Data Privacy / State Law

CCPA/CPRA

California Consumer Privacy Act of 2018 (as amended by California Privacy Rights Act of 2020)

Legally Required Featured Framework

California comprehensive privacy law establishing consumer rights to know, delete, correct, opt-out, and limit use of personal information. CPRA amendments (effective 2023) added right to correct, limit sensitive data, and automated decision-making protections.

Executive Summary

CCPA (effective January 1, 2020) and CPRA amendments (effective January 1, 2023) create comprehensive privacy rights for California residents. Applies to businesses with $26.6M+ annual revenue, OR personal information of 50,000+ CA residents, OR 50%+ of revenue from data sales. Consumer rights: know, access, delete, opt-out (sale/sharing), correct, limit sensitive data use, opt out of automated decision-making. Enforced by California Privacy Protection Agency (CPPA) since July 1, 2023. Civil penalties $2,663-$7,988 per violation (2025 amounts). Private right of action for data breaches only ($100-$750 statutory damages per consumer).

Comprehensive Documentation

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

California Civil Code Title 1.81.5 (Sections 1798.100 et seq.)

CCPA Effective Date: January 1, 2020
CPRA Amendments Effective: January 1, 2023
CPPA Enforcement Start: July 1, 2023

Official Sources

  • California Attorney General: https://oag.ca.gov/privacy/ccpa

  • California Privacy Protection Agency: https://cppa.ca.gov

  • California Legislative Information: https://leginfo.legislature.ca.gov

  • CCPA Statute PDF: https://cppa.ca.gov/regulations/pdf/ccpa_statute.pdf


Overview

CCPA is California's comprehensive privacy law establishing consumer rights and business obligations. CPRA (Proposition 24, approved November 2020) significantly amended and enhanced CCPA without creating a separate law. Often cited as "CCPA, as amended" or "CCPA/CPRA."

Key Distinction: CPRA is NOT a separate law - it amended the existing CCPA statute.

Who Must Comply - Business Thresholds

A "business" subject to CCPA/CPRA must meet ONE of THREE thresholds:

1. Revenue Threshold


  • Annual gross revenues exceeding $25 million (originally)

  • Adjusted to $26,625,000 effective January 1, 2025 (CPI adjustment)

  • Applies to for-profit businesses


2. Data Volume Threshold


  • Buys, receives, or sells personal information of 50,000 or more California residents, households, or devices

  • Annual threshold


3. Revenue Source Threshold


  • Derives 50% or more of annual revenue from selling California residents' personal information


Definition of "Doing Business in California"


  • Broad interpretation includes:

- Selling products/services to CA residents online
- Operating websites accessible to CA residents
- Serving CA customers (SaaS, digital services, apps)
- Collecting personal information from CA residents
- Targeting CA residents with advertising
- Shipping products to CA addresses

Geographic Location Irrelevant: Massachusetts companies and all out-of-state entities are subject if they meet thresholds and do business in California.

Consumer Rights

Core Rights Under CCPA (Effective January 1, 2020)

1. Right to Know (Request & Access) - Sec. 1798.100


  • Request disclosure of:

- Categories of personal information collected
- Specific pieces of personal information collected
- Sources of collection
- Purposes for collection, use, and sharing
- Categories of third parties with whom data is shared

2. Right to Delete - Sec. 1798.105


  • Request deletion of personal information collected

  • Business must delete and direct service providers/contractors to delete

  • Exceptions: necessary for transactions, security, legal compliance, research


3. Right to Opt-Out (of Sale) - Sec. 1798.120


  • Direct businesses to stop selling personal information

  • "Sale" definition: selling, renting, releasing, disclosing, disseminating, making available, transferring personal information


4. Right to Non-Discrimination


  • Cannot deny goods/services, charge different prices, or offer different terms

  • Exception: financial incentives for data collection/sharing allowed


Additional Rights Under CPRA (Effective January 1, 2023)

5. Right to Correct - Amendment to Sec. 1798.100


  • Request correction of inaccurate personal information

  • Business must take reasonable steps to correct


6. Right to Limit Use of Sensitive Personal Information


  • Limit business use/disclosure of sensitive data to:

- Providing services/goods explicitly requested
- Activities reasonably expected
- Business operational purposes
  • Cannot use for profiling, personalized advertising, or automated decision-making without consent


7. Right to Opt-Out of Sharing


  • Opt-out of "sharing" personal information for cross-context behavioral advertising

  • Distinct from sale opt-out


8. Right Regarding Automated Decision-Making Technology (ADMT)


  • Access meaningful information about ADMT used

  • Opt-out of ADMT for significant decisions

  • Compliance Required: January 1, 2027 (for certain decisions)


Sensitive Personal Information (Sec. 1798.140(ae))

CPRA significantly expanded sensitive data definition:

  1. Social Security, driver's license, passport numbers

  2. Financial account credentials with access capability

  3. Precise geolocation (within 1,850 feet radius)

  4. Racial or ethnic origin

  5. Religious beliefs

  6. Union membership

  7. Genetic data

  8. Biometric data for identification

  9. Sexual orientation or gender identity

  10. Citizenship or immigration status

  11. Health information

  12. Financial information

  13. Messages and private communications

  14. Neural data (added by SB 1223, effective 2024) - data derived from brain activity


Protection Standard


  • Heightened security required

  • Use limited to providing requested services

  • Cannot use for profiling or personalized advertising (with exceptions)

  • Consumers can limit use/disclosure via right to limit


CPRA Enhancements Over CCPA

| Enhancement       | CCPA                    | CPRA Addition                          |
|-------------------|-------------------------|----------------------------------------|
| Right to Correct  | Not included            | Added                                  |
| Right to Limit    | Not included            | Added for sensitive data               |
| ADMT Rights       | Not included            | Full framework (effective 2026)        |
| Cross-Context Ads | Not addressed           | Opt-out right added                    |
| Sensitive Data    | Basic                   | Expanded significantly                 |
| Enforcement       | CA AG only              | CPPA created (primary as of 7/1/23)    |
| Data Broker       | Minimal                 | Delete Act: registration required      |
| Security Audits   | Not required            | Mandatory for high-risk                |
| Risk Assessments  | Not required            | Required for certain uses              |
| Employment Data   | Exempted until 12/31/22 | Fully covered starting 1/1/23          |

Business Obligations

Data Collection & Use


  • Disclose at/before collection: categories and purposes

  • Cannot collect/use/share beyond disclosed purposes without consent

  • Data retention: only as long as reasonably necessary

  • Proportionality: collection must be reasonably necessary


Third-Party Requirements


  • Written contracts with service providers/contractors required

  • Contracts must limit third-party use to specific purposes

  • Businesses liable for contractor violations


Data Security


  • Maintain reasonable security procedures and practices

  • Protect against unauthorized access/misuse

  • Standards appropriate to sensitivity

  • Subject to private right of action for data breaches


Consumer Request Handling


  • Response Time: 45 days (extendable 45 days if complex)

  • May request reasonable proof of identity

  • Some requests (opt-out) require compliance within 15 days


Accessibility Requirements


  • Clear links on homepage:

- "Your California Privacy Choices" or "Your Privacy Choices"
- "Limit the Use of My Sensitive Personal Information"
  • Multiple submission methods (online, email, phone)

  • Honor Global Privacy Control (GPC) signals


CPRA-Specific Obligations (Effective 2023-2025)


  • Cybersecurity Audits: High-risk businesses must conduct annual audits

  • Risk Assessments: Conduct privacy risk assessments for high-risk uses

  • ADMT Compliance: Provide notice, implement opt-out (compliance required 1/1/2027)


Enforcement

California Privacy Protection Agency (CPPA)


  • Created by CPRA (Proposition 24, 2020)

  • Primary Enforcer: Since July 1, 2023

  • Website: https://cppa.ca.gov


CPPA Authority:
  • Investigate violations

  • Conduct compliance audits

  • Issue administrative findings

  • Impose civil penalties

  • Adopt and enforce implementing regulations

  • Maintain data broker registry

  • Handle consumer complaints


California Attorney General


  • Retains concurrent enforcement authority

  • Continues to enforce CCPA/CPRA violations

  • No longer primary enforcer (shared with CPPA)


Penalties and Enforcement Actions

Civil Penalties (Administrative Fines)

2025 Adjusted Amounts (Effective January 1, 2025):

  • Unintentional Violations: Up to $2,663 per violation (previously $2,500)

  • Intentional Violations: Up to $7,988 per violation (previously $7,500)

  • Violations Involving Minors: 2x multiplier applied


Basis: Penalty amounts are adjusted for inflation in odd-numbered years per the Consumer Price Index (CPI)

Assessment Factors:

  • Nature and seriousness of misconduct

  • Number of violations

  • Persistence of misconduct

  • Willfulness/intent

  • Violator's financial situation


Private Right of Action (Data Breach Only) - Sec. 1798.150

Applicable To: Unauthorized access, exfiltration, theft, or disclosure due to failure to maintain reasonable security

Damages Available:

  • Statutory Damages: $100-$750 per consumer per incident

  • Alternative: Actual damages (if greater)


Requirement:
  • Must provide 30-day written notice to business before filing suit

  • Business can cure violation within 30 days to avoid statutory damages


Scope Limitation: Private right of action applies ONLY to data breach violations - NOT to other CCPA/CPRA violations. All other violations enforced exclusively by CPPA or California AG.

Recent CPPA Enforcement Examples (2024-2025)


  • Tractor Supply Company: $1,350,000 fine (largest in CPPA history)

  • Honda: $632,500 fine

  • Todd Snyder: $345,178 fine


Massachusetts/Out-of-State Companies - CCPA/CPRA Applicability

CCPA/CPRA applies to Massachusetts entities if they:

  1. "Do business in the State of California" (broad interpretation)

  2. Meet one or more business thresholds


Specific Examples of "Doing Business":
  • Selling products/services to CA residents online

  • Operating website accessible to CA residents

  • Serving CA customers (SaaS, digital services, apps)

  • Collecting personal information from CA residents

  • Targeting CA residents with advertising

  • Shipping to CA addresses


Full Compliance Required:
  • All consumer rights (know, access, delete, opt-out, correct, limit)

  • All data security requirements

  • Privacy notice requirements

  • All CPRA amendments

  • CPPA regulations compliance


Data Scope:
  • Any personal information collected from California residents

  • Applies even if primary customer base outside California

  • Data collected through CA IP addresses, shipping addresses, or explicit CA identification


No Safe Harbor:
  • Federal preemption not applicable

  • No state residence exemptions

  • No multistate business exemptions


Compliance Summary

| Element             | Details                                                            |
|---------------------|--------------------------------------------------------------------|
| CCPA Effective      | January 1, 2020                                                    |
| CPRA Amendments     | January 1, 2023                                                    |
| CPPA Enforcement    | July 1, 2023                                                       |
| Business Thresholds | $26.6M+ revenue OR 50K+ CA data OR 50%+ data sales revenue         |
| Consumer Rights     | Know, Delete, Opt-Out, Correct, Limit, ADMT Opt-Out                |
| Sensitive Data      | 14 categories including neural data                                |
| Response Time       | 45 days (extendable 45 days)                                       |
| Enforcement         | CPPA (primary) + CA Attorney General (concurrent)                  |
| Civil Penalties     | $2,663-$7,988 per violation (2025 amounts)                         |
| Private Right       | Data breaches only ($100-$750 statutory damages)                   |
| Geographic Scope    | All businesses "doing business in California"                      |
| Cure Period         | 30 days for private actions only                                   |
| ADMT Compliance     | January 1, 2027                                                    |

Official Resources

California Privacy Protection Agency:

  • Main Site: https://cppa.ca.gov

  • Regulations: https://cppa.ca.gov/regulations/

  • Consumer FAQs: https://cppa.ca.gov/faq.html

  • File Complaint: https://cppa.ca.gov/webapplications/complaint

  • Data Broker Registry: https://cppa.ca.gov/data_broker_registry/


California Attorney General:
  • CCPA Page: https://oag.ca.gov/privacy/ccpa

  • Enforcement Actions: https://oag.ca.gov/privacy/ccpa/enforcement


California Legislative Information:
  • Civil Code Sec. 1798.100: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100

  • Civil Code Sec. 1798.140 (Definitions): https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140

Applicable Industries

All Industries

  • Technology and Software

  • Healthcare

  • Financial Services

  • Retail and E-commerce

  • Education

  • Telecommunications

  • Media and Entertainment

  • Professional Services

  • Real Estate

  • Manufacturing

  • Government Contractors

Company Size

Applies to for-profit businesses meeting the thresholds: $26.6M+ annual revenue (2025 adjusted), OR personal information of 50,000+ CA residents, OR 50%+ of revenue from data sales. No separate small-business exemption beyond the thresholds themselves. Non-profits exempt.

Effective Date

1/1/2020

Penalties for Non-Compliance

Civil penalties: Up to $2,663 per unintentional violation, up to $7,988 per intentional violation (2025 adjusted amounts). Minor-related violations: 2x multiplier. Private right of action for data breaches only: $100-$750 statutory damages per consumer per incident. 30-day cure period for private actions.

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries

All Industries

  • Technology and Software

  • Healthcare

  • Financial Services

  • Retail and E-commerce

  • Education

  • Telecommunications

  • Media and Entertainment

  • Professional Services

  • Real Estate

  • Manufacturing

  • Government Contractors

Enforcement Agency

California Privacy Protection Agency (CPPA) - primary enforcer since July 1, 2023. California Attorney General retains concurrent authority.