
CCPA and CPRA Compliance for Consumer-Facing Businesses
California's consumer privacy law - significantly expanded by CPRA - creates enforceable rights for 40 million California residents and compliance obligations that reach far beyond California's borders.
Understanding CCPA, CPRA, and California Privacy Obligations
The California Consumer Privacy Act (CCPA), effective January 2020 and significantly expanded by the California Privacy Rights Act (CPRA) effective January 2023, is the most comprehensive US state privacy law. It grants California residents the right to know what personal information businesses collect, the right to delete it, the right to opt out of its sale or sharing, and the right to non-discrimination for exercising their rights.
CPRA strengthened CCPA substantially: it added the right to correct inaccurate personal information, created a new category of 'sensitive personal information' with heightened protections (including Social Security numbers, financial account credentials, precise geolocation, health information, and biometric data), established the California Privacy Protection Agency (CPPA) as an independent enforcement body, and imposed limits on data retention. It also created business-to-business and employee data rights that CCPA had temporarily exempted.
CCPA/CPRA applies to for-profit businesses that meet any one of three thresholds: annual gross revenue over $25 million, buying/selling/receiving/sharing the personal information of 100,000+ California consumers or households annually, or deriving 50%+ of annual revenue from selling or sharing consumers' personal information. If you meet any threshold and collect California residents' data, you must comply - regardless of where your business is located.
Our Approach
Data Inventory & Threshold Analysis
We determine whether CCPA/CPRA applies to your business, map personal information categories collected, identify data sales and shares, and document third-party data relationships. The inventory drives your privacy notice requirements and consumer rights workflows.
Privacy Program Gap Assessment
We assess your current privacy practices against CCPA/CPRA requirements: privacy notice completeness, opt-out mechanisms (including the required opt-out preference signals like Global Privacy Control), consumer rights request procedures, contract requirements with service providers, and data minimization and retention practices.
Program Implementation
We implement the required program elements: updated privacy policy and notice at collection, consumer rights request intake and fulfillment workflows, opt-out preference signal implementation, service provider contract updates, sensitive personal information disclosure and limitation notices, and data retention schedules.
Ongoing Compliance
CCPA/CPRA requires annual privacy policy reviews, documented consumer rights request handling, and ongoing monitoring of data sharing relationships. We establish governance cadences, training programs, and audit processes to maintain compliance as CPPA regulations evolve.
What You Get
- CCPA/CPRA applicability analysis and threshold determination
- Personal information inventory and data flow mapping
- Privacy policy and notice at collection review and update
- Consumer rights request intake portal and fulfillment procedures
- Opt-out mechanism implementation ("Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links)
- Service provider and third-party contract review and Data Processing Agreement updates
- Sensitive personal information disclosure and limitation procedures
- Data retention schedule and deletion program
- Global Privacy Control (GPC) honor mechanism implementation
$7,500
Per intentional violation - the maximum civil penalty the CPPA can impose for each violation, with no cap on the total for systematic non-compliance.
