CCPA/CPRA Compliance Guide

Reviewed by Danielle Vargas, CIPP/US, CIPM

CPRA amended the original CCPA effective January 1, 2023 (with enforcement authority beginning July 1, 2023), expanding consumer rights, adding a protected category of sensitive personal information, and creating a dedicated enforcement agency. A for-profit business that does business in California and meets any one of three thresholds (annual revenue, volume of personal information bought, sold or shared, or share of revenue from selling or sharing) is in scope regardless of where it is headquartered. Administrative penalties run $2,500 per violation and $7,500 per intentional violation or violation involving a consumer under 16; the private right of action for breaches reaches $100-$750 per consumer per incident or actual damages, whichever is greater.


You just received a request from a California resident asking for a copy of all the personal data you've collected about them. Or they've asked for their data to be deleted. Or they've opted out of data sales. If you're not prepared for these requests, you're about to discover that California's privacy law, and the amendments that reshaped it, create real operational obligations that go far beyond policy documents.

California's privacy landscape shifted significantly when the California Privacy Rights Act (CPRA) became operative on January 1, 2023, expanding and tightening the rules that had been in place under the original California Consumer Privacy Act (CCPA) since 2020. Understanding what applies to you, what your obligations actually are, and what happens if you miss the mark is essential. Scope is determined by the law's thresholds, not by where you are headquartered, and many companies with no California office meet those thresholds simply by doing business with California residents online.

CPRA fundamentally reshaped CCPA — update your compliance systems accordingly

The original CCPA was passed in 2018 in a matter of days, to keep a broader ballot initiative off that year's ballot and to address what California legislators saw as a gap in consumer privacy protection at the federal level. It went into effect on January 1, 2020 and immediately created compliance headaches because the definitions were ambiguous, the requirements were broad, and the penalties were substantial.

The CPRA was approved by California voters in November 2020 as Proposition 24 and phased in over the following years, with most provisions becoming operative on January 1, 2023. It was not a minor amendment: it reshaped several core CCPA requirements. The CPRA added new consumer rights (the right to correct inaccurate information and the right to limit use and disclosure of sensitive personal information), expanded the definition of personal information, raised penalties for violations involving children's data, and created the category of sensitive personal information (for example precise geolocation, account credentials, and government identifiers) that gets stronger protections. As of 2023, CPRA requirements are in effect, so the law you need to understand is the CCPA as amended by the CPRA, not the original 2020 text.

Here's what matters for your operations: if you've built compliance systems around the original CCPA, you need to update them. The scope is broader, the definitions are stricter, and the obligations are more demanding. A dedicated regulatory agency, the California Privacy Protection Agency (CPPA), was created to write regulations and enforce the law alongside the Attorney General, and its enforcement authority began on July 1, 2023. Enforcement activity has increased since the agency became operational. CCPA knowledge from years past is partially outdated; you need CPRA-level understanding for current compliance.

The law applies to any for-profit business that meets one of three thresholds, wherever it is located

This is where most companies get it wrong. The law doesn't only apply to California-based companies. It applies to any for-profit business that does business in California, collects California residents' personal information, and meets at least one of three statutory thresholds, regardless of where the business is located. A website that sells to California customers, a mailing list that California residents sign up for, or a contact form that collects their email addresses is enough to put you within reach of the law; whether you are actually covered then turns on the thresholds below.

You are in scope if, in the preceding calendar year, you met any one of these tests: annual gross revenue over $25 million (a figure the CPPA adjusts periodically for inflation); buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenue from selling or sharing consumers' personal information. You stay out of scope only if you fail all three. Meeting even one of them puts you in.

Many companies clear at least one threshold without realizing it, which is why the law applies more broadly than many businesses expect. The definitions of "sale" and "sharing" of personal information are also broad. A sale covers any transfer of personal information to a third party for monetary or other valuable consideration, and regulators have read "valuable consideration" to include non-cash benefits such as analytics or advertising services. Even if you're not explicitly selling customer lists, you may be "selling" or "sharing" data under the law by passing it to advertising partners or analytics companies, unless the recipient is a service provider or contractor bound by a compliant contract.

Consumers have four core rights — and the 45-day response clock is real

CPRA gives California residents four core rights that generate requests your organization must be equipped to handle: the right to know and access (request a copy of their personal information), the right to delete (request deletion of personal information you hold), the right to correct (request correction of inaccurate personal information), and the right to opt out of personal information sales or sharing. Alongside these sit the right to limit use and disclosure of sensitive personal information and the right not to be discriminated against for exercising any of them.

The access right requires you to provide consumers with the specific pieces of personal information you hold about them, plus the categories collected, the sources, the business purposes for collection, and the categories of third parties with whom you disclose, sell, or share it. You must respond within 45 days of receiving the request; the statute allows one extension of up to 45 additional days when reasonably necessary, but only if you notify the consumer within the first 45 days. That clock is enforceable, and missing it creates liability.

The deletion right requires you to delete personal information a consumer asks you to delete, and to direct your service providers and contractors to do the same, subject to statutory exceptions such as completing a transaction the consumer requested, detecting security incidents, complying with a legal obligation, or internal uses reasonably aligned with the consumer's expectations. Absent an exception, deletion must happen within the same 45-day window. The correction right allows consumers to request correction of inaccurate personal information, which requires you to have systems to determine accuracy, implement corrections, and push corrected data to service providers and contractors you've shared it with. The opt-out right allows consumers to stop the sale or sharing of their personal information; the regulations require you to act on an opt-out within 15 business days and to honor browser-based opt-out preference signals such as Global Privacy Control, and you may not ask an opted-out consumer to re-authorize sales for at least 12 months. That means systems to record and honor opt-outs across every data flow, not a checkbox on a web form.

Implementing these rights requires that you first understand what data you have, where it's stored, and who has access to it. Most companies discover during this exercise that they don't know the answers — data lives in multiple systems, vendors hold some of it, and nobody has a comprehensive picture. That's why most organizations start with a data mapping exercise: catalog everything you collect, where it lives, and what systems would need to be updated to handle consumer requests.

CPRA restricts data collection to disclosed purposes and requires clear retention policies

Beyond consumer rights, CPRA imposes requirements on how you collect, handle, and share personal information. You're required to limit collection to what's necessary to fulfill the purposes you've disclosed. You cannot collect personal information and then repurpose it later without disclosure. You must be specific about your purposes at the point of collection.

You must provide clear privacy disclosures — a detailed privacy policy covering what you collect, why, how long you retain it, who you share it with, and what consumer rights apply. This policy must be written in plain language that actual humans can understand, not the dense legal prose that many privacy policies use to avoid accountability.

You must limit retention of personal information to what's necessary for your stated purposes. If you collect data for a specific transaction and that transaction is complete, you should be deleting that data, not warehousing it indefinitely. CPRA requires that you disclose your retention period, or the criteria used to determine it, for each category of personal information. You must also implement reasonable security procedures and practices to protect personal information from unauthorized access. IBM's 2023 Cost of a Data Breach Report (research conducted by the Ponemon Institute) put the global average breach cost at $4.45 million. If unencrypted and nonredacted personal information is breached because your security was not reasonable, the breach itself opens you to the private right of action in addition to triggering breach notification obligations.

The definitions of "sale" and "sharing" are far broader than you think

The law restricts the "sale or sharing" of personal information, and the definitions are broad. Under CPRA, "sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration. The statute does not define "other valuable consideration," and regulators read it expansively: in its 2022 Sephora settlement, the California Attorney General treated letting advertising and analytics vendors collect customer data from a website in exchange for their analytics and advertising services as a sale. If you give a vendor customer information and get a non-cash benefit in return, you may be "selling" that data under the law.

"Sharing" is the CPRA addition that targets advertising. It means disclosing personal information to a third party for cross-context behavioral advertising, that is, targeting a consumer based on activity observed across other businesses' sites and apps, whether or not money changes hands.

What this means in practice is that many common business practices, such as sending customer data to analytics partners, handing contact lists to marketing vendors, or feeding information to business intelligence companies, may be sales or sharing. For adult consumers the rule is opt-out, not opt-in: you must disclose the practice, post a "Do Not Sell or Share My Personal Information" link (or honor an opt-out preference signal), and stop on request. Selling or sharing the personal information of consumers under 16 requires affirmative opt-in consent. The exemptions are narrow: disclosures to your own service providers and contractors under a contract with the statutorily required terms, disclosures the consumer directs, and transfers as part of a merger or acquisition. Most other disclosures are sales or shares and need the opt-out mechanism.

Penalties are per-violation — and enforcement is active and accelerating

The California Attorney General and the California Privacy Protection Agency both enforce CPRA. Penalties are up to $2,500 per violation, or $7,500 per intentional violation or violation involving the personal information of a consumer under 16, and the CPRA removed the 30-day cure period that the original CCPA gave businesses before enforcement. Here's the multiplication problem: if you improperly shared data for 10,000 consumers at $2,500 per violation, that's $25 million in potential liability. Even if a regulator settles for a fraction of the maximum, the financial exposure is serious.

Beyond civil penalties, CPRA preserves a private right of action for data breaches in which unencrypted and nonredacted personal information is exposed because the business failed to maintain reasonable security. Consumers can sue directly for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, after giving 30 days' written notice to cure. A single breach affecting 10,000 consumers could generate $1 million to $7.5 million in private claims. The enforcement landscape has changed: the Attorney General's first settlement came in 2022 (Sephora, $1.2 million, for undisclosed sales of customer data and for ignoring Global Privacy Control signals), the CPPA has since begun its own enforcement actions, and the trend is accelerating. This is not a framework where you can treat compliance as optional or hope nobody notices.

The practical place to start is a data mapping exercise. You need to understand what personal information your organization collects, where it comes from, where it's stored, how long you retain it, who has access, and who you share it with. This sounds straightforward until you start doing it. Data lives in CRM systems, email systems, spreadsheets, backup systems, third-party vendors, and archived locations.

Once you've mapped your data, you build compliance systems: documented data handling practices, processes to honor consumer rights requests within the statutory deadlines, opt-out and consent management for sales and sharing, and adequate technical safeguards. You also need to audit your vendor relationships: any vendor handling personal information on your behalf must be bound by a contract containing the terms the statute and regulations require for service providers and contractors (specified purposes, no selling or sharing, no use outside the business relationship, and cooperation with consumer requests). If you're disclosing personal information to vendors without such a contract, you may be "selling" or "sharing" data under the law.
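As an added illustration, not code from the original page, here is one way to drive the consumer-request processes described above directly from a data map. The inventory (three systems), their record contents, the consumer ID, and the retention exception on the ledger are all constructed for the example; a real map would be generated from your own discovery work. The block computes the 45-day response deadline, assembles the disclosures an access request requires by walking every system that holds the consumer, deletes from every system that has no documented exception and reports what was retained and why, and records opt-outs so that sales stay blocked until the consumer re-authorizes, which you may not solicit for 12 months.

```python
"""Data-map-driven handling of CPRA consumer requests (added example).

The data map, system names, record contents and consumer ID below are
constructed for illustration only; none of them refers to a real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45   # statutory window for access/deletion responses
REAUTH_WAIT_DAYS = 365      # minimum wait before asking an opted-out consumer to re-authorize sales


@dataclass
class SystemEntry:
    """One row of the data map: a system that holds personal information."""
    name: str
    categories: frozenset[str]      # statutory categories, e.g. identifiers
    sources: frozenset[str]         # where the data came from
    purposes: frozenset[str]        # disclosed business purposes
    third_parties: frozenset[str]   # categories of recipients it is disclosed to
    records: dict[str, dict]        # consumer_id -> specific pieces held (constructed)
    deletion_exception: str | None = None   # documented statutory reason to retain


def build_data_map() -> list[SystemEntry]:
    """Constructed inventory: three systems, all holding data on consumer c-1001."""
    return [
        SystemEntry("crm", frozenset({"identifiers", "commercial information"}),
                    frozenset({"consumer directly"}), frozenset({"order fulfillment"}),
                    frozenset({"payment processors"}),
                    {"c-1001": {"email": "pat@example.com", "orders": 3}}),
        SystemEntry("analytics", frozenset({"internet activity"}),
                    frozenset({"website cookies"}), frozenset({"site analytics", "advertising"}),
                    frozenset({"advertising networks"}),
                    {"c-1001": {"page_views": 42}}),
        SystemEntry("finance_ledger", frozenset({"identifiers", "commercial information"}),
                    frozenset({"consumer directly"}), frozenset({"tax and accounting"}),
                    frozenset(),
                    {"c-1001": {"invoice_ids": ["INV-7"]}},
                    deletion_exception="legal obligation (tax record retention)"),
    ]


def response_deadline(received: date) -> date:
    """Day by which the business must respond, before any noticed extension."""
    return received + timedelta(days=RESPONSE_WINDOW_DAYS)


def access_response(data_map: list[SystemEntry], consumer_id: str) -> dict:
    """Assemble the disclosures an access request requires from every system holding the consumer."""
    holding = [s for s in data_map if consumer_id in s.records]

    def merged(attr: str) -> list[str]:
        return sorted(set().union(*(getattr(s, attr) for s in holding)))

    return {
        "categories": merged("categories"),
        "sources": merged("sources"),
        "purposes": merged("purposes"),
        "third_parties": merged("third_parties"),
        "specific_pieces": {s.name: s.records[consumer_id] for s in holding},
    }


def delete_consumer(data_map: list[SystemEntry], consumer_id: str) -> dict:
    """Delete from every system without a documented exception; report what was retained and why."""
    deleted: list[str] = []
    retained: dict[str, str] = {}
    for s in data_map:
        if consumer_id not in s.records:
            continue
        if s.deletion_exception:
            retained[s.name] = s.deletion_exception   # must be explained in the response
        else:
            del s.records[consumer_id]
            deleted.append(s.name)
    return {"deleted": deleted, "retained": retained}


class OptOutRegistry:
    """Tracks opt-outs of sale/sharing; sales stay blocked until the consumer re-authorizes."""

    def __init__(self) -> None:
        self._opted_out: dict[str, date] = {}

    def record_opt_out(self, consumer_id: str, on: date) -> None:
        self._opted_out[consumer_id] = on

    def may_sell_or_share(self, consumer_id: str) -> bool:
        return consumer_id not in self._opted_out

    def may_request_reauthorization(self, consumer_id: str, today: date) -> bool:
        """The business may ask again only after 12 months have passed since the opt-out."""
        opted = self._opted_out.get(consumer_id)
        return opted is None or today >= opted + timedelta(days=REAUTH_WAIT_DAYS)


if __name__ == "__main__":
    dm = build_data_map()
    print("respond by", response_deadline(date(2024, 3, 1)))
    print(access_response(dm, "c-1001"))
    print(delete_consumer(dm, "c-1001"))
```

The point of keeping the exception on the data-map row rather than in the deletion code is that the reason to retain must be documented and disclosed to the consumer; a deletion routine that silently skips a system is exactly the gap an investigation finds.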

The good news is that once you've built a CPRA-compliant foundation, extending it to other state privacy laws becomes easier. Most newer state privacy laws follow a similar pattern of access, deletion, correction, and opt-out rights with response deadlines, so a CPRA-level compliance posture gives you flexibility to adapt without starting from scratch. CPRA compliance is expensive and time-consuming, but treating it as inevitable and investing in compliance infrastructure now is dramatically cheaper than scrambling during an investigation or after a breach exposes gaps.


Frequently Asked Questions

Does CPRA apply to my business if I'm not based in California?
Yes, if you do business in California, collect personal information from California residents, and meet any one of the three thresholds (annual revenue over the inflation-adjusted $25 million figure; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or 50 percent or more of revenue from selling or sharing personal information). Physical location is irrelevant.

What's the difference between CCPA and CPRA?
CPRA amended and expanded the CCPA, with most changes operative on January 1, 2023. It added new consumer rights (correction, and limiting use of sensitive personal information), created the sensitive personal information category, added "sharing" for cross-context behavioral advertising alongside "sale," raised the volume threshold from 50,000 to 100,000 consumers or households, removed the 30-day cure period, and established a dedicated enforcement agency. If your compliance program was built for the original CCPA, it needs updating.

How do I handle a consumer data access request?
You must respond within 45 calendar days, extendable once by up to 45 more days if you notify the consumer within the first 45. Your response must include the categories of personal information collected, the sources, the business purposes for collection, the categories of third parties you disclose, sell, or share it with, and the specific pieces of data you hold. This requires knowing where all personal data resides across your systems, which is why data mapping is a prerequisite.

What counts as "selling" data under CPRA?
The definition extends far beyond direct monetization. Any transfer of personal information to a third party for monetary or other "valuable consideration" qualifies, and regulators have read non-cash benefits such as analytics or advertising services as valuable consideration. Letting an analytics or advertising partner collect customer data in return for their insights or services can be a "sale" (or, if used for cross-context behavioral advertising, a "share") unless the partner is a service provider or contractor under a compliant contract.

Can I be sued directly by consumers under CPRA?
Yes, but only for data breaches in which unencrypted and nonredacted personal information is exposed because you failed to maintain reasonable security. Consumers can bring private claims for statutory damages of $100-$750 per consumer per incident, or actual damages if greater, after giving 30 days' written notice to cure. Broader CPRA violations (like failure to honor opt-out requests) are enforced by the Attorney General and the California Privacy Protection Agency, not through private lawsuits.


Fully Compliance provides educational content about IT compliance and privacy regulations. This article reflects general information about CCPA and CPRA as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your organization.