CCPA/CPRA
California Consumer Privacy Act, as amended by the California Privacy Rights Act
The CCPA grants California consumers rights over their personal information, and the CPRA expanded those rights and created the California Privacy Protection Agency. Businesses must honor rights to know, delete, correct, and opt out of sale or sharing, and must verify consumer identity before fulfilling requests.
Who it applies to
For-profit businesses doing business in California that meet revenue or data-volume thresholds and collect California residents' personal information, plus their service providers and contractors.
Identity requirements
- Verify the identity of consumers making rights requests to a reasonable degree of certainty before disclosing or deleting personal information
- Provide and honor opt-out mechanisms for the sale and sharing of personal information, including recognized opt-out preference signals
- Obtain opt-in consent for sale or sharing of personal information of consumers under 16
- Implement reasonable security procedures and practices appropriate to the sensitivity of personal information
- Honor consumer rights to know, delete, correct, and limit use of sensitive personal information
- Maintain processes that avoid unauthorized disclosure when responding to identity-based access requests
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Businesses must capture consent and opt-out preferences and manage them across customer identity systems. |
| Identity verification (KYC/proofing) | Consumer rights requests must be verified to a reasonable degree of certainty before data is disclosed or deleted. |
| Data residency & cross-border transfer | Obligations attach to California residents' personal information regardless of where it is processed, shaping data-handling and vendor controls. |
| Breach notification | California's breach law gives consumers a private right of action for breaches caused by failure to maintain reasonable security. |
Penalties
The CPPA and Attorney General can levy administrative or civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation or violation involving minors, plus a consumer private right of action for certain data breaches.
CCPA/CPRA: frequently asked questions
- What is the difference between CCPA and CPRA?
  - The CPRA is a 2020 ballot measure that amended and expanded the CCPA, adding new rights, the sensitive personal information category, and the California Privacy Protection Agency; its amendments took effect 1 January 2023.
- Must businesses verify identity before responding to requests?
  - Yes. Businesses must verify a consumer's identity to a reasonable degree of certainty before disclosing, correcting, or deleting personal information to prevent unauthorized access.
- Who enforces the CCPA and CPRA?
  - The California Privacy Protection Agency has primary administrative enforcement and rulemaking authority, and the California Attorney General also retains civil enforcement power.