Skip to main content
> CCPA/CPRA

California Consumer Privacy Act / California Privacy Rights Act

California's landmark consumer privacy law with nationwide implications

Established: 2018 (CCPA); 2020 (CPRA effective 2023) Last Updated: 2025 (CPPA regulations, effective January 2026) Scope: California / US National Impact
$7,500
Per Violation

What does CCPA/CPRA require in 2026?

CCPA and CPRA give California residents rights to know, delete, correct, and opt out of the sale of their personal information. Businesses meeting the revenue or data-volume thresholds must honor consumer requests within 45 days, post opt-out links, and limit collection to what they actually need. A 2025 CPPA regulatory package (OAL-approved September 22, 2025; effective January 1, 2026) added three layers: mandatory cybersecurity audits for high-risk processing, formal risk assessments due from January 2026, and new consumer rights over automated decision-making technology (ADMT) with full compliance required by January 1, 2027. Intentional violations carry fines up to $7,500 per incident. Sources: cppa.ca.gov/announcements/2025/20250923.html; cppa.ca.gov/regulations/ccpa_updates.html.

// What is CCPA/CPRA?

CCPA, significantly expanded by CPRA in 2023, gives California residents unprecedented control over their personal information. The law applies to businesses meeting revenue, data volume, or data sales thresholds, regardless of where they're headquartered, making it effectively a national privacy standard.

CPRA strengthened CCPA by creating a dedicated enforcement agency, adding new consumer rights, establishing requirements for sensitive personal information, and introducing data minimization obligations. The California Privacy Protection Agency now handles rulemaking and enforcement.

In 2025, the CPPA adopted a new regulatory package (OAL-approved September 22, 2025; effective January 1, 2026) adding three significant obligations: mandatory cybersecurity audits for high-risk processing, formal risk assessments (required from January 1, 2026), and new consumer rights over automated decision-making technology (ADMT), with full ADMT compliance required by January 1, 2027. Sources: cppa.ca.gov/announcements/2025/20250923.html; cppa.ca.gov/regulations/ccpa_updates.html.

As the broadest state privacy law in the US, CCPA/CPRA has influenced similar legislation in Virginia, Colorado, Connecticut, and other states, creating a patchwork of compliance requirements for businesses operating nationally.

// Inside the Regulation

CCPA/CPRA grants California residents specific rights regarding their personal information and imposes obligations on businesses that collect, sell, or share that information.

1

Consumer Rights

Civil Code §1798.100-125

California residents have extensive rights over their personal information that businesses must honor within specific timeframes.

Right to Know

Consumers can request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties receiving data.

Right to Delete

Consumers can request deletion of personal information, with certain exceptions for legal compliance and transactions.

Right to Correct

Added by CPRA: consumers can request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing

Consumers can direct businesses not to sell or share their personal information. Businesses must provide 'Do Not Sell or Share' links.

Right to Limit Sensitive PI Use

CPRA addition: consumers can limit use of sensitive personal information to what's necessary for services requested.

Right to Non-Discrimination

Businesses cannot discriminate against consumers exercising privacy rights (pricing, quality, service levels).

2

Business Obligations

Businesses meeting thresholds must implement specific practices and provide required disclosures.

Privacy Notice

Provide notice at or before collection describing categories collected, purposes, retention periods, and consumer rights.

Opt-Out Mechanisms

Provide clear, conspicuous link titled 'Do Not Sell or Share My Personal Information' on homepage.

Request Handling

Respond to verifiable consumer requests within 45 days (extendable to 90 days with notice).

Service Provider Contracts

Written contracts with service providers restricting their use of personal information.

Data Minimization

CPRA requires collection limited to what's reasonably necessary for disclosed purposes.

3

Sensitive Personal Information

CPRA Addition

CPRA created a new category with enhanced protections and consumer rights.

Categories

Social Security numbers, financial account information, precise geolocation, race/ethnicity, religious beliefs, health information, sex life/orientation, biometric/genetic data.

Right to Limit Use

Consumers can limit sensitive PI use to what's necessary to perform services or provide goods requested.

Enhanced Notice

Businesses must disclose sensitive PI categories collected and purposes, plus provide 'Limit the Use of My Sensitive Personal Information' link.

4

Security Requirements

While not prescriptive, CCPA creates liability for security failures.

Reasonable Security

Businesses must implement and maintain reasonable security procedures appropriate to the nature of the information.

Private Right of Action

Consumers can sue directly for data breaches resulting from failure to implement reasonable security, with statutory damages of $100-$750 per consumer per incident.

Risk Assessments

CPRA regulations require cybersecurity audits for high-risk processing activities.

Note: CCPA applies to for-profit businesses doing business in California that meet ANY of: $25M+ annual revenue, buy/sell/share 100,000+ consumers' or households' personal information annually, or derive 50%+ of revenue from selling/sharing personal information.

// Who Must Comply

  • 1 For-profit businesses with $25M+ annual gross revenue
  • 2 Businesses buying, selling, or sharing personal information of 100,000+ California consumers/households annually
  • 3 Businesses deriving 50%+ of annual revenue from selling/sharing California consumer personal information
  • 4 Joint ventures or partnerships where any member meets thresholds
  • 5 Entities controlling or controlled by covered businesses sharing common branding

// Key Requirements

Privacy Notice

Provide full notice at collection describing categories, purposes, retention, and rights

Opt-Out Links

Display 'Do Not Sell or Share My Personal Information' link prominently on website

Request Response

Respond to verified consumer requests within 45 days with ability to extend to 90

Reasonable Security

Implement and maintain reasonable security procedures and practices

Service Provider Contracts

Execute compliant contracts with service providers handling personal information

Data Minimization

Limit collection to what's reasonably necessary for disclosed purposes

Cybersecurity Audits

Mandatory cybersecurity audits for high-risk processing activities; staggered submission deadlines 2028-2030

Risk Assessments

Formal risk assessments required for high-risk processing; compliance required from January 1, 2026 (CPPA regulations)

ADMT Consumer Rights

Consumers gain rights to opt out of automated decision-making technology affecting significant decisions; full compliance required January 1, 2027

// Enforcement & Penalties

CCPA/CPRA enforcement includes administrative fines from the CPPA and California Attorney General, plus a private right of action for data breaches. Intentional violations carry higher penalties than unintentional ones.

Maximum Penalty

$7,500 per intentional violation; $2,500 per unintentional violation

Examples:

  • Sephora - $1.2 million settlement for sale of personal information without opt-out (2022)
  • DoorDash - Investigation for sale of customer data to marketing companies
  • Private lawsuits: $100-$750 per consumer per incident for data breaches
  • No cure period for CPPA enforcement actions (businesses cannot fix violations to avoid fines)

// Cyber Insurance Impact

Cyber insurers increasingly require CCPA/CPRA compliance documentation for California-exposed businesses. The private right of action for data breaches creates direct liability exposure. Policies should cover regulatory defense, consumer claims, and breach response. Some insurers exclude or sublimit CCPA-specific claims.

// How Breach Craft Helps

We help organizations achieve CCPA/CPRA compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of CCPA/CPRA.

// Common Questions

What did the 2025 CPPA regulatory package add to CCPA/CPRA?

The California Privacy Protection Agency adopted a regulatory package in July 2025 (OAL-approved September 22, 2025; effective January 1, 2026) that significantly extends CPRA's scope. It adds mandatory cybersecurity audits for businesses conducting high-risk processing, formal privacy risk assessments required from January 1, 2026, and consumer rights over automated decision-making technology. ADMT rights require full compliance by January 1, 2027. See CPPA announcements for details.

What is a CCPA cybersecurity audit and who must conduct one?

The 2025 CPPA regulations require businesses that conduct high-risk processing activities to complete periodic cybersecurity audits and submit results to the CPPA on a staggered schedule between 2028 and 2030. The audit must evaluate the business's security practices against the nature and volume of personal information processed. Audit scope and submission timelines depend on business size and processing type. This is separate from the existing reasonable security obligation under CCPA's private right of action.

Does CCPA require a risk assessment?

Yes, as of January 1, 2026. The CPPA's 2025 regulatory package requires formal privacy risk assessments before conducting processing activities that present significant risk to consumers. Covered activities include certain uses of sensitive personal information, large-scale profiling, and processing involving minors. Assessments must weigh benefits against risks and document how risks are mitigated. The CPPA can request copies during enforcement investigations.

What are CCPA's automated decision-making rights?

Starting January 1, 2027, consumers in California gain the right to opt out of automated decision-making technology (ADMT) used to make or be a substantial factor in significant decisions about them, including employment, housing, credit, and education. They also gain a right to access information about how ADMT is used in decisions affecting them. Businesses must disclose ADMT use in their privacy notice and provide a clear opt-out mechanism before the 2027 deadline.

// Related Frameworks

// Industries That Need CCPA/CPRA

These industries commonly require CCPA/CPRA compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873