail, healthcare, and service industries, and applies to markets such as the United States.
This page collects the official CCPA/CPRA documents, the current status of the law, and the common related certification or assessment bodies, so that the requirements and the path to implementation can be understood quickly.
Consumer Rights
Grants California residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information — including rights over automated decision-making.
Dedicated Enforcement Agency
The California Privacy Protection Agency (CPPA), established by CPRA, is the first dedicated state privacy enforcement body in the US, with rulemaking and enforcement authority.
Private Right of Action
Consumers can bring private lawsuits for data breaches involving unencrypted or non-redacted personal information, with statutory damages of $107 to $799 per consumer per incident.
Core Consumer Rights
- Right to know what personal information is collected
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of sale/sharing of personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising rights
- Right to opt out of automated decision-making technology
Who Needs to Comply?
For-profit businesses that collect California residents' personal information and meet any one of the following thresholds: annual gross revenue over $26.6 million, buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information.
Key Requirements
Privacy Notice & Disclosures
Provide a comprehensive privacy policy disclosing categories of personal information collected, purposes of collection, consumer rights, and whether information is sold or shared. Update at least annually.
Consumer Request Handling
Establish processes to receive and respond to consumer requests to know, delete, correct, and opt out. Verify consumer identity and respond within 45 days (extendable to 90 days).
Opt-Out Mechanisms
Provide a clear "Do Not Sell or Share My Personal Information" link. Honor Global Privacy Control (GPC) signals. Obtain opt-in consent before selling data of consumers under 16.
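The following is an added example and not code from this page or from any official CCPA/CPRA material. It shows how a web service can honor the opt-out mechanisms listed above in code. The Global Privacy Control specification defines the request header `Sec-GPC: 1` and the browser property `navigator.globalPrivacyControl`; a server can treat the header as an opt-out of sale or sharing, combine it with a stored "Do Not Sell or Share" choice, and apply the under-16 opt-in rule. The function names, the decision structure, and the sample headers are constructed for illustration.

```javascript
// Added example: honoring Global Privacy Control (GPC) and related opt-out
// signals on the server side. Per the GPC spec, a conforming browser sends
// the request header "Sec-GPC: 1" and exposes navigator.globalPrivacyControl.

/**
 * Return true when the request headers carry a valid GPC opt-out signal.
 * Header names are case-insensitive; the spec defines only the value "1".
 * `headers` is a plain object such as Node's IncomingMessage.headers.
 */
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      const first = Array.isArray(value) ? value[0] : value;
      return String(first).trim() === '1';
    }
  }
  return false;
}

/**
 * Decide whether personal information tied to this request may be sold or
 * shared. Any one of these blocks the transfer:
 *   - a GPC header on the request,
 *   - a stored opt-out recorded via the "Do Not Sell or Share" link,
 *   - a consumer known to be under 16 without recorded opt-in consent.
 * `under16` is null when age is unknown (then the minor rule is not applied).
 * The returned `reasons` list is meant for audit logging.
 */
function saleSharingDecision({ headers = {}, storedOptOut = false, under16 = null, optInConsent = false }) {
  const reasons = [];
  if (hasGpcSignal(headers)) reasons.push('gpc-header');
  if (storedOptOut) reasons.push('stored-opt-out');
  if (under16 === true && !optInConsent) reasons.push('minor-no-opt-in');
  return { allowed: reasons.length === 0, reasons };
}

/**
 * Body for the /.well-known/gpc.json resource defined by the GPC spec,
 * declaring that this site honors GPC. `lastUpdate` is an ISO 8601 date.
 */
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

/**
 * Client-side counterpart: read navigator.globalPrivacyControl so page
 * scripts can suppress third-party sharing before any request is made.
 * Takes the navigator object as a parameter so it can run outside a browser.
 */
function clientGpcEnabled(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Constructed sample requests, as a server would see them.
const sampleRequests = [
  { label: 'browser with GPC enabled', headers: { 'sec-gpc': '1' } },
  { label: 'browser without GPC, stored opt-out', headers: {}, storedOptOut: true },
  { label: 'adult, no signals', headers: { 'user-agent': 'example' }, under16: false },
  { label: 'under 16, no opt-in', headers: {}, under16: true },
];

for (const req of sampleRequests) {
  const decision = saleSharingDecision(req);
  console.log(`${req.label}: allowed=${decision.allowed} reasons=${decision.reasons.join(',') || 'none'}`);
}
```

The decision function returns the blocking reasons rather than just a boolean so that each suppressed sale or share can be logged with the signal that caused it, which is the evidence an auditor or the CPPA would ask for when checking that GPC signals were honored.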
Data Minimization & Purpose Limitation
Collect, use, retain, and share personal information only as reasonably necessary and proportionate to the disclosed purposes. Inform consumers before using data for new purposes.
Service Provider Agreements
Enter written contracts with service providers and contractors restricting their use of personal information to the specific business purposes outlined in the agreement.
Penalties & Enforcement
Administrative fines up to $2,663 per unintentional violation and $7,988 per intentional violation or violations involving minors (2025 adjusted amounts). Private lawsuits for data breaches can yield $107-$799 per consumer per incident. The largest settlement to date exceeded $1.5 million.