CCPA/CPRA Compliance: California Privacy Guide for Businesses
California's privacy laws are the most comprehensive in the United States — and they apply to businesses worldwide that meet specific thresholds. The California Consumer Privacy Act (CCPA, effective January 1, 2020) was significantly expanded by the California Privacy Rights Act (CPRA, effective January 1, 2023), which created a dedicated enforcement agency, introduced new consumer rights, and raised compliance obligations for businesses handling "sensitive personal information." With the California Privacy Protection Agency (CPPA) now operational and actively investigating violations, the enforcement risk is real and growing.
This guide covers everything businesses need to know to achieve and maintain CCPA/CPRA compliance: scope thresholds, consumer rights, required disclosures, opt-out mechanics, data minimisation obligations, and the CPPA's enforcement approach.
Key Takeaways
- CCPA/CPRA applies to for-profit businesses meeting ANY ONE of three thresholds — revenue, data volume, or revenue from data sharing
- Consumers have 11 distinct rights under CPRA including right to correct and right to limit use of sensitive personal information
- "Do Not Sell or Share" opt-out must be a single, clearly visible link on your homepage
- Sensitive personal information (SPI) triggers additional obligations including a right to limit processing
- CPPA enforcement became active in 2023 with fines up to $7,500 per intentional violation
- Businesses must conduct annual data protection assessments for high-risk processing activities
- Service provider contracts must restrict downstream personal information use
- Retention periods must be disclosed and data must be deleted when no longer needed for stated purposes
CCPA/CPRA Applicability Thresholds
CCPA/CPRA applies to for-profit businesses that collect California consumers' personal information and meet ANY ONE of the following thresholds:
- Annual gross revenues exceeding $25 million (in the preceding calendar year)
- Buys, sells, receives, or shares personal information of 100,000+ consumers or households annually (CPRA lowered the original CCPA threshold from 50,000)
- Derives 50% or more of annual revenues from selling or sharing consumers' personal information
Geographic scope: The law applies based on where consumers reside, not where your business is incorporated. A Pakistani software company generating $30 million in annual revenue with California customers must comply.
Exemptions: Employee data (including job applicant and B2B employee data) received temporary CCPA exemptions that expired on January 1, 2023 under CPRA. The B2B contact information exemptions expired on the same date. Many financial institutions are partially exempt under the Gramm-Leach-Bliley Act, and HIPAA-covered health data has separate treatment.
Note on other US state laws: While this guide focuses on CCPA/CPRA, as of 2025, nineteen US states have enacted comprehensive privacy laws with varying thresholds and requirements. Companies conducting multi-state compliance should assess Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others alongside California.
Personal Information and Sensitive Personal Information
Personal information (PI) under CCPA/CPRA means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. This is notably broader than "personally identifiable information" (PII) under older US laws.
Categories explicitly covered include:
- Identifiers (names, email, phone, IP address, account names, SSN, driver's licence number)
- Commercial information (records of products/services purchased, browsing/purchase history)
- Biometric information
- Internet or other electronic network activity (browsing history, search history, interaction with websites)
- Geolocation data
- Professional or employment-related information
- Education information
- Inferences drawn from any of the above to create consumer profiles
Sensitive Personal Information (SPI) — a CPRA addition — includes a subset of PI requiring heightened protections:
- Social Security, driver's licence, state ID, or passport numbers
- Account log-in credentials (username/email + password or security question)
- Financial account information + access codes
- Precise geolocation (within 1/8 of a mile)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Mail, email, or text message contents (unless the business is the intended recipient)
- Genetic data
- Health or medical condition data
- Sexual orientation or sex life
- Biometric information for unique identification
For SPI, consumers have the additional right to limit use — businesses cannot use SPI beyond what is necessary to provide the requested product or service (plus limited additional purposes), unless the consumer has opted in to broader use.
Consumer Rights Under CPRA
CPRA expanded CCPA's five consumer rights to eleven. Businesses must have documented processes to fulfil each:
| Right | Response Timeline | Notes |
|---|---|---|
| Right to Know (categories) | 45 days (extendable 45 more) | Disclose categories collected and purposes in privacy policy |
| Right to Know (specific pieces) | 45 days (extendable) | Provide specific PI collected about the individual |
| Right to Delete | 45 days (extendable) | Cascade deletion to service providers and contractors |
| Right to Correct | 45 days (extendable) | New under CPRA — correct inaccurate PI |
| Right to Opt Out of Sale/Sharing | Honour within 15 business days | Implement "Do Not Sell or Share" link |
| Right to Limit SPI Use | Honour promptly | Implement "Limit the Use of My Sensitive PI" link if SPI processed for non-essential purposes |
| Right to Non-Discrimination | Immediate | Cannot deny service, charge different price, or provide inferior service for exercising rights |
| Right to Portability | 45 days (extendable) | Provide data in readily usable format |
| Right to Know About Automated Decision-Making | Requires rulemaking | CPPA developing regulations |
| Right to Opt Out of Automated Decision-Making | Requires rulemaking | CPPA developing regulations |
| Right to Correct PI Shared with Third Parties | 45 days (extendable) | Instruct third parties to correct |
Verification requirements: Before responding to consumer requests, you must verify the identity of the requestor using a "reasonably secure" method. For online requests, matching email address + another identifier is typically sufficient. You cannot require consumers to create accounts solely to submit requests. Unverifiable requests for specific pieces of PI should be treated as requests for categories only.
Authorised agents: Consumers may designate authorised agents to submit requests on their behalf. You may require the agent to provide proof of the consumer's signed authorisation.
Privacy Notice Requirements
At or before collection: Businesses must inform consumers about what PI is collected and for what purposes before or at the time of collection. This applies to all collection points: website forms, mobile apps, point of sale, chatbots, and data broker purchases.
Privacy policy requirements (update at least every 12 months):
- Categories of PI collected in the past 12 months
- Purposes for which PI is used
- Categories of PI sold or shared in the past 12 months
- Categories of third parties to whom PI is disclosed
- Categories of sources from which PI is collected
- Consumer rights and how to exercise them
- Contact information for submitting requests
- Whether PI is sold or shared, and how to opt out
- Whether SPI is processed for purposes other than providing the product/service
- Retention periods for each category of PI (or criteria used to determine retention)
"Do Not Sell or Share My Personal Information" link: Must be a clear and conspicuous link on your homepage and in your privacy policy. If the link is in a footer or navigation area shared across your site, it qualifies. The link must lead to a page where consumers can opt out with a single step (not buried in multi-step forms).
"Limit the Use of My Sensitive Personal Information" link: Required if you process SPI beyond what is necessary to provide the requested product or service. Can be a separate link or combined with the Do Not Sell/Share link.
Opt-out preference signals (GPC): Businesses must honour the Global Privacy Control (GPC) signal — a browser-level setting consumers can activate to signal opt-out from sale and sharing. Many privacy-focused browsers support GPC natively. Your website must detect and honour GPC signals. The CPPA has cited companies specifically for failing to honour GPC.
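As an added example (not code from this guide or from ECOSIRE), the following JavaScript shows how a server can detect the GPC signal and suppress the tags the guide classifies as "sharing" while still loading service-provider tags. It assumes the request header `Sec-GPC` with the value `1` and the browser property `navigator.globalPrivacyControl`, both defined by the GPC specification; the tag catalogue, the request shape and the stored-consent record are constructed for the example.

```javascript
// Added example: honouring the Global Privacy Control (GPC) opt-out signal.
// Assumptions (per the GPC spec): the signal is the request header
// `Sec-GPC: 1`; browsers expose it as `navigator.globalPrivacyControl`.
// The tag catalogue and request/consent shapes below are constructed.

// True only for an exact "1"; any other value or a missing header means
// no opt-out preference was expressed through GPC.
function gpcSignalled(headers) {
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return value !== undefined && String(value).trim() === '1';
}

// Constructed catalogue of tags a site might load, classified the way the
// guide does: a tag run by a service provider under a compliant contract is
// not a sale/sharing; an advertising tag that sends PI to a platform for
// cross-context targeting is "sharing" and must respect the opt-out.
const TAGS = [
  { name: 'first-party-analytics', category: 'service_provider' },
  { name: 'meta-pixel',            category: 'advertising' },
  { name: 'ga4-advertising',       category: 'advertising' },
  { name: 'session-replay',        category: 'service_provider' },
];

// Resolve the opt-out state for one request. Either a GPC header or a
// previously stored opt-out (e.g. from the "Do Not Sell or Share" page)
// is sufficient; the reasons are returned so the decision can be logged.
function resolveOptOut(req) {
  const reasons = [];
  if (gpcSignalled(req.headers || {})) reasons.push('gpc');
  if (req.consent && req.consent.optedOutOfSaleSharing) reasons.push('stored_opt_out');
  return { optedOut: reasons.length > 0, reasons };
}

// Return the names of the tags that may load for this request. A consent
// management layer would call this before injecting third-party scripts.
function allowedTags(req, tags = TAGS) {
  const { optedOut } = resolveOptOut(req);
  return tags
    .filter(t => t.category !== 'advertising' || !optedOut)
    .map(t => t.name);
}

// Browser-side counterpart: a client script can read the same preference
// from navigator.globalPrivacyControl (true when the user enabled GPC).
function gpcEnabledInBrowser(nav) {
  return nav !== undefined && nav.globalPrivacyControl === true;
}
```

A GPC opt-out should also be recorded against the user's profile where one exists, so that later requests without the header (for example from another device after login) are still treated as opted out.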
Sale and Sharing of Personal Information
"Sale" under CCPA/CPRA means disclosing or making available personal information to another business or third party for monetary or other valuable consideration. This is broader than the common understanding of "selling data."
"Sharing" under CPRA adds cross-context behavioural advertising even without monetary consideration — specifically targeting advertising based on a consumer's browsing across different websites or services.
In practice, the following common practices likely constitute sale or sharing:
- Sharing PI with data brokers
- Using third-party advertising pixels (Meta Pixel, Google Analytics 4 in advertising mode) that send user data to platforms for targeting
- Sharing customer lists with advertising networks for lookalike audiences
- Participating in real-time bidding ecosystems
Consent requirements for minors:
- Ages 13–15: opt-in required before selling/sharing their PI
- Under 13: parent/guardian opt-in required (COPPA also applies)
Service providers vs. third parties: PI disclosed to a service provider under a compliant service provider contract (restricting its use to providing services to you) is not a "sale." PI disclosed to a third party that can use it for its own purposes (advertising platforms, data brokers) is a "sale" or "sharing." This distinction is critical for your data-sharing architecture.
Service provider contract requirements: Must require the service provider to:
- Not sell or share PI received
- Not retain, use, or disclose PI outside the service context
- Comply with applicable CPRA requirements
- Grant the business the right to audit
Data Minimisation and Purpose Limitation (CPRA)
CPRA introduced explicit data minimisation requirements — businesses may collect, use, retain, and share PI only as reasonably necessary and proportionate to achieve the stated purposes. This represents a significant shift from CCPA's disclosure-focused approach.
Implementation implications:
- Audit every data collection point and eliminate collection of PI not used for disclosed purposes
- Document the business purpose for each PI category collected
- Configure retention schedules: PI must be deleted or de-identified when no longer necessary for stated purposes
- Avoid secondary use of PI for purposes incompatible with the original collection purpose without consumer consent
Retention disclosure: Privacy policies must disclose retention periods or criteria for determining retention for each category of PI. CPPA is expected to issue regulations with more specific guidance. For now, document a reasonable business-justified retention period for each PI category.
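As an added example (not from this guide or ECOSIRE), the following JavaScript implements a purpose-bound retention sweep of the kind the data minimisation section calls for, and generates the per-category retention text a privacy policy can disclose. The category names follow the guide's PI categories; the retention periods, the record format and the sample records are constructed for the example and are not legal guidance.

```javascript
// Added example: purpose-bound retention schedule with delete/de-identify
// actions and a per-category disclosure string. All periods, record fields
// and sample data are constructed; they are not recommended retention values.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed schedule: per PI category, the documented business purpose,
// the retention period after that purpose ends, and the action taken when
// it lapses (delete, or de-identify where only aggregate statistics remain useful).
const RETENTION_SCHEDULE = {
  identifiers:      { purpose: 'account_service',  days: 30,      action: 'delete' },
  commercial:       { purpose: 'order_fulfilment', days: 365 * 7, action: 'delete' },
  network_activity: { purpose: 'analytics',        days: 90,      action: 'deidentify' },
  geolocation:      { purpose: 'delivery',         days: 7,       action: 'delete' },
  inferences:       { purpose: 'personalisation',  days: 180,     action: 'delete' },
};

// A record is kept while its purpose is still active; once the purpose has
// ended, the retention clock runs from `purposeEndedAt` (a ms timestamp).
// A category with no schedule entry has no documented purpose and is
// flagged for review rather than silently retained.
function retentionDecision(record, now, schedule = RETENTION_SCHEDULE) {
  const rule = schedule[record.category];
  if (!rule) return { id: record.id, action: 'review', reason: 'no documented purpose' };
  if (!record.purposeEndedAt) return { id: record.id, action: 'retain', reason: `purpose ${rule.purpose} active` };
  const ageDays = Math.floor((now - record.purposeEndedAt) / DAY_MS);
  if (ageDays < rule.days) return { id: record.id, action: 'retain', reason: `${rule.days - ageDays} days left` };
  return { id: record.id, action: rule.action, reason: `${ageDays} days past end of purpose ${rule.purpose}` };
}

// Evaluate every record; a scheduled job would act on the returned decisions.
function runRetentionSweep(records, now, schedule = RETENTION_SCHEDULE) {
  return records.map(r => retentionDecision(r, now, schedule));
}

// Per-category text a privacy policy can disclose, as the guide requires.
function retentionDisclosure(schedule = RETENTION_SCHEDULE) {
  return Object.entries(schedule).map(([cat, r]) =>
    `${cat}: retained while needed for ${r.purpose}, then ` +
    `${r.action === 'delete' ? 'deleted' : 'de-identified'} within ${r.days} days`);
}

// Constructed sample records evaluated against a fixed "now".
const SAMPLE_NOW = 1700000000000;
const SAMPLE_RECORDS = [
  { id: 'r1', category: 'geolocation',      purposeEndedAt: SAMPLE_NOW - 10 * DAY_MS },
  { id: 'r2', category: 'identifiers',      purposeEndedAt: SAMPLE_NOW - 10 * DAY_MS },
  { id: 'r3', category: 'network_activity', purposeEndedAt: SAMPLE_NOW - 100 * DAY_MS },
  { id: 'r4', category: 'commercial' },
  { id: 'r5', category: 'biometric',        purposeEndedAt: SAMPLE_NOW - 400 * DAY_MS },
];
```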
Data Protection Assessments and Risk Management
CPRA requires businesses to conduct risk assessments (called data protection assessments) before implementing processing activities that present significant risk to consumers. The CPPA is developing regulations specifying which activities trigger assessment requirements, but the law already identifies categories including:
- Selling or sharing PI
- Processing SPI
- Profiling that presents significant risk
- Processing PI of minors
- Using PI in ways that present significant risk of harm
Document your assessments and maintain records. Assessments should identify: the purpose of the processing, the PI involved, the potential risks to consumers, and the safeguards implemented to mitigate those risks.
CPPA Enforcement and Penalties
The California Privacy Protection Agency (CPPA) became fully operational in 2023 as the first dedicated privacy enforcement body in the United States. The CPPA has authority to investigate, hold administrative hearings, and impose civil penalties:
| Violation Type | Maximum Penalty |
|---|---|
| Unintentional violation | $2,500 per violation |
| Intentional violation | $7,500 per violation |
| Violation involving minor's data | $7,500 per violation (per consumer) |
The CPPA applies penalties per violation — meaning each consumer whose rights were violated represents a separate violation. A data breach affecting 100,000 consumers could theoretically result in $750 million in penalties (100,000 × $7,500). Early CPPA enforcement has focused on large businesses with systematic non-compliance.
Private right of action: Under CCPA Section 1798.150, consumers have a limited private right of action for data breaches involving non-encrypted or non-redacted personal information resulting from the business's failure to implement reasonable security measures. Statutory damages: $100–$750 per consumer per incident, or actual damages if higher.
CCPA/CPRA Compliance Checklist
- Applicability threshold analysis completed
- PI and SPI inventory completed across all systems and collection points
- Privacy policy updated with all required disclosures (12-month review)
- "Do Not Sell or Share My Personal Information" link on homepage
- "Limit the Use of My Sensitive Personal Information" link if applicable
- Global Privacy Control (GPC) detection and honouring implemented
- Consumer request intake process established (web form + toll-free number)
- Identity verification procedure documented
- Response workflows for all 11 consumer rights documented and tested
- 45-day response timeline tracked and documented for all requests
- Service provider contracts reviewed and updated with CPRA-required provisions
- Third-party data sharing audited (sale/sharing determination for each recipient)
- Data minimisation audit completed — unnecessary PI collection eliminated
- Retention periods documented and automated deletion configured
- Employee training on consumer rights response procedures completed
- Data protection assessments conducted for high-risk processing activities
- Minor consent mechanisms implemented if PI of minors is collected
Frequently Asked Questions
Does CCPA/CPRA apply to employee data?
Yes, as of January 1, 2023, when the CPRA became effective. The temporary CCPA exemptions for B2B and employee data expired. California employees (and job applicants, contractors, and directors) now have the same rights under CCPA/CPRA as consumers regarding their personal information. This means employers in California must update privacy notices for employees, establish rights fulfilment processes for employment PI, and review HR system data practices.
What is the difference between "sale" and "sharing" under CPRA?
"Sale" involves disclosing PI for monetary or other valuable consideration — the payment can be anything of value, including data exchange arrangements. "Sharing" was added by CPRA and specifically covers cross-context behavioural advertising where PI is shared with third parties for advertising purposes, even without monetary consideration. The practical impact: sharing user data with advertising platforms for targeting (even if you pay them, not the reverse) is "sharing" under CPRA and triggers opt-out rights.
Are cookies and tracking technologies subject to CCPA/CPRA?
Yes, where they collect personal information (including online identifiers like IP addresses) and where the resulting data is shared with third parties for advertising purposes. Many common practices — Google Analytics with advertising features, Meta Pixel, programmatic advertising tags — constitute "sharing" of PI with advertising platforms, triggering opt-out requirements. Implement a cookie consent management platform (OneTrust, Osano, Cookiebot) to manage consent and honouring of opt-out signals.
How does CPRA's "sensitive personal information" differ from GDPR's "special categories"?
Both identify categories of information warranting heightened protection, but they differ in content and treatment. GDPR's special categories (Article 9) prohibit processing without explicit consent or a specific Article 9 exception — it is a near-prohibition. CPRA's SPI creates a right to limit — consumers can restrict use to providing the requested product/service, but businesses can still process SPI with consumer consent for broader purposes. CPRA's SPI list notably includes login credentials and precise geolocation, which are not in GDPR's special categories.
What are "service providers" vs. "contractors" vs. "third parties" under CPRA?
CPRA added "contractors" as a category. Service providers receive PI to provide a service on your behalf under a contract prohibiting them from using PI for their own purposes. Contractors are businesses that receive PI for business purposes under contract — similar to service providers but the contract requirements differ slightly. Third parties receive PI and can use it for their own purposes — any disclosure to a third party is potentially a "sale" or "sharing" triggering opt-out obligations. Structuring your data-sharing relationships as service provider or contractor relationships (with proper contracts) avoids classification as a "sale."
Next Steps
CCPA/CPRA compliance is an ongoing programme, not a one-time project. As the CPPA issues new regulations (automated decision-making rules are expected in 2025–2026), compliance requirements will evolve. Building a scalable privacy operations programme — with automated consumer rights fulfilment, data mapping, and consent management — is the sustainable path.
ECOSIRE helps businesses assess their CCPA/CPRA obligations, implement technical compliance measures in their digital platforms, and establish privacy operations workflows.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. CCPA/CPRA requirements are complex and frequently updated through regulations and enforcement guidance. Consult qualified legal counsel for advice specific to your organisation.
Written by: ECOSIRE Team (Technical Writing)