California has been the trailblazer of US privacy law since the California Consumer Privacy Act (CCPA) took effect in 2020. With the California Privacy Rights Act (CPRA) amendments now fully in force, businesses face the most comprehensive state privacy framework in America.
As we enter 2025, the California Privacy Protection Agency (CPPA) has dramatically increased enforcement activity, issued new regulations, and continues to shape the future of US privacy law. Understanding these requirements isn't just about California — it's about future-proofing your business for the inevitable wave of state privacy laws sweeping the nation.
CCPA (2020) gave California consumers rights over personal data. CPRA (effective 2023) significantly strengthened these rights, created the CPPA enforcement agency, and added new categories like Sensitive Personal Information. Penalties: up to $7,500 per intentional violation.
From CCPA to CPRA: The Evolution
CCPA (Effective January 1, 2020)
The original California Consumer Privacy Act was the first comprehensive state privacy law in the US, granting consumers:
- Right to know what personal info is collected
- Right to delete personal information
- Right to opt-out of sale
- Right to non-discrimination for exercising rights
CPRA (Effective January 1, 2023)
Approved by California voters in 2020 (Prop 24), CPRA significantly expanded CCPA with:
- New rights: Correction, limiting use of sensitive PI
- Sensitive Personal Information category
- California Privacy Protection Agency (CPPA) for enforcement
- "Sharing" opt-out (for cross-context advertising)
- Data minimization and purpose limitation requirements
- Higher penalties for violations involving minors
- Risk assessments and cybersecurity audits
CCPA/CPRA by the Numbers
Who Must Comply?
CCPA/CPRA applies to for-profit businesses doing business in California that meet at least one of these thresholds:
- Annual gross revenues over $25 million
- Buy, sell, or share personal info of 100,000+ California consumers or households
- Derive 50%+ of annual revenue from selling or sharing consumer personal information
CPRA raised the consumer/household threshold from 50,000 to 100,000. However, it now counts "sharing" (not just selling) toward that threshold — capturing many adtech-dependent businesses.
Consumer Rights Under CPRA
1. Right to Know
Consumers can request:
- What categories of personal info you collect
- Sources of that information
- Business purposes for collection
- Categories of third parties shared with
- Specific pieces of information collected
2. Right to Delete
Consumers can request deletion of their personal information, subject to exceptions (legal obligations, fraud prevention, etc.).
3. Right to Correct (NEW under CPRA)
Consumers can request correction of inaccurate personal information.
4. Right to Opt-Out of Sale/Sharing
Consumers can opt out of:
- Sale of personal information (existing CCPA right)
- Sharing for cross-context behavioral advertising (NEW under CPRA)
5. Right to Limit Use of Sensitive PI (NEW)
Consumers can direct businesses to limit use of Sensitive Personal Information to only what's necessary to perform requested services.
6. Right to Non-Discrimination
Businesses cannot discriminate against consumers for exercising privacy rights through:
- Denying goods or services
- Charging different prices
- Providing different quality
- Suggesting different prices/quality
7. Right to Data Portability
Receive personal information in a portable, readily usable format.
Sensitive Personal Information: A New Category
CPRA created a new category of Sensitive Personal Information (SPI) requiring heightened protection:
What Qualifies as SPI?
- Social Security numbers, driver's licenses, passport numbers
- Financial account info with security/access codes
- Precise geolocation (within 1,850 feet)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Genetic data
- Biometric information for unique identification
- Health information
- Sex life or sexual orientation
- Contents of mail, email, and text messages
Businesses processing SPI must provide a "Limit the Use of My Sensitive Personal Information" link on their homepage, similar to the existing "Do Not Sell" requirement.
Business Obligations
1. Privacy Notice Requirements
Your privacy notice must include:
- Categories of personal info collected (last 12 months)
- Sources, purposes, and recipients of personal info
- Consumer rights and how to exercise them
- "Do Not Sell or Share My Personal Information" link
- "Limit the Use of My Sensitive Personal Information" link (if applicable)
- Data retention periods for each category
- Description of metrics on consumer requests
2. Consumer Request Mechanisms
You must provide:
- Two methods to submit requests (toll-free phone + website form)
- 45-day response (extendable by 45 more days with notice)
- Verification process appropriate to data sensitivity
- Authorized agent handling capabilities
- Free response to first two requests annually
3. Service Provider Contracts
Contracts with service providers must include:
- Specific business purpose
- Prohibition on selling/sharing personal info
- Prohibition on retaining/using outside contract
- Certification of CCPA understanding
- Audit rights for the business
4. Data Minimization & Purpose Limitation
Under CPRA, businesses must:
- Collect only personal info necessary for disclosed purposes
- Not use info for materially different purposes without notice
- Retain personal info only as long as necessary
- Disclose retention periods to consumers
5. Cybersecurity Audits & Risk Assessments
Businesses processing personal information that presents significant risk must conduct:
- Annual cybersecurity audits
- Risk assessments for high-risk processing
- Submission of those assessments to the CPPA on request
Penalty Structure
| Violation Type | Penalty Amount |
|---|---|
| Unintentional violation | Up to $2,500 per violation |
| Intentional violation | Up to $7,500 per violation |
| Violation involving minors under 16 | Up to $7,500 per violation |
| Private right of action (data breach) | $100-$750 per consumer per incident |
Note: CCPA's 30-day cure period was eliminated by CPRA, making violations immediately actionable.
California Privacy Protection Agency (CPPA)
CPRA created the CPPA as a dedicated privacy enforcement agency — the first of its kind in the US. The CPPA has:
- Rulemaking authority to implement CPRA requirements
- Investigation powers for privacy violations
- Audit authority to compel cybersecurity assessments
- Penalty authority to impose fines independently
- Public hearings on enforcement priorities
Recent CPPA Enforcement Trends
- Aggressive focus on dark patterns in consent flows
- Scrutiny of Global Privacy Control (GPC) compliance
- Audits of sensitive PI handling
- Investigation of adtech/data broker practices
- Examination of employee privacy rights
Need CCPA/CPRA Compliance Help?
Our California privacy specialists can audit your current practices, build compliant programs, and prepare your organization for CPPA enforcement actions and consumer requests.
Employee Data: No Longer Exempt
Until January 1, 2023, employee personal information was largely exempt from CCPA. CPRA eliminated this exemption, meaning California-based businesses now must:
- Provide privacy notices to employees and job applicants
- Honor employee/applicant rights requests
- Implement employee data protections
- Limit use of sensitive employee PI
- Handle workplace monitoring transparently
B2B Data: Now Covered
CPRA also eliminated the B2B exemption, meaning personal information collected in business contexts (employees of business customers, vendor contacts) is now subject to full CCPA/CPRA protections.
2025 Compliance Roadmap
Step 1: Data Inventory
Map all personal information you collect — including sensitive PI categories, sources, purposes, and recipients.
Step 2: Update Privacy Notice
Ensure your privacy notice meets all CPRA requirements including SPI disclosures, retention periods, and the new metrics requirements.
Step 3: Implement Opt-Out Mechanisms
Add:
- "Do Not Sell or Share My Personal Information" link
- "Limit the Use of My Sensitive Personal Information" link (if applicable)
- Global Privacy Control (GPC) recognition
Step 4: Build Consumer Request Process
Implement workflows for handling Right to Know, Delete, Correct, and other requests within 45 days.
Step 5: Update Service Provider Contracts
Review and amend all vendor contracts to include required CPRA terms.
Step 6: Conduct Risk Assessments
For high-risk processing, prepare formal risk assessments documenting necessity, safeguards, and consumer impact.
Step 7: Cybersecurity Audit Readiness
Document security controls, conduct annual audits, and prepare for CPPA assessment requests.
Step 8: Employee Privacy Program
Extend privacy protections to employees and job applicants — develop HR-specific privacy notices and processes.
Step 9: Train Your Team
Train staff handling consumer data, customer service, HR, and IT on CCPA/CPRA requirements.
Common Compliance Mistakes
1. Treating "Sale" Too Narrowly
"Sale" under CCPA includes any exchange of personal info for "valuable consideration" — including many adtech relationships not involving money.
2. Ignoring Global Privacy Control
CPPA requires businesses to honor GPC signals as opt-out requests. Non-compliance is a top enforcement priority.
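As an added example (not code from the original article), here is a minimal Node.js-style handler that treats a Global Privacy Control signal as an opt-out of sale/sharing, covering both the "GPC recognition" item in Step 3 and the mistake above. The request header name Sec-GPC (value "1") and the browser property navigator.globalPrivacyControl come from the GPC specification; the in-memory store and consumer ids are constructed for illustration.

```javascript
// Added example, not the article's own code: honoring a Global Privacy Control
// (GPC) signal as a CCPA/CPRA opt-out of sale/sharing on the server side.
// The GPC spec defines the request header "Sec-GPC: 1". Any other value, or a
// missing header, is NOT an opt-out signal and must not be treated as one.

// Return true only when the request carries a valid GPC opt-out signal.
function hasGpcOptOut(headers) {
  // HTTP header names are case-insensitive; normalize before the lookup.
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === 'sec-gpc');
  const value = entry ? entry[1] : undefined;
  return typeof value === 'string' && value.trim() === '1';
}

// Browser-side equivalent: the GPC spec exposes navigator.globalPrivacyControl.
// `nav` is passed in so the check can run outside a browser (constructed input).
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed in-memory opt-out store keyed by a pseudonymous consumer id.
// A real deployment would persist this alongside the consumer record.
const optOutStore = new Map();

// Apply the signal for one request. An opt-out, once recorded, is sticky:
// a later request without the header does not silently re-enable sharing.
// Returns the decision a tag manager would use to suppress cross-context
// advertising pixels and other "sale/share" flows for this consumer.
function applyGpc(consumerId, headers) {
  if (hasGpcOptOut(headers)) {
    optOutStore.set(consumerId, { optedOut: true, source: 'gpc', at: Date.now() });
  }
  const record = optOutStore.get(consumerId);
  const optedOut = Boolean(record && record.optedOut);
  return { optedOut, allowCrossContextAds: !optedOut };
}

// Explicit opt-back-in through a separate, deliberate consumer action
// (e.g. a preference center), never inferred from a missing header.
function optBackIn(consumerId) {
  optOutStore.set(consumerId, { optedOut: false, source: 'consumer', at: Date.now() });
  return applyGpc(consumerId, {});
}
```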
3. Inadequate Verification
Over-verifying creates friction; under-verifying creates security risks. Balance based on data sensitivity.
4. Missing Employee Protections
Many businesses still haven't extended privacy programs to employees post-2023.
5. Stale Privacy Notices
Annual review and updates are essential — practices evolve and so should your disclosures.
Build for multi-state compliance. With Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and more states enacting privacy laws, design programs that scale across jurisdictions rather than California-only solutions.
Looking Ahead: California Privacy in 2025+
Expected developments:
- Finalized CPPA regulations on automated decision-making
- Increased enforcement actions and public penalties
- Joint enforcement with state AG offices
- Focus on AI/ML privacy implications
- Continued evolution of dark pattern regulations
- New federal preemption debates with potential APRA legislation
Conclusion
CCPA and CPRA have transformed how American businesses approach consumer privacy. With the CPPA actively enforcing, expanded consumer rights, and elimination of major exemptions, California compliance is more demanding than ever.
The smart approach: build a robust, scalable privacy program that meets California's high standards. This positions your business not just for California compliance, but for the inevitable expansion of state privacy laws across America — and even for potential federal legislation in the future.
Privacy is no longer just a compliance checkbox. It's a business imperative that affects customer trust, brand reputation, and operational risk. Organizations that embrace privacy as a competitive advantage will thrive in the data-driven economy ahead.