CCPA and CPRA: What California Privacy Laws Mean for Your Business
California's consumer privacy framework, the CCPA as amended by the CPRA, is the most established and most actively enforced comprehensive US state privacy law. Its reach extends far beyond California-based companies, and the California Privacy Protection Agency now brings dedicated rulemaking and enforcement authority.

TL;DR
The CCPA (as amended by the CPRA) gives California consumers rights over their personal information and places obligations on for-profit businesses that exceed defined revenue or data-volume thresholds, wherever they are located. The California Privacy Protection Agency has held enforcement authority since July 2023, alongside the California Attorney General.
California's Privacy Framework: From CCPA to CPRA
The California Consumer Privacy Act (CCPA), which took effect in January 2020, established a landmark framework for consumer privacy rights in the United States. In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), which significantly amended and expanded the CCPA. The CPRA's substantive provisions became operative on January 1, 2023, and created a new dedicated enforcement agency—the California Privacy Protection Agency (CPPA)—marking a pivotal shift in how the law is administered.
Today, the operative framework is best understood as the CCPA as amended by the CPRA. References to “CCPA” in a 2025 compliance context typically encompass both the original law and its CPRA modifications. For businesses operating anywhere in the United States that collect personal information from California residents, this framework imposes direct legal obligations.
Who Must Comply: Applicability Thresholds
The CCPA/CPRA applies to for-profit businesses that do business in California, collect California residents' personal information (or have it collected on their behalf), and meet at least one of three thresholds:
- Annual gross revenues exceeding $25 million in the preceding calendar year (this figure is the statutory baseline; the CPPA adjusts it for inflation, so check the current adjusted amount)
- Annually buying, selling, or sharing the personal information of 100,000 or more consumers or households (the original CCPA threshold was 50,000 consumers, households, or devices; the CPRA raised the number and dropped devices from the count)
- Deriving 50% or more of annual revenues from selling or sharing consumers' personal information
A critical point for US businesses outside California: the law does not require a physical California presence. If your company crosses any of these thresholds and collects personal information from California residents—including through a website, app, or any remote commercial interaction—you are a covered business. California residents constitute roughly 12% of the US population, meaning most sizable US commercial enterprises encounter CCPA/CPRA obligations.
Core Consumer Rights
The CCPA/CPRA establishes a suite of rights for California consumers with respect to their personal information. Covered businesses must have the operational infrastructure to verify and honor these rights within defined timeframes: generally 45 days from receipt of a request, extendable once by an additional 45 days with notice to the consumer. Opt-out and limit requests are handled on a shorter clock; under the CPPA regulations they must be honored within 15 business days and do not require identity verification.
- Right to Know: Consumers can request disclosure of the categories and specific pieces of personal information a business has collected, the categories of sources, the business or commercial purposes for which it is used, and the categories of third parties to whom it is disclosed, sold, or shared. Specific pieces must be delivered in a portable, readily usable format.
- Right to Delete: Consumers can request deletion of their personal information, subject to enumerated exceptions (completing a transaction, legal obligations, security and fraud prevention, certain internal uses, etc.). The business must also direct its service providers and contractors, and notify third parties to whom it sold or shared the data, to delete it.
- Right to Correct: Added by the CPRA. Consumers can request correction of inaccurate personal information a business holds about them.
- Right to Opt-Out of Sale or Sharing: Consumers can direct a business not to sell or share their personal information. “Sharing” was added by the CPRA to specifically capture cross-context behavioral advertising, closing a gap that advertisers had exploited under the original CCPA.
- Right to Limit Use of Sensitive Personal Information: A CPRA addition. Consumers can restrict a business's use of certain sensitive personal information to enumerated purposes.
- Right of Non-Discrimination: Businesses cannot penalize consumers for exercising any of the above rights by denying goods or services, charging different prices, or providing a degraded service level.
Sensitive Personal Information: A New Category
One of the CPRA's most consequential additions is the defined category of "sensitive personal information," which receives heightened treatment. This category includes Social Security, driver's license, state ID, and passport numbers; account log-in or financial account numbers combined with the credentials needed to access the account; precise geolocation; racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, and union membership; the contents of mail, email, and text messages (where the business is not the intended recipient); genetic data; biometric data processed to uniquely identify a consumer; health information; and data concerning sexual orientation or sex life.
Businesses that use or disclose sensitive personal information for purposes beyond those necessary to provide the requested goods or services (and a short list of other permitted purposes) must offer a "Limit the Use of My Sensitive Personal Information" option, distinct from the "Do Not Sell or Share" opt-out that applies to sales and sharing of personal information generally. Implementing both correctly requires a data inventory that records, per data element, whether it is sensitive, where it flows, and for what purpose.
The California Privacy Protection Agency and Enforcement
Prior to the CPRA, CCPA enforcement was vested solely in the California Attorney General. The CPRA created the California Privacy Protection Agency as an independent administrative body with rulemaking authority and administrative enforcement jurisdiction; the Attorney General retains concurrent civil enforcement authority. The CPPA's enforcement authority commenced on July 1, 2023, and the agency has since adopted regulations, opened investigations, and issued formal enforcement decisions.
The statutory administrative and civil penalties (baseline amounts, which are adjusted for inflation) are:
- Up to $2,500 per violation
- Up to $7,500 per intentional violation
- Up to $7,500 per violation involving the personal information of a consumer the business knows is under 16, regardless of intent
Because each affected consumer can constitute a separate violation, systematic non-compliance across thousands of consumers aggregates into large exposure quickly. The CPRA also eliminated the original CCPA's mandatory 30-day cure period for government enforcement; whether a business is given an opportunity to cure is now at the enforcer's discretion.
Additionally, the CCPA retains a private right of action for breaches of nonencrypted and nonredacted personal information (as defined in California's data breach statute) that result from a business's failure to implement and maintain reasonable security procedures. Consumers can recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, which enables class actions even where individual harm is difficult to quantify. A 30-day cure notice still applies before a consumer may seek statutory damages for this claim.
CCPA/CPRA vs. GDPR: Key Differences
| Dimension | CCPA/CPRA | GDPR |
|---|---|---|
| Legal basis for processing | Opt-out model (process first, honor opt-out; opt-in consent required for sale or sharing of data of consumers under 16) | A lawful basis (e.g., consent, contract, legitimate interests) required before processing |
| Scope | California residents; applies only to businesses above revenue or data-volume thresholds | Individuals in the EU/EEA; applies to nearly all controllers and processors, regardless of size |
| Right to correct | Yes (added by CPRA) | Yes (original right to rectification) |
| Data Protection Officer | Not required | Required in certain circumstances |
| Maximum penalty | $7,500 per intentional violation (inflation-adjusted), with no per-incident cap | Up to €20 million or 4% of global annual turnover, whichever is higher |
The Expanding US State Privacy Landscape
California pioneered comprehensive US consumer privacy law, but it is no longer alone. As of 2025, more than a dozen US states have enacted their own comprehensive privacy statutes, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. While these laws share conceptual similarities with CCPA/CPRA, they differ in thresholds, covered entities, and specific rights and obligations. US businesses of meaningful scale increasingly need a multi-state privacy compliance architecture rather than a California-only program.
GR IT Services supports US businesses in building privacy compliance programs that address CCPA/CPRA and the broader state privacy law landscape. For a conversation about your organization's data protection posture, reach out at inquiry@gritservices.io.
Frequently Asked Questions
Does CCPA/CPRA apply to my company if we are not based in California?
Yes, if your company meets any of the applicability thresholds and collects personal information from California residents—including through a website or online service—the law applies regardless of where your business is physically located.
What is the difference between selling and sharing personal information under CCPA/CPRA?
Selling means disclosing personal information to a third party for monetary or other valuable consideration. Sharing, added by the CPRA, means disclosing personal information to a third party for cross-context behavioral advertising, whether or not any consideration is exchanged. Both trigger the consumer opt-out right and the "Do Not Sell or Share My Personal Information" link obligation, and both require honoring opt-out preference signals such as Global Privacy Control sent by the consumer's browser.
Does the CCPA/CPRA create an obligation to respond to requests from non-California residents?
No. The law applies to California consumers specifically. However, businesses that build compliant consumer rights request processes for California residents often find it practical to extend similar capabilities to all US consumers, and several other state privacy laws are creating parallel obligations for their own residents.
About the author
Lisa Nguyen, Data Protection Specialist. Lisa Nguyen is a Certified Information Privacy Professional (CIPP/US) who advises US companies on state and federal privacy law compliance, data governance program design, and regulatory response strategy.
Related Articles
HIPAA Compliance in Healthcare IT: A Complete Guide for USA Healthcare Providers
Master HIPAA compliance for your healthcare organization with our comprehensive guide covering technical safeguards, administrative requirements, and implementation strategies for USA healthcare providers.
CMMC 2.0 Compliance: What US Defense Contractors Need to Know in 2025
CMMC 2.0 reshapes cybersecurity requirements for every company in the Defense Industrial Base. Here is what the three-level model means for your contracts and your readiness posture.
FedRAMP Authorization Explained for Cloud Vendors Selling to Government
FedRAMP is the federal gateway for cloud products entering the US government market. Understanding its authorization paths, impact levels, and timelines is essential before your organization commits to the journey.