CPRA / CCPA Compliance: your guide to California privacy right regulations

Last updated
February 11, 2025

The California Consumer Privacy Act (CCPA), effective January 1, 2020, was enacted to provide California residents with essential privacy rights, including the rights to know, delete, and opt out of the sale of their personal information. In 2023, the California Privacy Rights Act (CPRA) further expanded these protections by introducing new rights. Together, as pillars of California privacy law, the CCPA and CPRA set a robust benchmark for data privacy in the United States.

What Is the California Consumer Privacy Act (CCPA)?

Why was CCPA passed?

What makes CCPA unique?

Key definitions in CCPA

The key definitions of the California Consumer Privacy Act (CCPA), including consumer, personal information, and business, are found in Section 1798.140 of the California Civil Code.

The California privacy law introduces several critical terms that businesses and consumers need to understand:

  • Consumer: Any California resident whose personal data is collected.
  • Personal information (PI): Data that identifies, relates to, or could reasonably be linked to a specific consumer or household. Examples include names, addresses, IP addresses, biometric data, browsing history, and geolocation information.
  • Business: For CCPA compliance, a business is any entity that meets at least one of these criteria:
    1. Has annual gross revenues exceeding $25 million.
    2. Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices annually.
    3. Derives 50% or more of its annual revenue from selling consumers' personal information.
  • Service provider: A legal entity that processes personal information on behalf of a business.
  • Third party: Any entity that receives personal information but is not a service provider.

Key additions from CPRA

The California Privacy Rights Act (CPRA) expanded on the CCPA by:

Who must comply with CCPA?

While that may seem clear in theory, many businesses are still not entirely certain whether they need to comply. First, it’s important to understand that your business does not need to be physically located in California, or even in the U.S. for that matter. Regardless of whether the processing takes place in California, you need to comply if you handle the personal data of California residents and meet any of the thresholds.

CCPA requirements

CCPA and CPRA apply to any for-profit entity doing business in California that meets any one of the following thresholds:

  1. Annual revenue: The business has gross annual revenues exceeding $25 million.
  2. Data handling: The business buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices annually.
  3. Revenue from data sales: The business derives 50% or more of its annual revenue from selling consumers' personal information.

Additionally, service providers and third parties handling consumer data on behalf of these businesses may also need to adhere to specific CCPA requirements.

Key additions from CPRA

The CPRA lowered the threshold for compliance by:

  • Expanding obligations to businesses that share personal data and receive it for cross-context behavioral advertising.
  • Increasing penalties for violations involving minors.

“We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data.”

- Alastair Mactaggart, Chair of Californians for Consumer Privacy and Proposition 24 sponsor

CCPA exemptions

The CCPA includes specific exemptions where its provisions do not apply. Key exemptions include:

  • Nonprofit organizations: The CCPA and CPRA apply to for-profit entities; thus, nonprofit organizations are generally exempt.
  • Certain data types:
    • Medical information: Data already protected under laws like the Health Insurance Portability and Accountability Act (HIPAA) is exempt from CCPA and CPRA provisions.
    • Financial information: Personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act is exempt.
    • Employment-related data (limited exemption until 2023): Information collected about employees, job applicants, and contractors is exempt under certain conditions. (Extended through CPRA, but now includes additional compliance for sensitive data.)
    • Business-to-Business (B2B) communications (limited exemption until 2023): Data exchanged in B2B communications is exempt, but the CPRA narrows this scope.
    • Publicly available information: Information lawfully made available from government records.
    • Deidentified or aggregated data: Data that cannot reasonably identify individuals is not subject to the law.

These criteria and exemptions ensure that the CCPA and CPRA focus on businesses handling significant amounts of personal data, while avoiding undue burdens on smaller enterprises and organizations already governed by other privacy regulations. 

Read further: Who does CCPA apply to?

Key provisions of CCPA

CCPA consumer rights & protections

Under the CCPA, California residents have the following privacy rights regarding their personal information:

  1. Right to know: Consumers can request disclosure of the categories and specific pieces of personal information a business has collected, including the purposes for collection and any third parties with whom the information is shared.
  2. Right to delete: Consumers can request the deletion of their personal information, with exceptions for information necessary to complete transactions, detect security incidents, or comply with legal obligations.
  3. Right to opt-out: Consumers can opt out of the sale of their personal information using a “Do Not Sell My Personal Information” link prominently displayed on business websites.
  4. Right to non-discrimination: Businesses cannot discriminate against consumers exercising their CCPA rights, such as by denying services, charging different prices, or providing a different quality of service.

Read more: Understanding the CCPA right to deletion

Key CPRA changes to CCPA

Let’s take a look at the main CCPA and CPRA differences.

What Is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) expands the CCPA, enhancing data privacy rights for California residents. It adds rights like data correction, limits on sensitive data use, and stricter business compliance. It also creates the California Privacy Protection Agency (CPPA) for enforcement.

Coined CCPA 2.0, the California Privacy Rights Act (CPRA) was approved by voters on November 4, 2020, as a means to improve upon the existing CCPA. The new rights and requirements outlined in the CPRA went into effect and superseded CCPA on January 2, 2023, resulting in a law more in line with the EU’s GDPR and providing greater protection for consumers and additional compliance regulations for businesses.

The California Privacy Protection Agency (CPPA)

One of the key provisions introduced in the CPRA is the establishment of the California Privacy Protection Agency (CPPA), which is responsible for auditing and enforcing the CCPA. Unlike the GDPR, which provides for supervisory authorities, the original CCPA lacked a dedicated “watchdog” to enforce the law and an advocate to educate businesses and consumers about their rights and obligations. The establishment of the CPPA fills this gap.

“The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

- California Governor Gavin Newsom

Read more: CCPA vs CPRA

Expanded CCPA rights

The CPRA also expanded on the following CCPA privacy rights:

  • It introduced the right to correct inaccuracies in personal data.
  • It extended the right to opt out to cover cross-context behavioral advertising.
  • It provided consumers with the right to limit the use of sensitive personal information.

Read more: What are the CCPA categories of personal information?

CPRA compliance in detail

The CPRA also doubles the CCPA’s 50,000 threshold: it applies to companies that buy, receive or sell the personal information of more than 100,000 consumers or households. Additional modifications that help eliminate ambiguity, better define who must comply and provide greater protection include:

  • New requirements for service providers, contractors and third parties, requiring businesses that send personal information to these entities to ensure that they also comply.
  • Expansion of the right to opt out from “Do Not Sell” to “Do Not Sell or Share” personal information.
  • Limitations regarding “sensitive” personal information (e.g., social security number, log-in credentials, health information).
  • Limitations on the storage of information, preventing businesses from maintaining personal information longer than necessary and giving consumers the right to know how long each category of personal information will be retained.
  • Limitations on the information businesses can collect, preventing them from collecting more than is necessary for a particular business function.
  • Expanded consumer rights surrounding the right to opt out, the right to deletion, the right to access and the right to correct inaccurate data, including the right to opt out of advertisers using precise geolocation (< 1/3 mile).
  • Additional restrictions on the transfer of personal information and additional penalties if information is stolen due to negligence.
  • Regular cybersecurity auditing and risk assessment requirements for businesses considered high-risk data processors.

Read more: CPRA consumer rights: a trendsetter in data privacy

Is CCPA opt-in or opt-out?

California's CCPA is primarily an opt-out privacy law, meaning businesses can collect and use personal data by default, but consumers have the right to opt out of specific data practices, such as the sale of their personal information.

Key opt-out provisions

  1. Right to opt-out of data sales:
    • Consumers can direct businesses not to sell their personal information. Businesses must provide a clear and accessible way for consumers to exercise this right, such as a "Do Not Sell My Personal Information" link on their website.
  2. CPRA updates (effective January 1, 2023):
    • The CPRA extends opt-out rights to include the sharing of personal information for cross-context behavioral advertising.
    • It also introduces the right to limit the use of sensitive personal information, giving consumers more control.

Read more: What Does CCPA Mean for Advertisers? [CCPA-Compliant Advertising]

Exceptions

Opt-in consent is required for consumers under 16 years old:

  • Businesses must obtain affirmative opt-in consent before selling personal data of consumers aged 13–16.
  • For children under 13, opt-in consent must come from a parent or guardian, in compliance with the Children's Online Privacy Protection Act (COPPA).

CCPA requirements for businesses

To comply with the CCPA, businesses must follow these CCPA legal obligations:

  • Provide a clear and conspicuous privacy notice detailing their data collection, usage, and sharing practices.
  • Implement a "Do Not Sell My Personal Information" link on their website.
  • Establish processes to respond to consumer rights requests within 45 days of receipt.
  • Verify the identity of consumers submitting requests using reasonable methods, such as account-based verification or secure identification.
  • Maintain a record of requests and responses for at least 24 months.
  • Train employees responsible for handling consumer inquiries on the provisions of CCPA.
  • Update privacy policies at least annually to reflect any changes in data handling practices.

What the CPRA added

The CPRA:

  • Requires businesses to provide a "Do Not Share My Personal Information" link for opting out of sharing data for behavioral advertising.
  • Mandates risk assessments for high-volume data processing.
  • Obligates businesses to provide data retention policies and limit data storage to what is necessary for the disclosed purpose.

Read further: What are the requirements for CCPA?

The price of non-compliance

As under the GDPR, businesses required to be CPRA/CCPA-compliant must provide notice to consumers at the time they collect personal data, allow them to opt out, and disclose the reason for retaining, sharing or selling personal information.

They also must allow consumers to access and delete their personal information, respond to consumer requests within specific timeframes, and maintain all records of requests for a minimum of two years.

Examples of fines for US state privacy law violations

CCPA fines

The California Attorney General enforces the CCPA and can impose penalties for non-compliance:

  • CCPA violation penalties: Up to $2,500 per violation and $7,500 per intentional violation.
  • Consumer lawsuits: Consumers can sue for statutory damages ranging from $100 to $750 per incident or actual damages in cases of data breaches resulting from negligence.

Businesses have 30 days to address alleged violations after being notified by the Attorney General. Failing to cure within this period may lead to enforcement actions.

“Beginning in 2025, monetary damages, administrative fines, and civil penalties are being increased for violations of the CCPA.”

- The California Consumer Privacy Act (CCPA) 

Penalties for violating the CCPA can cost businesses $2,500 for each individual violation (i.e., per consumer), with higher fees for intentional violations. While you can avoid liability if you cure the noncompliance within 30 days, some types of non-compliance may not be capable of a cure. For example, if a data breach has already occurred, there’s little you can do to fix it.

With the passing of the CPRA, the price of non-compliance has increased, and the establishment of the CPPA is expected to result in greater enforcement. Most notably, the CPRA triples the maximum penalty for an individual violation to $7,500 for violations concerning minors.

While these fees seem minor, a business faced with one individual violation will likely have hundreds, thousands or even millions of violations, and all it takes is one individual to identify and publicize the violation for the fees to stack up.

And CPRA/CCPA has NO ceiling on the number of violations. An online retailer doing business with a million Californians could quickly find themselves faced with $2.5 billion in fines.

Just six months into 2020, more than 50 lawsuits invoked the CCPA—everything from a student data management software company that failed to safeguard student data, to a class-action lawsuit against Zoom for sharing millions of users’ personal information through third-party Facebook.

“My office is watching, and we will hold you accountable. Today’s settlement with Sephora makes clear that businesses must heed the California Consumer Privacy Act.”

- California Attorney General Rob Bonta in August 2022

CPRA updates on CCPA compliance risk management

The CPRA removed the mandatory 30-day cure period for certain violations and increased penalties for violations involving minors' data.

The impact of CCPA on businesses

The CCPA has reshaped how businesses handle consumer data, driving operational changes, increasing compliance costs, and offering opportunities for competitive advantage. The CPRA builds on this by adding stricter accountability and privacy requirements, further solidifying California's leadership in data privacy.

Operational changes

Businesses must overhaul their data collection, storage, and sharing practices to align with CCPA. This involves conducting data mapping exercises, implementing consent management solutions, and establishing workflows to manage consumer rights requests.

Increased costs

Compliance with the CCPA often requires significant financial investments in:

  • Data privacy tools.
  • Legal consultations to interpret CCPA requirements.
  • Employee training on CCPA obligations.
  • IT infrastructure for enhanced security measures.

Competitive advantage

Compliance demonstrates a commitment to consumer privacy, fostering trust and loyalty. Businesses that implement robust privacy policies may gain a competitive edge, particularly as consumers grow more privacy-conscious.

Read more: Turn CCPA regulations into your competitive edge in 2025

Updates from CPRA

  • Greater accountability through mandatory contractual agreements with service providers and contractors.
  • Increased risk assessment and privacy audit requirements.

Read further: What is the impact of CCPA on businesses?

The impact of CCPA on consumers

The CCPA marked a significant shift in data privacy rights across the United States, setting a precedent for other states to follow. As the first comprehensive consumer privacy law of its kind in the U.S., it introduced European-style protections previously unseen at this scale. 

The law paved the way for greater transparency and accountability, prompting businesses nationwide to rethink their data handling practices. It also inspired a wave of state-level privacy legislation, highlighting the growing demand for stronger consumer protections in the digital age.

The CCPA empowers consumers by granting them more control over their personal data:

  • Transparency: Consumers gain insight into how their data is collected, used, and shared.
  • Control: Enhanced rights allow consumers to delete data, opt out of sales, and understand their data's lifecycle.
  • Privacy awareness: Increased awareness of privacy rights encourages consumers to make informed decisions about their data.

What the CPRA added

The CPRA enhances consumer rights by expanding control and increasing transparency in data practices.

Expanded consumer control

  • Consumers can now limit the use of sensitive personal information, such as financial, health, and geolocation data.
  • Businesses must provide clear options, like a “Limit the Use of My Sensitive Personal Information” link, making it easier for consumers to exercise their rights.

Increased transparency

  • Businesses are required to disclose data retention periods and the purposes for data collection.
  • This helps consumers understand how long their data is kept and why, fostering informed decision-making.

With these updates, the CPRA strengthens privacy protections, giving consumers greater oversight and trust in how their data is handled.

How CCPA compares to other U.S. data privacy laws

While CCPA is California-specific, it shares similarities with and differences from other U.S. data privacy laws:

CCPA vs other state privacy laws

| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
|---|---|---|---|---|
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Similar to GDPR; right to access and correct data | $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, consumer rights | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Nebraska (NDPA) | Nebraska residents | January 1, 2025 | Privacy protections, consent requirements | Up to $7,500 per violation |
| Delaware (DPDPA) | Delaware residents | January 1, 2025 | Data privacy, consumer rights protections | Up to $10,000 per violation |
| New Hampshire (NHPA) | New Hampshire residents | January 1, 2025 | Privacy protections, opt-in requirements | Up to $10,000 per violation |
| New Jersey (NJDPL) | New Jersey residents | January 15, 2025 | Data protection laws, breach notifications | Up to $7,500 per violation |
| Tennessee (TIPA) | Tennessee residents | July 1, 2025 | Data privacy rights, consent management | Up to $7,500 per violation |
| Minnesota (MCDPA) | Minnesota residents | July 31, 2025 | Consumer data rights, opt-out options | TBD |

What makes CCPA stand out?

The CCPA is broader and more consumer-focused than most U.S. data privacy laws, granting Californians rights to access, delete, and opt out of data sales. Unlike sector-specific laws like HIPAA or GLBA, the CCPA applies to a wide range of businesses. It has inspired similar state laws, such as Virginia's and Colorado's, though with varying scopes and enforcement mechanisms.

Achieve CCPA compliance

Not taking the appropriate steps to ensure compliance is a significant risk that can ultimately mean the difference between business success or business failure. Now is the time to become CCPA/CPRA compliant—and it all starts by following these simple steps.

What is CCPA compliance?

CCPA compliance means adhering to the California Consumer Privacy Act, which grants California residents rights over their personal data. Businesses must provide transparency, allow data access or deletion requests, and avoid selling data without consent. Compliance involves updating privacy policies, handling consumer requests, and ensuring data security.

How to comply with CCPA / CPRA

To comply with CCPA/CPRA, you must:

  • Determine whether your business needs to comply (using this guide)
  • Understand how it can affect your business
  • Map and discover consumer data across all systems, including third-party systems
  • Update your software, systems and subsystems for compliance and opt-out options
  • Streamline your policies and procedures for effective response and protection

Read further: Your CCPA compliance checklist

How Ketch can simplify CCPA compliance

Complying with CCPA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses stay compliant by:

  • Automated consumer rights management: Streamline the process of handling data subject requests for access, deletion, and opt-out.
  • Dynamic privacy policies: Automatically update privacy notices to reflect current practices.
  • Consent management tools: Easily manage opt-out requests and integrate "Do Not Sell My Personal Information" links.
  • Compliance monitoring: Built-in tools to monitor and report on compliance status, reducing the risk of violations.
  • Data mapping and classification: Identify and organize personal information to simplify compliance and minimize risk.

Read more: Top Tips for CCPA Compliance Software in 2025

Examples of successful CCPA compliance

Francesca’s

Francesca’s successfully achieved CCPA compliance by partnering with Ketch to implement automated privacy solutions. Their strategy focused on quick consent banner deployment, using legal policy templates, and streamlining data subject requests. 

This enabled them to meet compliance deadlines efficiently while maintaining their focus on growth. The collaboration resulted in an agile, scalable approach to privacy compliance across multiple states.

“The privacy of our customers' data is very important to us, and we want to make sure we are acting in accordance with their wishes as well as complying with all state laws. Ketch helps us do this without a lot of overhead so we can focus our internal resources on growing our technology capabilities and supporting our aggressive omni-channel growth plans.”

– Mike Early, Chief Technology Officer, Francesca's

Good Smile Company

Good Smile Company achieved CCPA/CPRA compliance by transitioning from a manual, homegrown solution to an automated privacy management system with Ketch. The company implemented consent management, data discovery, and classification tools to handle consumer data requests efficiently and ensure compliance across their operations. This approach allowed them to scale their privacy practices while minimizing manual effort.

“We needed to move from homegrown compliance to scalable, futureproof privacy tech. Ketch is a great solution for us. Today we’re complying with privacy regulations and respecting people’s privacy choices in every data system.” 

- Taylor Locke, Director of IT, Good Smile Company

Final thoughts: Preparing your business for CCPA

Compliance with the CCPA is essential for businesses operating in California. To ensure readiness:

  1. Conduct a thorough data audit to understand the flow of personal information.
  2. Invest in privacy-enhancing technologies such as Ketch for automation and scalability.
  3. Train employees on consumer rights and the proper handling of privacy inquiries.
  4. Monitor changes in California privacy laws, including updates introduced by the California Privacy Rights Act (CPRA).

Taking proactive steps today can minimize risks, build consumer trust, and position your business as a privacy leader.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQs

  1. What does CCPA compliant mean?
    CCPA compliance means a business follows the California Consumer Privacy Act by providing transparency on data collection, offering consumer rights such as access, deletion, and opt-out options, and securing personal data. It requires updating privacy policies, handling data requests, and ensuring third-party compliance.
  2. What is the CCPA compliance threshold?
    Businesses meeting the $25 million revenue threshold or handling data for 50,000+ consumers annually must comply. 
  3. How does the CCPA define personal information?
    Personal information includes any data that can identify or link to a specific consumer or household, such as names, IP addresses, and browsing history.
  4. What happens if my business violates the CCPA?
    Penalties include fines of up to $7,500 per violation and potential consumer lawsuits in the case of data breaches.
  5. How does CCPA compare to GDPR?
    CCPA focuses on consumer rights in California, while GDPR applies to entities handling EU residents' data and has stricter consent requirements.
    Read more: CCPA vs GDPR
  6. Can small businesses be exempt from CCPA?
    Yes, if they do not meet the thresholds related to revenue, data handling, or percentage of income from data sales.
  7. Does CCPA apply to small businesses?
    The California Consumer Privacy Act (CCPA) applies to for-profit businesses that meet one or more of the following criteria:
    • Annual gross revenues exceeding $25 million.
    • Buys, receives, or sells the personal information of 100,000 or more consumers or households.
    • Derives 50% or more of annual revenues from selling consumers' personal information.
    Therefore, small businesses not meeting any of these thresholds are generally exempt from CCPA compliance.

Automate your privacy compliance with Ketch

Risk of regulatory action or fine is no longer an unlikely, empty threat: regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.

Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.