CCPA/CPRA Compliance Guide

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Privacy laws and regulatory requirements evolve — consult a qualified compliance professional about your specific situation.


You just received a request from a California resident asking for a copy of all the personal data you've collected about them. Or maybe they've asked for their data to be deleted. Or they've opted out of data sales. If you're not prepared for these requests, you're about to discover that California's privacy law — and the newer version that replaced parts of it — creates real operational obligations that go far beyond policy documents.

California's privacy landscape shifted significantly when the California Privacy Rights Act (CPRA) began taking effect in early 2023, changing and expanding the rules that had been in place under the original California Consumer Privacy Act (CCPA) since 2020. Understanding what applies to you, what your obligations actually are, and what happens if you miss the mark is essential. Most companies operating in this space, even those not headquartered in California, don't realize they're already in scope simply by accepting personal information from California residents online or by storing data about anyone who lives there.

From CCPA to CPRA: What Changed

The original CCPA was drafted quickly to address what California legislators saw as a gap in consumer privacy protection at the federal level. It went into effect in January 2020 and immediately created compliance chaos because the definitions were ambiguous, the requirements were broad, and the penalties were substantial. Businesses had 18 months to figure out how to comply with a law that was still being interpreted.

The CPRA arrived in 2020 as a ballot initiative and began phasing in over the following three years. It wasn't a minor amendment — it fundamentally reshaped several core CCPA requirements. The CPRA added new consumer rights (correction and deletion refinements), expanded the definition of personal information, created new restrictions on children's data, and introduced new categories of sensitive personal information that get stronger protections. As of early 2023, CPRA requirements are largely in effect, meaning the law you need to understand is the CPRA, not the original CCPA.

Here's what matters for your operations: if you've built compliance systems around the original CCPA, you'll need to update them. The scope is broader, the definitions are stricter, and the obligations are more demanding. Additionally, a regulatory agency called the California Privacy Protection Agency was created specifically to enforce CPRA, giving the state a dedicated privacy enforcement mechanism — and enforcement has increased noticeably since the agency became operational.

The practical implication is that CCPA knowledge from years past is partially outdated. You need CPRA understanding for current compliance.

Applicability: Does This Law Apply to You?

This is where most companies get the first part wrong. The law doesn't only apply to California-based companies. It applies to any for-profit business that collects personal information from California residents, regardless of where the business is located. If you have a website that accepts customers from California, you're in scope. If you have a customer in California, you're in scope. If you collect email addresses from anyone in California for any reason — a mailing list signup, a contact form submission, a survey — you're in scope.

The California Attorney General has published guidance stating that the law applies broadly. It's not limited to large companies, though there's a "small business" exemption if your business meets specific thresholds. To qualify for the exemption, your annual revenue must be under $25 million, you must not buy, sell, or share personal information of 100,000 or more consumers or households, and you must not derive 50 percent or more of your annual revenue from selling or sharing consumers' personal information. If you meet all three thresholds, you're exempt. If you don't meet even one, you're in scope.

Most companies don't meet the exemption criteria, which is why the law applies more broadly than many businesses expect. The revenue threshold sounds high until you consider that the "sale or sharing of personal information" definition is extraordinarily broad. It includes not just direct monetization but any transfer of personal information to third parties in exchange for anything of value — and "anything of value" includes things like marketing value or service improvements. This means that even if you're not explicitly selling customer lists, you might be "selling" data under the law simply by sharing it with partners, vendors, or analytics companies.

Consumer Rights and How to Implement Them

CPRA gives California residents four core rights: the right to access (request a copy of their personal information), the right to delete (request deletion of personal information you hold), the right to correct (request correction of inaccurate personal information), and the right to opt out of personal information sales or sharing. These aren't theoretical rights — they're consumer-initiated requests that your organization must be equipped to handle.

The access right requires you to provide consumers with a copy of their personal information that you've collected, with specific required elements included in the response. You must provide the categories of personal information you've collected, the sources of that information, the purposes for which you collected it, and the categories of third parties with whom you share it. You must do this within 45 days of receiving the request. That 45-day clock is real, and missing it creates liability.

The deletion right requires you to delete personal information a consumer has requested deleted, with some exceptions. You can refuse to delete if the deletion would prevent you from fulfilling a legal obligation, if the deletion would violate another law, or if the information is necessary to provide services the consumer explicitly requested. But in the absence of those exceptions, the deletion must happen. Again, the window is 45 days.

The correction right allows consumers to request correction of inaccurate personal information. This sounds simpler than access or deletion, but it requires you to actually have systems to determine what's accurate versus inaccurate, to implement corrections, and to notify third parties you've shared the incorrect information with. The correction window is also 45 days.

The opt-out right allows consumers to tell you not to sell or share their personal information. Once a consumer submits an opt-out request, you're prohibited from selling or sharing that consumer's personal information for at least 12 months. Implementing this requires a system for tracking opt-outs and ensuring that you're honoring them in your data handling practices.

Implementing these rights isn't trivial. It requires that you first understand what data you have, where it's stored, and who has access to it. Most companies discover during a compliance exercise that they don't actually know the answer to these questions — data lives in multiple systems, vendors hold some of it, and nobody has a comprehensive picture. Building systems to honor consumer rights without this foundation creates paralysis. That's why many organizations start with a data mapping exercise: catalog everything you collect, where it lives, and what systems would need to be updated to handle consumer requests.

Data Handling Requirements and Restrictions

Beyond consumer rights, CPRA imposes requirements on how you collect, handle, and share personal information. You're required to limit collection to what's necessary to fulfill the purposes you've disclosed. You can't collect personal information and then claim you might use it for something else later. You must be specific about your purposes at collection.

You must provide clear privacy disclosures, which in practice means a detailed privacy policy that covers what you collect, why you collect it, how long you retain it, who you share it with, and what consumer rights apply. This policy must be written in plain language that actual humans can understand, not the dense legal prose that many privacy policies use to avoid being understood.

You must limit retention of personal information to what's necessary for your stated purposes. If you collect data for a specific transaction and that transaction is complete, you should be deleting that data, not warehousing it indefinitely. CPRA requires that you be able to explain your retention policy — why you keep what you keep for as long as you keep it. Many companies retain data because "we might need it" without ever articulating why they actually need it.

You must implement safeguards to protect personal information from unauthorized access. The law doesn't specify what safeguards are required, which creates ambiguity. Most companies look to other frameworks like SOC 2 or the NIST Cybersecurity Framework as guidance for what "safeguards" means. But the core requirement is that you're protecting the data with reasonable technical and administrative safeguards — encryption, access controls, monitoring, incident response capabilities. This isn't theoretical. If your data is breached and it was protected inadequately, the breach itself may constitute a CPRA violation in addition to triggering breach notification obligations.

The Complexity of Data Sales and Sharing

One section of CPRA creates persistent confusion, so it deserves dedicated attention. The law restricts the "sale or sharing" of personal information, but the definitions of "sale" and "sharing" are extraordinarily broad. This is the part that trips up most organizations.

Under CPRA, "sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration. You don't have to be directly monetizing data to be "selling" it: "other valuable consideration" includes things like marketing value, service improvements, or analytics insights. If you share customer information with a vendor who uses it to improve their service (and that improvement benefits you), you might be "selling" that data under the law.

"Sharing" has a parallel definition and essentially includes the same behaviors but with an emphasis on behavioral targeting. If you share personal information with another business and that business uses it for targeted advertising or behavioral targeting, you're "sharing" for purposes of CPRA even if no money changes hands.

What this means in practice is that many common business practices — sharing customer data with analytics partners, sharing contact lists with marketing vendors, sharing information with business intelligence companies — may require explicit consumer consent under CPRA. If you don't have clear opt-in consent, you're potentially violating the law.

The exemptions exist but are narrow. You can share information with your own service providers who are bound by contract to use it only for your specified purposes. You can share information as part of a business transfer. But most other sharing requires consent or an opt-out mechanism.

Enforcement and Financial Consequences

This is where CPRA's teeth show. The California Attorney General can bring enforcement actions for violations, and the California Privacy Protection Agency (the dedicated regulatory body created by CPRA) can also enforce. Penalties are up to $2,500 per violation or $7,500 per intentional violation. The word "intentional" is important — if you knowingly violate CPRA, the penalties are higher. But even unintentional violations carry penalties.

Here's the multiplication problem: if you violate CPRA by improperly sharing data with a vendor without consent, and you did that for 10,000 consumers, you're looking at 10,000 violations. At $2,500 per violation, that's $25 million in potential liability. Even if a regulator settles for a fraction of the maximum, the financial exposure is serious.

Beyond civil penalties, CPRA also allows private rights of action for data breaches involving unencrypted personal information. This means that if personal information you hold is breached and you didn't have adequate safeguards (or didn't have encryption protecting it), consumers can sue you directly for statutory damages of between $100 and $750 per consumer per incident. A single breach affecting 10,000 consumers could generate $1 million to $7.5 million in private claims.

The enforcement landscape has changed since CPRA's enforcement agency came online. The California Privacy Protection Agency has started bringing enforcement actions, which means the theoretical penalties are becoming real. Companies have already been fined for CPRA violations, and that trend is accelerating.

This isn't a framework where you can treat compliance as optional or where you can hope nobody notices. Enforcement is active, penalties are severe, and private action exposure means that even if the state doesn't fine you, affected consumers can.

Starting Your Compliance Program

The practical place to start is with a data mapping exercise. You need to understand what personal information your organization collects, where it comes from, where it's stored, how long you retain it, who in your organization has access to it, and who you share it with. This sounds straightforward until you start doing it. Data lives in customer relationship management systems, email systems, spreadsheets, backup systems, third-party vendors, and archived locations. A complete picture requires effort.

Once you've mapped your data, you can build reasonable compliance systems. This means documenting your data handling practices, creating processes to honor consumer rights requests, building consent management systems if you're doing things that require consent, and ensuring your technical safeguards are adequate.

You'll also need to audit your vendor relationships. Any vendor that handles personal information on your behalf needs to be contractually bound to CPRA-compliant practices. If you're sharing personal information with vendors and you're not certain they're using it only for your specified purposes, you might be "selling" data under the law.

The good news is that once you've built a CPRA-compliant foundation, extending that to other state privacy laws becomes easier. Most emerging state privacy laws follow a similar pattern, though with variations. A CPRA-level compliance posture gives you flexibility to adapt to new state laws without starting from scratch.

The reality is that CPRA compliance is expensive and time-consuming. It requires proactive work, not reactive policy changes. But treating it as inevitable and investing in compliance infrastructure now is dramatically cheaper than scrambling during an investigation or after a privacy breach has exposed gaps in your practices.


Fully Compliance provides educational content about IT compliance and privacy regulations. This article reflects general information about CCPA and CPRA as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your organization.