Framework
CCPA/CPRA
California Consumer Privacy Act & California Privacy Rights Act - leading US state privacy law.
Schedule Consultation → California Consumer Privacy Act & California Privacy Rights Act - leading US state privacy law.
Schedule Consultation →The California Consumer Privacy Act (CCPA), significantly amended by the California Privacy Rights Act (CPRA), establishes comprehensive privacy rights for California residents and obligations for businesses that meet certain thresholds. If your organization has annual gross revenue over $25 million, processes data of 100,000+ California consumers, or derives 50%+ of revenue from selling or sharing personal information, the CCPA/CPRA applies to you.
The CPRA amendments, fully effective since January 2023, strengthened the CCPA significantly. They created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, introduced the concept of 'sensitive personal information' with additional restrictions, expanded consumer rights to include correction and limitation of sensitive data use, and added requirements for data minimization, purpose limitation, and storage limitation that echo GDPR principles.
Key consumer rights under CCPA/CPRA include the right to know what personal information is collected and how it's used, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate personal information, and the right to limit the use of sensitive personal information. Businesses must respond to consumer requests within 45 days and cannot discriminate against consumers who exercise their rights.
We help organizations build CCPA/CPRA compliance programs that work alongside GDPR and other state privacy laws. Given the proliferation of US state privacy legislation - with Virginia, Colorado, Connecticut, and many others following California's lead - we design privacy programs that satisfy multiple jurisdictions simultaneously rather than addressing each law in isolation.
Implementing processes to receive, verify, and respond to consumer rights requests - know, delete, correct, opt-out, and limit use of sensitive data - within the 45-day timeframe.
Drafting and maintaining privacy notices that meet CCPA/CPRA's specific disclosure requirements, including categories of information collected, purposes, and third-party sharing.
Implementing 'Do Not Sell or Share My Personal Information' mechanisms, including recognizing Global Privacy Control signals and managing opt-out preferences.
Identifying processing of sensitive personal information (Social Security numbers, financial accounts, geolocation, etc.) and implementing required disclosures and limitation mechanisms.
Establishing contractual requirements for service providers and contractors that process personal information, including data use restrictions and audit rights.
We determine whether CCPA/CPRA applies to your organization, identify which provisions are relevant to your processing activities, and assess your current compliance posture.
We design and implement workflows for receiving, verifying identity, and responding to consumer rights requests within regulatory timelines across all applicable request types.
We design your privacy program to satisfy CCPA/CPRA alongside other state privacy laws (Virginia, Colorado, Connecticut, and others), avoiding redundant compliance efforts.
We prepare your organization for potential CPPA enforcement actions and audits, ensuring your practices, documentation, and response procedures meet the agency's expectations.
Every engagement starts with a free call. No pitch, just an honest assessment of where you stand with CCPA/CPRA.
Book a Free Call →Book a free consultation and we'll scope out your CCPA/CPRA engagement: timeline, deliverables, and what audit-ready looks like for your team.
Book Your Free Consultation →“I've never met a team who could make compliance as easy, and dare I say FUN!”
Cailey Ryckman, VP of Finance
