
California - CCPA/CPRA

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), establish comprehensive privacy rights for California residents and obligations for businesses.

Region: North America | Jurisdiction type: State | Status: active

Key Regulations

  • CCPA
  • CPRA
  • CCPA Regulations
  • SB-1001 Privacy Policy Requirements

Enforcement Bodies

  • California Privacy Protection Agency (CPPA)
  • California Attorney General

Penalties

  • Civil: $2,500 to $7,500 per violation
  • Statutory: $100 to $750 per consumer per incident
  • Injunctive: Court orders to comply

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

California leads U.S. privacy legislation with the California Consumer Privacy Act (CCPA), effective January 1, 2020, and significantly amended by the California Privacy Rights Act (CPRA), with key provisions effective January 1, 2023.

Regulatory Overview

Scope and Applicability

CCPA/CPRA applies to for-profit businesses that:

  • Annual Revenue: $25 million or more
  • Data Volume: Buy, sell, or share personal information of 100,000+ California consumers (50,000 under CPRA)
  • Revenue from Sales: Derive 50% or more of annual revenue from selling/sharing California consumers’ personal information

Territorial Reach

  • Applies to businesses serving California residents
  • Extraterritorial application for out-of-state businesses
  • Covers personal information collected from California consumers

Key Enforcement Bodies

  • California Privacy Protection Agency (CPPA): Primary enforcement (established by CPRA)
  • California Attorney General: Concurrent enforcement authority
  • Private Right of Action: Limited to data breaches involving unencrypted personal information

Personal Information Definitions

CCPA Personal Information Categories

  1. Identifiers: Name, address, email, SSN, IP address, account names
  2. Protected Classifications: Race, religion, sexual orientation, veteran status
  3. Commercial Information: Purchase history, tendencies, interests
  4. Biometric Information: Fingerprints, facial recognition data
  5. Internet Activity: Browsing history, search history, interactions
  6. Geolocation Data: Physical location information
  7. Sensory Information: Audio, visual, thermal, olfactory data
  8. Professional Information: Employment-related information
  9. Educational Information: Records from educational institutions
  10. Inferences: Profiles reflecting preferences, behavior, aptitude
  11. Other: Any information that identifies or is reasonably linkable

CPRA Sensitive Personal Information

Additional category requiring special protection:

  • Government identifiers (SSN, driver’s license, passport)
  • Financial account information
  • Precise geolocation data
  • Racial or ethnic origin, religious beliefs, union membership
  • Contents of mail, email, text messages (unless business is intended recipient)
  • Genetic data
  • Biometric information for identification
  • Health information
  • Sex life or sexual orientation information

Consumer Rights Under CCPA/CPRA

Right to Know (Transparency)

Consumers can request disclosure about:

  • Categories of personal information collected, sold, or disclosed
  • Sources of personal information
  • Business purposes for collection
  • Third parties with whom information is shared
  • Specific pieces of personal information collected

Response Requirements:

  • 45 days to respond (extendable by 45 days)
  • Provide information for 12-month period preceding request
  • Use verifiable consumer request process
  • Provide information free of charge (up to 2 requests per year)

Right to Delete

Consumers can request deletion of personal information, subject to exceptions:

  • Complete the transaction for which information was collected
  • Detect security incidents, protect against fraud
  • Debug to identify and repair functionality errors
  • Exercise free speech or another consumer’s privacy rights
  • Comply with legal obligations
  • Research in public interest
  • Internal lawful uses reasonably aligned with consumer expectations

Implementation Requirements:

  • Delete from own records
  • Direct service providers to delete
  • Cannot retain or use deleted information

Right to Opt-Out of Sale/Sharing

Consumers can opt-out of:

  • Sale of personal information to third parties
  • Sharing for cross-context behavioral advertising (CPRA)
  • Processing of sensitive personal information beyond necessary purposes (CPRA)

Implementation Requirements:

  • Prominent “Do Not Sell My Personal Information” link
  • “Do Not Share My Personal Information” (CPRA)
  • “Limit the Use of My Sensitive Personal Information” (CPRA)
  • Honor Global Privacy Control (GPC) signals

Right to Non-Discrimination

Businesses cannot discriminate against consumers who exercise privacy rights:

  • Deny goods or services
  • Charge different prices or rates
  • Provide different quality of goods or services
  • Suggest different quality will be received

Permitted Financial Incentives:

  • Different prices if reasonably related to value of consumer data
  • Must provide notice and obtain opt-in consent
  • Value of data cannot exceed cost of providing incentive

Right to Correct (CPRA)

Consumers can request correction of inaccurate personal information:

  • Verify accuracy before making corrections
  • Consider totality of circumstances in determining accuracy
  • Inform third parties of corrections when feasible

Right to Limit Sensitive Information (CPRA)

Consumers can limit use of sensitive personal information to:

  • Provide goods/services reasonably expected
  • Ensure security and system functionality
  • Short-term transient use
  • Quality or safety improvements
  • Comply with legal obligations

Business Obligations

Privacy Policy Requirements

Must Include:

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collection
  • Categories of personal information sold or disclosed
  • Consumer rights and how to exercise them
  • Non-discrimination policy

CPRA Additional Requirements:

  • Retention periods or criteria for determining retention
  • Whether personal information is sold or shared
  • Categories of third parties to whom information is disclosed

Data Minimization (CPRA)

  • Collect, use, retain, and share personal information reasonably necessary and proportionate
  • Disclose purpose for collection or use
  • Minimize use of sensitive personal information

Consumer Request Handling

Verification Requirements:

  • Match identity verification to risk level
  • Use reasonable methods to verify identity
  • Cannot require consumers to create an account in order to submit a request
  • May deny a request if the consumer’s identity cannot be verified

Response Standards:

  • Acknowledge receipt within 10 days
  • Respond within 45 days (extendable by 45 days)
  • Provide denial reasons if applicable
  • Free for first two requests per year

Record Keeping Requirements

Maintain records of:

  • Consumer requests and business responses
  • Compliance with verification procedures
  • Any reasons for denying requests
  • Training materials for staff handling requests

Third-Party Relationships

Service Providers

Requirements:

  • Written contract required
  • Limit use to business purposes specified in contract
  • Prohibit retention, use, or disclosure outside contract terms
  • Require certification of understanding and agreement

Contractors (CPRA)

New category of third parties that:

  • Process personal information on behalf of business
  • May use personal information for own business purposes
  • Subject to less restrictive requirements than service providers

Requirements:

  • Written contract required
  • Notify business of potential uses
  • Comply with applicable CCPA obligations

Sale and Sharing of Personal Information

CCPA Definition of “Sale”

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration.

CPRA Definition of “Sharing”

Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for cross-context behavioral advertising.

Exceptions to Sale/Sharing

  • Disclosure to service provider or contractor
  • Disclosure to third party for business purpose
  • Consumer-directed disclosure
  • Merger, acquisition, bankruptcy
  • Legal compliance

Enforcement and Penalties

CPPA Enforcement Powers (CPRA)

  • Investigate potential violations
  • Subpoena documents and testimony
  • Conduct audits and inspections
  • Issue regulations and guidance
  • Impose administrative fines
  • Seek injunctive relief

Civil Penalties

  • Intentional Violations: Up to $7,500 per violation
  • Non-Intentional Violations: Up to $2,500 per violation
  • 30-day cure period for first-time violations (with exceptions)

Private Right of Action

Limited to data breaches involving:

  • Unencrypted or unredacted personal information
  • Unauthorized access and exfiltration, theft, or disclosure

Damages:

  • Statutory damages: $100 to $750 per consumer per incident
  • Actual damages if greater than statutory damages

Sector-Specific Considerations

Healthcare

  • Interaction with HIPAA
  • Health information as sensitive personal information
  • Medical device data collection
  • Telehealth privacy considerations

Financial Services

  • Interaction with GLBA and FCRA
  • Financial information as sensitive personal information
  • Credit reporting implications
  • Fintech application considerations

Employment

  • Employee personal information protections
  • Background check considerations
  • HR data management
  • Monitoring and surveillance

Marketing and Advertising

  • Cross-context behavioral advertising restrictions
  • Cookie and tracking technology compliance
  • Third-party marketing partnerships
  • Influencer marketing considerations

CPPA Regulatory Activity

  • Final regulations on consumer request procedures
  • Guidance on risk assessments and audits
  • Enforcement priorities and investigation procedures
  • Draft regulations on automated decision-making

Technology Implementations

  • Global Privacy Control (GPC) adoption
  • Consent management platform requirements
  • Identity verification solutions
  • Data mapping and inventory tools

Business Practice Changes

  • Privacy program restructuring
  • Vendor contract renegotiations
  • Consumer request automation
  • Privacy-by-design implementations

Compliance Best Practices

1. Privacy Program Development

  • Conduct privacy impact assessments
  • Implement privacy by design principles
  • Establish privacy governance structure
  • Regular compliance monitoring and auditing

2. Consumer Request Management

  • Implement identity verification procedures
  • Establish request handling workflows
  • Train customer service representatives
  • Monitor response time compliance

3. Third-Party Management

  • Update vendor contracts
  • Conduct due diligence on data practices
  • Monitor third-party compliance
  • Establish breach notification procedures

4. Data Inventory and Mapping

  • Catalog personal information collected
  • Identify data sources and flows
  • Document retention and deletion practices
  • Maintain accurate privacy disclosures

5. Employee Training

  • Privacy law awareness training
  • Role-specific compliance training
  • Regular updates on regulatory changes
  • Incident response procedures

Future Considerations

Federal Privacy Legislation

  • American Data Privacy and Protection Act (ADPPA)
  • State privacy law harmonization efforts
  • Preemption considerations
  • Cross-border data transfer implications

Technology Evolution

  • Artificial intelligence and machine learning
  • Internet of Things (IoT) devices
  • Biometric technology advancement
  • Blockchain and cryptocurrency

Regulatory Expansion

  • Additional state privacy laws
  • Sector-specific regulations
  • International data transfer mechanisms
  • Children’s privacy protections

Resources and Tools

Official Resources

Compliance Tools

  • Privacy policy generators
  • Consumer request management platforms
  • Data mapping and inventory tools
  • Identity verification services
  • Consent management platforms

Industry Resources

  • IAPP California Privacy Resource Center
  • Privacy compliance checklists
  • Legal analysis and commentary
  • Best practice guides and templates

This jurisdiction guide provides comprehensive coverage of California privacy law requirements. For organization-specific compliance advice, consult with qualified privacy professionals and monitor ongoing regulatory developments.