CCPA/CPRA Compliance Guide
Navigate the California Consumer Privacy Act and California Privacy Rights Act with a clear understanding of business obligations and consumer rights.
Key Takeaways
- The CCPA/CPRA applies to for-profit businesses that meet specific thresholds related to annual revenue (over $25 million), data volume (100,000+ consumers), or revenue from data sales (50%+ of revenue).
- Consumers have rights to know, delete, correct, opt out of sale/sharing, and limit the use of sensitive personal information.
- Businesses must provide a conspicuous "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control signals.
- The California Privacy Protection Agency (CPPA) actively enforces the law, with fines of up to $7,500 per intentional violation and $2,500 per unintentional violation.
- Service provider and contractor agreements must include specific CCPA/CPRA-required provisions governing the use and disclosure of personal information.
Understanding CCPA/CPRA Scope
Which Businesses Are Subject to CCPA/CPRA?
The CCPA/CPRA applies to for-profit entities that do business in California and meet one or more of the following thresholds: (1) annual gross revenue exceeding $25 million in the preceding calendar year; (2) buying, selling, or sharing the personal information of 100,000 or more California consumers or households annually; or (3) deriving 50% or more of annual revenue from selling or sharing California consumers' personal information.
It is important to note that a business does not need to be physically located in California to fall within the law's scope. Any for-profit entity that meets the thresholds and collects personal information from California residents while doing business in California is subject to the CCPA/CPRA. This broad jurisdictional reach means that many national and international companies must comply.
The CPRA also introduced the concept of a "contractor" as a distinct category from service providers. Contractors receive personal information from a business pursuant to a written contract that prohibits the contractor from selling or sharing the information, retaining or using the information for purposes other than those specified in the contract, or combining the information with data from other sources. Understanding whether your business partners are service providers or contractors determines the applicable contractual requirements.
Personal Information and Sensitive Personal Information
The CCPA/CPRA defines personal information broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. This includes identifiers, commercial information, biometric data, internet activity, geolocation data, professional or employment information, and inferences drawn from any of this information.
The CPRA introduced the category of sensitive personal information, which receives additional protections. Sensitive personal information includes government identifiers (such as Social Security numbers), financial account information, precise geolocation, racial or ethnic origin, religious beliefs, communications content, genetic data, biometric data, health information, and sex life or sexual orientation information. Consumers have the right to limit the use and disclosure of their sensitive personal information to uses necessary to perform the services or provide the goods reasonably expected by the consumer.
ClassifyIQ helps businesses automatically identify and classify both personal information and sensitive personal information across their data systems. This automated classification is essential for applying the correct level of protection and ensuring that consumer rights related to specific data categories can be honored accurately and efficiently.
Consumer Rights and Business Obligations
Rights to Know, Delete, and Correct
California consumers have the right to know what personal information a business has collected about them, the categories of sources, the business or commercial purpose for collection, the categories of third parties with whom the information is shared, and the specific pieces of personal information collected. Businesses must provide this information in a readily usable format within 45 days of receiving a verifiable request, with a possible 45-day extension for complex requests.
The right to delete requires businesses to delete personal information collected from the consumer upon a verifiable request, with certain exceptions such as completing a transaction, detecting security incidents, exercising free speech, complying with legal obligations, and internal uses reasonably aligned with consumer expectations. When a deletion request is received, the business must also direct its service providers and contractors to delete the information.
The right to correct requires businesses to correct inaccurate personal information about a consumer upon receiving a verifiable request. The business must use commercially reasonable efforts to correct the information in its existing systems and must instruct service providers and contractors to make the same corrections. SearchIQ streamlines the fulfillment of these requests by quickly locating all instances of a consumer's personal information across connected systems.
Checklist:
- Provide at least two methods for consumers to submit requests (e.g., web form and toll-free number)
- Implement identity verification procedures that do not require consumers to create an account
- Maintain systems to track request receipt dates and response deadlines
- Build processes to aggregate personal information from all data systems for access requests
- Ensure deletion processes cascade to all service providers and contractors
- Document all requests, verifications, and responses for compliance record-keeping
Right to Opt Out and Do Not Sell or Share
Consumers have the right to opt out of the sale or sharing of their personal information. Under the CPRA, "sharing" means making personal information available to a third party for cross-context behavioral advertising, whether or not there is an exchange of money. This significantly broadened the opt-out right beyond traditional data sales to cover common digital advertising practices.
Businesses that sell or share personal information must provide a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" on their website homepage. They must also honor opt-out preference signals, including the Global Privacy Control (GPC), as a valid opt-out request. When a consumer opts out, the business must wait at least 12 months before requesting that the consumer authorize the sale or sharing of their information again.
ConsentIQ provides automated opt-out management that detects GPC signals, processes opt-out requests, and propagates opt-out preferences across advertising partners and data systems. This ensures that businesses can comply with the technical and operational requirements of the opt-out right without manual intervention for each request.
Right to Limit Use of Sensitive Personal Information
The CPRA grants consumers the right to limit a business's use and disclosure of their sensitive personal information. When a consumer exercises this right, the business may only use sensitive personal information for purposes necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, and for certain other specified purposes such as security, fraud prevention, and short-term transient use.
Businesses that use or disclose sensitive personal information for purposes beyond those permitted must provide a "Limit the Use of My Sensitive Personal Information" link on their website. This link should be presented alongside the "Do Not Sell or Share" link for a consistent consumer experience. Businesses may use a single link that combines both functionalities if clearly labeled.
Implementing this right requires businesses to have granular visibility into how sensitive personal information flows through their systems. ClassifyIQ automatically identifies sensitive personal information and tags it for enhanced protection, while ProtectIQ can apply additional security controls such as masking or encryption to ensure that sensitive data is only used for permitted purposes.
Compliance Implementation
Privacy Notices and Disclosures
Businesses must provide consumers with a privacy policy that discloses the categories of personal information collected, the purposes of collection, the categories of personal information sold or shared, the categories of third parties to whom information is disclosed, and the consumer rights available under the CCPA/CPRA. The privacy policy must be updated at least once every 12 months and must include the date of last update.
At or before the point of collection, businesses must inform consumers about the categories of personal information to be collected and the purposes for which it will be used. If the business collects additional categories of personal information or uses previously collected information for new purposes, it must provide a new notice to consumers. This at-collection notice requirement applies to all channels through which personal information is collected, including websites, mobile apps, and in-store interactions.
Businesses should also provide a notice of right to opt out if they sell or share personal information, a notice of financial incentive if they offer financial incentives for the collection, retention, or sale of personal information, and an updated privacy policy that reflects all CPRA amendments. ComplyIQ provides privacy notice templates and tracking tools to ensure that all required disclosures are current and complete.
Service Provider and Contractor Agreements
The CCPA/CPRA requires specific contractual provisions in agreements with service providers and contractors. These agreements must prohibit the recipient from selling or sharing the personal information, restrict the use of personal information to the business purposes specified in the contract, require the recipient to comply with CCPA/CPRA obligations, grant the business the right to take steps to ensure the recipient uses personal information consistently with the business's obligations, and require the recipient to notify the business if it can no longer meet its contractual obligations.
Contractors must additionally certify that they understand the restrictions on the use of personal information and will comply with them. Both service providers and contractors must enter into similar agreements with any sub-processors, creating a chain of contractual protections that follows the personal information through all processing relationships.
Organizations should conduct a thorough review of all existing vendor agreements to identify gaps in CCPA/CPRA compliance. Establish a contract management process that ensures all new agreements include the required provisions from the outset. This is particularly important for marketing technology vendors, analytics providers, and cloud service providers that process large volumes of consumer personal information.
Checklist:
- Audit all existing service provider and contractor agreements for CCPA/CPRA compliance
- Include mandatory CCPA/CPRA clauses in contract templates for new vendor agreements
- Obtain contractor certifications acknowledging restrictions on personal information use
- Establish processes to verify that service providers and contractors honor consumer requests
- Maintain records of all agreements and certifications for compliance documentation
Enforcement and Penalties
CPPA Enforcement and Litigation Risk
The California Privacy Protection Agency (CPPA) is the primary enforcement body for the CCPA/CPRA. It has the authority to investigate potential violations, conduct audits, issue regulations, and impose administrative fines. The CPPA has been actively issuing regulations, conducting enforcement sweeps focused on specific industries, and publishing guidance on compliance best practices.
Administrative fines can reach $2,500 per unintentional violation and $7,500 per intentional violation or per violation involving a minor's personal information. Given that violations are assessed on a per-consumer, per-instance basis, the aggregate penalties for widespread non-compliance can be substantial. The CPPA does not provide a cure period for violations, meaning businesses cannot avoid penalties by quickly remedying issues after enforcement action begins.
In addition to CPPA enforcement, consumers have a private right of action for data breaches resulting from a business's failure to implement and maintain reasonable security procedures. Consumers can seek statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. This private right of action creates significant litigation risk, particularly for businesses that experience large-scale data breaches affecting California residents.
Frequently Asked Questions
Does the CCPA/CPRA apply to non-profit organizations?
No, the CCPA/CPRA only applies to for-profit entities. Non-profit organizations, government agencies, and certain other entities are excluded from the law's scope. However, non-profits that share data with for-profit affiliates should be aware that the for-profit entity's obligations may indirectly affect data sharing arrangements.
How should businesses handle Global Privacy Control (GPC) signals?
Businesses must treat GPC signals as valid opt-out requests for the sale and sharing of personal information. When a GPC signal is detected, the business should stop selling or sharing personal information associated with that browser or device. The CPPA has stated that businesses cannot require consumers to verify their identity before honoring a GPC signal, and the signal should be processed automatically without additional steps from the consumer.
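The following is an added example, not code from this guide or from any of the products it mentions, showing how a web backend can honor a GPC signal automatically (no identity verification step), gate sale/sharing on the resulting opt-out state, and enforce the 12-month wait before asking the consumer to re-authorize sale or sharing. It assumes the GPC request header `Sec-GPC: 1` as defined by the Global Privacy Control specification, a first-party device identifier (here a constructed `dev-A`/`dev-B`) as the key for opt-out state, and approximates the 12-month wait as 365 days; the request headers and timestamps are constructed for the demonstration.

```python
"""Server-side handling of Global Privacy Control (GPC) as a CCPA/CPRA opt-out.

Added example: not part of the original guide or any vendor product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Mapping, Optional

# The GPC specification carries the signal as the request header "Sec-GPC: 1".
# Any other value, or absence of the header, means no signal was sent.
GPC_HEADER = "Sec-GPC"
# Assumption: the 12-month re-solicitation wait is approximated as 365 days.
RE_CONSENT_WAIT = timedelta(days=365)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive; only the exact value "1" counts.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


@dataclass
class OptOutRecord:
    opted_out: bool = False
    opted_out_at: Optional[datetime] = None
    source: Optional[str] = None  # "gpc" or "link" (Do Not Sell or Share link)


@dataclass
class OptOutRegistry:
    """Opt-out state keyed by a browser/device identifier (e.g. a first-party cookie id).

    State is keyed by device, not by a verified identity, because the GPC signal
    must be honored without requiring the consumer to verify who they are.
    """
    records: Dict[str, OptOutRecord] = field(default_factory=dict)

    def apply_request(self, device_id: str, headers: Mapping[str, str], now: datetime) -> OptOutRecord:
        """Process one incoming request; record an opt-out when GPC is present."""
        rec = self.records.setdefault(device_id, OptOutRecord())
        if gpc_signal_present(headers) and not rec.opted_out:
            rec.opted_out, rec.opted_out_at, rec.source = True, now, "gpc"
        return rec

    def opt_out_via_link(self, device_id: str, now: datetime) -> OptOutRecord:
        """Record an opt-out submitted through the Do Not Sell or Share link."""
        rec = self.records.setdefault(device_id, OptOutRecord())
        if not rec.opted_out:
            rec.opted_out, rec.opted_out_at, rec.source = True, now, "link"
        return rec

    def may_sell_or_share(self, device_id: str) -> bool:
        """Gate advertising pixels and third-party data transfers on this check."""
        rec = self.records.get(device_id)
        return rec is None or not rec.opted_out

    def may_request_reauthorization(self, device_id: str, now: datetime) -> bool:
        """True only once 12 months have passed since the opt-out (or if never opted out)."""
        rec = self.records.get(device_id)
        if rec is None or not rec.opted_out or rec.opted_out_at is None:
            return True
        return now - rec.opted_out_at >= RE_CONSENT_WAIT


def demo() -> dict:
    """Run the flow on constructed requests and return the observable outcomes."""
    registry = OptOutRegistry()
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed timestamp
    # Constructed request headers: one browser sends GPC, the other does not.
    gpc_headers = {"User-Agent": "example", "sec-gpc": "1"}
    plain_headers = {"User-Agent": "example"}
    registry.apply_request("dev-A", gpc_headers, t0)
    registry.apply_request("dev-B", plain_headers, t0)
    return {
        "a_may_share": registry.may_sell_or_share("dev-A"),
        "b_may_share": registry.may_sell_or_share("dev-B"),
        "a_reask_at_6_months": registry.may_request_reauthorization("dev-A", t0 + timedelta(days=180)),
        "a_reask_at_13_months": registry.may_request_reauthorization("dev-A", t0 + timedelta(days=400)),
        "a_source": registry.records["dev-A"].source,
    }


if __name__ == "__main__":
    print(demo())
```

In production the registry would be backed by persistent storage and the opt-out preference propagated to advertising partners, but the two checks shown here are the ones every downstream data transfer and every re-consent prompt should be gated on.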
What qualifies as selling or sharing personal information under CCPA/CPRA?
Selling means making personal information available for monetary or other valuable consideration. Sharing means making personal information available for cross-context behavioral advertising, regardless of whether money changes hands. Common practices that may constitute selling or sharing include using third-party advertising pixels, sharing email lists with advertising partners, and allowing data brokers to collect information through your website.
Can businesses charge different prices to consumers who exercise their CCPA/CPRA rights?
Generally, no. Businesses cannot discriminate against consumers for exercising their rights by denying goods or services, charging different prices, providing different quality, or suggesting they will receive different treatment. However, businesses may offer financial incentive programs (such as loyalty programs) where consumers receive a benefit in exchange for their personal information, provided the incentive is reasonably related to the value of the data and disclosed in a notice of financial incentive.