CCPA/CPRA

California Consumer Privacy Act & California Privacy Rights Act - leading US state privacy law.

The CCPA, as amended by the CPRA, gives California consumers significant rights over their personal information. We help organizations understand their obligations and build compliance programs that address California's requirements alongside other privacy frameworks.

The California Consumer Privacy Act (CCPA), significantly amended by the California Privacy Rights Act (CPRA), establishes comprehensive privacy rights for California residents and obligations for businesses that meet certain thresholds. If your organization has annual gross revenue over $25 million, processes data of 100,000+ California consumers, or derives 50%+ of revenue from selling or sharing personal information, the CCPA/CPRA applies to you.

The CPRA amendments, fully effective since January 2023, strengthened the CCPA significantly. They created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, introduced the concept of 'sensitive personal information' with additional restrictions, expanded consumer rights to include correction and limitation of sensitive data use, and added requirements for data minimization, purpose limitation, and storage limitation that echo GDPR principles.

Key consumer rights under CCPA/CPRA include the right to know what personal information is collected and how it's used, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate personal information, and the right to limit the use of sensitive personal information. Businesses must respond to consumer requests within 45 days and cannot discriminate against consumers who exercise their rights.

We help organizations build CCPA/CPRA compliance programs that work alongside GDPR and other state privacy laws. Given the proliferation of US state privacy legislation - with Virginia, Colorado, Connecticut, and many others following California's lead - we design privacy programs that satisfy multiple jurisdictions simultaneously rather than addressing each law in isolation.

Key areas of CCPA/CPRA.

01

Consumer Rights Management

Implementing processes to receive, verify, and respond to consumer rights requests - know, delete, correct, opt-out, and limit use of sensitive data - within the 45-day timeframe.

02

Privacy Notices & Disclosures

Drafting and maintaining privacy notices that meet CCPA/CPRA's specific disclosure requirements, including categories of information collected, purposes, and third-party sharing.

03

Opt-Out Mechanisms

Implementing 'Do Not Sell or Share My Personal Information' mechanisms, including recognizing Global Privacy Control signals and managing opt-out preferences.

04

Sensitive Personal Information

Identifying processing of sensitive personal information (Social Security numbers, financial accounts, geolocation, etc.) and implementing required disclosures and limitation mechanisms.

05

Service Provider Management

Establishing contractual requirements for service providers and contractors that process personal information, including data use restrictions and audit rights.

How we help with CCPA/CPRA.

Hands-on expertise from practitioners who've guided dozens of organizations through CCPA/CPRA compliance.

Applicability Assessment

We determine whether CCPA/CPRA applies to your organization, identify which provisions are relevant to your processing activities, and assess your current compliance posture.

Consumer Request Workflows

We design and implement workflows for receiving, verifying identity, and responding to consumer rights requests within regulatory timelines across all applicable request types.

Multi-State Privacy Program

We design your privacy program to satisfy CCPA/CPRA alongside other state privacy laws (Virginia, Colorado, Connecticut, and others), avoiding redundant compliance efforts.

CPPA Readiness

We prepare your organization for potential CPPA enforcement actions and audits, ensuring your practices, documentation, and response procedures meet the agency's expectations.

Ideal For

SaaS companies meeting CCPA/CPRA thresholds that need to establish or mature their compliance program

Organizations that sell or share California consumers' personal information and need opt-out mechanisms

Companies managing privacy compliance across multiple US states and wanting a unified approach

Teams building consumer rights request processes and needing workflows that scale across jurisdictions

Organizations preparing for CPPA enforcement activity and wanting to demonstrate proactive compliance

Talk to an expert

Every engagement starts with a free call. No pitch, just an honest assessment of where you stand with CCPA/CPRA.

Book a Free Call →

How we can help

Privacy Compliance

Navigate the global privacy landscape with confidence.

Virtual Compliance Management

Your dedicated compliance team, without the full-time headcount.

From our blog

Interactive Guide

Compare CCPA/CPRA with other frameworks

See how control areas overlap, what's unique to each standard, and which frameworks complement each other.

Framework Navigator

Ready to move forward?

Book a free consultation with Glenn Chamberlain, Managing Principal. We'll scope out your CCPA/CPRA engagement: timeline, deliverables, and what audit-ready looks like for your team.

Book Your Free Consultation →

“I've never met a team who could make compliance as easy, and dare I say FUN!”

Cailey Ryckman, VP of Finance