What are CCPA & CPRA?

Together, the California Consumer Privacy Act (CCPA) of 2018 and California Privacy Rights Act (CPRA) of 2020 set the bar for the USs most comprehensive and stringent privacy laws. Both now serve as the standard for other State privacy laws in motion or enacted (Virginia, Colorado) as well as the stated standard for many major corporations.

CCPA and CPRA focus exclusively on California residents, no matter where the company is that may serve them. In this way, both are similar to the European Union’s “General Data Protection Regulation (GDPR) which is itself a sweeping pioneering law protecting consumers data privacy rights.

California’s Privacy Laws are landmarks in addressing growing consumer concerns. A broad summary of key provisions are highlighted below.


The stakes are high with fines up to $7,500 per consumer failure and estimated total state privacy expenditures of $5B by 2023

Who is Impacted?

Any for-profit businesses conducting business with Californians, or who collects or processes personal consumer data of California residents AND meets one of the following criteria is impacted

  • Revenue $50MM+ OR
  • Data of 100,000 Californian consumers, OR
  • Derives 50%+ of revenue selling (renting, disclosing, transferring etc.) consumer data

What New Rights Do Consumers Have?

The intent of the CCPA is to provide consumers with greater control over how their personal data is used. Consumers will have the right to:

  • Request what personal data that is being collected about them and with whom it is being shared.
  • To opt-out of the “sale” of their data.
  • Request that their data be deleted by the business.
  • Right to seek damages if the data is breached
  • Right to equal service and price.

What Must You Do?

Enforcement was increased July 1, 2021 and now includes significant foundational consumer disclosures and new required mechanisms for consumers to access and consent to the use of their Personally Identifiable Information (PII).

For many companies, these new laws and obligation are SIGNIFICANT changes to customer service requirements and broadens the definition and actions required when using PII.

New Privacy Obligations Include:

  • Provide clear privacy policy and consent to collect and use PII
  • Establish systems to Respond to ALL consumer requests
  • Discover, inventory and classify the PII you have of consumers – including Human Resources (applicants, employees, past employees)
  • Annually audit and have security programs to ensure safety of the PII you hold.
  • Establish retention and disposal policies and procedure for PII
  • Ensure third party PII use is protected and controlled.
  • Proactively demonstrate compliance through Privacy Governance