CCPA/CPRA Requirements: Complete Guide to California Privacy Law

Consumers have the right to know what personal information you collect, where you got it, why you collect it, who you share it with, and what you do with it. They can request a copy of their data, and you must respond within 45 days.

Consumers can request that you delete their personal information. You must comply and direct your service providers to delete the data too, with limited exceptions (e.g., legal obligations, security, completing a transaction).

Consumers can request correction of inaccurate personal information. You must use commercially reasonable efforts to correct the data and instruct service providers to do the same.

Consumers have the right to opt out of the sale or sharing of their personal information. You must provide a clear "Do Not Sell or Share My Personal Information" link on your website. Once a consumer opts out, you cannot sell or share their data unless they later opt back in.

Consumers can direct you to limit the use of sensitive personal information (SSN, financial data, geolocation, race/ethnicity, health data, etc.) to only what is necessary to provide the services they requested.

Before or at the point of collecting personal information, you must inform consumers about the categories of data being collected, the purposes, whether data is sold or shared, and how long it will be retained. This notice must be easily accessible.

You must provide at least two methods for consumers to submit rights requests (e.g., a toll-free number and a web form). For businesses that operate exclusively online, an email address is sufficient. You must verify the identity of requestors.

You must provide a clear "Do Not Sell or Share My Personal Information" link on your homepage. Under CPRA, you must also honor Global Privacy Control (GPC) signals from browsers as valid opt-out requests.

You must collect, use, retain, and share personal information only as reasonably necessary and proportionate to the purposes for which it was collected. This is a new CPRA principle aligned with GDPR concepts.

You must have written contracts with service providers that restrict how they can use personal information received from you. The contract must prohibit the service provider from selling the data, using it for purposes other than the contracted services, or combining it with data from other sources.

CPRA introduces "contractors" as a new category distinct from service providers. Contractors must certify that they understand the restrictions on personal information use and must agree to comply. Contracts must include the right to audit.

You must implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. The standard is proportional to the sensitivity of the data.

Under CPRA, businesses engaged in processing that presents significant risk to consumer privacy must conduct regular risk assessments. These assessments must weigh the benefits of processing against potential risks to consumer rights.

Businesses whose processing of personal information presents significant risk to consumer privacy or security must perform annual cybersecurity audits. The scope and criteria for these audits are being defined by CPPA regulations.

If your business suffers a data breach due to failure to implement reasonable security, affected California consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. This is the only CCPA provision with a private right of action.