Skip to content
In development

CCPA and CPRA: what California actually requires

California Consumer Privacy Act, as amended by the CPRA · California, United States

The CCPA, as amended by the CPRA, gives California residents the right to know what personal information a business collects, to delete it, to correct it, and to opt out of its sale or sharing. It applies to for-profit businesses meeting a revenue, volume, or revenue-share threshold, and centres on disclosure and opt-out rather than prior consent.

Who it applies to

  • For-profit businesses doing business in California that meet at least one threshold
  • Annual gross revenue above $25 million, or
  • Buying, selling, or sharing the personal information of 100,000 or more consumers or households, or
  • Deriving 50% or more of annual revenue from selling or sharing personal information

What it requires

Disclose what you collect, and why

Categories of personal information, the purposes, the categories of recipients, and retention periods — at or before the point of collection.

Honour consumer rights within 45 days

Right to know, delete, correct, and to data portability. Extendable by a further 45 days where reasonably necessary.

Provide an opt-out of sale and sharing

A clear "Do Not Sell or Share My Personal Information" mechanism, and honouring of Global Privacy Control signals.

Limit use of sensitive personal information

CPRA introduced a right to limit the use and disclosure of sensitive personal information to what is necessary to deliver the service.

Contract properly with service providers

Written terms restricting how service providers and contractors may use the personal information you pass them.

Do not retaliate

You cannot deny goods, charge different prices, or degrade service because a consumer exercised a right.

Penalties

Civil penalties assessed per violation by the California Privacy Protection Agency, with a higher tier for violations involving consumers under 16. A limited private right of action exists for certain data breaches.

CCPA / CPRA support is in development

To be straight with you: RegRely runs GDPR today. CCPA / CPRA is not shipped yet. The underlying workflows — data subject requests, records of processing, consent, risk, and evidence — are the same across regimes, which is what makes the extension tractable rather than a rewrite.

If CCPA / CPRA is on your critical path, tell us your timeline and we will tell you honestly whether we can meet it.

See what ships today

Frequently asked questions

Under the CPRA, disclosing identifiers to an advertising network for cross-context behavioural advertising is treated as a sale or share, even when no money changes hands. Most businesses running standard retargeting pixels are in scope and owe consumers an opt-out.

No. GDPR is the higher structural bar, but it does not include CCPA's specific mechanics — the "Do Not Sell or Share" opt-out, Global Privacy Control signal handling, and the CCPA disclosure requirements. Most GDPR-compliant companies still have CCPA work to do.

45 days from receipt, extendable by a further 45 days where reasonably necessary, provided you notify the consumer of the extension within the first 45 days.

Yes, if it does business in California and meets one of the thresholds. There is no requirement to have a physical presence in the state.