California Consumer Privacy Act

CCPA & CPRA compliance made simple

California's comprehensive privacy law protects 40 million residents with strict consumer rights and business obligations. We help you implement compliant data practices, respond to rights requests and avoid CPPA enforcement actions.

Start compliance assessmentBook compliance consultation

What is CCPA/CPRA?

The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, created comprehensive privacy rights for California residents. The California Privacy Rights Act (CPRA), passed in 2020, significantly strengthened CCPA with amendments effective January 1, 2023.

Why this matters now: CPRA created the California Privacy Protection Agency (CPPA), California's dedicated privacy regulator with enforcement authority. The enhanced requirements include new consumer rights, sensitive PI protections and AI disclosure obligations.

40M protected

California residents covered

$7,500 max

Per intentional violation

Complements GDPR for global privacy compliance and integrates with EU AI Act for AI governance.

Who needs CCPA compliance?

California revenue threshold

Annual gross revenues over $25 million

Data volume threshold

Buy, sell or share data of 100,000+ consumers/households

Revenue from data sales

50%+ of annual revenue from selling consumer PI

Companies processing CA residents

Doing business in California with consumer data

Service providers

Processing PI on behalf of covered businesses

Third parties

Receiving PI from businesses via sales/sharing

How VerifyWise supports CCPA compliance

Comprehensive tools that address consumer rights, business obligations and CPPA enforcement risks

Consumer rights request management

Automated workflows for processing Know, Delete, Correct, Opt-out and Limit requests within statutory deadlines. Track verification methods, response times and maintain complete audit trails for CPPA compliance.

Addresses: Right to Know, Delete, Correct, Opt-out, Limit

Data inventory and mapping

Comprehensive registry of personal information categories, collection sources, business purposes and third-party sharing. Maintain the detailed data maps CCPA requires for notice obligations.

Addresses: Privacy notice disclosures, data inventory requirements

Privacy notice generation and management

Generate CCPA-compliant privacy notices that clearly disclose collection practices, consumer rights and contact information. Version control ensures historical compliance documentation.

Addresses: §1798.100-130 notice requirements

Automated decision-making technology (ADMT) tracking

Register AI systems used for profiling and automated decisions. Document logic, significance and opt-out mechanisms as required by CPRA's ADMT provisions.

Addresses: CPRA §1798.185(a)(16) ADMT regulations

Security safeguards documentation

Track reasonable security procedures protecting personal information. Document technical, administrative and physical controls that demonstrate compliance with security obligations.

Addresses: §1798.150 security requirements

Third-party and service provider oversight

Maintain vendor contracts with required CCPA provisions. Monitor third-party processing activities and document compliance with service provider restrictions.

Addresses: §1798.140(w) service provider requirements

All consumer requests are timestamped with verification records, response dates and audit trails. This documentation demonstrates good-faith compliance efforts during CPPA investigations.

Complete CCPA/CPRA requirements coverage

VerifyWise addresses all major compliance areas with dedicated workflows

23

CCPA/CPRA requirements

23

Requirements with platform support

100%

Coverage across obligations

Consumer rights8/8

Know, delete, opt-out, correct, limit use

Business obligations6/6

Privacy notices, data minimization, security

ADMT compliance4/4

Automated decision-making disclosures

Data inventory5/5

Categories, sources, purposes, sharing

Built for California privacy law from the ground up

45-day deadline tracking

Automated reminders for statutory response deadlines

ADMT disclosure engine

Automated decision-making technology compliance tracking

Universal opt-out signals

Global Privacy Control and browser signal recognition

Multi-law compliance

GDPR, EU AI Act and state privacy law integration

Consumer rights under CCPA/CPRA

Six core rights California residents can exercise

Right to know

Consumers can request disclosure of categories and specific pieces of personal information collected.

Key requirements

  • • 12-month lookback
  • • Free twice per year
  • • 45-day response (+ 45 extension)

Right to delete

Consumers can request deletion of personal information with specified exceptions.

Key requirements

  • • Verify identity
  • • Direct service providers
  • • Document exceptions

Right to opt-out

Opt-out of sale/sharing of personal information and targeted advertising.

Key requirements

  • • Do Not Sell link
  • • Universal opt-out signals
  • • No discrimination

Right to correct

Request correction of inaccurate personal information (CPRA addition).

Key requirements

  • • Verify corrections
  • • 45-day response
  • • Notify third parties

Right to limit

Limit use and disclosure of sensitive personal information (CPRA addition).

Key requirements

  • • Limit to Collect link
  • • Sensitive data uses
  • • Notice requirements

Right to non-discrimination

Businesses cannot discriminate for exercising CCPA rights with limited exceptions.

Key requirements

  • • Equal service
  • • Equal quality
  • • Financial incentive notices

Business obligations

What CCPA/CPRA requires from covered businesses

Privacy notice at collection

Inform consumers at or before collection about categories of PI collected and purposes

Deadline: At or before collection

Comprehensive privacy policy

Detailed disclosure of data practices, consumer rights and contact information

Deadline: Updated at least annually

Do Not Sell/Share link

Clear and conspicuous link on homepage for opt-out of sales/sharing

Deadline: Immediate implementation

Request verification procedures

Reasonable methods to verify consumer identity for rights requests

Deadline: Before responding to requests

Data retention policies

Retain PI only as long as reasonably necessary for disclosed purposes

Deadline: Ongoing compliance

Third-party contracts

Service provider agreements with required CCPA provisions

Deadline: Before sharing data

20-week implementation roadmap

A practical path to CCPA/CPRA compliance with clear milestones

Phase 1Weeks 1-4

Data discovery

  • Map all personal information flows
  • Identify collection points and sources
  • Document business purposes
  • Catalog third-party sharing
Phase 2Weeks 5-8

Notice compliance

  • Draft privacy notice at collection
  • Update comprehensive privacy policy
  • Implement Do Not Sell/Share links
  • Create financial incentive notices
Phase 3Weeks 9-14

Rights infrastructure

  • Build consumer request portal
  • Establish verification procedures
  • Create response workflows
  • Train staff on rights handling
Phase 4Weeks 15-20

Operational readiness

  • Test request processing end-to-end
  • Implement universal opt-out signals
  • Finalize service provider contracts
  • Document ADMT disclosures

Penalties for non-compliance

CCPA/CPRA creates significant financial and legal risks

Civil penalties

CPPA enforcement actions for violations

  • $2,500 per unintentional violation
  • $7,500 per intentional violation
  • Injunctive relief available

Private right of action

Consumer lawsuits for data breaches (§1798.150)

  • $100-$750 per consumer per incident
  • Or actual damages (whichever greater)
  • Statutory damages add up quickly

Reputational harm

Beyond financial penalties

  • Consumer trust erosion
  • Competitive disadvantage
  • Regulatory scrutiny

Class action exposure

Data breaches affecting thousands of consumers can result in statutory damages multiplying to multimillion-dollar class actions. The private right of action under §1798.150 creates significant litigation risk even with reasonable security measures.

Policy templates

Privacy and AI governance policies

Access ready-to-use privacy policy templates aligned with CCPA/CPRA, GDPR and EU AI Act requirements

Privacy notices

  • • Privacy policy template
  • • Notice at collection
  • • Financial incentive notice
  • • Do Not Sell notice
  • • Service provider agreement
  • • Cookie policy
  • + 3 more templates

Consumer rights

  • • Rights request procedures
  • • Identity verification policy
  • • Request response templates
  • • Opt-out procedures
  • • Data deletion policy
  • • Correction procedures
  • + 4 more templates

AI disclosures

  • • ADMT disclosure template
  • • Profiling notice
  • • AI system inventory
  • • Automated decisions policy
  • • AI risk assessment
  • • Sensitive PI handling
  • + 2 more templates
Browse all policy templates

Frequently asked questions

Common questions about CCPA/CPRA compliance

CCPA applies if you do business in California and meet one of three thresholds: (1) $25M+ annual gross revenue, (2) process data of 100,000+ CA consumers/households annually, or (3) derive 50%+ revenue from selling consumer PI. The law applies regardless of where your business is physically located. See the California AG's CCPA page for official guidance.
CCPA (2018) was California's initial privacy law. CPRA (2020) significantly amended CCPA with stricter requirements effective January 1, 2023. Key CPRA additions: sensitive PI category, right to correct, right to limit, automated decision-making disclosures, and creation of the California Privacy Protection Agency (CPPA). When discussing compliance, assume CPRA's enhanced requirements.
Both are comprehensive privacy laws but differ in scope and approach. CCPA applies to California residents (40M people) with business-focused thresholds. GDPR applies to all EU residents (450M+) with broader territorial scope. CCPA has an opt-out model for sales; GDPR generally requires opt-in consent. CCPA penalties are generally lower than GDPR's 4% global revenue cap.
Businesses must respond to verified requests within 45 days, with a possible 45-day extension (total 90 days) when reasonably necessary. You must notify the consumer of the extension within the initial 45 days and explain the reason. For Know requests, consumers can make requests twice per 12-month period free of charge.
CCPA broadly defines selling as disclosing PI to third parties for monetary or other valuable consideration. This includes many data sharing arrangements that aren't traditional data sales. CPRA added 'sharing' for cross-context behavioral advertising. Most third-party analytics, ad tech and data partnerships trigger Do Not Sell obligations. Review AG guidance on what constitutes selling.
CPRA defines sensitive PI as: SSN, driver's license, passport, financial account details, precise geolocation, racial/ethnic origin, religious beliefs, union membership, mail/email/text contents, genetic data, biometric data, health data, sex life/orientation. Consumers have the right to limit use of sensitive PI to purposes necessary to provide requested services.
CPRA requires businesses using ADMT (including profiling) to disclose this in privacy notices and provide information about the logic involved and likely outcome significance. Regulations under §1798.185(a)(16) detail ADMT compliance. This impacts AI systems used for employment, credit, housing, education, and other consequential decisions. See our EU AI Act page for related AI governance requirements.
Verification requirements are proportionate to request sensitivity and risk. For Know (categories), use a two-step process. For Know (specific pieces) or Delete, use a three-step process or signed declaration under penalty of perjury. Password-protected accounts can verify through existing authentication. Maintain documentation of verification methods and match the degree of certainty reasonably necessary.
Service provider agreements must prohibit: (1) retaining, using or disclosing PI for any purpose other than performing services, (2) retaining, using or disclosing PI outside the direct business relationship, (3) combining PI with other PI unless permitted. Contracts should specify permitted purposes, require deletion/return of PI, allow audits, and require subcontractor flow-down. See §1798.140(w) requirements.
Yes, businesses must recognize browser or device signals that communicate opt-out preference (like Global Privacy Control). CPRA requires treating these signals as valid Do Not Sell/Share requests. You must disclose how you process opt-out signals in your privacy policy and honor them for at least 12 months.
The California Privacy Protection Agency (CPPA) can impose civil penalties of $2,500 per unintentional violation or $7,500 per intentional violation. Consumers also have a private right of action under §1798.150 for data breaches, seeking $100-$750 per consumer per incident or actual damages. Violations affecting thousands of consumers can quickly become multimillion-dollar exposures.
Yes, VerifyWise provides consumer rights request management, data inventory tools, privacy notice generators and ADMT disclosure tracking aligned with CCPA/CPRA requirements. Our platform integrates with GDPR, EU AI Act and other privacy frameworks for comprehensive compliance management.

Ready to achieve CCPA compliance?

Start managing consumer rights requests, data inventories and privacy notices with our compliance platform.

Start compliance assessmentSchedule consultation
CCPA and CPRA compliance requirements guide