CCPA/CPRA — California Consumer Privacy Act
Overview last updated: January 2026
What Is CCPA/CPRA
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, making California the first US state with a comprehensive consumer privacy law. The California Privacy Rights Act (CPRA), passed by ballot measure in November 2020, significantly amended the CCPA and took effect on January 1, 2023 (with a lookback period to January 1, 2022).
Together, CCPA/CPRA grant California residents broad rights over their personal information and impose detailed disclosure requirements on businesses that collect it.
Who Must Comply
CCPA/CPRA applies to for-profit businesses that collect California residents' personal information and meet any one of these thresholds:
- Annual gross revenue for the preceding calendar year exceeding $25 million (this base figure is indexed to inflation and adjusted periodically, so check the current published threshold rather than relying on the $25 million number)
- Annually buy, sell, or share the personal information of 100,000 or more consumers or households
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information
Important notes on scope:
- The business does not need to be based in California or even have a physical presence there
- The thresholds are measured at the business entity level, including affiliates under common branding
- Non-profit organizations and government agencies are exempt
- HIPAA-covered entities are exempt for PHI (but not necessarily for other personal information they collect)
Service Providers, Contractors, and Third Parties
CCPA/CPRA distinguishes between:
- Service providers: Process personal information on behalf of the business under a written contract, for business purposes
- Contractors: Similar to service providers but with additional contractual and compliance requirements added by CPRA
- Third parties: Everyone else who receives personal information. "Sale" or "sharing" to third parties triggers additional obligations
What Counts as Personal Information
CCPA defines personal information broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. The law enumerates specific categories:
- Identifiers: Name, alias, postal address, unique personal identifier, online identifier, IP address, email, account name, SSN, driver's license number, passport number
- Customer records: Information in customer records (name, address, telephone, financial information, medical information)
- Protected classifications: Race, religion, sexual orientation, gender identity, disability, veteran status
- Commercial information: Records of products or services purchased, obtained, or considered
- Biometric information: Physiological, biological, or behavioral characteristics used for identification
- Internet or network activity: Browsing history, search history, interaction with websites or ads
- Geolocation data: Precise location information
- Sensory data: Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment information: Current or past job history, performance evaluations
- Education information: Non-public information per FERPA
- Inferences: Profiles drawn from any of the above reflecting preferences, characteristics, behavior, attitudes
Sensitive Personal Information (CPRA Addition)
CPRA created a new subcategory — sensitive personal information — with additional restrictions:
- SSN, driver's license, state ID, or passport numbers
- Account log-in credentials (username with password or security questions)
- Financial account numbers with access codes
- Precise geolocation
- Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership
- Contents of mail, email, or text messages (when the business is not the intended recipient)
- Genetic data, biometric data used for unique identification, neural data, health data, sex life or sexual orientation data
Consumers have the right to limit a business's use of their sensitive personal information to what is necessary to perform the services or provide the goods they requested.
Consumer Rights
Right to Know (Access)
Consumers can request that a business disclose:
- The categories of personal information collected
- The categories of sources
- The business or commercial purpose for collecting, selling, or sharing
- The categories of third parties with whom the information is shared
- The specific pieces of personal information collected about that consumer
Businesses must respond within 45 days (extendable by another 45 days with notice). Consumers can make these requests up to twice in a 12-month period.
Right to Delete
Consumers can request deletion of personal information collected from them. Businesses must comply and direct service providers and contractors to delete as well. Exceptions exist for completing transactions, security, legal compliance, internal uses compatible with the consumer's expectations, and certain other specified purposes.
Right to Correct (CPRA Addition)
Consumers can request correction of inaccurate personal information. The business must make commercially reasonable efforts to correct the information.
Right to Opt Out of Sale or Sharing
Consumers can opt out of the "sale" of their personal information and the "sharing" of their personal information for cross-context behavioral advertising. CPRA distinguished "sharing" as a separate concept from "selling" — sharing means transferring personal information for cross-context behavioral advertising, regardless of whether money changes hands.
Right to Limit Use of Sensitive Personal Information
Consumers can direct a business to limit its use of sensitive personal information to what is necessary to perform the services or provide the goods requested.
Right to Non-Discrimination
Businesses cannot discriminate against consumers for exercising their CCPA/CPRA rights: no denying goods or services, charging different prices, providing a different level or quality of service, or suggesting that the consumer will receive different treatment. A business may still offer a financial incentive or a price or service difference that is reasonably related to the value of the consumer's data, but only with notice and the consumer's opt-in consent, which the consumer can revoke at any time.
Privacy Policy Requirements
CCPA/CPRA is one of the frameworks where the privacy policy is a central compliance obligation, not a secondary concern. The law is specific about what must be disclosed.
Required Disclosures
Your privacy policy must include:
- Categories of personal information collected in the preceding 12 months, using the CCPA's enumerated categories
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting, selling, or sharing each category
- Categories of personal information sold or shared in the preceding 12 months, and for each category, the categories of third parties to whom it was sold or shared (or a statement that you have not sold or shared)
- Categories of personal information disclosed for a business purpose in the preceding 12 months, and for each category, the categories of recipients
- Retention periods for each category of personal information, or the criteria used to determine the retention period (CPRA addition)
- Description of consumer rights and how to exercise them, including at least two designated methods for submitting requests
- Contact information for questions or complaints
Website Requirements
- A conspicuous "Do Not Sell or Share My Personal Information" link on your homepage
- A conspicuous "Limit the Use of My Sensitive Personal Information" link if you collect sensitive PI and use it beyond what's necessary for the requested service
- These can be combined into a single link titled "Your Privacy Choices" or "Your California Privacy Choices", accompanied by the opt-out preference signal icon defined in the regulations
- If you sell or share personal information, you must also treat an opt-out preference signal such as Global Privacy Control (sent by the browser as the Sec-GPC: 1 request header) as a valid opt-out request for that browser or device, and for the consumer's account if you know who they are. A business that processes the signal in a frictionless manner and says so in its privacy policy may rely on it in place of the "Do Not Sell or Share" link
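The opt-out preference signal is the one part of the website requirements that is implemented in code rather than in a policy document. The following is an added example, not code from this page or from any regulator's guidance, of how a web backend can treat the Global Privacy Control header as a valid opt-out of sale/sharing. It assumes a hypothetical consent store keyed by consumer id; the consumer ids, records and the `under16` flag are constructed for the example, while the header name and the value `1` come from the GPC specification.

```javascript
// Added example (not from this page or from any regulator's guidance):
// treating the Global Privacy Control (GPC) signal as a valid request to
// opt out of sale/sharing on the server side. GPC-enabled browsers send
// the request header "Sec-GPC: 1". Consumer ids, records and the store
// below are constructed for the example.

// Case-insensitive header lookup. Node's http module lowercases header
// names, but other frameworks and proxies may not.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// A valid GPC signal is exactly the value "1". Anything else ("0", "true",
// an empty value, or no header at all) is not an opt-out request.
function hasOptOutSignal(headers) {
  const value = getHeader(headers, 'Sec-GPC');
  return typeof value === 'string' && value.trim() === '1';
}

// Constructed consent records. saleSharingAllowed: true models a consumer
// who affirmatively consented (for example, opted back in after opting out).
function makeConsentStore() {
  return new Map([
    ['c-100', { saleSharingAllowed: true, under16: false }],
    ['c-200', { saleSharingAllowed: false, under16: false }],
    ['c-300', { saleSharingAllowed: false, under16: true }],
  ]);
}

// Decide whether this request may be used for sale or sharing, e.g. whether
// to load third-party ad tags that would "share" data for cross-context
// behavioral advertising. `now` is injectable so decisions are testable.
// Returns the decision plus a reason suitable for an audit log.
function decideSaleSharing(headers, consumerId, store, now = () => new Date().toISOString()) {
  const signal = hasOptOutSignal(headers);
  const record = consumerId ? store.get(consumerId) : undefined;

  if (signal) {
    if (consumerId) {
      // Known consumer: persist the opt-out on their profile. If a stored
      // setting allowed sale/sharing, the signal still controls; the business
      // may notify the consumer of the conflict and let them choose, but must
      // stop selling/sharing in the meantime.
      const conflict = Boolean(record && record.saleSharingAllowed);
      store.set(consumerId, {
        ...(record || { under16: false }),
        saleSharingAllowed: false,
        optedOutAt: now(),
        conflictWithStoredSetting: conflict,
      });
      return { allowed: false, reason: conflict ? 'gpc-signal-overrides-stored-setting' : 'gpc-signal' };
    }
    // Unknown visitor: the opt-out applies to this browser/device. The caller
    // should also persist it (e.g. in a cookie) so it survives the session.
    return { allowed: false, reason: 'gpc-signal' };
  }

  // No signal: fall back to what is on file.
  if (record && record.under16) {
    // A consumer the business knows is under 16 needs affirmative opt-in
    // consent; the mere absence of an opt-out is not enough.
    return { allowed: record.saleSharingAllowed === true, reason: 'under-16-requires-opt-in' };
  }
  if (record && !record.saleSharingAllowed) {
    return { allowed: false, reason: 'stored-opt-out' };
  }
  // Adults default to permitted until they opt out (an opt-out regime).
  return { allowed: true, reason: record ? 'stored-consent' : 'no-opt-out-on-file' };
}
```

The decision is made before any third-party tag is emitted, so the page never "shares" first and honors the signal later. Logging the `reason` alongside the request gives you the evidence trail regulators ask for when they test opt-out handling, and the `conflictWithStoredSetting` flag marks the consumers who should receive the optional conflict notice.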
Update Frequency
Your privacy policy must be updated at least annually and must display the date it was last updated.
Enforcement
CCPA was originally enforced exclusively by the California Attorney General. CPRA created the California Privacy Protection Agency (CPPA), a new dedicated enforcement body.
- Administrative fines: Up to $2,500 per violation, and up to $7,500 per intentional violation or violation involving the personal information of a consumer under 16 (both amounts are indexed to inflation)
- Private right of action: Consumers can sue directly (without the AG or CPPA) when their nonencrypted and nonredacted personal information is breached as a result of the business's failure to implement reasonable security procedures and practices. This provision covers the narrower set of data elements defined in California's breach statute (such as name in combination with SSN, driver's license number, or a financial account number with its access code), not every CCPA category. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if greater. Before seeking statutory damages the consumer must give the business 30 days' written notice identifying the violation; if the business cures it and confirms so in writing within that period, statutory damages are unavailable.
- 30-day cure period: Under the original CCPA, businesses had 30 days to cure alleged violations before the AG could bring an action. CPRA removed this automatic cure period for administrative enforcement; the CPPA and AG now have discretion over whether to offer a cure opportunity. The separate 30-day notice-and-cure step for the private right of action described above still applies.
The CPPA has been ramping up enforcement activity since 2024, with particular focus on opt-out compliance, dark patterns in consent flows, and privacy policy completeness.
Common CCPA/CPRA Privacy Policy Failures
- Not using the CCPA's specific enumerated categories when listing personal information collected
- Failing to disclose retention periods (a CPRA requirement many organizations haven't implemented)
- Not distinguishing between "selling" and "sharing" (CPRA treats them as separate concepts)
- Missing or non-functional opt-out links on the homepage
- Omitting the right to correct personal information (CPRA addition)
- Using vague business purpose descriptions instead of the CCPA's defined purposes
- Not updating the privacy policy within the past 12 months
- Not providing at least two methods for consumers to submit requests
How Privacy Policy Review Helps
Your privacy policy is the primary compliance artifact under CCPA/CPRA — it's where regulators look first. Our service reviews your policy against every CCPA/CPRA disclosure requirement, including the CPRA amendments. The AI checks whether you're using the correct enumerated categories, identifies missing disclosures, and flags areas where your language doesn't match the law's terminology. An attorney verifies the findings in a signed Record of Review.
Ready to review your privacy policy?
Get AI-powered compliance analysis verified by an attorney — flat $199 per review.
Start Your Review