CCPA and CPRA: California's Privacy Rights and What Businesses Must Do
A detailed explanation of the California Consumer Privacy Act and its 2020 amendment CPRA—covering consumer rights, business obligations, sensitive personal information rules, and enforcement mechanisms.
The Law That Triggered 75 State Privacy Bills: California's Privacy Revolution
When California's AB 375 passed in June 2018, rushed through the legislature in a matter of days to head off a ballot initiative that would have imposed something far more restrictive, the United States got its closest equivalent to GDPR. The California Consumer Privacy Act took effect January 1, 2020. Its expanded successor, the California Privacy Rights Act (Proposition 24), passed with about 56% of the vote in November 2020, became fully operative on January 1, 2023, and has been enforced since mid-2023. Together, CCPA and CPRA cover roughly 39 million people in the world's fifth-largest economy and have shaped the comprehensive privacy laws since enacted in well over a dozen other US states. Any serious business operating online must understand what these laws require.
Which Businesses Must Comply
CPRA applies to for-profit businesses that collect California residents' personal information and meet at least one of three thresholds:
- Annual gross revenues exceeding $25 million.
- Annually buying, selling, receiving for commercial purposes, or sharing the personal information of 100,000 or more consumers or households.
- Deriving 50% or more of annual revenues from selling or sharing consumers' personal information.
Nonprofit organizations and government agencies are generally exempt, though service providers and contractors that handle data on behalf of covered businesses face their own contractual and statutory obligations. The law applies regardless of where the business is headquartered: a New York or European company that collects personal information from California residents falls within scope.
Consumer Rights Under CCPA/CPRA
| Right | Description | Business Obligation |
|---|---|---|
| Right to Know | Learn what personal info is collected, used, disclosed, and sold | Respond within 45 days; free, twice per year |
| Right to Delete | Request deletion of personal information | Delete and direct service providers to delete |
| Right to Correct | Fix inaccurate personal information (CPRA addition) | Correct within 45 days |
| Right to Opt-Out | Stop sale or sharing of personal information | Honor as soon as feasible and no later than 15 business days; "Do Not Sell or Share My Personal Information" link required |
| Right to Limit | Restrict use/disclosure of sensitive personal information (CPRA addition) | Limit to necessary purposes; honor within 15 business days |
| Right to Non-Discrimination | No penalty for exercising rights | Cannot deny goods/services or charge different prices |
| Right to Data Portability | Receive data in portable, usable format | Provide in machine-readable format |
Sensitive Personal Information: CPRA's New Category
CPRA introduced a distinct category of "sensitive personal information" (SPI) whose use consumers can restrict to what is necessary to provide the requested goods or services. This category includes Social Security, driver's license, and passport numbers; account log-in credentials and financial account details; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, and union membership; contents of mail, email, and text messages; genetic and biometric data; and health, sex life, and sexual orientation information. A business that uses or discloses SPI for purposes beyond those the CPRA regulations permit must disclose this separately, provide a "Limit the Use of My Sensitive Personal Information" link on its homepage, and, once a consumer exercises that right, confine processing of the consumer's SPI to the permitted purposes. A business that already limits itself to those purposes need not post the link.
This is the closest US law has come to GDPR's "special categories" of data, though the consent model differs: under CPRA the consumer must act to limit use (opt-out), while GDPR requires explicit opt-in consent for most processing of special-category data.
The California Privacy Protection Agency
CPRA created the California Privacy Protection Agency (CPPA), the first dedicated privacy enforcement agency in US history, independent of the Attorney General. The CPPA has rulemaking authority and can impose administrative fines of $2,500 per unintentional violation and $7,500 per intentional violation or any violation involving the personal information of consumers under 16; both amounts are adjusted periodically for inflation, and CPRA removed the mandatory 30-day cure period that CCPA originally offered. The AG retains parallel enforcement authority. There is no private right of action for most violations, but CCPA created a limited one for data breaches: a consumer whose nonencrypted and nonredacted personal information (as defined in Civil Code 1798.81.5, plus email address and password combinations) is exposed because the business failed to maintain reasonable security may recover $100 to $750 per consumer per incident, or actual damages if greater. For security teams this is the provision that turns a breach into class-action exposure, and "reasonable security" is the standard the plaintiff must show was not met.
Key Compliance Requirements for Businesses
- Privacy Policy: Must be updated at least every 12 months, disclosing categories of personal information collected, purposes, third-party sharing, and all consumer rights with instructions on how to exercise them.
- Data Map: Businesses must know what personal information they collect, where it flows, how long it is retained, and who has access. The statute does not name a "data inventory," but the CPPA's risk-assessment and cybersecurity-audit regulations cannot be satisfied without one.
- "Do Not Sell or Share" Link: Required on the homepage if the business sells or shares personal information. Opt-out preference signals such as Global Privacy Control (GPC), sent by the browser as the `Sec-GPC: 1` request header, must be honored as valid opt-out requests for that browser or device and for any consumer profile the business links to it, without requiring the consumer to log in or take further steps.
- Contracts with Service Providers: Data-sharing agreements must specify permitted purposes and prohibit the recipient from selling or sharing the data, retaining or using it for other purposes, or combining it with data from other sources except as the regulations allow.
- Employee and B2B Data: The temporary exemptions for employee, job applicant, and business-to-business contact data expired on January 1, 2023 and were not renewed, bringing these fully within scope.
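The GPC requirement above is the one compliance item on this list that is implemented in code rather than in policy. The following is an added example, not code from the article or from any regulator, showing the server-side logic a business needs: detect the `Sec-GPC: 1` header (the only value the GPC specification defines), record an opt-out for the device and for any logged-in consumer, never treat a missing or non-"1" signal as re-opting the consumer in, and suppress third-party tags that would sell or share personal information. The store, identifiers, tag list, and function names are hypothetical.

```python
"""Honoring Global Privacy Control as a CCPA/CPRA opt-out of sale/sharing.

Added example (assumptions: an opaque device_id per browser, an optional
consumer_id for logged-in users, and an in-memory store standing in for a
real consent database).
"""
from dataclasses import dataclass, field
from typing import Optional

GPC_HEADER = "sec-gpc"  # Sec-GPC request header from the GPC specification


@dataclass
class OptOutRecord:
    opted_out: bool = False
    source: Optional[str] = None  # hypothetical labels: "gpc" or "link"


@dataclass
class OptOutStore:
    by_device: dict = field(default_factory=dict)    # device_id -> OptOutRecord
    by_consumer: dict = field(default_factory=dict)  # consumer_id -> OptOutRecord


def gpc_signal_present(headers: dict) -> bool:
    """True only for `Sec-GPC: 1`; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def record_opt_out(store: OptOutStore, device_id: str,
                   consumer_id: Optional[str] = None, source: str = "gpc") -> None:
    """Opt out the browser/device and, when known, the consumer profile linked to it."""
    store.by_device[device_id] = OptOutRecord(True, source)
    if consumer_id is not None:
        store.by_consumer[consumer_id] = OptOutRecord(True, source)


def opted_out(store: OptOutStore, device_id: str,
              consumer_id: Optional[str] = None) -> bool:
    """Opt-out status for this request: device-level or profile-level."""
    if store.by_device.get(device_id, OptOutRecord()).opted_out:
        return True
    if consumer_id is not None and store.by_consumer.get(consumer_id, OptOutRecord()).opted_out:
        return True
    return False


def handle_request(store: OptOutStore, headers: dict, device_id: str,
                   consumer_id: Optional[str] = None) -> bool:
    """Apply the GPC signal as an opt-out request; return whether sale/sharing is prohibited.

    An absent signal, or any value other than "1", never re-opts a consumer in:
    an earlier opt-out stands until the consumer affirmatively consents through
    a separate flow (not modelled here).
    """
    if gpc_signal_present(headers):
        record_opt_out(store, device_id, consumer_id, source="gpc")
    return opted_out(store, device_id, consumer_id)


@dataclass(frozen=True)
class Tag:
    name: str
    shares_pi: bool  # True if firing this tag sells/shares PI with a third party


def tags_to_emit(all_tags: list, opt_out: bool) -> list:
    """Drop tags that would sell or share PI when opt-out applies; first-party tags still run."""
    return [t for t in all_tags if not (opt_out and t.shares_pi)]


# Constructed sample tag inventory (not from the article).
SAMPLE_TAGS = [
    Tag("first-party-analytics", shares_pi=False),
    Tag("ad-network-pixel", shares_pi=True),
    Tag("data-broker-sync", shares_pi=True),
]

if __name__ == "__main__":
    store = OptOutStore()
    blocked = handle_request(store, {"Sec-GPC": "1"}, device_id="dev-A", consumer_id="user-42")
    print([t.name for t in tags_to_emit(SAMPLE_TAGS, blocked)])
```

The two behaviours worth noting are that the opt-out propagates to the consumer profile, so the same user on a second browser without GPC stays opted out, and that tag suppression happens server-side before the page is rendered, which is the only place it can be enforced against a browser that has already declared it does not want tracking.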
CCPA vs. GDPR: Key Structural Differences
| Dimension | CCPA/CPRA | GDPR |
|---|---|---|
| Default model | Opt-out (consumer must act) | Opt-in (consent required before processing) |
| Legal basis | No lawful-basis requirement, though collection and use must be reasonably necessary and proportionate to the disclosed purpose | Must identify a lawful basis for each processing activity |
| Scope | California residents, wherever the business is located | Individuals in the EU/EEA, wherever the controller is located |
| DPO requirement | No (risk assessments and cybersecurity audits required for high-risk processing instead) | Yes for certain controllers and processors |
| Maximum fine | $2,500 per violation, $7,500 per intentional or child-related violation, with no aggregate cap | Up to €20 million or 4% of global annual turnover, whichever is higher |
| Enforcement body | CPPA + AG + limited private action for breaches | National supervisory authorities in each EU/EEA state, coordinated by the European Data Protection Board |
By 2025, at least 19 US states had enacted their own comprehensive privacy laws, most using either the CCPA/CPRA or Virginia CDPA model. Federal privacy legislation has repeatedly stalled in Congress, leaving a state-by-state patchwork that makes CCPA compliance the effective national baseline for most mid-sized and large companies.
Legal Disclaimer: This article is for general informational purposes only and does not constitute legal advice. CCPA and CPRA regulations are subject to ongoing CPPA rulemaking and enforcement guidance. Businesses should consult qualified legal counsel before making compliance decisions.