What Is CCPA & CPRA? Differences, Rights, & Compliance Explained 

Author Arsalan Rashid

If you’ve ever wondered why more websites now ask about data preferences or offer “Do Not Sell or Share” options, CCPA and CPRA are a big reason. These laws were introduced to give people more visibility into how their personal information is collected and used, and they’ve quickly become part of the broader conversation around digital trust.

For businesses, they outline how customer data should be handled when California residents are involved. In this guide, we’ll look at what CCPA and CPRA are, how they fit together, why they matter, and what you should know to prepare for compliance. 

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a privacy law that took effect in 2020. It gives people more visibility and control over how businesses collect and use their personal information. The law applies to certain companies that handle data linked to California residents, even if those companies are based elsewhere.

Often compared to the GDPR, CCPA requires businesses to be transparent about the data they collect and gives consumers the ability to access their information, request deletion in many cases, and opt out of the sale of their data. That means having clear disclosures and processes in place to handle these requests.

What is the CPRA?

The California Privacy Rights Act (CPRA) builds on the CCPA and expands the privacy protections it introduced. It came into effect in 2023 and updated the law to give consumers additional rights, including more control over how certain types of personal information are used, while setting clearer expectations for how businesses collect, use, and share data.

CPRA introduces rules around sensitive personal information, establishes oversight through the California Privacy Protection Agency (CPPA), and clarifies how businesses should approach data use and retention. In practice, it means organizations need to pay closer attention to how they handle personal data tied to California residents.

Are the CCPA and CPRA one framework?

CCPA and CPRA are closely connected, which is why they’re often discussed together. CPRA didn’t replace the CCPA but updated it by adding new consumer rights, introducing additional rules around certain types of personal information, and clarifying expectations for how businesses handle data.

In practical terms, organizations aren’t choosing between two separate laws. They’re working under the CCPA as it exists today, with the updates brought in by CPRA. This is why you’ll often see references to “CCPA as amended,” reflecting that the original law remains in place but includes the changes introduced later.

Why the CCPA and CPRA matter for businesses

Privacy expectations have shifted dramatically, and laws such as CCPA and CPRA reflect that change. They influence how organizations think about collecting, using, and sharing personal information, especially as customers and partners expect greater transparency around data practices.

Even for companies outside California, these laws often come up in conversations around product design, vendor relationships, and internal processes. They shape how teams approach data handling decisions and reflect a broader move toward clearer accountability, making them relevant beyond just regulatory compliance.

Who must comply with the CCPA and CPRA?

Whether or not a business is covered by these laws depends on a few factors:

Revenue thresholds

For-profit businesses that do business in California and exceed certain thresholds, such as annual gross revenue above $25 million, generally fall within scope. Many mid-sized and larger operations are covered even when California isn’t their primary market.

Volume of personal information handled

Collecting, sharing, or selling personal information at scale can also bring an organization within scope. Online platforms, ecommerce services, and data-driven products often fall into this category because of the number of users they interact with over time.

Revenue tied to data sharing or sales

A business that derives a portion of its revenue from selling or sharing personal information may be covered regardless of overall size. Applicability in these cases depends on how personal information factors into revenue generation, not just total revenue.

Connection to California residents

Physical location isn’t the deciding factor. Businesses based outside California, whether in other states or abroad, can still be subject to the law when they collect or process personal information tied to California residents while offering products or services.

Key consumer rights under the CCPA and CPRA

CCPA and CPRA set out a number of rights related to personal information, including:

  1. Right to know: Individuals can request details about the personal information a business collects about them, including how it’s used, shared, or sold.
  2. Right to delete: In many cases, individuals can ask for their personal information to be deleted, subject to certain legal or operational exceptions.
  3. Right to correct: Individuals can request corrections if their personal information is inaccurate or incomplete.
  4. Right to opt out of sale or sharing: Individuals can direct a business not to sell their personal information or share it for cross-context behavioral advertising.
  5. Right to limit use of sensitive personal information: Individuals can limit how certain sensitive data, such as precise location or financial details, is used.
  6. Right to data portability: When responding to requests, businesses are expected to provide personal information in a format that allows individuals to access or transfer it.
  7. Right to non-discrimination: Exercising privacy rights shouldn’t result in unfair treatment, such as denial of services or different pricing, except where permitted by law.
  8. Right to notice and transparency: Individuals have the right to clear information about what data is collected and how it’s handled.

What is personal information under the CCPA and CPRA?

Under CCPA and CPRA, personal information is defined broadly to include any information that identifies, relates to, describes, or could reasonably be linked to an individual or household. The definition goes beyond obvious identifiers and covers a wide range of data organizations may collect through digital services and everyday interactions.

Examples include names, email addresses, phone numbers, IP addresses, online activity, device identifiers, and other information connected to how someone uses a service. The laws also recognize a category of sensitive personal information, such as precise geolocation, financial details, and government identifiers, which is subject to additional protections.

Differences between the CCPA and CPRA

While CPRA builds on the CCPA, there are a few areas where they differ. The table below highlights the main distinctions.

Aspect | CCPA | CPRA
Overall approach | Introduced baseline privacy rights and obligations around personal information. | Expands and refines the existing framework with additional protections and clearer expectations.
Consumer rights | Focuses on rights such as access, deletion, and opting out of the sale of personal information. | Adds rights like correction and the ability to limit the use of sensitive personal information.
Treatment of sensitive personal information | Does not establish a separate category with specific controls. | Introduces a defined category with additional protections and restrictions on use.
Opt-out scope | Provides the right to opt out of the sale of personal information. | Expands opt-out to include sharing for cross-context behavioral advertising.
Enforcement | Enforced primarily by the California Attorney General. | Establishes the California Privacy Protection Agency alongside Attorney General enforcement.
Compliance expectations | Sets foundational expectations around notice and handling of personal information. | Adds clearer expectations around data use, retention, and accountability.

Penalties for non-compliance with the CCPA and CPRA

Failure to comply can lead to enforcement by the California Attorney General or the California Privacy Protection Agency, particularly where organizations don’t meet requirements around notices, consumer rights, or data handling practices.

Civil penalties may apply depending on the nature of the violation, with higher penalties possible for intentional violations or cases involving minors. Enforcement actions can also require organizations to address gaps by updating processes, disclosures, or internal practices.

How to prepare for CCPA and CPRA compliance

Here’s how preparation for CCPA and CPRA is commonly approached:

Understand what personal information is collected

A clear view of the types of personal information held across systems shows where data comes from, how it’s used, and how it moves between tools or teams across digital services, customer interactions, and internal processes.

Review notices and disclosures

Privacy notices describe how personal information is collected, used, and shared. When aligned with real operations, privacy notices reflect current practices, especially as products change, new tools are introduced, or data uses shift over time.

Handle consumer requests

Requests related to access, deletion, or correction are part of normal operations under these laws. Visibility into how requests are received and addressed across systems supports consistent handling without confusion.

Consider sensitive personal information

Certain types of data fall into a more sensitive category, which carries additional expectations around use. Understanding where this information appears and the contexts in which it’s used provides clarity around how it is handled day to day.

Look at vendor and partner relationships

Personal information is often shared with service providers or partners as part of regular business activity. Understanding how data flows outside the organization clarifies roles, responsibilities, and how those relationships fit into overall data handling practices.

Keep practices aligned with policies

Documented policies and everyday workflows should reflect the same approach to handling personal information. Regular reviews keep external commitments and internal practices moving in the same direction as systems evolve.

Final word

CCPA and CPRA come up whenever personal information tied to California residents is part of the conversation, whether that’s in policies, product decisions, or day-to-day operations. Having a straightforward understanding of what they cover makes it easier to recognize where they apply without overcomplicating things.