CCPA / CPRA
California Consumer Privacy Act / California Privacy Rights Act
California's comprehensive consumer privacy law granting residents rights over their personal information and establishing the California Privacy Protection Agency.
Overview
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, granting California residents sweeping rights over their personal information and imposing significant obligations on businesses. It was substantially amended by the California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020 and effective January 1, 2023. Together, CCPA/CPRA represent the most comprehensive US state privacy law and serve as the model for privacy legislation across the country.
The CPRA created a first-of-its-kind dedicated privacy enforcement agency, the California Privacy Protection Agency (CPPA), and added new rights including the right to correct inaccurate information and the right to limit the use of sensitive personal information. It also introduced a new category of 'sharing' data for cross-context behavioural advertising, tightened rules around service providers, contractors, and third parties, and mandated annual privacy risk assessments and cybersecurity audits for businesses engaged in high-risk processing.
CCPA/CPRA applies to for-profit businesses meeting any one of three thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households annually; or deriving 50% or more of annual revenue from selling or sharing consumers' personal information.
Scope & Applicability
For-profit businesses operating in California that meet at least one of the following thresholds: (1) annual gross revenues above $25 million; (2) annually buying, selling, receiving, or sharing for commercial purposes the personal information of 100,000 or more consumers or households; or (3) deriving 50% or more of annual revenues from selling or sharing consumers' personal information. The law covers personal information about California residents collected while they are in California.
Key Principles
- Transparency: businesses must inform consumers about what personal information is collected and how it is used at or before the point of collection
- Consumer Rights: California residents have comprehensive rights to know, delete, correct, opt-out, and limit processing
- Purpose Limitation: personal information collected for one purpose cannot be used for unrelated purposes without additional notice
- Data Minimisation: collection must be reasonably necessary and proportionate to the disclosed purpose
- Security: businesses must implement reasonable security measures appropriate to the nature of the data
- Non-Discrimination: consumers exercising privacy rights cannot be denied services, charged different prices, or given different quality without justification
- Accountability: businesses must conduct annual privacy risk assessments and cybersecurity audits for high-risk processing
Data Subject Rights
Consumers can request disclosure of the categories and specific pieces of personal information collected, the purposes of collection, categories of sources, and categories of third parties with whom information is shared.
Consumers can request deletion of their personal information, subject to exceptions for completing transactions, security, legal obligations, and other permitted purposes.
Added by CPRA, consumers can request correction of inaccurate personal information held by a business, taking into account the nature of the data and the risks of harm from inaccuracy.
Consumers can direct businesses not to sell or share their personal information, including for cross-context behavioural advertising. Businesses must honour Global Privacy Control (GPC) signals.
Consumers can limit the use of sensitive personal information (SSN, financial data, health data, precise geolocation, etc.) to purposes necessary to provide requested services.
Consumers cannot be denied goods or services, charged different prices, or given a different quality of service for exercising their CCPA/CPRA rights.
Consumers can request their personal information in a portable, readily usable format that allows transmission to another entity.
Business Obligations
Privacy Notice at Collection
Businesses must provide a clear and conspicuous notice at or before the point of collection describing categories of personal information collected and the purposes for use.
Privacy Policy
A comprehensive privacy policy must be published and updated at least annually, covering all categories of data collected, consumer rights, and how to submit requests.
Opt-Out Infrastructure
Businesses that sell or share personal information must provide a clear 'Do Not Sell or Share My Personal Information' link and honour Global Privacy Control (GPC) browser signals.
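The Global Privacy Control signal arrives in two forms: an HTTP request header (`Sec-GPC: 1`) that a server can read on every request, and a browser property (`navigator.globalPrivacyControl`) that client-side scripts can check. The following is an added example, not TruePrivacy code and not taken from the page, showing how a web property can detect the signal and treat it as an opt-out of sale/share. The `record` shape (`optedOut`, `optedOutAt`, `source`) and the `applyGpcSignal` function are assumptions made for illustration; the header name, the value `1`, and the navigator property come from the GPC specification.

```javascript
// Added example (not TruePrivacy's code): detect the Global Privacy Control
// signal and apply it as an opt-out of sale/share. The stored consumer
// preference record shape below is hypothetical.

// Look up a header case-insensitively; Node and fetch-style objects may
// present header names in any case, and some frameworks give arrays.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// The GPC spec defines exactly one valid header value: "1". Anything else
// (absent, "0", "true", garbage) is treated as "no signal", never as consent.
function gpcOptOutFromHeaders(headers) {
  const raw = getHeader(headers, 'Sec-GPC');
  return typeof raw === 'string' && raw.trim() === '1';
}

// Browser-side check. Returns null (not false) when the API is absent so the
// caller falls back to the server-side header instead of assuming "no".
function gpcOptOutFromNavigator(nav) {
  if (!nav || typeof nav.globalPrivacyControl === 'undefined') return null;
  return nav.globalPrivacyControl === true;
}

// Apply the signal to a consumer's stored preference record (hypothetical
// shape: { optedOut: boolean, optedOutAt: string|null, source: string|null }).
// A GPC signal is recorded as an opt-out request. Its absence on a later
// request does NOT re-enable sale/share; only an explicit consumer action
// should do that, so the record is left untouched in that case.
function applyGpcSignal(record, headers, now = new Date()) {
  const signalled = gpcOptOutFromHeaders(headers);
  const next = { ...record };
  if (signalled && !record.optedOut) {
    next.optedOut = true;
    next.optedOutAt = now.toISOString();
    next.source = 'gpc';
  }
  return { record: next, sellOrShareAllowed: !next.optedOut };
}

// Constructed sample requests for a quick stand-alone run.
const samples = [
  { id: 'c-1', headers: { 'sec-gpc': '1' } },            // Firefox/Brave style
  { id: 'c-2', headers: { 'Sec-GPC': '0' } },            // not a valid opt-out
  { id: 'c-3', headers: {} },                            // no signal at all
];

for (const s of samples) {
  const fresh = { optedOut: false, optedOutAt: null, source: null };
  const result = applyGpcSignal(fresh, s.headers, new Date('2024-01-01T00:00:00Z'));
  console.log(s.id, 'sellOrShareAllowed =', result.sellOrShareAllowed);
}
```

Run with `node gpc.js`; the first sample is recorded as opted out, the other two are not. In a real deployment the updated record would be persisted and the same decision applied to any downstream ad-tech calls, so that the opt-out is honoured server-side even for consumers whose browser does not expose `navigator.globalPrivacyControl` to page scripts.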
Verifiable Consumer Request Process
Businesses must establish a process for verifying consumer identity before fulfilling access or deletion requests, without creating excessive barriers.
Service Provider and Contractor Contracts
Written contracts with service providers, contractors, and third parties must restrict their use of personal information and require equivalent privacy protections.
Annual Privacy Risk Assessment
CPRA requires businesses engaged in processing that presents significant risk to consumers to conduct and submit annual privacy risk assessments to the CPPA.
Data Retention Policy
CPRA requires businesses to disclose retention periods for each category of personal information and avoid retaining data longer than reasonably necessary.
Cross-Border Transfer Rules
CCPA/CPRA does not impose transfer restrictions comparable to GDPR adequacy requirements. However, businesses must ensure that any transfer of personal information to third parties outside California (including to service providers, contractors, or third parties) is governed by contracts that prohibit the recipient from selling or sharing the data and require the recipient to maintain equivalent privacy protections. The CPPA's rulemaking may introduce additional requirements for certain high-risk data transfers.
Breach Notification Requirements
California's breach notification law (Civil Code §1798.82) requires notification 'in the most expedient time possible and without unreasonable delay'.
The California Attorney General must be notified if the breach affects more than 500 California residents.
Affected California residents must be notified of any breach of unencrypted personal information without unreasonable delay.
How TruePrivacy Helps
Purpose-built tools for every CCPA / CPRA obligation.
A branded, accessible portal allows California consumers to submit know, delete, correct, and opt-out requests with built-in identity verification and 45-day deadline tracking.
TruePrivacy automatically detects and honours Global Privacy Control opt-out signals across all web properties, ensuring CPRA compliance for browser-based opt-outs.
Automated data discovery identifies and tags sensitive personal information categories, enabling businesses to build the infrastructure to limit its use on request.
Guided annual privacy risk assessment templates aligned with CPPA guidance help document high-risk processing and demonstrate accountability.
TruePrivacy manages 'Do Not Sell or Share' link placement and routing across web properties, keeping the opt-out pathway conspicuous and functional.
Track and manage data processing agreements with service providers and contractors, ensuring all contracts contain required CPRA clauses.
Ready to achieve CCPA / CPRA compliance?
TruePrivacy automates your compliance workflows so your team can focus on what matters.