CCPA/CPRA-Specific Privacy Requirements
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) govern personal information of California residents. CCPA took effect in 2020; CPRA amendments took effect in 2023, creating what's often called "CCPA 2.0" or simply "CPRA." CCPA/CPRA applies to businesses that collect California residents' personal information and meet revenue, data volume, or data sale thresholds. This primer covers CCPA/CPRA-specific implementation details; see Privacy Primer for universal privacy principles.
Covered Businesses
CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one threshold: (1) annual gross revenue exceeding $25 million, (2) annually buying, selling, or sharing personal information of 100,000 or more California residents or households, or (3) deriving 50% or more annual revenue from selling or sharing California residents' personal information. The thresholds apply to gross revenue and data volumes regardless of profit margins.
Doing business in California means intentionally directing business toward California, not merely having a website accessible in California. Factors include offering goods or services to California residents, targeting California advertising, having California customers, or having operations in California. The determination is similar to GDPR's territorial scope but with specific numerical thresholds.
The small-business exception applies to businesses that fall below all three thresholds. However, businesses must monitor their status annually, since crossing any threshold triggers compliance obligations. Small businesses may choose to comply voluntarily, particularly if they plan to grow or to partner with covered businesses.
Nonprofit organizations are generally exempt from CCPA/CPRA unless they meet the thresholds and are engaged in commercial activities. Pure nonprofit activities are exempt, but nonprofits operating businesses may be covered.
Affiliated businesses are evaluated separately unless they share common branding and one exercises control over the other. Affiliated businesses can't aggregate revenues or data volumes to avoid thresholds unless they're truly separate entities.
Personal Information Definition
Personal information under CCPA/CPRA is broadly defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. This includes direct identifiers (name, email, phone, address, government ID), indirect identifiers (IP address, device ID, unique personal identifier, cookies), and inferences (profiles, preferences, characteristics, behavior).
Household information is personal information related to a group of consumers living together at the same address. CCPA/CPRA recognizes household as a distinct unit, separate from individual consumers. Household information is protected even when it doesn't directly identify individuals.
Publicly available information is information lawfully made available from government records and is excluded from CCPA/CPRA's definition of personal information. However, information that is merely accessible online doesn't qualify as publicly available—it must come from government records.
Deidentified information is information that cannot reasonably be used to infer information about or be linked to a consumer, provided the business commits to maintaining deidentification and contractually prohibits reidentification. Deidentified information is excluded from CCPA/CPRA, but true deidentification is difficult—most "deidentified" data is actually pseudonymized.
Aggregate consumer information is information relating to a group of consumers that doesn't identify individuals. Aggregate information is excluded from CCPA/CPRA.
Sensitive Personal Information
Sensitive personal information under CPRA includes government IDs (SSN, driver's license, passport), account credentials (logins, passwords), precise geolocation, racial/ethnic origin, religious beliefs, union membership, contents of mail/email/text (unless business is intended recipient), genetic data, biometric data for identification, health/sex life data, and sexual orientation.
Limits on use and disclosure of sensitive personal information require businesses to use it only for purposes disclosed to consumers or necessary for providing goods or services. Businesses cannot use sensitive personal information for internal operations beyond what's reasonably expected, nor can they disclose it to third parties without consent. This is CPRA's most significant addition to CCPA.
Opt-out right for sensitive personal information allows consumers to limit use and disclosure beyond what's necessary for providing goods or services. This differs from sale/sharing opt-out—sensitive personal information opt-out restricts use even within the business.
Inferring sensitive categories from other data can trigger sensitive personal information protections. For example, precise geolocation at a religious site might infer religious beliefs, and purchase history might infer health conditions.
Consumer Rights
Right to know entitles consumers to know what personal information businesses collect, sell, or share about them. This includes categories of personal information, sources, purposes, third parties, and specific pieces of information. Requests must be fulfilled within 45 days (extendable by 45 days for complex requests). Responses must cover the 12-month period preceding the request.
Right to delete requires businesses to delete personal information upon consumer request, with specific exceptions. Exceptions include completing transactions, providing goods or services, detecting security incidents, exercising free speech, complying with legal obligations, internal uses aligned with expectations, and research. Businesses must delete information from their own systems and direct service providers to delete as well.
Right to correct requires businesses to correct inaccurate personal information upon consumer request. This is a CPRA addition. Businesses must use commercially reasonable efforts to correct inaccurate information and, if corrected information was shared, notify third parties unless this requires disproportionate effort.
Right to opt out of sale or sharing allows consumers to opt out of businesses selling or sharing their personal information. Opt-out must be easy (no account creation required) and prominent. Businesses must honor opt-out requests and notify consumers of their rights. Opt-out applies to all sales and sharing, not selective opt-out for specific third parties.
Right to opt out of automated decision-making allows consumers to opt out of automated processing that produces legal or similarly significant effects. This includes profiling for purposes of evaluating work performance, economic situation, health, preferences, interests, reliability, behavior, location, or movements. This is a CPRA addition.
Right to limit use and disclosure of sensitive personal information allows consumers to restrict use of sensitive personal information beyond what's necessary for providing goods or services. This is a CPRA addition and provides broader opt-out rights for sensitive categories.
Right to non-discrimination prohibits businesses from discriminating against consumers who exercise their CCPA/CPRA rights. Businesses cannot deny goods or services, charge different prices, provide different quality, or suggest that price or service differences result from exercising rights. Businesses can offer financial incentives for data collection, provided they're reasonably related to data value and consumers can opt in.
Sale and Sharing Definitions
Sale of personal information means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration. The definition is intentionally broad and includes many arrangements that businesses might not consider "sales," including data for advertising revenue, data sharing for analytics, and data exchanges between partners.
Sharing of personal information means sharing personal information with third parties for cross-context behavioral advertising, whether for monetary or other valuable consideration. This CPRA addition clarifies that sharing for advertising purposes requires opt-out, even without monetary payment. Sharing is defined specifically for advertising, not all third-party disclosures.
Third parties are entities separate from the business collecting the data. Third parties include analytics providers, advertising networks, social media platforms, data brokers, and affiliates operating separately. Third parties don't include service providers processing data on behalf of the business under a written contract.
Service provider exception applies when businesses share personal information with service providers under a written contract that prohibits the service provider from retaining, using, or disclosing personal information except as necessary to perform services or comply with legal obligations. Service providers can't use personal information for their own purposes, resell it, or combine it with other data they collect.
Business purpose exception allows businesses to share personal information with service providers for business purposes without triggering sale/sharing opt-out requirements. Business purposes include auditing, security, debugging, short-term transient use, performing services, internal research, quality control, and activities to verify or maintain quality of services.
Opt-Out Mechanisms
Opt-out requests must be easy for consumers to submit, without creating accounts, providing unnecessary information, or facing barriers. Businesses must provide at least two methods for submitting opt-out requests, including a toll-free telephone number and an interactive web form. Email and postal mail can also be provided.
A "Do Not Sell My Personal Information" link must appear on business homepages and other prominent locations. The link must be easy to find and clearly worded. Clicking the link should immediately process the opt-out or present a clear opt-out interface. After CPRA, the required wording becomes "Do Not Sell or Share My Personal Information."
Opt-out preference signals are global privacy controls (like browser settings or extensions) that communicate consumer privacy preferences. Businesses must honor opt-out preference signals that comply with technical specifications, treating them as valid opt-out requests. This is a CPRA requirement that increases ease of opt-out.
Universal opt-out allows consumers to set one preference that applies across websites, rather than opting out site-by-site. Browser extensions and privacy tools can communicate opt-out preferences automatically. Businesses must honor these signals if they're properly formatted and recognizable.
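The two paragraphs above describe the mechanism in the abstract. The following is an added example (not code from the original primer) of how a server-side request handler can recognize such a signal and record it as a valid opt-out. It assumes the signal is the Global Privacy Control (GPC) header, sent by browsers and extensions as "Sec-GPC: 1"; the ConsumerPreferences record and the header dictionaries are constructed for illustration. It also shows the edge cases a practitioner cares about: header names are case-insensitive, only the exact value "1" counts as a signal, and the later absence of the signal is never treated as an opt-back-in.

```python
"""Honoring a browser opt-out preference signal server-side.

Added example, not code from the original primer. Assumes the signal is
the Global Privacy Control header "Sec-GPC: 1". The request headers and
the ConsumerPreferences record below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class ConsumerPreferences:
    """Constructed stand-in for a consumer's stored privacy choices."""
    consumer_id: str
    sale_sharing_opted_out: bool = False
    opt_out_source: Optional[str] = None
    opt_out_at: Optional[datetime] = None


def has_opt_out_signal(headers: Dict[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the lookup is normalised.
    The GPC specification defines exactly one meaningful value, "1";
    anything else ("0", "true", an empty string) is not a signal and must
    not be treated as an opt-out.
    """
    normalised = {name.lower(): value.strip() for name, value in headers.items()}
    return normalised.get("sec-gpc") == "1"


def apply_opt_out_signal(
    prefs: ConsumerPreferences,
    headers: Dict[str, str],
    now: Optional[datetime] = None,
) -> ConsumerPreferences:
    """Treat a valid signal on this request as an opt-out request.

    The signal only ever moves a consumer *into* the opted-out state.
    A later request without the header is not an opt-back-in: resuming
    sale/sharing requires affirmative consent, so the flag is never
    cleared here.
    """
    if has_opt_out_signal(headers) and not prefs.sale_sharing_opted_out:
        prefs.sale_sharing_opted_out = True
        prefs.opt_out_source = "gpc-signal"
        prefs.opt_out_at = now or datetime.now(timezone.utc)
    return prefs


def may_sell_or_share(prefs: ConsumerPreferences) -> bool:
    """Gate that downstream ad-tech or data-transfer code should consult."""
    return not prefs.sale_sharing_opted_out


if __name__ == "__main__":
    # Constructed request headers for a quick demonstration.
    record = ConsumerPreferences(consumer_id="consumer-123")
    record = apply_opt_out_signal(record, {"SEC-GPC": "1", "Accept": "text/html"})
    print(record.sale_sharing_opted_out, may_sell_or_share(record))   # True False
    record = apply_opt_out_signal(record, {"Accept": "text/html"})    # no signal
    print(record.sale_sharing_opted_out)                              # still True
```

In practice the opt-out state should be persisted per consumer (or per household, where that is the unit being tracked) and checked at every point where personal information would leave the business, not only on the page that received the header.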
Opt-out confirmation should be provided to consumers after they submit opt-out requests. Businesses must confirm receipt and honor opt-outs within 15 business days. Opt-outs remain in effect unless consumers opt back in.
Opt-back-in requires businesses to obtain opt-in consent before resuming sale/sharing after an opt-out. Consumers cannot be required to opt back in as a condition of receiving goods or services. Opt-back-in must be as easy as opt-out.
Enforcement and Penalties
California Attorney General enforces CCPA/CPRA and can bring civil actions for violations. The Attorney General can seek injunctive relief, civil penalties, and other remedies. Before filing suit, the Attorney General must provide 30 days' notice and opportunity to cure violations (this cure period may be limited under CPRA).
Civil penalties are $2,500 per violation (or $7,500 per intentional violation or violation involving minors' personal information). Penalties are calculated per consumer affected, not per business, so violations affecting many consumers can result in substantial fines. Penalties are separate from private right of action damages.
Private right of action allows consumers to sue businesses for security breaches that expose certain personal information types: unencrypted/unredacted Social Security numbers, driver's license numbers, California ID card numbers, account numbers with passwords/security codes, medical information, health insurance information, and biometric data. This is a limited right of action—it doesn't apply to all CCPA/CPRA violations.
Damages in private actions are $100-$750 per consumer per incident, or actual damages if greater. Consumers must prove the breach resulted from failure to maintain reasonable security procedures. Businesses can avoid liability by curing violations within 30 days, but this applies only to certain violations and may be limited under CPRA.
California Privacy Protection Agency (CPPA) is the new enforcement agency created by CPRA. CPPA has authority to enforce CPRA and can issue regulations, conduct investigations, and impose fines. CPPA operates alongside the Attorney General for enforcement.
Regulatory enforcement by CPPA can result in administrative fines and orders. CPPA has authority to audit businesses, issue subpoenas, and take enforcement actions. CPPA enforcement is separate from Attorney General enforcement and private actions.
Key Numbers
CCPA/CPRA covered business threshold: $25 million revenue, 100,000 California residents' personal information, or 50% revenue from sale/sharing. Request response time: 45 days (extendable by 45 days). Opt-out processing: 15 business days. Penalty: $2,500 per violation ($7,500 for intentional or involving minors). Private right of action damages: $100-$750 per consumer per incident. Cure period: 30 days (may be limited for certain violations).
Common Misconceptions
"CCPA only applies to large businesses." While thresholds exist, many businesses meet them. Revenue threshold includes all revenue, not just California revenue. Data volume threshold includes buying, selling, or sharing—not just collecting.
"Service providers are exempt." Service providers have their own obligations under CCPA/CPRA. While service providers processing under contracts have exceptions, they're not exempt from all requirements and can become covered businesses themselves.
"Selling data requires explicit payment." Sale definition is broad—sharing data for advertising revenue, analytics, or other valuable consideration qualifies as sale. Many arrangements businesses don't consider "sales" trigger CCPA/CPRA obligations.
"Opt-out means deleting data." Opt-out of sale/sharing stops selling/sharing but doesn't require deleting data from business systems. Consumers must separately request deletion if they want data removed.
"CCPA and CPRA are different laws." CPRA amends and expands CCPA, creating what's effectively "CCPA 2.0." Most CCPA requirements remain, but CPRA adds new obligations around sensitive personal information, automated decision-making, and opt-out mechanisms. Organizations comply with "CCPA as amended by CPRA."