
For a long time, California has been a leader in protecting its residents’ privacy. In the early days of the modern internet, California’s Online Privacy Protection Act (CalOPPA) led the charge in requiring commercial websites that collect personal data to post a privacy notice. Today it is California again, with the California Privacy Rights Act (CPRA) building on the California Consumer Privacy Act (CCPA), that is leading the way in giving consumers control over how businesses collect and share their personal data.

As more states, including Virginia, Colorado, and Iowa, join California in implementing comprehensive privacy legislation, it is vital to understand the requirements of California data privacy law. Not only will it allow you to continue to access what amounts to the world’s fifth largest economy, but it will also put you in good standing under the other U.S. state privacy laws and prepare you for compliance with stricter global privacy laws, like the EU’s GDPR or China’s PIPL.

In this blog, we’ll take a look at: 

  • Where California privacy law stands right now. 
  • How CPRA builds on CCPA to enhance consumer privacy rights and responds to consumer needs effectively.
  • What steps to take to comply and avoid penalties and reputational harm. 
  • What to look for in the future to remain in compliance. 
  • Frequently asked questions about the CCPA. 

Let’s get started.

CCPA vs. CPRA: How Are the Two Privacy Laws Different?

It’s best to think of the CCPA and the CPRA as essentially the same thing. The CCPA was enacted in 2018 and took effect on January 1, 2020, regulating how businesses handle the personal information they collect from California consumers. California voters then approved the CPRA in November 2020 to strengthen the CCPA’s protections for consumer information, and those amendments became operative on January 1, 2023.

What Is the California Consumer Privacy Act (CCPA)? 

The CCPA passed through the California legislature and was signed by the governor in 2018, with an effective date of January 1, 2020. However, the Californians for Consumer Privacy (the group that pushed hardest for the CCPA) almost immediately felt it wasn’t strong enough. They started a campaign to make it stronger and more protective of consumer rights to control the collection and use of personal information.  

What Is the California Privacy Rights Act (CPRA)? 

The California Consumer Privacy Act of 2018 was already in force when it was updated by the California Privacy Rights Act.

Because of the Californians for Consumer Privacy push, a citizens’ initiative to amend the CCPA qualified for the November 2020 ballot as Proposition 24, and voters approved it. The amendment built upon the CCPA text, changing some items, adding others, and clarifying some questions around enforcement and who’s actually covered by the law.

At this point, for all intents and purposes, the CCPA (as amended by the CPRA) is the only law you need to worry about; the CPRA did not create a separate statute. What might be of interest to you is how the amendment changed data protection for California residents.

CPRA Enforcement Date 

The CPRA set enforcement to begin on July 1, 2023. The California Chamber of Commerce sued, arguing that because the CPPA did not finalize its first set of CPRA regulations until March 29, 2023, enforcement of those regulations should be delayed until a year after that date; a trial court agreed and pushed the date to March 29, 2024. On February 9, 2024, an appeals court sided with the CPPA, allowing it to enforce the regulations immediately, so the delay no longer applies and the statute itself has been enforceable since July 1, 2023.

CCPA Compliance: How Do You Know if You Have to Comply With the California Data Privacy Law?  

The CPRA changed the rules for who has to comply only slightly. As of January 1, 2023, the CCPA applies if you are a for-profit organization that “does business” in the state of California, collects the personal information of California residents (or has it collected for you), and meets one or more of these thresholds:

  • Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households. The CPRA added “shares,” doubled the count from 50,000, and dropped “devices” from the threshold.
  • Derives 50% or more of your annual revenue from selling or sharing personal information.
  • Had more than $25 million in gross revenue in the preceding calendar year. The CPRA added “preceding calendar year” to pin down the measurement period; the dollar figure is adjusted for inflation in January of every odd-numbered year.

In theory, you could have to comply with CCPA one year and not the next, depending on your revenue mix and business initiatives. However, CCPA regulations are in line with many laws around the country and the world, and most of what it requires is considered general best practice, so it doesn’t make a lot of sense to try to figure out whether you can get out of compliance each year.

What Happens if You Don’t Comply With the CCPA? 

The penalties for not complying with the law haven’t changed much from the CCPA to the CPRA. However, the amendment created the California Privacy Protection Agency (CPPA) and gave it administrative enforcement power alongside the California Attorney General and California’s 58 district attorneys. The CPPA’s ability to enforce the CCPA began on July 1, 2023.

That means there are a lot more “cops on the beat,” so to speak, with the ability to investigate business practices and bring actions to penalize those organizations that are not in compliance.

Penalties for CCPA Violations Include: 

  • Up to $2,500 per violation for unintentional violations.
  • Up to $7,500 per violation for intentional violations, and for violations involving the personal information of consumers under 16.

Both figures are adjusted for inflation. Each affected consumer can count as a separate violation, so the fines add up quickly, especially if the violation is intentional. And the bad news: if you’re reading this and then decide not to bother with compliance, you will have a hard time calling a later violation unintentional. Oops.

Is it likely that enforcers of California privacy law will look kindly on businesses that make small mistakes or have small oversights in their compliance plans, especially in the first few years? Probably, as long as those businesses are making a good-faith effort.

Is it likely that “I had no idea I had to comply with this law” will work as an excuse when a regulator comes calling? Absolutely not.

How serious is California? The original CCPA guaranteed a 30-day cure period in which you could fix a violation before being penalized. The CPRA removed that guarantee; whether to allow a cure is now at the enforcer’s discretion.


CCPA Requirements: What’s Really Changed?

First and most importantly, you need to make sure consumers can exercise their rights to control the collection and use of their personal information, several of which the CPRA added or expanded. Note that “consumer” has always meant any California resident, but the CCPA’s temporary exemptions for employee and business-to-business contact data expired on January 1, 2023, so your employees, job applicants, and commercial contacts are now fully covered.

Remember: “Personal data” or “personal information” is defined broadly in the law as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Unless you take steps to de-identify data after you collect it, much of the data you collect from customers and employees is personal information according to the law.

The CPRA amendments to the CCPA also now put the onus on you to make sure consumers (and employees) know their privacy rights. That means you’ll need to explain their rights at the point of collection as part of the notice you provide. 

The Updated Definition of Consumer Rights Under the CCPA, as Amended by the CPRA: 

  • Right to Access, Deletion, and Correction: Consumers must be able to obtain a copy of the personal information you hold about them, have it deleted (subject to the statute’s exceptions), and, new with the CPRA, have inaccurate information corrected. If they ask you to delete it, you must also direct your service providers and contractors, and notify the third parties you sold or shared it with, to delete it.
    Along with the data itself, an access response must list the categories of personal information you have collected, the categories of sources it came from, the business or commercial purpose for collecting, selling, or sharing it, and the categories of third parties to which you sell or share it. Previously, the CCPA only regulated the sale of data and had no language around sharing.
  • Right to Opt Out of Sale or Sharing: Consumers can stop the sale or sharing of their information, and you need a “Do Not Sell or Share My Personal Information” link on your website to make this easy.
  • Right to Opt Out of Profiling and Automated Decision-Making: The CPRA directs the CPPA to issue regulations giving consumers access and opt-out rights regarding automated decision-making technology and profiling. Separately, because “sharing” is defined as disclosure for cross-context behavioral advertising, opting out of sharing stops ads targeted on a consumer’s activity across other sites and services.
  • Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can restrict your use of sensitive personal information (such as racial or ethnic origin, precise geolocation, religious beliefs, union membership, genetic and biometric data, sexual orientation, and the contents of their communications) to what is necessary to provide the goods or services they requested, plus a short list of purposes the regulations allow. This new right also requires a prominent “Limit the Use of My Sensitive Personal Information” link.
  • Right to Data Portability: On request, you must provide a consumer’s personal information in a form they can transmit to another entity, “to the extent technically feasible, in a structured, commonly used, machine-readable format.”


Introduction of New Privacy Principles: 

You also need to abide by a new set of “privacy principles” in all of your data-handling practices, many of which are new with the CPRA: 

  • Purpose Limitation: You can only use personal data for the purpose for which it was originally collected. 
  • Protection of Children’s Data: The CPRA sets the maximum fine for violations involving consumers under 16 at $7,500, triple the $2,500 base amount. Selling or sharing a minor’s personal information requires opt-in consent: from the consumer themselves if they are 13 to 15, and from a parent or guardian if they are under 13. If consent is declined, you must wait at least 12 months before asking again.
  • Storage Limitation: Data should be destroyed or deleted once the data has been used for its collected purpose. 
  • Reasonable and Appropriate Security: Security for personal data must be appropriate based on how sensitive the data is and the harm that would result because of unauthorized access.  

More Changes via CPPA Rulemaking 

The law is further fleshed out by regulations from the California Privacy Protection Agency (the CPPA, which isn’t confusing next to CCPA and CPRA at all, surely). After consulting with stakeholders, the CPPA finalized its first set of CCPA regulations on March 29, 2023, giving organizations more specific guidance on how to comply.

Most notably, the CPRA requires risk assessments. Before processing personal information in ways that present significant risk to consumers’ privacy or security (the statute’s examples include selling or sharing it and processing sensitive personal information), you must assess and weigh the benefits of the processing against the risks to the consumer. The statute directs the CPPA to require that these assessments be submitted to the agency on a regular basis, so document each assessment and the mitigations it led to in a form you can hand over. The same provision requires businesses in that high-risk category to undergo an annual cybersecurity audit.

Be prepared to create a process in your organization for conducting these risk assessments.   

The CPPA also made clear that businesses must honor opt-out preference signals. The best-known is the Global Privacy Control (GPC), a setting in a browser or browser extension that sends the HTTP request header Sec-GPC: 1 with every request (and exposes navigator.globalPrivacyControl to page scripts). A business that receives the signal must treat it as a valid request to opt out of the sale and sharing of that consumer’s personal information, exactly as if the consumer had clicked the “Do Not Sell or Share My Personal Information” link. It is not an opt-out of all data collection; first-party processing that is neither a sale nor a share may continue.

CCPA vs. CPRA: California Privacy Laws Comparison Chart

For a quick, at-a-glance look at other changes from CCPA to CPRA, here’s a handy chart:

What’s Changed Between the CCPA and CPRA?

Enforcement
  CCPA: California Attorney General’s Office.
  CPRA: The newly created California Privacy Protection Agency, plus the Attorney General and district attorneys.

Profiling
  CCPA: N/A.
  CPRA: Consumers gain access and opt-out rights around automated decision-making technology and profiling, as set out in CPPA regulations.

Sensitive data
  CCPA: N/A.
  CPRA: Defines a category of “sensitive personal information.” Businesses must disclose how they collect, use, sell, and share it, and consumers may limit its use and disclosure to what is necessary to provide the goods or services they requested.

Data minimization
  CCPA: N/A.
  CPRA: Businesses must only collect, use, and retain what is “reasonably necessary” and “proportionate” to the disclosed purpose.

Consumer remedies
  CCPA: Consumers have a private right of action when a lack of reasonable security leads to a breach.
  CPRA: Expands the private right of action to breaches of an email address in combination with a password or security question and answer.

Risk assessments
  CCPA: N/A.
  CPRA: For processing of personal information that presents significant risk, organizations must conduct a risk assessment before beginning the collection or use.

Deletion
  CCPA: Businesses must fulfill verified consumer requests to delete their data.
  CPRA: Businesses fulfilling deletion requests must also notify their service providers, contractors, and third parties to delete the information.

Third parties
  CCPA: Not defined.
  CPRA: “Third party” is defined and excludes service providers and contractors. Businesses must impose CPRA-level contractual obligations on third parties, service providers, and contractors before selling, sharing, or disclosing personal information to them.

Opt-out links on websites
  CCPA: Businesses must have a “Do Not Sell My Personal Information” link.
  CPRA: Businesses must have a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link, and must honor opt-out preference signals such as the GPC.

Fines
  CCPA: Up to $7,500 per intentional violation or $2,500 per unintentional violation.
  CPRA: Same amounts (adjusted for inflation), plus up to $7,500 for each violation involving the personal information of consumers under 16.

CCPA Checklist: How to Build Toward Compliance 

Privacy compliance is an all-hands-on-deck sort of thing, but it will look different at every organization subject to the CCPA, depending on the type of personal information you’re collecting and your business plan. The following checklist isn’t comprehensive (for a more comprehensive resource, check out our eBook CPRA Compliance: How Osano Can Help), but it will help you build a strong foundation for CCPA compliance after the amendment.

1. Appoint a Responsible Party to Oversee Compliance 

CEOs and CIOs often lead the charge, but it may be worthwhile to appoint a chief privacy officer (CPO) or a privacy director of some kind, often in the legal or compliance team, who can be tasked with overseeing compliance. 

2. Establish a Privacy Compliance Program 

Privacy compliance is an ongoing activity, so rather than kicking off a compliance project, you’ll really want to establish a privacy program. The program will be responsible for coordinating and launching compliance activities for the CCPA and any other privacy laws your business is subject to. 

3. Audit How Personal Information Is Collected and Used 

Because so many departments collect and use consumer data, it’s important to record any data collection and processing activities to make sure personal information is being handled appropriately. 

Under the EU’s GDPR, this kind of audit is formalized in a document known as a record of processing activities, or RoPA. Even though the CCPA doesn’t explicitly require a RoPA, maintaining one will set the stage for future compliance activities. Check out our article, What Is a RoPA?, to learn more.

4. Conduct Training 

Understanding where your organization collects personal data is important, but it’s even more important to ensure that your team members who collect personal data know how to handle it compliantly. 

For example, marketers consistently rely on consumer data to influence their campaigns. Consumer data is precisely what makes companies able to effectively target their marketing efforts to the right people at the right time to increase sales. Every time a consumer is tracked with a website cookie, fills out a form, or makes a purchase online, they are giving the company their personal information, which is now protected by the CCPA. 

These marketers need to be trained in how to comply with the law, and systems need to be put into place to make sure they follow policy.  

The same goes for your sales department. All of that customer data that's stored in systems such as Salesforce must be protected and only used appropriately. If it's shared with other departments, those departments now have some ownership. You can see how quickly and easily consumer data spreads across the organization. 

5. Manage Third-Party Relationships 

It’s not just other departments that will handle your consumers’ data; you likely have relationships with other organizations, who may be processing your consumers' personal data. 

These third parties might do things like perform sophisticated data analytics, fill in profiles for people with only partial records, and other potentially privacy-invasive activities. These third-party relationships must be managed via contracts and audits, as you’ll be responsible for how they handle the data supplied to you by your customers and employees. 

Given the volume of third-party relationships you may manage, this task can quickly become overwhelming. That’s why it’s important to identify a vendor privacy risk management solution to streamline the vendor assessment process. 

6. Establish a Means of Managing Consent 

On its face, allowing website visitors to opt out of data collection seems simple enough. But in reality, it can become technically complex very quickly. Consider cookies (just one of several data trackers on your website). Some cookies may be necessary for your website’s functionality; so if you provide a “Do not sell or share my personal information” link on your website, it can’t just block all cookies. 

Furthermore, you’ll need to record each user’s opt-out (and any later consent), so you don’t accidentally sell or share their data in the future, and so you can show the CPPA or attorney general what choice the user made and when.

Then you need a banner or notice at collection that links to your privacy policy and your opt-out mechanisms, presented in the languages in which you ordinarily provide contracts, disclosures, and other information to consumers in California.

We dive into the specifics of cookie consent in our blog, Cookie Banners: How to Stay Compliant with Privacy Laws. 
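As an added example that is not part of the original article or of any vendor’s product: a small Node.js module, written for this page, that ties together the two technical points made above, the GPC opt-out preference signal (the Sec-GPC: 1 request header discussed in the rulemaking section) and the consent-management step just described. It recognizes the signal and a stored “Do Not Sell or Share” choice, records the resulting opt-out with its source and time so the choice can be shown to a regulator later, and gates cookies by category so that essential cookies are always set while cookies that sell or share data are withheld from opted-out visitors. The cookie catalog, consent records, request headers, and field names are all constructed for illustration, not taken from the law or the article.

```javascript
// Added example, not part of the original article or any vendor product.
// Node.js: decide which cookies a site may set for a visitor, honoring both a
// stored "Do Not Sell or Share" choice and the browser's Global Privacy
// Control (GPC) signal. Field names and the cookie catalog are illustrative.

// Constructed cookie catalog. "saleOrShare" marks cookies whose data goes to a
// third party as a sale or for cross-context behavioral advertising; only those
// are affected by a CCPA opt-out. Essential and first-party analytics cookies
// are not, so an opt-out must not block them.
const COOKIE_CATALOG = [
  { name: 'session_id',      category: 'essential',   saleOrShare: false },
  { name: 'csrf_token',      category: 'essential',   saleOrShare: false },
  { name: 'site_analytics',  category: 'analytics',   saleOrShare: false },
  { name: 'ad_exchange_uid', category: 'advertising', saleOrShare: true },
  { name: 'retargeting_id',  category: 'advertising', saleOrShare: true },
];

// Case-insensitive header lookup. Node's IncomingMessage lowercases header
// names, but a raw or proxied header object may not.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// The GPC spec defines the signal as the request header "Sec-GPC: 1".
// Any other value (including "0" or a missing header) is not an opt-out.
function gpcSignalPresent(headers) {
  const value = headerValue(headers, 'sec-gpc');
  return typeof value === 'string' && value.trim() === '1';
}

// Resolve the visitor's opt-out state for this request. `record` is the
// stored choice (null if none). Under the CPPA regulations a GPC signal is a
// valid opt-out request and prevails over a conflicting business-specific
// setting; the business may notify the consumer of the conflict, so the
// conflict is surfaced here rather than silently dropped.
function resolveOptOut(record, headers, now = new Date()) {
  const stored = record || null;
  if (stored && stored.optedOutOfSaleOrShare === true) {
    // An opt-out already on file stands; keep its original provenance.
    return { ...stored, conflictsWithStoredChoice: false };
  }
  if (gpcSignalPresent(headers)) {
    return {
      optedOutOfSaleOrShare: true,
      source: 'gpc',
      receivedAt: now.toISOString(),
      // Any stored record at this point is a consent, so the signal conflicts.
      conflictsWithStoredChoice: stored !== null,
    };
  }
  if (stored) return { ...stored, conflictsWithStoredChoice: false };
  // No request on file and no signal: sale/share is opt-out by default under
  // the CCPA, so nothing is blocked yet.
  return { optedOutOfSaleOrShare: false, source: 'none', receivedAt: null, conflictsWithStoredChoice: false };
}

// Names of the cookies that may be set given the resolved opt-out state.
function allowedCookies(catalog, optOut) {
  return catalog
    .filter((c) => c.category === 'essential' || !(optOut.optedOutOfSaleOrShare && c.saleOrShare))
    .map((c) => c.name);
}

// One call per request: what to record, and which cookies to emit.
function decideForRequest(headers, record, catalog = COOKIE_CATALOG, now = new Date()) {
  const optOut = resolveOptOut(record, headers, now);
  return { optOut, cookies: allowedCookies(catalog, optOut) };
}

// Demo with a constructed request carrying the GPC header and no stored choice.
console.log(JSON.stringify(decideForRequest({ 'Sec-GPC': '1' }, null), null, 2));
```

Note that the analytics cookie survives the opt-out: the CCPA opt-out covers sale and sharing, not every cookie, which is exactly why a “Do Not Sell or Share” link cannot simply switch off all trackers. The `conflictsWithStoredChoice` flag is where a real site would trigger the optional “your browser signal conflicts with your saved setting” notice.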

7. Develop and Regularly Review Notices and Privacy Policies 

If you collect data from your consumers (or from your employees) and they aren’t aware of what you’re collecting and why, you’ll be in violation of the CCPA. 

A key part of data privacy compliance as a whole is transparency—that’s why you’ll need to develop and maintain a privacy policy and present that policy at the point of collection. Since the data you collect from consumers and employees may be entirely distinct, it’s a good idea to craft a separate employee privacy policy as well. 

You can also digest these steps towards compliance here: CPRA compliance checklist

CCPA Solutions: Make Sure You Don’t Try to Do It Alone 

Does compliance sound difficult? It is.

Luckily, many companies, like Osano, have created software packages that allow you to: 

  • Track and document consent. 
  • Manage your contracts and third-party data sharing in a dashboard-like environment. 
  • Manage and document consent for cookie placement. 
  • Conduct and manage risk assessments. 
  • Quickly respond to requests for access, deletion, and correction.  
  • Quickly produce privacy notices that are targeted toward the type of information you’re collecting. 

Wait. Cookies?! Does the CPRA Change the Rules Around Cookies? 

Well, yes and no. The CCPA doesn’t focus on the mechanisms involved with how personal data is collected and used; it just focuses on the fact that personal data is actually being collected and used.  

Thus, if your cookies don’t collect personal information, the law isn’t particularly worried about them. But if your cookies do pass along personal information to your organization or others, then all of the CCPA rules apply. Keep in mind that the statute’s definition of personal information expressly includes unique identifiers such as cookies, beacons, and pixel tags, so a cookie that recognizes a visitor across visits is almost always in scope.

Got it? Luckily, there are plenty of cookie consent managers out there to help make sure you know the difference between essential cookies and those that collect data (and those that do both).

Protecting California Consumers' Privacy

The people behind the CCPA, CPRA, and CPPA are first and foremost concerned with protecting the privacy of consumers in California. They are very likely to prioritize enforcement against the most egregious violators of the law.  

However, that does not mean they don’t care about the little guys. While how the CPPA will act is somewhat unpredictable, you should expect audits of classes of websites, roundups of certain types of violations that include large groups of companies, and other enforcement actions that seek to prod large sections of the California marketplace into compliance. 

Most importantly, you don’t want to be caught looking like you don’t care. Good faith efforts will result in kind attention from the regulators; pleas of ignorance will result in much harsher treatment, indeed. 

CCPA and CPRA FAQs: Additional Information About the CCPA 

Who Must Comply With the CCPA (and the CPRA)? 

You must comply with the CCPA if you are a for-profit organization that does business in California, collects the personal data of Californians or has it collected for you, and fits one or more of these criteria:  

  • Buys, sells, or shares the personal information of 100,000 people or households.  
  • Creates 50% or more of their revenue through the sale or sharing of personal information.  
  • Had $25 million in gross revenue in the preceding calendar year.

When Did the CPRA Go Into Effect? 

The CPRA came into force on January 1, 2023, but it also protects data collected starting January 1, 2022. Its enforcement date is July 1, 2023. 

What Is the Definition of Personal Information Under the CCPA? 

The CCPA defines personal information as "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." 

What Is the CPRA Definition of Sensitive Personal Information? 

Sensitive personal information has extra requirements for its collection and processing. Sensitive personal information includes: 

  • A consumer’s Social Security, driver’s license, state identification card, or passport number.
  • Account log-in, or a financial account, debit card, or credit card number, in combination with any required access code or password.
  • Precise geolocation.
  • Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.
  • The contents of mail, email, and text messages, unless the business is the intended recipient.
  • Genetic data, and biometric data processed to uniquely identify a consumer.
  • Health data, and data about a consumer’s sex life or sexual orientation.
  • Neural data.

What Are the CPRA’s Requirements Around Data Collection Consent? 

The CPRA requires businesses to accept opt-out requests, meaning that they can collect users’ personal information by default so long as they provide notice about the collection and means of opting out of it. 

Businesses must provide a "Do not sell or share my personal information” link, which stops the share or sale of personal data to third parties, in particular for the purpose of targeted advertising. Businesses must also honor opt-out requests from authorized third-party signals, like the GPC. 

Businesses must also provide a “Limit the Use of My Sensitive Personal Information” link, which restricts the use and disclosure of sensitive personal information to what is necessary to provide the goods or services the consumer requested, plus a short list of purposes the regulations allow (such as security and integrity, debugging, short-term transient use, and customer service).

While most personal data collection is opt-out, businesses must acquire opt-in consent (i.e., not collecting unless the user agrees first) in the following circumstances: 

  • When selling or sharing personal information of minors. 
  • When offering participation in financial incentive programs.
  • When selling or sharing the personal information of consumers who have previously opted out. 
  • When using personal information for a secondary purpose beyond the original stated purpose. 
  • When using personal information for scientific research. 

What Are the CPRA’s Requirements Around Data Subject Rights? 

The CPRA amends the CCPA and provides consumers, employees, and other commercial partners with the following rights:

  • Right to Access, Deletion, and Correction  
  • Right To Object to Sale or Share  
  • Right To Opt-out of Behavioral Profiling and Automated Decision-Making  
  • Right To Object to the Use of Sensitive Personal Information  
  • Right to Data Portability 

Requests to access, delete, or correct personal information must be fulfilled within 45 days of receipt, with one 45-day extension available when reasonably necessary for complex or high-volume requests; requests to opt out of sale or sharing, or to limit the use of sensitive personal information, must be honored within 15 business days. Businesses may refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, but the business bears the burden of demonstrating that a request is manifestly unfounded or excessive.

Who Enforces the CCPA, as Amended by the CPRA?

The state attorney general, district attorneys, and the California Privacy Protection Agency may enforce the CCPA as amended by the CPRA. Private citizens may sue only in limited circumstances: when certain categories of personal information are breached because the business failed to maintain reasonable security, consumers may seek statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.

Businesses that violate the CCPA may be penalized with:

  • Up to $2,500 per unintentional violation.
  • Up to $7,500 per intentional violation, or per violation involving the personal information of consumers under 16.

Both figures are adjusted for inflation.