CCPA/CPRA Consumer Privacy: Compliance Roadmap
California's consumer privacy laws, the CCPA and its amendment the CPRA, create significant obligations for businesses handling California residents' personal information. This guide covers consumer rights, opt-out requirements, data inventory, and service provider contract requirements.
Understanding CCPA and CPRA
The California Consumer Privacy Act (CCPA), effective January 2020, was the first comprehensive consumer privacy law in the United States. The California Privacy Rights Act (CPRA), which took effect January 2023, amended and expanded the CCPA significantly. Together, they create a robust privacy framework enforced by the California Attorney General and the California Privacy Protection Agency (CPPA).
Who Must Comply?
The CCPA/CPRA applies to for-profit businesses that collect California residents' personal information and meet any of these thresholds:
- Annual gross revenue exceeding $25 million
- Buying, selling, or sharing the personal information of 100,000 or more consumers or households
- Deriving 50% or more of annual revenue from selling or sharing personal information
Consumer Rights Under CCPA/CPRA
California consumers have the following rights:
- Right to Know: Disclosure of what personal information is collected, used, and shared
- Right to Delete: Deletion of personal information, subject to exceptions
- Right to Correct: Correction of inaccurate information (added by CPRA)
- Right to Opt-Out of Sale or Sharing: Direct businesses to stop selling or sharing personal information
- Right to Limit Use of Sensitive Personal Information: Restrict use to what is necessary
- Right to Non-Discrimination: Businesses cannot penalise consumers for exercising rights
Businesses must respond to verifiable consumer requests within 45 days.
Implementing Opt-Out Mechanisms
Key implementation steps:
- Place a clear "Do Not Sell or Share My Personal Information" link on your website homepage
- Honour Global Privacy Control (GPC) signals as valid opt-out requests
- Implement processes to propagate opt-out preferences to all systems that sell or share data
- Maintain records of opt-out requests and responses
- Wait at least 12 months before requesting reconsideration from consumers who have opted out
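The GPC, record-keeping and 12-month steps above, sketched as an added Python example (not code from this guide): the `Sec-GPC` request header and its only defined value `1` come from the Global Privacy Control specification, while the in-memory registry, the downstream "system" callables and the 365-day stand-in for 12 months are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# "At least 12 months" before an opted-out consumer may be asked to reconsider
# (365 days is a constructed simplification of 12 months).
RECONSIDERATION_WAIT = timedelta(days=365)

def gpc_opt_out_requested(headers: dict) -> bool:
    """True only for a valid Global Privacy Control signal: the GPC spec's
    Sec-GPC request header with the value "1". Absence, "0" or anything else
    is not an opt-out. HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False

@dataclass
class OptOutRecord:
    consumer_id: str
    received_at: datetime
    source: str                     # "gpc" signal or the homepage "link"
    propagated_to: list = field(default_factory=list)   # systems that confirmed
    pending: list = field(default_factory=list)         # systems to retry

class OptOutRegistry:
    """Records opt-outs and pushes them to every system that sells or shares data.
    `downstream` maps a system name to a hypothetical callable that applies the
    opt-out and returns True on success (constructed stand-ins for real APIs)."""

    def __init__(self, downstream: dict):
        self.downstream = downstream
        self.records = {}           # consumer_id -> OptOutRecord (the record to maintain)
    def process_request(self, consumer_id, headers, clicked_link=False, now=None):
        now = now or datetime.now(timezone.utc)
        if clicked_link:
            source = "link"
        elif gpc_opt_out_requested(headers):
            source = "gpc"
        else:
            return None             # no opt-out expressed, nothing to record
        rec = OptOutRecord(consumer_id, now, source)
        for name, apply_opt_out in self.downstream.items():
            (rec.propagated_to if apply_opt_out(consumer_id) else rec.pending).append(name)
        self.records[consumer_id] = rec
        return rec

    def may_ask_to_reconsider(self, consumer_id, now=None):
        now = now or datetime.now(timezone.utc)
        rec = self.records.get(consumer_id)
        return rec is None or now - rec.received_at >= RECONSIDERATION_WAIT
```

Systems left in `pending` are the ones a retry job must revisit, so that a single failed downstream call does not silently leave a consumer's data still being shared.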
Conducting a Data Inventory
A comprehensive data inventory is foundational. Map the following for each category of personal information:
- Sources from which personal information is collected
- Business purposes for collection and use
- Categories of third parties with whom information is shared
- Whether information is sold or shared for cross-context behavioural advertising
- Retention periods for each category
Update your data inventory at least annually.
Service Provider and Contractor Contracts
CPRA tightened requirements for contracts with service providers and contractors. Required provisions include:
- Specification of business purposes for which personal information is disclosed
- Prohibition on selling or sharing received personal information
- Obligation to comply with CCPA/CPRA and provide the same level of protection
- Right for the business to take reasonable steps to ensure compliance
- Requirement to notify the business if obligations can no longer be met
- Obligation to flow down restrictions to sub-contractors
Privacy Notice Requirements
Your privacy notice must disclose categories of personal information collected, purposes for collection, consumer rights, categories sold or shared, and retention periods. Update the notice at least annually.
Enforcement and Penalties
Penalties include up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors' data. The private right of action for data breaches allows statutory damages between $100 and $750 per incident.
Start your compliance roadmap by completing the data inventory, updating notices and opt-out mechanisms, and revising service provider contracts.