
CCPA / CPRA Compliance Checklist

California Privacy Rights & Consumer Data Protection

Overview

California set the bar for U.S. privacy regulation with the CCPA in 2020, and CPRA raised it higher in 2023. Together, they grant California residents broad rights over their personal information and impose significant obligations on businesses. If you collect data from California residents and meet the applicability thresholds, compliance is mandatory. This checklist covers both laws in a unified approach, focusing on practical implementation steps.

Applicability Criteria

Your organization must comply if it does business in California AND meets any of the following thresholds:

  • Annual gross revenue exceeds $25 million
  • Buys, sells, or shares personal information of 100,000 or more California residents or households
  • Derives 50% or more of annual revenue from selling or sharing personal information

Note: CPRA also applies to joint ventures and partnerships meeting these thresholds.

Consumer Rights Under CCPA/CPRA

Right                              | Description                                                                          | Response timeline
Right to Know                      | Consumers can request what personal information is collected and how it is used      | 45 days
Right to Delete                    | Consumers can request deletion of their personal information                         | 45 days
Right to Opt-Out                   | Consumers can opt out of the sale or sharing of personal information                 | 15 business days
Right to Correct                   | Consumers can request correction of inaccurate personal information                  | 45 days
Right to Limit Use of Sensitive PI | Consumers can limit the use of sensitive personal information                        | 15 business days
Right to Non-Discrimination        | Consumers cannot be penalized for exercising their rights                            | Immediate

Data Inventory and Mapping

Start with a comprehensive data inventory. Document every category of personal information your organization collects, the business purpose for collection, the source of the data, who it is shared with, and how long it is retained. This is the foundation for responding to consumer requests and updating your privacy notice. Pay special attention to "selling" and "sharing" as defined by CPRA, which includes transferring data for cross-context behavioral advertising even if no money changes hands.

Implementation Checklist

  • Update privacy notices to include all CPRA-required disclosures
  • Implement "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links on your website
  • Build or deploy a system to handle consumer rights requests within response deadlines
  • Conduct data protection assessments for processing activities that present significant risk
  • Establish contracts with service providers and contractors that include CPRA-required terms
  • Implement reasonable security measures proportionate to the sensitivity of data collected
  • Train employees who handle consumer inquiries on CPRA requirements and response procedures

Enforcement and Penalties

The California Privacy Protection Agency (CPPA) is the primary enforcement body, with the California Attorney General retaining enforcement authority as well. Administrative fines reach $2,500 per unintentional violation and $7,500 per intentional violation, with no cap on the total. Additionally, the private right of action for data breaches allows consumers to seek statutory damages of $100 to $750 per consumer per incident. A breach affecting one million California residents could expose your organization to $750 million in potential damages.

Frequently Asked Questions

What is the difference between CCPA and CPRA?

CPRA (effective January 2023) amends and expands CCPA. Key additions include the right to correct data, the right to limit use of sensitive personal information, requirements for data protection assessments, and the creation of the California Privacy Protection Agency as the dedicated enforcement body.

Does CCPA/CPRA apply to employee data?

Yes. The CPRA employee data exemption expired on January 1, 2023. Employee personal information is now fully covered, meaning employers must provide privacy notices, respond to employee data requests, and apply all CPRA protections to HR data.

What counts as "selling" personal information?

Selling includes any disclosure of personal information for monetary or other valuable consideration. Under CPRA, "sharing" also includes transferring data for cross-context behavioral advertising, even without monetary exchange. This captures many common ad-tech practices.

Do we need to verify consumer identities before fulfilling requests?

Yes. You must verify the identity of consumers making requests using a reasonable method proportionate to the sensitivity of the data. For account holders, matching existing account credentials is acceptable. For non-account holders, multiple data points may be needed.

How does CCPA/CPRA interact with GDPR?

While both are privacy laws, they have different scopes, definitions, and requirements. GDPR compliance does not automatically mean CCPA/CPRA compliance and vice versa. However, organizations subject to both can build a unified privacy program that satisfies both frameworks.

© 2026 Hunto AI. Copyright. All Rights Reserved