
California Consumer Privacy Act / California Privacy Rights Act

California's landmark consumer privacy law with nationwide implications

Established: 2018 (CCPA, effective January 2020); 2020 (CPRA, effective January 2023)
Last Updated: January 2023 (CPRA fully effective)
Scope: California / US National Impact
$7,500
Per Violation

// What is CCPA/CPRA?

CCPA, significantly expanded by CPRA (approved by voters in 2020 and fully effective in 2023), gives California residents broad control over their personal information. The law applies to for-profit businesses that meet revenue, data volume, or data sales thresholds, regardless of where they are headquartered, so many companies with no California office are covered and treat it as a de facto national baseline.

CPRA strengthened CCPA by creating a dedicated enforcement agency, adding new consumer rights, establishing requirements for sensitive personal information, and introducing data minimization obligations. The California Privacy Protection Agency (CPPA) now issues regulations and enforces the law alongside the California Attorney General, who retains enforcement authority.

As the most comprehensive state privacy law in the US, CCPA/CPRA has influenced similar legislation in Virginia, Colorado, Connecticut, and other states, creating a patchwork of compliance requirements for businesses operating nationally.

// Inside the Regulation

CCPA/CPRA grants California residents specific rights regarding their personal information and imposes obligations on businesses that collect, sell, or share that information.

1. Consumer Rights

Civil Code §1798.100-125

California residents have extensive rights over their personal information that businesses must honor within specific timeframes.

Right to Know

Consumers can request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties receiving data.

Right to Delete

Consumers can request deletion of personal information, with certain exceptions for legal compliance and transactions.

Right to Correct

Added by CPRA—consumers can request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing

Consumers can direct businesses not to sell or share their personal information. 'Sharing' is the CPRA term for disclosing personal information for cross-context behavioral advertising, so the opt-out covers ad-tech transfers even when no money changes hands. Businesses must provide a 'Do Not Sell or Share My Personal Information' link.

Right to Limit Sensitive PI Use

CPRA addition—consumers can limit use of sensitive personal information to what's necessary for services requested.

Right to Non-Discrimination

Businesses cannot discriminate against consumers exercising privacy rights (pricing, quality, service levels).

2. Business Obligations

Businesses meeting thresholds must implement specific practices and provide required disclosures.

Privacy Notice

Provide notice at or before collection describing categories collected, purposes, retention periods, and consumer rights.

Opt-Out Mechanisms

Provide a clear, conspicuous link titled 'Do Not Sell or Share My Personal Information' on the homepage (the regulations also allow a single 'Your Privacy Choices' link that covers both opt-out rights), and honor browser-level opt-out preference signals such as Global Privacy Control as valid opt-out requests.

Request Handling

Respond to verifiable consumer requests within 45 days; one additional 45-day extension (90 days total) is permitted when the consumer is notified within the first 45 days.

Service Provider Contracts

Written contracts with service providers restricting their use of personal information.

Data Minimization

CPRA requires collection limited to what's reasonably necessary for disclosed purposes.
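The opt-out obligation above has two inputs that a web application must combine: the consumer's explicit choice made through the 'Do Not Sell or Share' link, and the browser's opt-out preference signal, which arrives as the `Sec-GPC: 1` request header (Global Privacy Control). The following is an added example, not code from the original page or from any vendor. It assumes a hypothetical cookie named `dns_opt_out` records the link-based choice, and a constructed tag catalogue in which each third-party tag is flagged as selling/sharing personal information or not. It shows the decision a security engineer would want enforced server-side: either channel is sufficient to opt the consumer out, and only the tags that sell or share personal information are suppressed.

```python
"""Server-side 'Do Not Sell or Share' decision combining the link-based
choice and the browser opt-out preference signal (Sec-GPC).

Added example; cookie name, tag catalogue and request shapes are assumptions.
"""
from dataclasses import dataclass, field

# Hypothetical cookie set when the consumer uses the opt-out link.
OPT_OUT_COOKIE = "dns_opt_out"


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def gpc_enabled(headers):
    """True when the browser sent a valid Global Privacy Control signal.

    HTTP header names are case-insensitive, and the GPC spec defines the
    signal as the exact field value "1"; any other value is not a signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opted_out(request):
    """The consumer is opted out if EITHER channel says so.

    The link-based choice is persisted in a cookie; the GPC signal is
    evaluated per request so a newly enabled browser setting takes effect
    immediately even if the consumer never clicked the link.
    """
    if request.cookies.get(OPT_OUT_COOKIE) == "1":
        return True
    return gpc_enabled(request.headers)


def allowed_tags(request, catalogue):
    """Return the tags that may be loaded for this request.

    Tags flagged as selling or sharing personal information (for example
    ad-tech pixels used for cross-context behavioral advertising) are
    suppressed for opted-out consumers. Tags that do not sell or share
    (first-party analytics, fraud prevention) are unaffected.
    """
    if not opted_out(request):
        return [t["name"] for t in catalogue]
    return [t["name"] for t in catalogue if not t["shares_pi"]]


# Constructed tag catalogue for the demonstration.
TAG_CATALOGUE = [
    {"name": "first-party-analytics", "shares_pi": False},
    {"name": "fraud-detection", "shares_pi": False},
    {"name": "adtech-retargeting-pixel", "shares_pi": True},
    {"name": "data-broker-sync", "shares_pi": True},
]


def demo():
    """Run the decision over three constructed requests and return results."""
    cases = {
        "no_signal": Request(headers={"User-Agent": "x"}, cookies={}),
        "gpc_only": Request(headers={"Sec-GPC": "1"}, cookies={}),
        "link_only": Request(headers={"sec-gpc": "0"},
                             cookies={OPT_OUT_COOKIE: "1"}),
    }
    return {label: allowed_tags(req, TAG_CATALOGUE)
            for label, req in cases.items()}


if __name__ == "__main__":
    for label, tags in demo().items():
        print(f"{label}: {tags}")
```

The check runs before any HTML or tag-manager configuration is emitted, so an opted-out consumer's page never contains the selling/sharing tags in the first place; relying on the client to suppress them after load is exactly the kind of gap that produced the Sephora enforcement action, where opt-out signals were received but not acted on.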

3. Sensitive Personal Information

CPRA Addition

CPRA created a new category with enhanced protections and consumer rights.

Categories

Government identifiers (Social Security, driver's license, passport numbers), account log-in or financial account details combined with credentials permitting access, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email, and text messages not addressed to the business, genetic data, biometric data processed to uniquely identify a consumer, health information, and sex life or sexual orientation.

Right to Limit Use

Consumers can limit sensitive PI use to what's necessary to perform services or provide goods requested.

Enhanced Notice

Businesses must disclose sensitive PI categories collected and purposes, plus provide 'Limit the Use of My Sensitive Personal Information' link.

4. Security Requirements

CCPA does not prescribe specific controls, but it creates direct liability when a security failure leads to a breach of personal information.

Reasonable Security

Businesses must implement and maintain reasonable security procedures appropriate to the nature of the information.

Private Right of Action

Consumers can sue directly when their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement reasonable security. Statutory damages are $100-$750 per consumer per incident or actual damages, whichever is greater; before seeking statutory damages the consumer must give 30 days' written notice, and a business that cures the violation in that window is not liable for them. Encryption of stored personal information therefore directly reduces exposure under this provision.

Cybersecurity Audits and Risk Assessments

CPRA directs the CPPA to adopt regulations requiring businesses whose processing presents significant risk to consumers' privacy or security to perform annual cybersecurity audits and to submit regular risk assessments to the agency.

Note: CCPA applies to for-profit businesses doing business in California that meet ANY of: $25M+ annual gross revenue (adjusted periodically for inflation), buying, selling, or sharing the personal information of 100,000+ consumers or households annually, or deriving 50%+ of annual revenue from selling or sharing personal information.

// Who Must Comply

  1. For-profit businesses with $25M+ annual gross revenue
  2. Businesses buying, selling, or sharing personal information of 100,000+ California consumers/households annually
  3. Businesses deriving 50%+ of annual revenue from selling/sharing California consumer personal information
  4. Joint ventures or partnerships where any member meets thresholds
  5. Entities controlling or controlled by covered businesses sharing common branding

// Key Requirements

Privacy Notice

Provide comprehensive notice at collection describing categories, purposes, retention, and rights

Opt-Out Links

Display 'Do Not Sell or Share My Personal Information' link prominently on website

Request Response

Respond to verified consumer requests within 45 days with ability to extend to 90

Reasonable Security

Implement and maintain reasonable security procedures and practices

Service Provider Contracts

Execute compliant contracts with service providers handling personal information

Data Minimization

Limit collection to what's reasonably necessary for disclosed purposes

// Enforcement & Penalties

CCPA/CPRA enforcement includes administrative fines from the CPPA and California Attorney General, plus a private right of action for data breaches. Intentional violations carry higher penalties than unintentional ones.

Maximum Penalty

$7,500 per intentional violation, or per violation involving the personal information of consumers the business knows are under 16; $2,500 per other violation

Examples:

  • Sephora - $1.2 million settlement with the California Attorney General (2022) for selling personal information without disclosing it and without honoring Global Privacy Control opt-out signals
  • DoorDash - $375,000 settlement with the California Attorney General (2024) for selling customer data to a marketing cooperative without notice or an opt-out
  • Private lawsuits: $100-$750 per consumer per incident for data breaches
  • No cure period for administrative enforcement: CPRA removed the 30-day right to cure before CPPA or Attorney General action, so businesses can no longer avoid fines by fixing a violation after notice (the cure period remains only for the breach private right of action)

// Cyber Insurance Impact

Cyber insurers increasingly require CCPA/CPRA compliance documentation for California-exposed businesses. The private right of action for data breaches creates direct liability exposure. Policies should cover regulatory defense, consumer claims, and breach response. Some insurers exclude or sublimit CCPA-specific claims.

// How Breach Craft Helps

We help organizations achieve CCPA/CPRA compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of CCPA/CPRA.


Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873