CCPA / CPRA — California Consumer Privacy Compliance
Quick Reference Box
| Item | Detail |
|---|---|
| Regulation | California Consumer Privacy Act (CCPA) of 2018, amended by California Privacy Rights Act (CPRA) of 2020 |
| Regulator | California Privacy Protection Agency (CPPA); California Attorney General |
| Effective Date | CCPA: Jan 1, 2020 / CPRA amendments: Jan 1, 2023 (full enforcement Mar 29, 2024 onward) |
| Applies To | For-profit businesses meeting one of three thresholds (revenue, data volume, or data sales) |
| Maximum Penalty | $2,500 per violation; $7,500 per intentional violation or violation involving a minor |
| Private Right of Action | Yes, for certain data breaches ($100–$750 per consumer per incident) |
| Implementation Time | 4–9 months for most mid-market organizations |
Introduction
California has been the de facto privacy regulator for the United States since the California Consumer Privacy Act (CCPA) took effect in 2020. With the California Privacy Rights Act (CPRA) amendments now fully enforced and the California Privacy Protection Agency (CPPA) issuing final regulations on automated decision-making, risk assessments, and cybersecurity audits, the bar for compliance has risen significantly in 2026.
For privacy officers, CCPA/CPRA is no longer a "notice and request portal" exercise. It is a comprehensive program covering data minimization, vendor contracts, sensitive data handling, opt-out preference signals, and forthcoming risk-assessment and cyber-audit requirements. Enforcement actions by the CPPA and Attorney General, including the 2022 Sephora settlement and subsequent sweeps targeting connected vehicles, mobile apps, and ad-tech, demonstrate that California regulators are willing to pursue both substance and form failures.
This guide gives privacy and compliance teams a practical implementation roadmap, real-world enforcement context, and the artifacts needed to operate a defensible California privacy program.
Scope & Application
CCPA/CPRA applies to any for-profit business that does business in California and meets at least one of these thresholds:
- Annual gross revenue over $25 million (adjusted periodically); or
- Buys, sells, or shares personal information of 100,000 or more California consumers or households annually; or
- Derives 50% or more of annual revenue from selling or sharing personal information.
Importantly, the law also reaches service providers, contractors, and third parties through downstream contractual obligations, similar to processor obligations under GDPR.
The law protects three categories of California residents:
- Consumers (individuals)
- Employees and job applicants (since 2023)
- B2B contacts (since 2023)
⚠️ Warning: Many companies that were exempt under the original CCPA's HR and B2B carve-outs are now in scope under the CPRA. Re-scope your program if you have not done so since January 2023.
The CPRA also introduces a new category, Sensitive Personal Information (SPI), including precise geolocation, race/ethnicity, religion, union membership, communications contents, biometric identifiers, health, and sexual orientation/sex life data. Consumers may direct businesses to limit the use and disclosure of SPI to specified purposes.
Key Requirements & Core Concepts
Consumer Rights
The CCPA/CPRA grants California residents seven core rights:
- Right to Know — categories and specific pieces of personal information collected.
- Right to Delete — request deletion of personal information.
- Right to Correct — request correction of inaccurate information (CPRA addition).
- Right to Opt Out of Sale or Sharing — including cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information — to specified business purposes.
- Right to Non-Discrimination — for exercising rights.
- Right to Data Portability — receive data in a portable format.
Businesses must respond to verifiable consumer requests within 45 days, extendable by 45 days with notice.
Notices and Disclosures
CPRA requires multiple notices:
- Notice at Collection (at or before the point of collection)
- Privacy Policy (comprehensive, updated annually)
- Notice of Right to Opt-Out (with "Do Not Sell or Share My Personal Information" link)
- Notice of Right to Limit (with "Limit the Use of My Sensitive Personal Information" link)
- Notice of Financial Incentives (where applicable)
Opt-Out Preference Signals (OOPS)
Businesses must honor Global Privacy Control (GPC) and similar browser-based opt-out signals as a valid opt-out from sale/sharing. The Sephora settlement made clear: ignoring GPC is itself a violation.
Data Minimization & Purpose Limitation
CPRA introduces GDPR-style principles: collect, use, retain, and share personal information only as reasonably necessary and proportionate to disclosed purposes.
Vendor Contracts
Contracts with service providers, contractors, and third parties must contain CPRA-mandated terms, including purpose limitation, no-combination restrictions, audit rights, and assistance with consumer requests.
💡 Pro Tip: Build a single CPRA addendum that maps to GDPR Article 28 obligations. Most U.S. multinationals can use a unified contracting approach instead of negotiating bespoke clauses with every vendor.
💡 Pro Tip: Map all "sales" and "sharing" through the lens of cross-context behavioral advertising. Most companies that disclaimed selling data in 2020 are now technically "sharing" it under CPRA's broader definition.
Forthcoming CPPA Regulations
Final and proposed regulations cover:
- Cybersecurity audits for high-risk processors.
- Risk assessments before high-risk processing (similar to DPIAs).
- Automated Decision-making Technology (ADMT) notices, opt-outs, and access rights.
💡 Pro Tip: Begin preparing an ADMT inventory now. Even pre-finalization, the inventory itself becomes the foundation of risk assessments under any final rule.
Approach: Implementation Roadmap
| Phase | Duration | Key Activities | Deliverables |
|---|---|---|---|
| 1. Applicability & Governance | Weeks 1–2 | Confirm thresholds; appoint accountable owner; charter cross-functional team | Applicability memo, RACI |
| 2. Data Inventory | Weeks 2–6 | Map data flows, categories, sources, recipients; tag SPI and "sale/share" data | PI/SPI inventory, data-flow diagrams |
| 3. Notices & Policies | Weeks 4–8 | Draft Notice at Collection, Privacy Policy, opt-out and limit links | Updated notices, internal policy |
| 4. Consumer Rights Portal | Weeks 6–10 | Build/configure DSAR portal, identity verification, workflow | Tested intake portal, runbook |
| 5. Opt-Out & GPC Handling | Weeks 6–10 | Implement GPC honoring; consent management platform configuration | CMP rules, opt-out logs |
| 6. Vendor Contracting | Weeks 8–14 | Categorize vendors; execute CPRA addenda | Vendor inventory, executed addenda |
| 7. Sensitive PI Controls | Weeks 10–14 | Limit-use workflow; minimization controls | SPI handling SOP |
| 8. Risk & ADMT Inventory | Weeks 12–18 | Inventory high-risk processing and ADMT systems | Risk register, ADMT inventory |
| 9. Training & Awareness | Weeks 14–18 | Privacy training; CSR scripts; recordkeeping | Training records, scripts |
| 10. Monitoring & Audit | Ongoing | Metrics, sample DSAR audits, regulator readiness | KPI dashboard, internal audit reports |
✅ Checklist: Pre-Launch
- Privacy Policy refreshed within last 12 months
- "Do Not Sell or Share" and "Limit Use of SPI" links live on homepage
- GPC signal tested and honored
- DSAR portal verified end-to-end
- All in-scope vendors under CPRA-compliant contracts
- Employee/HR notice delivered
📥 Downloadable Checklist: CCPA/CPRA Compliance Implementation Checklist available from the ISO Xpert resource library.
Certification & Completion Process
CCPA/CPRA is statutory law, not a certification scheme. However, organizations demonstrate maturity and reduce regulatory risk through:
- CPPA Certification of Compliance Programs (where formal programs emerge under final rules).
- Independent privacy program assessments mapped to CPRA, GDPR, and ISO/IEC 27701.
- ISO/IEC 27701 Certification — a recognized privacy information management standard.
- Professional staff certifications: CIPP/US, CIPM, CIPT (IAPP); ISO Xpert Certified Privacy Practitioner.
A typical assessment cycle includes scoping, gap analysis, remediation, and an attestation report. Annual refresh is standard practice.
5 Common Challenges (Problem → Solution → Outcome)
Challenge 1: Misclassifying "Sale" and "Sharing"
- Problem: Many companies still believe they do not sell data because no money changes hands. Under CPRA, "sharing" for cross-context behavioral advertising triggers opt-out rights, even without payment.
- Solution: Map every data outflow to ad-tech, analytics, and marketing partners. Treat each as a presumed share unless contractually restricted as a service-provider activity.
- Outcome: Accurate opt-out implementation; reduced enforcement risk.
Challenge 2: Failing to Honor Global Privacy Control
- Problem: Sites accept cookie banners but ignore GPC headers, the exact failure cited in CPPA enforcement.
- Solution: Configure the consent management platform to detect GPC and treat it as a verified opt-out from sale/sharing for unauthenticated users; persist the signal for authenticated users so the opt-out follows the account.
- Outcome: Verifiable opt-out logs and defensible technical compliance.
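One way to implement the detection, persistence and logging described in this challenge (and the opt-out preference signal obligation in the OOPS section above), as an added example that is not part of the original guide and not any vendor's CMP code: it reads the `Sec-GPC: 1` request header defined by the Global Privacy Control specification, merges it with a stored account preference or the cookie set by the "Do Not Sell or Share" link, persists the signal for authenticated users, gates sale/share tags on the result, and emits a structured line for the opt-out audit log. The tag catalog, the in-memory `Map` store, the request ids and timestamps, and the lowercase header keys (Node.js style) are assumptions made for the example.

```javascript
// Added example: honoring Global Privacy Control as a CPRA opt-out from
// sale/sharing. Not from the original guide; the tag catalog, in-memory
// store and header shape are assumptions for illustration.

// The GPC specification signals opt-out with the request header "Sec-GPC: 1"
// (and navigator.globalPrivacyControl === true in the browser). Node-style
// servers expose header names lowercased, which is assumed here.
const GPC_HEADER = 'sec-gpc';

function hasGpcSignal(headers) {
  // Only the exact value "1" is a signal; anything else is treated as absent.
  const raw = headers[GPC_HEADER];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return String(value == null ? '' : value).trim() === '1';
}

// Resolve the opt-out decision for one request. Three sources are merged:
// the GPC header, a stored preference tied to an authenticated account,
// and the opt-out cookie written when a visitor clicks the
// "Do Not Sell or Share My Personal Information" link.
function resolveOptOut(headers, { accountId = null, cookieOptOut = false, store }) {
  const gpc = hasGpcSignal(headers);
  const stored = accountId !== null && store.get(accountId) === true;
  const optedOut = gpc || stored || cookieOptOut;

  // Persist the GPC signal for authenticated users so the opt-out follows
  // the account across devices and sessions.
  if (gpc && accountId !== null && !stored) {
    store.set(accountId, true);
  }

  const source = gpc ? 'gpc' : stored ? 'account' : cookieOptOut ? 'cookie' : 'none';
  return { optedOut, source, shareAllowed: !optedOut };
}

// Constructed tag catalog. Each tag is classified the way the data inventory
// would classify the outflow: a contractually restricted service-provider
// activity, or a presumed "sale"/"share" to a third party.
const TAG_CATALOG = [
  { id: 'first-party-analytics', classification: 'service_provider' },
  { id: 'adtech-conversion-pixel', classification: 'share' },
  { id: 'retargeting-sdk', classification: 'sale' },
];

// Consent gating: service-provider tags always load; sale/share tags load
// only when the visitor has not opted out.
function tagsToLoad(decision, catalog = TAG_CATALOG) {
  return catalog
    .filter(tag => tag.classification === 'service_provider' || decision.shareAllowed)
    .map(tag => tag.id);
}

// Structured audit record for the opt-out log. Recording the source of the
// decision lets an auditor later show that a GPC signal was honored.
function optOutLogEntry(decision, requestId, timestamp) {
  return JSON.stringify({
    ts: timestamp,
    requestId,
    optedOut: decision.optedOut,
    source: decision.source,
    tagsSuppressed: TAG_CATALOG.length - tagsToLoad(decision).length,
  });
}

// Body for /.well-known/gpc.json, the support resource the GPC specification
// defines so that clients can check whether a site honors the signal.
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Demo on constructed requests (not real traffic).
function demo() {
  const store = new Map();
  // Constructed: a logged-in visitor whose browser sends GPC.
  const first = resolveOptOut({ 'sec-gpc': '1', host: 'shop.example' }, { accountId: 'acct-42', store });
  // Constructed: the same account later, from a browser without GPC.
  const later = resolveOptOut({ host: 'shop.example' }, { accountId: 'acct-42', store });
  // Constructed: an anonymous visitor with no signal and no cookie.
  const anon = resolveOptOut({ host: 'shop.example' }, { store });
  console.log(optOutLogEntry(first, 'req-1', '2024-06-01T12:00:00Z'));
  console.log(optOutLogEntry(later, 'req-2', '2024-06-02T08:30:00Z'));
  console.log(tagsToLoad(anon));
  return { first, later, anon };
}

demo();
```

The design choice worth noting is that the stored account preference outlives the header: once a GPC signal has been seen on an authenticated session, a later request from a browser that does not send the header still resolves as opted out, which is what makes the opt-out log defensible rather than dependent on whichever device the consumer happens to use.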
Challenge 3: Incomplete Data Inventory
- Problem: SaaS sprawl, shadow analytics, and mobile SDKs create undiscovered PI flows.
- Solution: Combine network discovery, tag-management audits, vendor reviews, and surveys into a continuously updated PI/SPI inventory.
- Outcome: Defensible data map underpinning notices, DSARs, and risk assessments.
Challenge 4: Slow or Unverifiable DSAR Responses
- Problem: Manual DSAR processes miss the 45-day deadline and produce inconsistent results.
- Solution: Deploy a centralized DSAR platform with identity verification, system connectors, and auditable workflow.
- Outcome: Timely, defensible responses with metrics for regulator inquiries.
Challenge 5: Vendor Contract Gaps
- Problem: Pre-CPRA contracts lack required service-provider language; vendors are de facto third parties triggering opt-out obligations.
- Solution: Roll out a uniform CPRA addendum and prioritize remediation based on data sensitivity and volume.
- Outcome: Reduced inadvertent "sales" and clearer downstream accountability.
Benefits Matrix
| Benefit | Description | Stakeholder Impact |
|---|---|---|
| Regulator Risk Reduction | Lower likelihood of CPPA/AG enforcement actions | Legal, Board |
| Consumer Trust | Transparent practices enhance brand reputation | Marketing, Product |
| Operational Efficiency | Consolidated DSAR and consent tooling reduces manual workload | Privacy Ops |
| Multi-State Readiness | CPRA program maps cleanly to Colorado, Virginia, Texas, and other state laws | Legal, IT |
| B2B Contract Wins | Mature privacy program is increasingly a procurement requirement | Sales |
| Lower Breach Liability | Strong security reduces statutory damages exposure | Risk, IT Security |
Key Takeaway Infographic
+-------------------------------------------------------------+
| CCPA / CPRA: SEVEN CONSUMER RIGHTS                          |
+-------------------------------------------------------------+
|                                                             |
| 1. Right to Know           5. Right to Limit SPI Use        |
| 2. Right to Delete         6. Right to Non-Discrimination   |
| 3. Right to Correct        7. Right to Data Portability     |
| 4. Right to Opt-Out                                         |
|    (Sale / Sharing)                                         |
|                                                             |
|              ----- BUSINESS OBLIGATIONS -----               |
| Notices | Contracts | DSARs | GPC Signal | Risk Assess.     |
+-------------------------------------------------------------+
Tools & Resources
- CPPA Regulations Repository — official text, rule-making history, advisories.
- California Attorney General Privacy Resources — enforcement updates and consumer guidance.
- OneTrust, TrustArc, Securiti, Transcend — DSAR and consent management platforms.
- Global Privacy Control (globalprivacycontrol.org) — technical documentation.
- IAPP CCPA/CPRA Resource Center — practitioner toolkits.
- ISO/IEC 27701 standard — privacy information management system framework.
- ISO Xpert Certified Privacy Practitioner Course — role-based training.
Case Study: Before / After
Organization: A direct-to-consumer e-commerce retailer with 2.4 million California customers, mobile app, and ad-supported website.
Before
- 2020-era privacy policy; no GPC handling.
- "Do Not Sell" link present, but third-party trackers remained active after opt-out.
- DSAR responses averaged 62 days.
- Service-provider contracts dating to 2019 with no CPRA addendum.
- Marketing teams routinely uploaded customer lists to ad platforms without classification.
Implementation
Over 7 months, working with ISO Xpert:
- Refreshed all notices, including Notice at Collection on every form.
- Implemented enterprise CMP honoring GPC; remapped tags to a server-side container with consent gating.
- Deployed a DSAR platform with identity verification and 12 system connectors.
- Rolled out CPRA addendum to 184 vendors; reclassified ad-tech partners and shut down four unused integrations.
- Built ADMT inventory anticipating CPPA's automated decision-making rules.
- Conducted privacy training and product-team office hours.
After
- Average DSAR response time: 11 days.
- 100% of in-scope vendors under CPRA-compliant contracts.
- GPC honored and logged across web and mobile.
- Audited tag manager confirms zero "sharing" without consent for opted-out users.
- Internal CCPA audit completed with no critical findings.
Conclusion & Call to Action
CCPA/CPRA compliance has matured from a 2020 "links and policies" exercise into a comprehensive privacy program that touches data inventories, vendor contracts, ad-tech, security, and automated decision-making. With CPPA enforcement underway and additional rules on the horizon, organizations that build a durable program now will be ready not only for California but for every U.S. state privacy law to follow.
ISO Xpert helps privacy officers and compliance teams design, implement, and certify privacy programs aligned with CCPA/CPRA, GDPR, and ISO/IEC 27701.
Take the next step: Enroll in the ISO Xpert Certified Privacy Practitioner program or request a complimentary CCPA/CPRA readiness assessment at iso-xpert.com.
Frequently Asked Questions
1. Does CCPA/CPRA apply to non-California companies? Yes, if they do business in California and meet a threshold. Geographic location of the business does not matter; residency of the consumer does.
2. Are nonprofits exempt? Generally yes, the law applies to for-profit businesses, but exemptions can be lost where nonprofits are part of a broader for-profit ecosystem.
3. What is the difference between "selling" and "sharing"? "Selling" generally requires monetary or other valuable consideration. "Sharing" applies to cross-context behavioral advertising regardless of consideration.
4. Must we honor Global Privacy Control? Yes. The CPPA and Attorney General have made clear that GPC is a required opt-out signal.
5. Are HR and B2B data still exempt? No. The temporary exemptions expired on January 1, 2023. Employee and B2B contact data are now fully in scope.
6. What is Sensitive Personal Information? A defined CPRA category including precise geolocation, race, religion, union membership, communications contents, biometrics, health, and sex/sexual orientation.
7. How long do we have to respond to a consumer request? 45 days, extendable by an additional 45 days with notice.
8. Do we need risk assessments and cybersecurity audits? The CPPA has finalized and proposed rules requiring both for high-risk processing. Begin preparing now.
9. What are typical penalties? $2,500 per violation; $7,500 for intentional violations or violations involving minors. Statutory damages of $100–$750 per consumer per incident apply for certain breaches.
10. How does CCPA/CPRA compare to GDPR? Conceptually similar but with key differences: opt-out (vs. opt-in) for most processing, narrower lawful-basis framework, distinct definitions of sale/share, and statutory damages for breaches.
Glossary
- CCPA: California Consumer Privacy Act of 2018.
- CPRA: California Privacy Rights Act, amending the CCPA.
- CPPA: California Privacy Protection Agency.
- PI (Personal Information): Information that identifies, relates to, or could reasonably be linked to a California consumer or household.
- SPI (Sensitive Personal Information): Special category of PI requiring additional protections.
- Sale: Disclosing PI for monetary or other valuable consideration.
- Sharing: Disclosing PI for cross-context behavioral advertising.
- Service Provider: Vendor processing PI on behalf of a business under contract.
- Contractor: Similar to service provider, with specific contractual provisions.
- Third Party: Recipient that is neither a service provider nor a contractor.
- GPC (Global Privacy Control): Browser-based opt-out signal.
- ADMT: Automated Decision-Making Technology.
- DSAR: Data Subject Access Request.
- Notice at Collection: Required disclosure at or before data collection.
- Verifiable Consumer Request: Authenticated request from a California consumer.
References
External:
- California Privacy Protection Agency — Final and Proposed Regulations: https://cppa.ca.gov
- California Attorney General — CCPA Resources and Enforcement Actions: https://oag.ca.gov/privacy/ccpa
- CPPA — Sephora Settlement and Subsequent Enforcement Sweeps (2022–2024).
- Global Privacy Control — Technical Specification: https://globalprivacycontrol.org
- IAPP — CCPA/CPRA Practitioner Resources.
ISO Xpert Internal:
- State Privacy Laws: A Comparative Implementation Guide — iso-xpert.com/articles/state-privacy-laws-comparative-guide
- ISO/IEC 27701: Building a Privacy Information Management System — iso-xpert.com/articles/iso-27701-pims
- Vendor Contracting for Privacy Programs — iso-xpert.com/articles/vendor-contracting-privacy
Author Bio
Written by ISO Xpert Consultants — privacy and data-protection professionals advising businesses on CCPA/CPRA, GDPR, LGPD, PIPL, and ISO/IEC 27701 implementations. ISO Xpert delivers training, certification, and advisory services trusted globally.