
California maintains the strongest privacy laws in the United States, establishing requirements that many organizations use as the baseline for their overall US privacy programs. Understanding CCPA and CPRA is essential for any organization serving California consumers.
The California Consumer Privacy Act (CCPA) took effect in 2020, establishing foundational privacy rights for California residents. The California Privacy Rights Act (CPRA) amended and expanded CCPA beginning in 2023, adding new rights, strengthening requirements, and creating a dedicated enforcement agency.
Organizations become subject to California privacy law when serving California consumers and meeting any of three thresholds. Annual gross revenue exceeding 25 million dollars triggers applicability regardless of data processing volume. Alternatively, buying, selling, or sharing personal information of 100,000 or more California consumers or households creates compliance obligations. Organizations deriving 50 percent or more of annual revenue from selling or sharing personal information also fall within scope.
California consumers possess extensive rights regarding their personal information. The right to know enables consumers to understand what personal information organizations collect and how they use it. The right to delete allows consumers to request removal of their personal information from organizational systems.
The right to opt-out allows consumers to prevent sale or sharing of their personal information. CPRA added the right to correct inaccurate personal information. The right to limit use of sensitive personal information restricts processing of the most sensitive data categories. Data portability rights enable consumers to receive their information in portable formats. Non-discrimination rights prevent organizations from penalizing consumers who exercise their privacy rights.
CPRA establishes enhanced protections for sensitive personal information categories. Social Security numbers, driver's license numbers, and government identifiers receive heightened protection. Financial account information including account numbers with access credentials requires special handling. Precise geolocation data, genetic data, and biometric information all qualify as sensitive. Health information, racial or ethnic origin, and religious beliefs also receive enhanced protection.
Organizations must update privacy policies to reflect California requirements accurately. Conspicuous links reading "Do Not Sell or Share My Personal Information" must appear on websites. Opt-out mechanisms must function reliably and be easily accessible. Contracts with service providers and data processors must address California requirements. Employee training programs must ensure staff understand California compliance obligations.
What is the revenue threshold in millions?
New right: right to what?
Is "Precise Geolocation" sensitive?