CCPA and CPRA Compliance: Track California Privacy Obligations and Map Them to Your Policies
The CCPA, as amended by the CPRA, gives California consumers strong privacy rights and is enforced by the California Privacy Protection Agency and the Attorney General. RegSpace monitors the sources that move, scores your policies against the law, and keeps the registers that evidence your programme, all as draft intelligence for your counsel to review.
What is CCPA / CPRA?
The California Consumer Privacy Act of 2018 (CCPA) is California's landmark consumer privacy law, significantly expanded by the California Privacy Rights Act of 2020 (CPRA, Proposition 24, approved by voters in November 2020). The CPRA amendments took full effect on 1 January 2023, and enforcement of those amendments began on 1 July 2023. Together the two are usually referred to as the CCPA as amended, or simply CCPA/CPRA. The law gives California residents rights over their personal information and imposes transparency, opt-out and data-handling obligations on businesses that meet defined thresholds. The CPRA also created a dedicated regulator, the California Privacy Protection Agency (CPPA), which shares enforcement and rulemaking authority with the California Attorney General. The CPPA has adopted further regulations on automated decisionmaking technology (ADMT), risk assessments and cybersecurity audits, with compliance phased in over staggered dates that you should confirm against the final text.
Who does CCPA / CPRA apply to?
The CCPA/CPRA applies to for-profit businesses that do business in California, collect California residents' personal information and meet at least one of the law's size or data thresholds, plus the service providers, contractors and third parties they share data with.
- For-profit businesses doing business in California that determine the purposes and means of processing consumers' personal information and meet at least one statutory threshold
- Businesses with more than 25 million US dollars in annual gross revenue (measured in the preceding calendar year; the statute provides for periodic inflation adjustment of this figure, so check the current adjusted threshold)
- Businesses that annually buy, sell or share the personal information of 100,000 or more California consumers or households
- Businesses that derive 50 percent or more of their annual revenue from selling or sharing California consumers' personal information
- Service providers and contractors that process personal information on a business's behalf under a written contract, plus third parties that receive personal information
- Entities that control or are controlled by a covered business and share common branding, which can be swept into scope as part of the same business
Key CCPA / CPRA obligations
Notice and transparency obligations
Provide a notice at or before the point of collection and maintain a comprehensive privacy policy that lists the categories of personal information and sensitive personal information collected, the purposes, sources, the categories disclosed, sold or shared, and how consumers can exercise their rights, refreshed at least every 12 months.
Honour consumer rights requests
Operationalise the rights to know, delete and correct personal information, generally responding within 45 days (extendable by a further 45 days where reasonably necessary), with at least two designated methods to submit requests and a verification process before disclosing or acting on data.
Opt-out of sale and sharing
Where you sell personal information or share it for cross-context behavioural advertising, provide a clear Do Not Sell or Share My Personal Information mechanism and honour opt-out preference signals such as the Global Privacy Control (GPC) sent through a consumer's browser or device.
Limit the use of sensitive personal information
Give consumers the right to limit use and disclosure of sensitive personal information (for example precise geolocation, government IDs, health, racial or ethnic origin, contents of communications) to what is necessary to provide the requested goods or services, and offer a Limit the Use of My Sensitive Personal Information link or equivalent where applicable.
Non-discrimination and financial incentives
Do not discriminate against consumers for exercising their rights, for example by denying goods or services or charging different prices, except where a difference is reasonably related to the value of the data under a properly disclosed financial incentive programme.
Service provider and contractor contracts
Put in place contracts with service providers, contractors and third parties that include the CCPA/CPRA-required terms restricting how they may process personal information, so that disclosures to them are not treated as sales and so onward obligations flow down the chain.
Data minimisation, purpose limitation and retention
Collect, use, retain and share personal information only as reasonably necessary and proportionate to the disclosed purposes, and tell consumers how long each category of personal information and sensitive personal information is retained, or the criteria used to set that period.
Reasonable security and accountability
Implement reasonable security procedures and practices appropriate to the nature of the personal information; failure to do so can give rise to the CCPA's limited private right of action for certain unauthorised-access data breaches, alongside CPPA and Attorney General enforcement.
Key dates
- 28 June 2018: The California Consumer Privacy Act of 2018 (AB 375) was signed into law, establishing California's baseline consumer privacy regime.
- 1 January 2020: The original CCPA took effect, with Attorney General enforcement commencing on 1 July 2020.
- 3 November 2020: California voters approved the California Privacy Rights Act (CPRA, Proposition 24), which amended and expanded the CCPA and created the California Privacy Protection Agency (CPPA).
- 1 January 2023: The CPRA amendments took full effect, adding rights such as correction and the right to limit use of sensitive personal information and introducing the concept of sharing for cross-context behavioural advertising.
- 1 July 2023: Enforcement of the CPRA amendments began, with the CPPA and the California Attorney General sharing enforcement authority.
- Phased compliance dates (approximate, confirm against the final text): Under the CPPA's adopted regulations, new obligations on automated decisionmaking technology (ADMT), risk assessments and cybersecurity audits phase in on staggered compliance dates running into the later 2020s; the exact operative dates depend on the final regulations, so treat them as approximate until confirmed.
How RegSpace helps with CCPA / CPRA
Draft, source-linked intelligence for your team to review. Not legal advice.
Monitors, weekly, the US and California sources and legislative trackers that touch you, including the California Privacy Protection Agency and the California Attorney General, and drafts a source-linked digest of changes such as new or amended CCPA/CPRA regulations on ADMT, risk assessments and cybersecurity audits. Where a change hits a policy you have published, Watcher prepares a DOCX redline in track-changes for your counsel to review.
Scores your uploaded California privacy policy, notice at collection and related documents against the law and corpus, showing which obligations are covered, partial or missing with an overall gap score, so you can see where your CCPA/CPRA documentation falls short before a regulator does.
Scores vendor and third-party risk and reconciles your published privacy notice against what your registers actually record, which supports the service-provider, contractor and third-party tracking and the sale and sharing disclosures the CCPA/CPRA expects you to keep accurate.
Gives you the registers a California privacy programme leans on in one place, including a processing-activities register, a risk register with a 5x5 matrix, a controls library, incidents, DPIAs, cookies, assets and vendors, plus a review and approval workflow, tickets and dashboards to evidence accountability.
Builds your compliance profile by crawling your website and classifying the policies it finds, then hands it to your counsel to review and edit, so your CCPA/CPRA programme starts from an accurate picture of what you have actually published.
CCPA / CPRA FAQ
Who does the CCPA/CPRA apply to?
It applies to for-profit businesses that do business in California, collect California residents' personal information and meet at least one threshold: more than 25 million US dollars in annual gross revenue; buying, selling or sharing the personal information of 100,000 or more California consumers or households per year; or deriving 50 percent or more of annual revenue from selling or sharing personal information. Service providers, contractors and third parties that handle that data are pulled in through contractual obligations.
What is the difference between the CCPA and the CPRA?
The CCPA is the original 2018 law. The CPRA (Proposition 24, approved in 2020) is an amendment that expanded it, adding rights such as correction and the right to limit use of sensitive personal information, introducing the concept of sharing for cross-context behavioural advertising, and creating the California Privacy Protection Agency. The CPRA amendments took full effect on 1 January 2023, with enforcement from 1 July 2023, so the current law is usually called the CCPA as amended.
What rights do California consumers have under the CCPA/CPRA?
Consumers have the rights to know what personal information is collected and how it is used, to delete it, to correct inaccurate information, to opt out of the sale or sharing of their personal information, to limit the use and disclosure of sensitive personal information, and to non-discrimination for exercising any of these rights.
What are sale and sharing under the CCPA/CPRA?
Sale means disclosing personal information to a third party for monetary or other valuable consideration. Sharing was added by the CPRA and specifically targets disclosing personal information for cross-context behavioural advertising, even where no money changes hands. Businesses that sell or share must offer a Do Not Sell or Share My Personal Information option and honour opt-out preference signals such as the Global Privacy Control.
Does the CCPA/CPRA require honouring the Global Privacy Control?
Yes. Where a business sells or shares personal information, it must treat an opt-out preference signal sent by a consumer's browser or device, such as the Global Privacy Control (GPC), as a valid request to opt that consumer out of sale and sharing, without requiring a separate manual request.
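The opt-out obligation described under "Opt-out of sale and sharing" above and in this answer turns on a concrete browser mechanism: the Global Privacy Control specification sends the request header `Sec-GPC: 1` on every HTTP request and exposes `navigator.globalPrivacyControl` to page scripts, and sites may publish a `/.well-known/gpc.json` resource declaring that they honour the signal. The following is an added example written for this page, not RegSpace's code and not code from the GPC specification. It shows the server-side check a practitioner would put in front of any sale or sharing pipeline (ad-tech tags, data-broker feeds), the decision logic that combines the signal with a stored preference, and the well-known resource. The request-header shape (a map with lowercased names, as Node's `http` module provides), the `consentRecord` object and the `clientGpcEnabled` helper for gating tag loading are assumptions made for the example.

```javascript
// Added example (not RegSpace's code): recognising the Global Privacy Control
// (GPC) opt-out signal and publishing the GPC support resource.
// Assumption: `headers` is a plain object of request headers, as Node's http
// module supplies (names lowercased), though mixed case is tolerated below.

// The GPC spec defines the request header `Sec-GPC` with the value "1".
// Any other value, or a missing header, means no opt-out signal was sent.
function gpcSignalPresent(headers) {
  if (!headers || typeof headers !== 'object') return false;
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive; normalise before comparing.
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const raw = Array.isArray(value) ? value[0] : value;
    return String(raw).trim() === '1';
  }
  return false;
}

// Decide whether sale/sharing may proceed for this request.
// `consentRecord` is a constructed shape: { optedOutOfSaleSharing: boolean }
// representing what your preference store already holds for this consumer.
// A present GPC signal is itself a valid opt-out request, so it suppresses
// sale/sharing even when no stored opt-out exists, and `persistOptOut` tells
// the caller to write that opt-out to the consumer's record so it survives
// across channels where the browser signal is not present.
function resolveOptOut(headers, consentRecord) {
  const signal = gpcSignalPresent(headers);
  const stored = Boolean(consentRecord && consentRecord.optedOutOfSaleSharing);
  let source = 'none';
  if (signal) source = 'gpc-signal';
  else if (stored) source = 'stored-preference';
  return {
    optedOut: signal || stored,
    source,                           // why sale/sharing was (not) suppressed; log it
    persistOptOut: signal && !stored, // new opt-out learned from the signal
  };
}

// Body for GET /.well-known/gpc.json, the spec's machine-readable statement
// that the site honours GPC. `lastUpdate` is an ISO 8601 date (YYYY-MM-DD).
function gpcSupportResource(lastUpdate) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(lastUpdate)) {
    throw new Error('lastUpdate must be an ISO 8601 date such as 2025-01-01');
  }
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Browser-side counterpart (assumed helper): pass `window.navigator`.
// Use it to decide, before loading advertising tags, whether the user has GPC on.
function clientGpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests for a stand-alone run.
const sampleRequests = [
  { label: 'gpc-on, no stored preference', headers: { 'sec-gpc': '1' }, record: { optedOutOfSaleSharing: false } },
  { label: 'gpc-off, stored opt-out',      headers: { 'sec-gpc': '0' }, record: { optedOutOfSaleSharing: true } },
  { label: 'no header, no record',         headers: {},                 record: null },
];
for (const s of sampleRequests) {
  console.log(s.label, resolveOptOut(s.headers, s.record));
}
console.log(gpcSupportResource('2025-01-01'));
```

Wire `resolveOptOut` in before any code path that fires a sale or sharing disclosure, not only on the consent banner, since the signal arrives with every request and the regulations treat it as the request itself. The `persistOptOut` flag is where the signal meets your registers: when it is true for an authenticated consumer, the opt-out should be written to the preference store and reflected in the records that back your Do Not Sell or Share disclosures.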
What new rules are coming on automated decisionmaking, risk assessments and cybersecurity audits?
The California Privacy Protection Agency has adopted regulations on automated decisionmaking technology (ADMT), risk assessments and cybersecurity audits. These obligations phase in on staggered compliance dates running into the later 2020s. The exact operative dates depend on the final regulations, so they should be treated as approximate until confirmed, which is the kind of change RegSpace's Watcher is designed to track and surface with the source attached.
Does RegSpace make my business CCPA/CPRA compliant?
No. RegSpace produces draft regulatory intelligence, gap analysis and register tooling for your qualified counsel to review, and every digest item is source-linked. RegSpace does not provide legal advice, does not form a lawyer-client relationship, does not file anything with a regulator, and does not guarantee compliance or replace your legal team.
Stay ahead of CCPA / CPRA changes, automatically.
RegSpace monitors the regulators that touch you, scores your policies against the law, and drafts the redlines. Every claim cited, every output handed to your lawyer for review.