CCPA and CPRA: what California actually requires
California Consumer Privacy Act, as amended by the CPRA · California, United States
The CCPA, as amended by the CPRA, gives California residents the right to know what personal information a business collects, to delete it, to correct it, and to opt out of its sale or sharing. It applies to for-profit businesses meeting a revenue, volume, or revenue-share threshold, and centres on disclosure and opt-out rather than prior consent.
Who it applies to
- For-profit businesses doing business in California that meet at least one threshold
- Annual gross revenue above $25 million, or
- Buying, selling, or sharing the personal information of 100,000 or more consumers or households, or
- Deriving 50% or more of annual revenue from selling or sharing personal information
What it requires
Disclose what you collect, and why
Categories of personal information, the purposes, the categories of recipients, and retention periods — at or before the point of collection.
Honour consumer rights within 45 days
Right to know, delete, correct, and to data portability. Extendable by a further 45 days where reasonably necessary.
Provide an opt-out of sale and sharing
A clear "Do Not Sell or Share My Personal Information" mechanism, and honouring of Global Privacy Control signals.
Limit use of sensitive personal information
CPRA introduced a right to limit the use and disclosure of sensitive personal information to what is necessary to deliver the service.
Contract properly with service providers
Written terms restricting how service providers and contractors may use the personal information you pass them.
Do not retaliate
You cannot deny goods, charge different prices, or degrade service because a consumer exercised a right.
Penalties
Civil penalties assessed per violation by the California Privacy Protection Agency, with a higher tier for violations involving consumers under 16. A limited private right of action exists for certain data breaches.
CCPA / CPRA support is in development
To be straight with you: RegRely runs GDPR today. CCPA / CPRA is not shipped yet. The underlying workflows — data subject requests, records of processing, consent, risk, and evidence — are the same across regimes, which is what makes the extension tractable rather than a rewrite.
If CCPA / CPRA is on your critical path, tell us your timeline and we will tell you honestly whether we can meet it.